CodeMonkeyCybersecurity
diff --git a/‎Makefile‎
Lines changed: 39 additions & 0 deletions b/‎Makefile‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎outputs/eos-consul-audit-report.md‎
Lines changed: 453 additions & 0 deletions b/‎outputs/eos-consul-audit-report.md‎
Lines changed: 453 additions & 0 deletions
diff --git a/‎pkg/consul/config/generator.go‎
Lines changed: 44 additions & 16 deletions b/‎pkg/consul/config/generator.go‎
Lines changed: 44 additions & 16 deletions
diff --git a/‎pkg/consul/config/generator_test.go‎
Lines changed: 45 additions & 38 deletions b/‎pkg/consul/config/generator_test.go‎
Lines changed: 45 additions & 38 deletions
diff --git a/‎pkg/consul/config/types.go‎
Lines changed: 8 additions & 0 deletions b/‎pkg/consul/config/types.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎pkg/consul/lifecycle/gossip_key.go‎
Lines changed: 98 additions & 0 deletions b/‎pkg/consul/lifecycle/gossip_key.go‎
Lines changed: 98 additions & 0 deletions
@@ -176,3 +176,42 @@ ci: deps fmt-check vet lint test build ## CI pipeline (no auto-fix)
 
 ci-cgo: deps fmt-check vet-cgo lint-cgo test-cgo build ## CI pipeline for CGO packages
 	@echo "[INFO] CGO CI pipeline complete"
+
+##@ Deployment
+
+DEPLOY_SERVERS ?= vhost2
+REMOTE_INSTALL_PATH := /usr/local/bin/eos
+
+deploy: test build ## Deploy to servers (set DEPLOY_SERVERS="host1 host2")
+	@echo "[INFO] Deploying Eos to servers: $(DEPLOY_SERVERS)"
+	@for server in $(DEPLOY_SERVERS); do \
+		echo "[INFO] → Deploying to $$server..."; \
+		scp $(BUILD_DIR)/$(BINARY_NAME) $$server:/tmp/eos-new || exit 1; \
+		ssh $$server "sudo mv /tmp/eos-new $(REMOTE_INSTALL_PATH) && sudo chmod +x $(REMOTE_INSTALL_PATH)" || exit 1; \
+		version=$$(ssh $$server "$(REMOTE_INSTALL_PATH) --version 2>/dev/null || echo 'unknown'"); \
+		echo "[INFO]   ✓ Deployed to $$server (version: $$version)"; \
+	done
+	@echo "[INFO] Deployment complete!"
+
+deploy-check: ## Verify deployment on all servers
+	@echo "[INFO] Checking Eos version on servers..."
+	@for server in $(DEPLOY_SERVERS); do \
+		echo "[INFO] → Checking $$server..."; \
+		ssh $$server "$(REMOTE_INSTALL_PATH) --version" || echo "[ERROR] Failed to get version from $$server"; \
+	done
+
+deploy-all: test build ## Deploy to all production servers
+	@$(MAKE) deploy DEPLOY_SERVERS="vhost2 vhost3 vhost4"
+
+deploy-rollback: ## Rollback to previous version (if backup exists)
+	@echo "[INFO] Rolling back Eos on servers: $(DEPLOY_SERVERS)"
+	@for server in $(DEPLOY_SERVERS); do \
+		echo "[INFO] → Rolling back $$server..."; \
+		backup=$$(ssh $$server "ls -t $(REMOTE_INSTALL_PATH).backup.* 2>/dev/null | head -1"); \
+		if [ -z "$$backup" ]; then \
+			echo "[ERROR] No backup found on $$server"; \
+			exit 1; \
+		fi; \
+		ssh $$server "sudo cp $$backup $(REMOTE_INSTALL_PATH) && sudo chmod +x $(REMOTE_INSTALL_PATH)"; \
+		echo "[INFO]   ✓ Rolled back to $$backup"; \
+	done
@@ -84,6 +84,10 @@ func Generate(rc *eos_io.RuntimeContext, cfg *ConsulConfig) error {
 		bootstrapExpect = 1
 	}
 
+	if cfg.GossipKey == "" {
+		return fmt.Errorf("gossip encryption key is required (set GeneratorConfig.GossipKey)")
+	}
+
 	// Build server mode configuration
 	var serverConfig string
 	if bootstrapExpect == 1 {
@@ -96,6 +100,39 @@ bootstrap = true  # Single-node cluster`
 bootstrap_expect = %d  # Multi-node cluster`, bootstrapExpect)
 	}
 
