Carl Tashian (tashian)

#!/bin/bash
#
# This script will launch and configure a step-ca SSH Certificate Authority
# with OIDC and AWS provisioners
#
# See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions
OIDC_CLIENT_ID="[OAuth client ID]" # from Google
OIDC_CLIENT_SECRET="[OAuth client secret]" # from Google
ALLOWED_DOMAIN="[the domain name of the accounts your users will use to sign in to Google]"
#!/bin/bash
#
# This script will get an SSH host certificate from our CA and add a weekly
# cron job to rotate the host certificate. It should be run as root.
#
# See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions
CA_URL="[Your CA URL]"
# Obtain your CA fingerprint by running this on your CA:
@tashian
tashian / step-ca.json
Created January 26, 2021 22:00
Keycloak Client Settings for step-ca
{
  "clientId": "step-ca",
  "rootUrl": "http://127.0.0.1:10000",
  "adminUrl": "http://127.0.0.1:10000",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "http://127.0.0.1:10000/*"
@tashian
tashian / loki.yml
Last active May 4, 2021 23:42
Loki configuration for my homelab
# Loki config based on
# https://github.com/grafana/loki/blob/master/cmd/loki/loki-local-config.yaml
# The only thing I've changed is the server: block.
auth_enabled: false
server:
  http_listen_address: 127.0.0.1
  http_listen_port: 3100
  grpc_listen_address: 127.0.0.1
@tashian
tashian / step-ca-launch.sh
Created April 21, 2021 16:29
Install & launch step-ca on a variety of Linux distros
#!/bin/bash
CA_NAME="Tiny"
ROOT_KEY_PASSWORD="smallsteplabs"
EMAIL="carl@smallstep.com"
AWS_ACCOUNT_ID="123123"
if [ -f /etc/os-release ]; then
  # freedesktop.org and systemd
  . /etc/os-release
@tashian
tashian / aws-build-script.sh
Created April 21, 2021 17:39
Build step-ca on an AWS VM
#!/bin/bash
### Basic build environment #######
apt update
apt install -y make gcc ack libpcsclite-dev pkg-config unzip debhelper
apt upgrade -y
cd /root
## Install golang
@tashian
tashian / prometheus.yml
Last active May 4, 2021 22:38
Prometheus configuration file with TLS support
# my global config
global:
  scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'
    # metrics_path defaults to '/metrics'
@tashian
tashian / Dockerfile.mongo.ca_bootstrap
Last active October 5, 2021 20:26
A MongoDB Dockerfile that bootstraps with a step-ca Certificate Authority for root CA trust
FROM mongo
ARG CA_URL
ARG CA_FINGERPRINT
ENV CA_URL=${CA_URL} CA_FINGERPRINT=${CA_FINGERPRINT}
RUN apt update; \
    apt install -y --no-install-recommends \
        curl \
        jq \
        openssl \
    ; \
@tashian
tashian / Dockerfile.mongo.step_ca_bootstrap
Created October 5, 2021 20:24
A MongoDB Dockerfile that bootstraps with a step-ca Certificate Authority for root CA trust, using the step command
FROM smallstep/step-cli as step
FROM mongo
COPY --from=step /usr/local/bin/step /usr/local/bin/
ARG CA_URL
ARG CA_FINGERPRINT
ENV CA_URL=${CA_URL} CA_FINGERPRINT=${CA_FINGERPRINT}
RUN step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT --install
@tashian
tashian / fetch_tpm_certs.sh
Last active October 10, 2023 20:03
Using a TPM EKcert as input, recursively fetch the TPM CA certificate chain
#!/bin/bash
# Using a TPM EKcert filename as input, this script recursively fetches TPM CA certificates.
# It depends on the EKcert having an AIA (Authority Information Access) Issuer URI field.
# This field is not required and may not be present.
# If available, the CA certificates will be saved into the current directory.
#
# To use this script, you will need the following programs:
# jq — https://jqlang.github.io/jq/
# step — https://smallstep.com/docs/step-cli/installation/
# curl