# [email protected] - (c) Red Hat, inc 2013
# gpl v2+ 
# utterly trivial so I'm not worried one way or the other

# This source code adapted from http://skvidal.fedorapeople.org/misc/shapass
# Enhancements (c) Jesse Buchanan 2014 - GPL v2+

# Purpose: Generates a secure, crypted password for use in /etc/shadow.
# Usage: Execute without arguments.

import string
import getpass
import sys

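try:
    from passlib.hosts import linux_context
except ImportError:
    print("Couldn't import passlib. Try: pip install passlib")
    sys.exit(1)

# Prompt twice with echo disabled until both entries agree.  An empty entry
# is rejected: hashing "" would silently produce a shadow line that accepts a
# blank password.  The local is deliberately not named `input`, which shadows
# the builtin.
password = None
while password is None:
    first = getpass.getpass()
    second = getpass.getpass(prompt="Re-enter Password: ")
    if first != second:
        print('Passwords do not match, try again!')
    elif not first:
        print('Empty password not accepted, try again!')
    else:
        password = first

# linux_context picks the scheme the host's /etc/shadow would use (sha512_crypt
# on modern systems); newer passlib releases spell this method `hash`, with
# `encrypt` kept as a deprecated alias.  Only the hash is ever printed.
print(linux_context.encrypt(password))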
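def main():
    """Generate or copy every secret a txbits deployment needs under conf['path'].

    Reads the JSON config named on the command line, then idempotently creates
    DKIM keys, TLS key/cert pairs, DH parameters, spiped secrets, a ``vars.yml``
    of passwords, a Java trust store and (when ``backups`` is set) tarsnap keys.
    Anything that already exists on disk is left untouched.  Relies on the
    module's helpers ``not_exists``/``make_dirs``/``mv``/``cp``/``read`` (defined
    outside this function) and on ``linux_context`` from passlib.

    External tools (opendkim-genkey, openssl, keytool, tarsnap-keygen,
    tarsnap-keymgmt) are invoked as argv lists without a shell, so config values
    are passed verbatim and can never be parsed as shell syntax.  A non-zero
    exit status is reported but, as before, does not abort the run.
    """
    import subprocess

    def run(argv, stdin_data=None):
        """Run *argv* without a shell; feed *stdin_data* (bytes) on stdin if given.

        Returns the child's exit status; a failure is printed, not raised.
        """
        stdin = subprocess.PIPE if stdin_data is not None else None
        proc = subprocess.Popen(argv, stdin=stdin)
        proc.communicate(stdin_data)
        if proc.returncode != 0:
            print('warning: {0} exited with status {1}'.format(argv[0], proc.returncode))
        return proc.returncode

    parser = argparse.ArgumentParser(description='generates secrets for txbits')
    parser.add_argument('config_json_path', metavar='config.json', help='config file path')
    args = parser.parse_args()
    with open(args.config_json_path, 'r') as conf_file:
        conf = json.load(conf_file)
    os.makedirs(conf['path'], exist_ok=True)

    def pfx(path):
        """Resolve *path* relative to the configured output directory."""
        return os.path.join(conf['path'], path)

    # DKIM: opendkim-genkey writes default.private / default.txt into the cwd,
    # so both files are moved into place afterwards.
    filename = pfx('opendkim/default.private')
    filename2 = pfx('opendkim/default.txt')
    if not_exists(filename, filename2):
        make_dirs(filename)
        run(['opendkim-genkey', '-b', '2048', '-d', conf['mail_for_fqdn']])
        mv('default.private', filename)
        print("You probably want to add this entry to your DNS:")
        print(read('default.txt'))
        mv('default.txt', filename2)

    # ssl certs
    def process_cert(conf_property, dst_key_path, dst_cert_path, domain):
        """Create a self-signed key/cert for *domain*, or copy the configured pair.

        ``conf[conf_property]`` selects the mode via ``self_signed``; otherwise
        its ``key_path``/``cert_path`` are copied to the destination paths.
        """
        if not not_exists(dst_key_path, dst_cert_path):
            return
        make_dirs(dst_key_path)
        make_dirs(dst_cert_path)
        cert_conf = conf[conf_property]
        if cert_conf['self_signed']:
            run(['openssl', 'req', '-x509', '-newkey', 'rsa:2048',
                 '-keyout', dst_key_path, '-out', dst_cert_path,
                 '-days', '365', '-nodes',
                 '-subj', '/CN={0}/'.format(domain)])
            print("TLS key generated.")
        else:
            cp(cert_conf['key_path'], dst_key_path)
            cp(cert_conf['cert_path'], dst_cert_path)

    #TODO: change this path to be less silly
    process_cert('mail_cert',
        pfx('tls/key.pem'),
        pfx('tls/cert.pem'),
        conf['mailserver_fqdn']
    )
    process_cert('frontend_cert',
        pfx(os.path.join('certs', conf['frontend_fqdn'], 'cert.key')),
        pfx(os.path.join('certs', conf['frontend_fqdn'], 'cert.pem')),
        conf['frontend_fqdn']
    )
    process_cert('monitor_cert',
        pfx(os.path.join('certs', conf['monitor_fqdn'], 'cert.key')),
        pfx(os.path.join('certs', conf['monitor_fqdn'], 'cert.pem')),
        conf['monitor_fqdn']
    )
    process_cert('database_cert',
        pfx(os.path.join('certs', 'postgres', 'server.key')),
        pfx(os.path.join('certs', 'postgres', 'server.crt')),
        conf['database_fqdn']
    )
    process_cert('lumberjack_cert',
        pfx(os.path.join('certs', 'lumberjack', 'lumberjack.key')),
        pfx(os.path.join('certs', 'lumberjack', 'lumberjack.crt')),
        conf['monitor_fqdn']
    )
    process_cert('lumberjack_server_cert',
        pfx(os.path.join('certs', 'lumberjack', 'lumberjack_server.key')),
        pfx(os.path.join('certs', 'lumberjack', 'lumberjack_server.crt')),
        conf['monitor_fqdn']
    )
    # The lumberjack server cert doubles as the CA the monitor trusts.
    filename = pfx(os.path.join('certs', 'lumberjack', 'monitor_ca.crt'))
    if not_exists(filename):
        cp(pfx(os.path.join('certs', 'lumberjack', 'lumberjack_server.crt')), filename)

    # dhparam (the frontend cert directory already exists at this point)
    filename = pfx('certs/{0}/dhparam.pem'.format(conf['frontend_fqdn']))
    if not_exists(filename):
        run(['openssl', 'dhparam', '-out', filename, '2048'])

    # spiped
    def make_spiped_secret(name):
        """Write 32 bytes from the OS CSPRNG to spiped/<name>, readable by the owner only."""
        filename = pfx('spiped/' + name)
        if not_exists(filename):
            make_dirs(filename)
            # 0o600 at creation so the key is never world-readable, not even briefly.
            fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, 'wb') as fh:
                fh.write(os.urandom(32))

    spiped_secrets = conf['spiped_secrets']
    for secret_name in spiped_secrets:
        make_spiped_secret(secret_name)

    # SystemRandom draws from os.urandom, so it is suitable for secrets
    # (https://docs.python.org/2/library/random.html#random.SystemRandom).
    rng = random.SystemRandom()
    charset = string.ascii_letters + string.digits
    charset_lowercase = string.ascii_lowercase + string.digits

    def random_pass():
        """42-character password: a letter followed by 41 letters/digits."""
        return rng.choice(string.ascii_letters) + ''.join(rng.choice(charset) for _ in range(41))

    def random_pass_lowercase():
        """42-character password: a lowercase letter followed by 41 lowercase letters/digits."""
        return rng.choice(string.ascii_lowercase) + ''.join(rng.choice(charset_lowercase) for _ in range(41))

    # vars (passwords, etc): values already present in vars.yml are kept, so
    # re-running never rotates an existing secret.
    filename = pfx('vars.yml')
    if not_exists(filename):
        data_loaded = {}
    else:
        with open(filename, 'r') as stream:
            # safe_load: this file is our own scalar output and must never be
            # able to instantiate arbitrary Python objects on load.  An empty
            # file loads as None, hence the fallback.
            data_loaded = yaml.safe_load(stream) or {}

    vars_conf = conf['vars']
    # generate password hash for user module
    # TODO: it would be great to rename mail_password to something like mail_password_hash
    if vars_conf['txbits_mail_password'] == '[generate]':
        vars_conf['txbits_mail_password'] = random_pass()
    vars_conf['mail_password'] = linux_context.encrypt(vars_conf['txbits_mail_password'])

    for key, value in vars_conf.items():
        if key in data_loaded:
            # Report the key only: stored values are passwords and must not
            # land in the terminal scrollback or a provisioning log.
            print(key + ' : (kept existing value)')
            continue
        if value == '[generate]':
            value = random_pass()
        elif value == '[generate_lowercase]':
            value = random_pass_lowercase()
        data_loaded[key] = value
    # Created 0o600 (an existing file keeps its mode); the file holds plaintext passwords.
    fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with io.open(fd, 'w', encoding='utf8') as outfile:
        yaml.dump(data_loaded, outfile, default_flow_style=False, allow_unicode=True)
    print("Wrote vars file.")

    # trust store for trusting the self signed cert of the mail server in staging
    filename = pfx('txbits_truststore')
    if not_exists(filename):
        make_dirs(filename)
        # The store only receives the mail server's public certificate, so the
        # fixed store password protects integrity rather than confidentiality.
        run(['keytool', '-delete', '-keystore', filename,
             '-import', '-file', pfx('tls/cert.pem'),
             '-storepass', 'password', '-noprompt'])

    # tarsnap
    if conf['backups']:
        def gen_tarsnap_key(name):
            """Create tarsnap master and write-only keys for machine <name>_<path>."""
            master_filename = pfx('tarsnap/{0}/master.key'.format(name))
            filename = pfx('tarsnap/{0}/writeonly.key'.format(name))
            if not not_exists(master_filename, filename):
                return
            make_dirs(master_filename)
            # The account password is fed straight to tarsnap-keygen's stdin.
            # The previous `echo -n ... |` pipeline put it on a shell command
            # line, where it was visible in the process list.
            run(['tarsnap-keygen', '--keyfile', master_filename,
                 '--user', conf['tarsnap_username'],
                 '--machine', '{0}_{1}'.format(name, conf['path'])],
                stdin_data=str(conf['tarsnap_password']).encode('utf8'))
            print("Created tarsnap master key.")
            make_dirs(filename)
            run(['tarsnap-keymgmt', '--outkeyfile', filename, '-w', master_filename])
            print("Created tarsnap write only key.")

        # NOTE(review): the original rebound gen_tarsnap_key to conf['gen_tarsnap_key']
        # immediately before calling it, which for any JSON value raises TypeError;
        # the iteration over spiped_secrets it used is kept here.
        for secret_name in spiped_secrets:
            gen_tarsnap_key(secret_name)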
# [email protected] - (c) Red Hat, inc 2013
# gpl v2+
# utterly trivial so I'm not worried one way or the other

# This source code adapted from http://skvidal.fedorapeople.org/misc/shapass
# Enhancements (c) Jesse Buchanan 2014 - GPL v2+

# Purpose: Generates a secure, crypted password for use in /etc/shadow.
# Usage: Execute without arguments.

import string
import getpass
import sys

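try:
    from passlib.hosts import linux_context
except ImportError:
    print("Couldn't import passlib. Try: pip install passlib")
    sys.exit(1)


def prompt_for_password():
    """Ask for a password twice (echo off) until both entries agree and are non-empty.

    Returns the confirmed plaintext.  An empty entry is refused because hashing
    "" would yield a shadow entry that accepts a blank password.
    """
    while True:
        first = getpass.getpass()
        second = getpass.getpass(prompt="Re-enter Password: ")
        if first != second:
            print('Passwords do not match, try again!')
        elif not first:
            print('Empty password not accepted, try again!')
        else:
            return first


# linux_context hashes the way the host's /etc/shadow expects (sha512_crypt on
# modern systems).  Newer passlib names this method `hash`; `encrypt` remains
# as a deprecated alias.  Only the hash is printed, never the plaintext.
print(linux_context.encrypt(prompt_for_password()))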
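def main():
    """Generate or copy every secret a txbits deployment needs under conf['path'].

    Reads the JSON config named on the command line, then idempotently creates
    DKIM keys, TLS key/cert pairs, DH parameters, spiped secrets, a ``vars.yml``
    of passwords, a Java trust store and (when ``backups`` is set) tarsnap keys.
    Anything that already exists on disk is left untouched.  Relies on the
    module's helpers ``not_exists``/``make_dirs``/``mv``/``cp``/``read`` (defined
    outside this function) and on ``linux_context`` from passlib.

    External tools (opendkim-genkey, openssl, keytool, tarsnap-keygen,
    tarsnap-keymgmt) are invoked as argv lists without a shell, so config values
    are passed verbatim and can never be parsed as shell syntax.  A non-zero
    exit status is reported but, as before, does not abort the run.
    """
    import subprocess

    def run(argv, stdin_data=None):
        """Run *argv* without a shell; feed *stdin_data* (bytes) on stdin if given.

        Returns the child's exit status; a failure is printed, not raised.
        """
        stdin = subprocess.PIPE if stdin_data is not None else None
        proc = subprocess.Popen(argv, stdin=stdin)
        proc.communicate(stdin_data)
        if proc.returncode != 0:
            print('warning: {0} exited with status {1}'.format(argv[0], proc.returncode))
        return proc.returncode

    parser = argparse.ArgumentParser(description='generates secrets for txbits')
    parser.add_argument('config_json_path', metavar='config.json', help='config file path')
    args = parser.parse_args()
    with open(args.config_json_path, 'r') as conf_file:
        conf = json.load(conf_file)
    os.makedirs(conf['path'], exist_ok=True)

    def pfx(path):
        """Resolve *path* relative to the configured output directory."""
        return os.path.join(conf['path'], path)

    # DKIM: opendkim-genkey writes default.private / default.txt into the cwd,
    # so both files are moved into place afterwards.
    filename = pfx('opendkim/default.private')
    filename2 = pfx('opendkim/default.txt')
    if not_exists(filename, filename2):
        make_dirs(filename)
        run(['opendkim-genkey', '-b', '2048', '-d', conf['mail_for_fqdn']])
        mv('default.private', filename)
        print("You probably want to add this entry to your DNS:")
        print(read('default.txt'))
        mv('default.txt', filename2)

    # ssl certs
    def process_cert(conf_property, dst_key_path, dst_cert_path, domain):
        """Create a self-signed key/cert for *domain*, or copy the configured pair.

        ``conf[conf_property]`` selects the mode via ``self_signed``; otherwise
        its ``key_path``/``cert_path`` are copied to the destination paths.
        """
        if not not_exists(dst_key_path, dst_cert_path):
            return
        make_dirs(dst_key_path)
        make_dirs(dst_cert_path)
        cert_conf = conf[conf_property]
        if cert_conf['self_signed']:
            run(['openssl', 'req', '-x509', '-newkey', 'rsa:2048',
                 '-keyout', dst_key_path, '-out', dst_cert_path,
                 '-days', '365', '-nodes',
                 '-subj', '/CN={0}/'.format(domain)])
            print("TLS key generated.")
        else:
            cp(cert_conf['key_path'], dst_key_path)
            cp(cert_conf['cert_path'], dst_cert_path)

    #TODO: change this path to be less silly
    process_cert('mail_cert',
        pfx('tls/key.pem'),
        pfx('tls/cert.pem'),
        conf['mailserver_fqdn']
    )
    process_cert('frontend_cert',
        pfx(os.path.join('certs', conf['frontend_fqdn'], 'cert.key')),
        pfx(os.path.join('certs', conf['frontend_fqdn'], 'cert.pem')),
        conf['frontend_fqdn']
    )
    process_cert('monitor_cert',
        pfx(os.path.join('certs', conf['monitor_fqdn'], 'cert.key')),
        pfx(os.path.join('certs', conf['monitor_fqdn'], 'cert.pem')),
        conf['monitor_fqdn']
    )
    process_cert('database_cert',
        pfx(os.path.join('certs', 'postgres', 'server.key')),
        pfx(os.path.join('certs', 'postgres', 'server.crt')),
        conf['database_fqdn']
    )
    process_cert('lumberjack_cert',
        pfx(os.path.join('certs', 'lumberjack', 'lumberjack.key')),
        pfx(os.path.join('certs', 'lumberjack', 'lumberjack.crt')),
        conf['monitor_fqdn']
    )
    process_cert('lumberjack_server_cert',
        pfx(os.path.join('certs', 'lumberjack', 'lumberjack_server.key')),
        pfx(os.path.join('certs', 'lumberjack', 'lumberjack_server.crt')),
        conf['monitor_fqdn']
    )
    # The lumberjack server cert doubles as the CA the monitor trusts.
    filename = pfx(os.path.join('certs', 'lumberjack', 'monitor_ca.crt'))
    if not_exists(filename):
        cp(pfx(os.path.join('certs', 'lumberjack', 'lumberjack_server.crt')), filename)

    # dhparam (the frontend cert directory already exists at this point)
    filename = pfx('certs/{0}/dhparam.pem'.format(conf['frontend_fqdn']))
    if not_exists(filename):
        run(['openssl', 'dhparam', '-out', filename, '2048'])

    # spiped
    def make_spiped_secret(name):
        """Write 32 bytes from the OS CSPRNG to spiped/<name>, readable by the owner only."""
        filename = pfx('spiped/' + name)
        if not_exists(filename):
            make_dirs(filename)
            # 0o600 at creation so the key is never world-readable, not even briefly.
            fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, 'wb') as fh:
                fh.write(os.urandom(32))

    spiped_secrets = [
        'memcached',
        'bitcoind',
        'litecoind',
    ]
    for secret_name in spiped_secrets:
        make_spiped_secret(secret_name)

    # SystemRandom draws from os.urandom, so it is suitable for secrets
    # (https://docs.python.org/2/library/random.html#random.SystemRandom).
    rng = random.SystemRandom()
    charset = string.ascii_letters + string.digits
    charset_lowercase = string.ascii_lowercase + string.digits

    def random_pass():
        """42-character password: a letter followed by 41 letters/digits."""
        return rng.choice(string.ascii_letters) + ''.join(rng.choice(charset) for _ in range(41))

    def random_pass_lowercase():
        """42-character password: a lowercase letter followed by 41 lowercase letters/digits."""
        return rng.choice(string.ascii_lowercase) + ''.join(rng.choice(charset_lowercase) for _ in range(41))

    # vars (passwords, etc): written once; an existing vars.yml is never rewritten,
    # so re-running does not rotate secrets.
    filename = pfx('vars.yml')
    if not_exists(filename):
        vars_conf = conf['vars']
        # generate password hash for user module
        # TODO: it would be great to rename mail_password to something like mail_password_hash
        if vars_conf['txbits_mail_password'] == '[generate]':
            vars_conf['txbits_mail_password'] = random_pass()
        vars_conf['mail_password'] = linux_context.encrypt(vars_conf['txbits_mail_password'])

        lines = []
        for key, value in vars_conf.items():
            if value == '[generate]':
                value = random_pass()
            elif value == '[generate_lowercase]':
                value = random_pass_lowercase()
            # json.dumps produces a valid double-quoted YAML scalar, so a value
            # containing quotes or backslashes (or a non-string) no longer
            # corrupts the file the way raw `k: "v"` concatenation did.
            lines.append('{0}: {1}\n'.format(key, json.dumps(value)))
        # Created 0o600: the file holds plaintext passwords.
        fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as outfile:
            outfile.write(''.join(lines))
        print("Wrote vars file.")

    # trust store for trusting the self signed cert of the mail server in staging
    filename = pfx('txbits_truststore')
    if not_exists(filename):
        make_dirs(filename)
        # The store only receives the mail server's public certificate, so the
        # fixed store password protects integrity rather than confidentiality.
        run(['keytool', '-delete', '-keystore', filename,
             '-import', '-file', pfx('tls/cert.pem'),
             '-storepass', 'password', '-noprompt'])

    # tarsnap
    if conf['backups']:
        def gen_tarsnap_key(name):
            """Create tarsnap master and write-only keys for machine <name>_<path>."""
            master_filename = pfx('tarsnap/{0}/master.key'.format(name))
            filename = pfx('tarsnap/{0}/writeonly.key'.format(name))
            if not not_exists(master_filename, filename):
                return
            make_dirs(master_filename)
            # The account password is fed straight to tarsnap-keygen's stdin.
            # The previous `echo -n ... |` pipeline put it on a shell command
            # line, where it was visible in the process list.
            run(['tarsnap-keygen', '--keyfile', master_filename,
                 '--user', conf['tarsnap_username'],
                 '--machine', '{0}_{1}'.format(name, conf['path'])],
                stdin_data=str(conf['tarsnap_password']).encode('utf8'))
            print("Created tarsnap master key.")
            make_dirs(filename)
            run(['tarsnap-keymgmt', '--outkeyfile', filename, '-w', master_filename])
            print("Created tarsnap write only key.")

        gen_tarsnap_key('bitcoin')
        gen_tarsnap_key('litecoin')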
def gen_sha512(passwd):
    """Return the /etc/shadow-style hash of *passwd* from passlib's ``linux_context``.

    The name reflects the context's default scheme (sha512_crypt); the
    plaintext is not retained beyond this call.
    """
    hashed = linux_context.encrypt(passwd)
    return hashed