Jonathan Rosser d1e27389b1 Deploy step-ca when 'stepca' is part of the deployment scenario.
There is currently no CI testing of support for Let's Encrypt/ACME
in OpenStack-Ansible. Adding testing first requires a suitable CA,
and we cannot use the LE staging environment as it cannot be
guaranteed to have connectivity; there is also no reasonable
DNS entry that will work universally for all AIO/CI builds.

This patch deploys Step-CA locally on the deployment/AIO node
and configures a sufficiently functional ACME API endpoint and root
CA.

Change-Id: Ib0770ed20c12111dacc6bb63436d0b58d108b853
2023-03-15 23:16:48 +01:00


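; step-ca.service - systemd unit template (Jinja) for the local step-ca
; ACME CA. Paths and the service account come from the step_ca_* Ansible
; variables. systemd supports full-line comments only, so no trailing
; comments are used here.

[Unit]
Description=step-ca
Documentation=https://smallstep.com/docs/step-ca
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
After=network.target
; Rate-limit restarts: at most 3 start attempts within 30 seconds.
; systemd >= 230 reads these from [Unit]; StartLimitInterval= in
; [Service] is the pre-230 legacy spelling.
StartLimitIntervalSec=30
StartLimitBurst=3

[Service]
Type=simple
User={{ step_ca_user }}
Group={{ step_ca_group }}
; step-ca resolves its config, certificates and database relative to STEPPATH.
Environment=STEPPATH={{ step_ca_config_dir }}
WorkingDirectory={{ step_ca_config_dir }}
; Exec the binary directly instead of via '/bin/sh -c': the templated
; paths are not subject to shell interpretation, and $MAINPID is step-ca
; itself, so the HUP sent by ExecReload= reaches the CA process.
; step_ca_binary must be an absolute path (systemd < 239 does not search PATH).
ExecStart={{ step_ca_binary }} {{ step_ca_config_dir }}/config/ca.json --password-file={{ step_ca_config_dir }}/config/password.txt
ExecReload=/bin/kill --signal HUP $MAINPID
Restart=on-failure
; seconds between restart attempts
RestartSec=10
; seconds to wait for a clean shutdown before SIGKILL
TimeoutStopSec=30

; Process capabilities & privileges
; Only CAP_NET_BIND_SERVICE is kept so the CA can bind a privileged port
; while running as an unprivileged user; everything else is dropped.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
NoNewPrivileges=yes

; Sandboxing
ProtectSystem=full
ProtectHome=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectKernelModules=true
LockPersonality=true
RestrictSUIDSGID=true
RemoveIPC=true
RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
; ProtectSystem=full mounts /etc read-only, but the CA database must stay
; writable. The path is derived from step_ca_config_dir like every other
; path in this unit rather than hard-coded to /etc/step-ca.
; NOTE(review): assumes ca.json keeps the db under $STEPPATH/db - confirm
; against the rendered ca.json.
ReadWritePaths={{ step_ca_config_dir }}/db

[Install]
WantedBy=multi-user.target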