Vault Agent PKI on a Synology NAS

bootstrap.sh

#!/bin/bash
set -e

# Proof of Concept Bash Script to connect to NAS and configure everything

REMOTE_PORT=1337
REMOTE_HOST=codex.davnet.lmhd.me
REMOTE_USER=shenanigans


export VAULT_ADDR=https://vault.fancycorp.io


echo
echo ========================================
echo Generating AppRole Credentials
echo ========================================

# Read Role ID and create Secret ID
role_id=$(vault read --field=role_id auth/approle/role/pki-davnet/role-id)
secret_id=$(vault write -f --field=secret_id auth/approle/role/pki-davnet/secret-id)


echo
echo ========================================
echo Running Setup on ${REMOTE_HOST}
echo ========================================

ssh -p ${REMOTE_PORT}          ${REMOTE_USER}@${REMOTE_HOST} mkdir -p /tmp/lmhd/

ssh -p ${REMOTE_PORT}          ${REMOTE_USER}@${REMOTE_HOST} "echo ${role_id}   > /tmp/lmhd/role-id"
ssh -p ${REMOTE_PORT}          ${REMOTE_USER}@${REMOTE_HOST} "echo ${secret_id} > /tmp/lmhd/secret-id"

scp -P ${REMOTE_PORT} setup.sh ${REMOTE_USER}@${REMOTE_HOST}:/tmp/lmhd/setup.sh

# Need the admin password, so we can sudo to root
# because Synology decided running NGINX as root was a GREAT idea!

echo Enter Admin Password:
read -s admin_pass
echo ${admin_pass} | ssh -p ${REMOTE_PORT}          ${REMOTE_USER}@${REMOTE_HOST} sudo -S /tmp/lmhd/setup.sh

setup.sh

#!/bin/bash
set -e

# TODO: Put these files elsewhere
# they are currently running in the Admin user's home directory
# which... okay, kinda works as a PoC... but not what I really want

mkdir -p vault
cd vault

if [ ! -f vault ]; then
	echo
	echo ========================================
	echo Installing Vault
	echo ========================================

	VAULT_VERSION=1.7.2
	curl https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_arm64.zip > vault.zip
	gunzip -S .zip vault.zip
	./vault version
fi


echo
echo ========================================
echo Setting up Vault Agent
echo ========================================

cat > vault_agent.hcl << EOF
vault {
  address = "https://vault.fancycorp.io"
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "role-id"
      secret_id_file_path = "secret-id"
    }
  }
}

template {
  contents = <<EOT
{{ with secret "pki/inter/issue/davnet.lmhd.me" "common_name=codex.davnet.lmhd.me" }}
{{ toJSONPretty .Data }}
{{ end }}
EOT

  destination = "codex.json"

  command = "./split-cert.sh"
}
EOF

mv /tmp/lmhd/role-id .
mv /tmp/lmhd/secret-id .

cat > split-cert.sh << EOF
#!/bin/bash
set -ex

cat codex.json | jq -r '.certificate'              > /usr/syno/etc/certificate/system/default/cert.pem
cat codex.json | jq -r '.issuing_ca'               > /usr/syno/etc/certificate/system/default/chain.pem
cat codex.json | jq -r '.certificate, .issuing_ca' > /usr/syno/etc/certificate/system/default/fullchain.pem
cat codex.json | jq -r '.private_key'              > /usr/syno/etc/certificate/system/default/privkey.pem

cat codex.json | jq -r '.certificate'              > /usr/syno/etc/certificate/system/FQDN/cert.pem
cat codex.json | jq -r '.issuing_ca'               > /usr/syno/etc/certificate/system/FQDN/chain.pem
cat codex.json | jq -r '.certificate, .issuing_ca' > /usr/syno/etc/certificate/system/FQDN/fullchain.pem
cat codex.json | jq -r '.private_key'              > /usr/syno/etc/certificate/system/FQDN/privkey.pem

nginx -s reload
EOF

# TODO: get this running automatically as some kind of service, so it
# survives a reboot

# TODO: This nohup bit doesn't actually work yet
# Works when I run it manually, which is good enough for now
echo
echo ========================================
echo Running Vault Agent
echo ========================================
nohup ./vault agent -config vault_agent.hcl &