From 82f82d438c50c7a7107f92a3d63b3717d7e219c9 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Wed, 27 Jan 2021 17:29:29 -0800
Subject: [PATCH] Add systemd files
---
 systemd/cert-renewer@.service | 31 +++++++++++++++++++++
 systemd/cert-renewer@.timer | 18 ++++++++++++
 systemd/step-ca.service | 52 +++++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 systemd/cert-renewer@.service
 create mode 100644 systemd/cert-renewer@.timer
 create mode 100644 systemd/step-ca.service
diff --git a/systemd/cert-renewer@.service b/systemd/cert-renewer@.service
new file mode 100644
index 00000000..29e5ec8a
--- /dev/null
+++ b/systemd/cert-renewer@.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Certificate renewer for %I
+After=network-online.target
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+StartLimitIntervalSec=0
+
+[Service]
+Type=oneshot
+User=root
+
+Environment=STEPPATH=/etc/step-ca \
+ CERT_LOCATION=/etc/step/certs/%i.crt \
+ KEY_LOCATION=/etc/step/certs/%i.key
+
+; ExecStartPre checks if the certificate is ready for renewal,
+; based on the exit status of the command.
+; (In systemd 243 and above, you can use ExecCondition= here.)
+ExecStartPre=/usr/bin/bash -c \
+ 'step certificate inspect $CERT_LOCATION --format json --roots "$STEPPATH/certs/root_ca.crt" | \
+ jq -e "(((.validity.start | fromdate) + \
+ ((.validity.end | fromdate) - (.validity.start | fromdate)) * 0.66) \
+ - now) <= 0" > /dev/null'
+
+; ExecStart renews the certificate, if ExecStartPre was successful.
+ExecStart=/usr/bin/step ca renew --force $CERT_LOCATION $KEY_LOCATION
+
+; Try to reload or restart the systemd service that relies on this cert-renewer
+ExecStartPost=/usr/bin/bash -c 'systemctl --quiet is-enabled %i && systemctl try-reload-or-restart %i'
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/cert-renewer@.timer b/systemd/cert-renewer@.timer
new file mode 100644
index 00000000..806f3407
--- /dev/null
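Review bot: The renewer template runs as `User=root` with none of the sandboxing that the same commit gives step-ca.service, yet the only work it does is read `$STEPPATH/certs/root_ca.crt`, rewrite the two files under /etc/step/certs and call systemctl. A dedicated service account with `ProtectSystem=strict`, `ReadWritePaths=/etc/step/certs`, `PrivateTmp=true` and `NoNewPrivileges=yes` would bring it in line with the CA unit; the `ExecStartPost` call to `systemctl try-reload-or-restart %i` is the one step that still needs privilege and is the part to settle before dropping root. The environment block also points `STEPPATH` at /etc/step-ca while `CERT_LOCATION`/`KEY_LOCATION` live under /etc/step; if that split is deliberate, a short comment such as `; Client certs live in /etc/step, separate from the CA state in $STEPPATH` would stop it being read as a typo. Finally, `$CERT_LOCATION $KEY_LOCATION` in ExecStart are word-split on expansion; `${CERT_LOCATION} ${KEY_LOCATION}` keeps each path as a single argument.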
+++ b/systemd/cert-renewer@.timer
@@ -0,0 +1,18 @@
+[Unit]
+Description=Certificate renewal timer for %I
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+
+[Timer]
+Persistent=true
+
+; Run the timer unit every 5 minutes.
+OnCalendar=*:1/5
+
+; Always run the timer on time.
+AccuracySec=1us
+
+; Add jitter to prevent a "thundering hurd" of simultaneous certificate renewals.
+RandomizedDelaySec=5m
+
+[Install]
+WantedBy=timers.target
diff --git a/systemd/step-ca.service b/systemd/step-ca.service
new file mode 100644
index 00000000..4b9975e7
--- /dev/null
+++ b/systemd/step-ca.service
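Review bot: The comment `; Always run the timer on time.` above `AccuracySec=1us` is contradicted two lines later by `RandomizedDelaySec=5m`, which deliberately spreads each activation over the following five minutes; the accuracy setting only narrows systemd's coalescing window, so the comment would read more accurately as `; Do not coalesce with other timers; the jitter below is the only intended delay.`. The typo in `"thundering hurd"` should be `"thundering herd"`. Since the random delay equals the `OnCalendar=*:1/5` period, a delayed run can still be active when the next tick elapses; that is harmless for an idempotent renewal check, but a clause in the jitter comment saying so would save the next reader the same question.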
@@ -0,0 +1,52 @@
+[Unit]
+Description=step-ca service
+Documentation=https://smallstep.com/docs/step-ca
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+After=network-online.target
+Wants=network-online.target
+StartLimitIntervalSec=30
+StartLimitBurst=3
+ConditionFileNotEmpty=/etc/step-ca/config/ca.json
+ConditionFileNotEmpty=/etc/step-ca/password.txt
+
+[Service]
+Type=simple
+User=step
+Group=step
+Environment=STEPPATH=/etc/step-ca
+WorkingDirectory=/etc/step-ca
+ExecStart=/usr/local/bin/step-ca config/ca.json --password-file password.txt
+ExecReload=/bin/kill --signal HUP $MAINPID
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=30
+StartLimitBurst=3
+
+; Process capabilities & privileges
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+SecureBits=keep-caps
+NoNewPrivileges=yes
+
+; Sandboxing
+ProtectSystem=full
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+LockPersonality=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+RestrictRealtime=true
+; confirmed this works, even with YubiKey PIV, and presumably with YubiHSM2:
+PrivateDevices=true
+MemoryDenyWriteExecute=true
+ReadWriteDirectories=/etc/step-ca/db
+
+[Install]
+WantedBy=multi-user.target
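Review bot: `StartLimitInterval=30` and `StartLimitBurst=3` in [Service] (just after `TimeoutStopSec=30`) restate the `StartLimitIntervalSec=30`/`StartLimitBurst=3` already given in [Unit]; the [Service] spelling is the older form that systemd still accepts for compatibility, so one of the two pairs can go rather than having two places to keep in sync. `ProtectSystem=full` already makes /etc read-only, so ca.json and password.txt are protected from the process, but `ProtectSystem=strict` with `ReadWritePaths=/etc/step-ca/db` (the current name of `ReadWriteDirectories=`) would extend that to the rest of the tree, and `ProtectHome=true` is the natural companion since `STEPPATH` is set explicitly; both are worth verifying against the db backend actually in use rather than assumed. Note also that `ConditionFileNotEmpty=/etc/step-ca/password.txt` checks existence and size only, so a password file that is not readable by `User=step` passes the condition and fails later at ExecStart; a comment such as `; password.txt must be readable by the step user (e.g. owner step, mode 0400)` next to the condition would make that expectation visible.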