Add systemd files
This commit is contained in:
parent
1feb4fcb26
commit
82f82d438c
3 changed files with 101 additions and 0 deletions
31
systemd/cert-renewer@.service
Normal file
31
systemd/cert-renewer@.service
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Certificate renewer for %I
|
||||||
|
After=network-online.target
|
||||||
|
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
|
||||||
|
StartLimitIntervalSec=0
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
User=root
|
||||||
|
|
||||||
|
Environment=STEPPATH=/etc/step-ca \
|
||||||
|
CERT_LOCATION=/etc/step/certs/%i.crt \
|
||||||
|
KEY_LOCATION=/etc/step/certs/%i.key
|
||||||
|
|
||||||
|
; ExecStartPre checks if the certificate is ready for renewal,
|
||||||
|
; based on the exit status of the command.
|
||||||
|
; (In systemd 243 and above, you can use ExecCondition= here.)
|
||||||
|
ExecStartPre=/usr/bin/bash -c \
|
||||||
|
'step certificate inspect $CERT_LOCATION --format json --roots "$STEPPATH/certs/root_ca.crt" | \
|
||||||
|
jq -e "(((.validity.start | fromdate) + \
|
||||||
|
((.validity.end | fromdate) - (.validity.start | fromdate)) * 0.66) \
|
||||||
|
- now) <= 0" > /dev/null'
|
||||||
|
|
||||||
|
; ExecStart renews the certificate, if ExecStartPre was successful.
|
||||||
|
ExecStart=/usr/bin/step ca renew --force $CERT_LOCATION $KEY_LOCATION
|
||||||
|
|
||||||
|
; Try to reload or restart the systemd service that relies on this cert-renewer
|
||||||
|
ExecStartPost=/usr/bin/bash -c 'systemctl --quiet is-enabled %i && systemctl try-reload-or-restart %i'
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
18
systemd/cert-renewer@.timer
Normal file
18
systemd/cert-renewer@.timer
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Certificate renewal timer for %I
|
||||||
|
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
|
||||||
|
|
||||||
|
[Timer]
|
||||||
|
Persistent=true
|
||||||
|
|
||||||
|
; Run the timer unit every 5 minutes.
|
||||||
|
OnCalendar=*:1/5
|
||||||
|
|
||||||
|
; Always run the timer on time.
|
||||||
|
AccuracySec=1us
|
||||||
|
|
||||||
|
; Add jitter to prevent a "thundering hurd" of simultaneous certificate renewals.
|
||||||
|
RandomizedDelaySec=5m
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=timers.target
|
52
systemd/step-ca.service
Normal file
52
systemd/step-ca.service
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
[Unit]
|
||||||
|
Description=step-ca service
|
||||||
|
Documentation=https://smallstep.com/docs/step-ca
|
||||||
|
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
|
||||||
|
After=network-online.target
|
||||||
|
Wants=network-online.target
|
||||||
|
StartLimitIntervalSec=30
|
||||||
|
StartLimitBurst=3
|
||||||
|
ConditionFileNotEmpty=/etc/step-ca/config/ca.json
|
||||||
|
ConditionFileNotEmpty=/etc/step-ca/password.txt
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
User=step
|
||||||
|
Group=step
|
||||||
|
Environment=STEPPATH=/etc/step-ca
|
||||||
|
WorkingDirectory=/etc/step-ca
|
||||||
|
ExecStart=/usr/local/bin/step-ca config/ca.json --password-file password.txt
|
||||||
|
ExecReload=/bin/kill --signal HUP $MAINPID
|
||||||
|
Restart=on-failure
|
||||||
|
RestartSec=5
|
||||||
|
TimeoutStopSec=30
|
||||||
|
StartLimitInterval=30
|
||||||
|
StartLimitBurst=3
|
||||||
|
|
||||||
|
; Process capabilities & privileges
|
||||||
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||||
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||||
|
SecureBits=keep-caps
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
|
||||||
|
; Sandboxing
|
||||||
|
ProtectSystem=full
|
||||||
|
RestrictNamespaces=true
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
|
PrivateTmp=true
|
||||||
|
ProtectClock=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
LockPersonality=true
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
RemoveIPC=true
|
||||||
|
RestrictRealtime=true
|
||||||
|
; confirmed this works, even with YubiKey PIV, and presumably with YubiHSM2:
|
||||||
|
PrivateDevices=true
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
ReadWriteDirectories=/etc/step-ca/db
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
Loading…
Reference in a new issue