Scytale: Ansible Automated Private Key Infrastructure.

In cryptography, a scytale, is a tool used to perform a transposition cipher, consisting of a cylinder with a strip of parchment wound around it on which is written a message. The ancient Greeks, and the Spartans in particular, are said to have used this cipher to communicate during military campaigns.

Wikipedia

Scytale Github Link here

Background

While building my own infrastructure/intranet I started wanting to have SSL/TLS connections. Almost all of my connections currently take place over Wireguard anyway. This is handled by a project called Mercury that I still need to opensource.

Now I have a couple VM's at the moment that host various docker containers. While they all sit inside the Wireguard network some connections I would prefer to happen without leaving the LAN. All of the hosts are VM's on the same NAS that creates the NFS shares that the Docker hosts create their volumes from. But only one of the Docker hosts contains the stateful applications, eg Postgres, Docker Registry, RabitMQ, Prometheus.

This is where the SSL comes in we want our services to talk to Postgres/RabitMQ etc over SSL/TLS. Additionally we can require any clients to also present a certificate for authentication.

PKI Basics

Both the server and client certificates are signed by our Root CA. The Root CA certificate is installed on both the client and server thus they can each validate each other against the Root CA. More of this is covered in the project's readme.

Getting Started

Some setup

git clone https://github.com/ncrmro/scytale.git

cd scytale

pip install ansible==2.9.10

# If you already have an Ansible Vault Key set its path in vars.yml otherwise
echo random_password > ~/.ansible/vault/default_key.txt

To run the ansible play just run

sh ./main.sh

This calls

ansible-playbook --vault-password-file ~/.ansible/vault/default_key.txt -i hosts main.yml

Whoot! now you have your private key infrastructure.

If you check your vars_vault.yml it now contains all your private keys which can be checked into your git repo!