Carl Tashian tashian
tashian
/ init_aws_ca.sh
Last active
December 31, 2024 11:38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # This script will launch and configure a step-ca SSH Certificate Authority | |
| # on AWS in an Ubuntu / Debian-based VM with OIDC and AWS provisioners | |
| # | |
| # See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions | |
| OIDC_CLIENT_ID="[OAuth client ID]" # from Google | |
| OIDC_CLIENT_SECRET="[OAuth client secret]" # from Google | |
| ALLOWED_DOMAIN="[the domain name of accounts your users will use to sign to Google]" |
tashian
/ init_aws_ssh_host.sh
Last active
October 10, 2024 11:42
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # This script will get an SSH host certificate from our CA and add a weekly | |
| # cron job to rotate the host certificate. It should be run as root. | |
| # | |
| # See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions | |
| CA_URL="[Your CA URL]" | |
| # Obtain your CA fingerprint by running this on your CA: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "clientId": "step-ca", | |
| "rootUrl": "http://127.0.0.1:10000", | |
| "adminUrl": "http://127.0.0.1:10000", | |
| "surrogateAuthRequired": false, | |
| "enabled": true, | |
| "alwaysDisplayInConsole": false, | |
| "clientAuthenticatorType": "client-secret", | |
| "redirectUris": [ | |
| "http://127.0.0.1:10000/*" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Loki config based on | |
| # https://github.com/grafana/loki/blob/master/cmd/loki/loki-local-config.yaml | |
| # The only thing I've changed is the server: block. | |
| auth_enabled: false | |
| server: | |
| http_listen_address: 127.0.0.1 | |
| http_listen_port: 3100 | |
| grpc_listen_address: 127.0.0.1 |
tashian
/ step-ca-launch.sh
Last active
July 15, 2024 18:59
Install & launch step-ca in AWS on a variety of Linux distros
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| CA_NAME="Tiny" | |
| ROOT_KEY_PASSWORD="smallsteplabs" | |
| EMAIL="[email protected]" | |
| if [ -f /etc/os-release ]; then | |
| # freedesktop.org and systemd | |
| . /etc/os-release | |
| OS=$NAME |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ### Basic build environment ####### | |
| apt update | |
| apt install -y make gcc ack libpcsclite-dev pkg-config unzip debhelper | |
| apt upgrade -y | |
| cd /root | |
| ## Install golang |
tashian
/ prometheus.yml
Last active
September 26, 2024 05:24
Prometheus configuration file with TLS support
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # my global config | |
| global: | |
| scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. | |
| # A scrape configuration containing exactly one endpoint to scrape: | |
| # Here it's Prometheus itself. | |
| scrape_configs: | |
| # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config. | |
| - job_name: 'prometheus' | |
| # metrics_path defaults to '/metrics' |
tashian
/ Dockerfile.mongo.ca_bootstrap
Last active
October 5, 2021 20:26
A MongoDB Dockerfile that bootstraps with a step-ca Certificate Authority for root CA trust
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM mongo | |
| ARG CA_URL | |
| ARG CA_FINGERPRINT | |
| ENV CA_URL=${CA_URL} CA_FINGERPRINT=${CA_FINGERPRINT} | |
| RUN apt update; \ | |
| apt install -y --no-install-recommends \ | |
| curl \ | |
| jq \ | |
| openssl \ | |
| ; \ |
tashian
/ Dockerfile.mongo.step_ca_bootstrap
Created
October 5, 2021 20:24
A MongoDB Dockerfile that bootstraps with a step-ca Certificate Authority for root CA trust, using the step command
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM smallstep/step-cli as step | |
| FROM mongo | |
| COPY --from=step /usr/local/bin/step /usr/local/bin/ | |
| ARG CA_URL | |
| ARG CA_FINGERPRINT | |
| ENV CA_URL=${CA_URL} CA_FINGERPRINT=${CA_FINGERPRINT} | |
| RUN step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT --install |
tashian
/ fetch_tpm_certs.sh
Last active
October 10, 2023 20:03
Using a TPM EKcert as input, recursively fetch the TPM CA certificate chain
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Using a TPM EKcert filename as input, this script recursively fetches TPM CA certificates. | |
| # It depends on the EKcert having an AIA (Authority Information Access) Issuer URI field. | |
| # This field is not required and may not be present. | |
| # If available, the CA certificates will be saved into the current directory. | |
| # | |
| # To use this script, you will need the following programs: | |
| # jq — https://jqlang.github.io/jq/ | |
| # step — https://smallstep.com/docs/step-cli/installation/ | |
| # curl |