chore: add current provisioning state before migration

taskservs/kms/default/env-kms.j2

@@ -0,0 +1,55 @@
+# Cosmian KMS Environment Configuration
+# Generated by provisioning system
+
+KMS_VERSION={{ kms.version }}
+KMS_RUN_USER={{ kms.run_user.name }}
+KMS_RUN_GROUP={{ kms.run_user.group }}
+KMS_RUN_USER_HOME={{ kms.run_user.home }}
+KMS_WORK_PATH={{ kms.work_path }}
+KMS_CONFIG_PATH={{ kms.config_path }}
+KMS_CONFIG_FILE={{ kms.config_file }}
+KMS_RUN_PATH={{ kms.run_path }}
+
+# Server Configuration
+KMS_BIND_ADDR={{ kms.bind_addr }}
+KMS_PORT={{ kms.port }}
+KMS_LOG_LEVEL={{ kms.log_level }}
+KMS_FIPS_MODE={{ kms.fips_mode | lower }}
+
+# Database Configuration
+KMS_DATABASE_TYPE={{ kms.database.typ }}
+{% if kms.database.typ != "sqlite" %}
+KMS_DATABASE_HOST={{ kms.database.host }}
+KMS_DATABASE_PORT={{ kms.database.port }}
+KMS_DATABASE_NAME={{ kms.database.database }}
+KMS_DATABASE_USERNAME={{ kms.database.username }}
+KMS_DATABASE_PASSWORD={{ kms.database.password }}
+KMS_DATABASE_SSL_MODE={{ kms.database.ssl_mode }}
+{% else %}
+KMS_DATABASE_PATH={{ kms.database.path }}
+{% endif %}
+
+# TLS Configuration
+KMS_TLS_ENABLED={{ kms.tls_enabled | lower }}
+{% if kms.tls_enabled %}
+KMS_CERT_FILE={{ kms.cert_file }}
+KMS_KEY_FILE={{ kms.key_file }}
+{% if kms.ca_cert_file is defined %}
+KMS_CA_CERT_FILE={{ kms.ca_cert_file }}
+{% endif %}
+{% endif %}
+
+# Authentication Configuration
+KMS_AUTH_ENABLED={{ kms.auth.enabled | lower }}
+{% if kms.auth.enabled %}
+KMS_JWT_ISSUER_URI={{ kms.auth.jwt_issuer_uri }}
+{% if kms.auth.jwks_uri is defined %}
+KMS_JWKS_URI={{ kms.auth.jwks_uri }}
+{% endif %}
+{% if kms.auth.jwt_audience is defined %}
+KMS_JWT_AUDIENCE={{ kms.auth.jwt_audience }}
+{% endif %}
+{% endif %}
+
+# Configuration file path for runtime
+COSMIAN_KMS_CONF={{ kms.config_path }}/{{ kms.config_file }}

taskservs/kms/default/install-kms.sh

@@ -0,0 +1,185 @@
+#!/bin/bash
+# Info: Script to install Cosmian KMS
+# Author: Provisioning System
+# Release: 1.0
+# Date: 2025-07-24
+
+USAGE="install-kms.sh"
+[ "$1" == "-h" ] && echo "$USAGE" && exit 1
+
+[ -r "env-kms" ] && . ./env-kms
+
+KMS_VERSION=${KMS_VERSION:-4.17.0}
+
+# Determine architecture
+ARCH="$(uname -m)"
+case $ARCH in
+    x86_64) ARCH="x86_64" ;;
+    aarch64) ARCH="aarch64" ;;
+    *) echo "Unsupported architecture: $ARCH" && exit 1 ;;
+esac
+
+KMS_URL=https://github.com/Cosmian/kms/releases/download
+KMS_BINARY=v${KMS_VERSION}/cosmian_kms_server-${KMS_VERSION}-${ARCH}-unknown-linux-gnu
+KMS_CLI_BINARY=v${KMS_VERSION}/ckms-${KMS_VERSION}-${ARCH}-unknown-linux-gnu
+
+KMS_RUN_PATH=${KMS_RUN_PATH:-/usr/local/bin/cosmian_kms}
+KMS_CLI_PATH=${KMS_CLI_PATH:-/usr/local/bin/ckms}
+KMS_SYSTEMCTL_MODE=${KMS_SYSTEMCTL_MODE:-enabled}
+
+KMS_CONFIG_PATH=${KMS_CONFIG_PATH:-/etc/cosmian}
+KMS_WORK_PATH=${KMS_WORK_PATH:-/var/lib/kms}
+KMS_CONFIG_FILE=${KMS_CONFIG_FILE:-kms.toml}
+
+KMS_RUN_USER=${KMS_RUN_USER:-kms}
+KMS_RUN_GROUP=${KMS_RUN_GROUP:-kms}
+KMS_RUN_USER_HOME=${KMS_RUN_USER_HOME:-/home/kms}
+
+KMS_PORT=${KMS_PORT:-9998}
+KMS_LOG_LEVEL=${KMS_LOG_LEVEL:-info}
+KMS_DATABASE_TYPE=${KMS_DATABASE_TYPE:-sqlite}
+KMS_DATABASE_PATH=${KMS_DATABASE_PATH:-/var/lib/kms/kms.db}
+
+echo "Installing Cosmian KMS ${KMS_VERSION}..."
+
+# Install dependencies
+echo "Installing dependencies..."
+if command -v apt-get >/dev/null 2>&1; then
+    apt-get update
+    apt-get install -y curl ca-certificates openssl libssl3
+elif command -v yum >/dev/null 2>&1; then
+    yum update -y
+    yum install -y curl ca-certificates openssl openssl-libs
+elif command -v dnf >/dev/null 2>&1; then
+    dnf update -y
+    dnf install -y curl ca-certificates openssl openssl-libs
+else
+    echo "Package manager not found. Please install curl, ca-certificates, and openssl manually."
+    exit 1
+fi
+
+# Create user and group
+if ! id "$KMS_RUN_USER" &>/dev/null; then
+    groupadd -r "$KMS_RUN_GROUP"
+    useradd -r -g "$KMS_RUN_GROUP" -d "$KMS_RUN_USER_HOME" -s /bin/bash -c "Cosmian KMS service user" "$KMS_RUN_USER"
+fi
+
+# Create directories
+mkdir -p "$KMS_CONFIG_PATH"
+mkdir -p "$KMS_WORK_PATH"
+mkdir -p "$KMS_RUN_USER_HOME"
+mkdir -p "$(dirname "$KMS_DATABASE_PATH")"
+
+# Download and install KMS server
+cd /tmp
+echo "Downloading KMS server from ${KMS_URL}/${KMS_BINARY}..."
+curl -L -o cosmian_kms_server "${KMS_URL}/${KMS_BINARY}"
+
+if [ ! -f "cosmian_kms_server" ]; then
+    echo "Failed to download KMS server binary"
+    exit 1
+fi
+
+# Download and install KMS CLI
+echo "Downloading KMS CLI from ${KMS_URL}/${KMS_CLI_BINARY}..."
+curl -L -o ckms "${KMS_URL}/${KMS_CLI_BINARY}"
+
+if [ ! -f "ckms" ]; then
+    echo "Failed to download KMS CLI binary"
+    exit 1
+fi
+
+# Install binaries
+chmod +x cosmian_kms_server ckms
+mv cosmian_kms_server "$(dirname "$KMS_RUN_PATH")/"
+mv ckms "$(dirname "$KMS_CLI_PATH")/"
+
+# Create configuration file from template if it exists
+if [ -f "kms.toml.j2" ] && command -v jinja2 >/dev/null 2>&1; then
+    echo "Generating configuration file..."
+    # This would typically be handled by the provisioning system's template engine
+    cp kms.toml.j2 "$KMS_CONFIG_PATH/$KMS_CONFIG_FILE.template"
+else
+    # Create basic configuration file
+    cat > "$KMS_CONFIG_PATH/$KMS_CONFIG_FILE" << EOF
+[server]
+port = $KMS_PORT
+bind_addr = "0.0.0.0"
+
+[database]
+database_type = "$KMS_DATABASE_TYPE"
+$(if [ "$KMS_DATABASE_TYPE" = "sqlite" ]; then echo "database_path = \"$KMS_DATABASE_PATH\""; fi)
+
+[logging]
+level = "$KMS_LOG_LEVEL"
+EOF
+fi
+
+# Set ownership
+chown -R "$KMS_RUN_USER:$KMS_RUN_GROUP" "$KMS_WORK_PATH"
+chown -R "$KMS_RUN_USER:$KMS_RUN_GROUP" "$KMS_RUN_USER_HOME"
+chown -R "$KMS_RUN_USER:$KMS_RUN_GROUP" "$KMS_CONFIG_PATH"
+
+# Initialize database if using SQLite
+if [ "$KMS_DATABASE_TYPE" = "sqlite" ]; then
+    # Ensure database directory exists and has proper permissions
+    mkdir -p "$(dirname "$KMS_DATABASE_PATH")"
+    chown -R "$KMS_RUN_USER:$KMS_RUN_GROUP" "$(dirname "$KMS_DATABASE_PATH")"
+fi
+
+# Create systemd service file
+cat > /etc/systemd/system/cosmian-kms.service << EOF
+[Unit]
+Description=Cosmian KMS Server
+Documentation=https://github.com/Cosmian/kms
+After=network.target
+
+[Service]
+Type=simple
+User=$KMS_RUN_USER
+Group=$KMS_RUN_GROUP
+Environment=COSMIAN_KMS_CONF=$KMS_CONFIG_PATH/$KMS_CONFIG_FILE
+Environment=RUST_LOG=$KMS_LOG_LEVEL
+WorkingDirectory=$KMS_WORK_PATH
+ExecStart=$KMS_RUN_PATH --config-file $KMS_CONFIG_PATH/$KMS_CONFIG_FILE
+Restart=always
+RestartSec=10
+
+# Security settings  
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=$KMS_WORK_PATH $KMS_CONFIG_PATH
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Enable and start service
+systemctl daemon-reload
+systemctl "$KMS_SYSTEMCTL_MODE" cosmian-kms.service
+
+if [ "$KMS_SYSTEMCTL_MODE" = "enabled" ]; then
+    systemctl start cosmian-kms.service
+fi
+
+# Cleanup
+cd /
+rm -rf /tmp/cosmian_kms_server /tmp/ckms
+
+echo "Cosmian KMS installation completed!"
+echo "Service: cosmian-kms.service"
+echo "KMS Server available at: http://$(hostname):$KMS_PORT"
+echo "CLI tool: $KMS_CLI_PATH"
+echo "Configuration: $KMS_CONFIG_PATH/$KMS_CONFIG_FILE"
+echo "Data directory: $KMS_WORK_PATH"
+
+# Display service status
+if systemctl is-active --quiet cosmian-kms.service; then
+    echo "✅ KMS service is running"
+else
+    echo "⚠️  KMS service status:"
+    systemctl status cosmian-kms.service --no-pager -l
+fi

taskservs/kms/default/kms.service.j2

@@ -0,0 +1,40 @@
+[Unit]
+Description=Cosmian KMS Server
+Documentation=https://github.com/Cosmian/kms
+After=network.target
+{% if kms.database.typ == "mysql" %}
+After=mysql.service
+Wants=mysql.service
+{% elif kms.database.typ == "postgresql" %}
+After=postgresql.service
+Wants=postgresql.service
+{% elif kms.database.typ == "redis" %}
+After=redis.service
+Wants=redis.service
+{% endif %}
+
+[Service]
+Type=simple
+User={{ kms.run_user.name }}
+Group={{ kms.run_user.group }}
+Environment=COSMIAN_KMS_CONF={{ kms.config_path }}/{{ kms.config_file }}
+Environment=RUST_LOG={{ kms.log_level }}{% if kms.fips_mode %},cosmian_kms_server=debug{% endif %}
+
+WorkingDirectory={{ kms.work_path }}
+ExecStart={{ kms.run_path }} --config-file {{ kms.config_path }}/{{ kms.config_file }}
+Restart=always
+RestartSec=10
+
+# Security settings
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths={{ kms.work_path }} {{ kms.config_path }}{% if kms.database.typ == "sqlite" %} {{ kms.database.path | dirname }}{% endif %}
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Resource limits
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target

taskservs/kms/default/kms.toml.j2

@@ -0,0 +1,47 @@
+# Cosmian KMS Configuration File
+# Generated by provisioning system
+
+[server]
+port = {{ kms.port }}
+bind_addr = "{{ kms.bind_addr }}"
+
+{% if kms.tls_enabled %}
+[tls]
+cert_file = "{{ kms.cert_file }}"
+key_file = "{{ kms.key_file }}"
+{% if kms.ca_cert_file is defined %}
+ca_cert_file = "{{ kms.ca_cert_file }}"
+{% endif %}
+{% endif %}
+
+[database]
+{% if kms.database.typ == "sqlite" %}
+database_type = "sqlite"
+database_path = "{{ kms.database.path }}"
+{% elif kms.database.typ == "mysql" %}
+database_type = "mysql"
+database_url = "mysql://{{ kms.database.username }}:{{ kms.database.password }}@{{ kms.database.host }}:{{ kms.database.port }}/{{ kms.database.database }}"
+{% elif kms.database.typ == "postgresql" %}
+database_type = "postgresql" 
+database_url = "postgresql://{{ kms.database.username }}:{{ kms.database.password }}@{{ kms.database.host }}:{{ kms.database.port }}/{{ kms.database.database }}"
+{% elif kms.database.typ == "redis" %}
+database_type = "redis-findex"
+database_url = "redis://{{ kms.database.host }}:{{ kms.database.port }}"
+{% if kms.database.password %}
+redis_master_password = "{{ kms.database.password }}"
+{% endif %}
+{% endif %}
+
+{% if kms.auth.enabled %}
+[auth]
+jwt_issuer_uri = "{{ kms.auth.jwt_issuer_uri }}"
+{% if kms.auth.jwks_uri is defined %}
+jwks_uri = "{{ kms.auth.jwks_uri }}"
+{% endif %}
+{% if kms.auth.jwt_audience is defined %}
+jwt_audience = "{{ kms.auth.jwt_audience }}"
+{% endif %}
+{% endif %}
+
+[logging]
+level = "{{ kms.log_level }}"

taskservs/kms/default/prepare

@@ -0,0 +1,80 @@
+#!/bin/bash
+# Info: Cosmian KMS preparation script
+# Author: Provisioning System
+# Release: 1.0
+
+echo "Preparing Cosmian KMS installation..."
+
+# Load environment variables
+[ -r "env-kms" ] && . ./env-kms
+
+# Check if required tools are available
+command -v curl >/dev/null 2>&1 || { echo "curl is required but not installed." >&2; exit 1; }
+command -v systemctl >/dev/null 2>&1 || { echo "systemctl is required but not installed." >&2; exit 1; }
+
+# Check OpenSSL version (KMS requires OpenSSL v3.2.0+)
+if command -v openssl >/dev/null 2>&1; then
+    OPENSSL_VERSION=$(openssl version | awk '{print $2}')
+    echo "Found OpenSSL version: $OPENSSL_VERSION"
+    
+    # Basic version check (simplified)
+    MAJOR_VERSION=$(echo "$OPENSSL_VERSION" | cut -d. -f1)
+    if [ "$MAJOR_VERSION" -lt "3" ]; then
+        echo "Warning: OpenSSL version 3.2.0+ is recommended for KMS"
+    fi
+else
+    echo "Warning: OpenSSL not found. KMS requires OpenSSL v3.2.0+"
+fi
+
+# Validate configuration
+if [ -z "$KMS_VERSION" ]; then
+    echo "KMS_VERSION must be set" >&2
+    exit 1
+fi
+
+if [ -z "$KMS_PORT" ]; then
+    echo "KMS_PORT must be set" >&2
+    exit 1
+fi
+
+# Check port availability
+if command -v netstat >/dev/null 2>&1; then
+    if netstat -tuln | grep -q ":${KMS_PORT:-9998} "; then
+        echo "Warning: Port ${KMS_PORT:-9998} appears to be in use"
+    fi
+elif command -v ss >/dev/null 2>&1; then
+    if ss -tuln | grep -q ":${KMS_PORT:-9998} "; then
+        echo "Warning: Port ${KMS_PORT:-9998} appears to be in use"
+    fi
+fi
+
+# Validate database configuration
+case "${KMS_DATABASE_TYPE:-sqlite}" in
+    sqlite)
+        echo "Using SQLite database"
+        ;;
+    mysql)
+        if [ -z "$KMS_DATABASE_HOST" ] || [ -z "$KMS_DATABASE_USERNAME" ] || [ -z "$KMS_DATABASE_PASSWORD" ]; then
+            echo "MySQL requires host, username, and password configuration" >&2
+            exit 1
+        fi
+        ;;
+    postgresql)
+        if [ -z "$KMS_DATABASE_HOST" ] || [ -z "$KMS_DATABASE_USERNAME" ] || [ -z "$KMS_DATABASE_PASSWORD" ]; then
+            echo "PostgreSQL requires host, username, and password configuration" >&2
+            exit 1
+        fi
+        ;;
+    redis)
+        if [ -z "$KMS_DATABASE_HOST" ]; then
+            echo "Redis requires host configuration" >&2
+            exit 1
+        fi
+        ;;
+    *)
+        echo "Unsupported database type: ${KMS_DATABASE_TYPE}" >&2
+        exit 1
+        ;;
+esac
+
+echo "Preparation completed successfully."

taskservs/kms/default/provisioning.toml

@@ -0,0 +1,2 @@
+info = "cosmian-kms"
+release = "1.0"