+	clientAddr := cfg.ClientAddr
+	if clientAddr == "" {
+		clientAddr = "127.0.0.1"
+	}
+	if clientAddr != "127.0.0.1" {
+		log.Warn("Consul client_addr overrides secure default",
+			zap.String("client_addr", clientAddr),
+			zap.String("recommendation", "Use 127.0.0.1 unless ACLs/TLS are enforced"))
+	}
+
+	scriptCheckConfig := "enable_script_checks = false\n"
+	if cfg.EnableLocalScriptChecks {
+		scriptCheckConfig += "enable_local_script_checks = true\n"
+	}
+
+	watcherConfig := ""
+	if cfg.EnableVaultWatcher && !cfg.EnableLocalScriptChecks {
+		log.Warn("Vault watcher requires local script checks; disabling watcher for security",
+			zap.String("handler", "consul-vault-helper"),
+			zap.Bool("requested", cfg.EnableVaultWatcher))
+	}
+	if cfg.EnableVaultWatcher && cfg.EnableLocalScriptChecks {
+		watcherConfig = fmt.Sprintf(`# Watches for external integration
+watches = [
+  {
+    type = "services"
+    handler_type = "script"
+    args = ["%s", "watch"]
+  }
+]
+`, consulVaultHelperPath)
+	}
+
 	config := fmt.Sprintf(`# Consul Configuration for Scaling and Service Discovery
 # Generated by Eos at %s
 
@@ -120,9 +157,9 @@ ports {
   server = %d    # Keep default for RPC
 }
 
-# Network configuration
-client_addr = "0.0.0.0"  # Accept connections from anywhere
-bind_addr = "%s"  # Primary interface IP
+	# Network configuration
+	client_addr = "%s"  # Default: localhost only for security
+	bind_addr = "%s"  # Primary interface IP
 
 # Advertise addresses for when you add more nodes
 advertise_addr = "%s"
@@ -177,8 +214,7 @@ autopilot {
 }
 
 # Script checks disabled for security (enable only with ACLs)
-# enable_script_checks = false  # Use enable_local_script_checks instead
-enable_local_script_checks = true
+%s
 
 # Security settings
 # ACLs enabled by default for secure token management and Vault integration
@@ -191,7 +227,7 @@ acl = {
 }
 
 # Encryption settings (prepared for production)
-# encrypt = "base64-key-here"  # Uncomment and set for production
+encrypt = "%s"  # Gossip encryption key
 
 # TLS settings (prepared for production)
 # tls {
@@ -204,17 +240,9 @@ acl = {
 #   }
 # }
 
-# Watches for external integration
-watches = [
-  {
-    type = "services"
-    handler_type = "script"
-    args = ["%s", "watch"]
-  }
-]
-`, time.Now().Format(time.RFC3339), cfg.DatacenterName, nodeName, consulDefaultDataDir, serverConfig,
+%s`, time.Now().Format(time.RFC3339), cfg.DatacenterName, nodeName, consulDefaultDataDir, serverConfig,
 		shared.PortConsul, portHTTP, portgRPC, portDNS, portSerfLAN, portSerfWAN, portServer,
-		iface.IP, iface.IP, iface.IP, logLevel, shared.GetInternalHostname(), consulVaultHelperPath)
+		clientAddr, iface.IP, iface.IP, iface.IP, logLevel, shared.GetInternalHostname(), cfg.GossipKey, scriptCheckConfig, watcherConfig)
 
 	configPath := consulConfigFile
 
 
@@ -15,13 +15,14 @@ func TestGenerate(t *testing.T) {
 		wantErr  bool
 		checkFn  func(t *testing.T, cfg *ConsulConfig)
 	}{
-		{
-			name: "valid production config",
-			config: &ConsulConfig{
-				DatacenterName:     "production",
-				EnableDebugLogging: false,
-				VaultAvailable:     true,
-			},
+	{
+		name: "valid production config",
+		config: &ConsulConfig{
+			DatacenterName:     "production",
+			EnableDebugLogging: false,
+			VaultAvailable:     true,
+			GossipKey:          "test-gossip-key",
+		},
 			wantErr: false,
 			checkFn: func(t *testing.T, cfg *ConsulConfig) {
 				assert.Equal(t, "production", cfg.DatacenterName)
@@ -31,11 +32,12 @@ func TestGenerate(t *testing.T) {
 		},
 		{
 			name: "valid development config with debug",
-			config: &ConsulConfig{
-				DatacenterName:     "development",
-				EnableDebugLogging: true,
-				VaultAvailable:     false,
-			},
+		config: &ConsulConfig{
+			DatacenterName:     "development",
+			EnableDebugLogging: true,
+			VaultAvailable:     false,
+			GossipKey:          "test-gossip-key",
+		},
 			wantErr: false,
 			checkFn: func(t *testing.T, cfg *ConsulConfig) {
 				assert.Equal(t, "development", cfg.DatacenterName)
@@ -45,23 +47,25 @@ func TestGenerate(t *testing.T) {
 		},
 		{
 			name: "empty datacenter name",
-			config: &ConsulConfig{
-				DatacenterName:     "",
-				EnableDebugLogging: false,
-				VaultAvailable:     false,
-			},
+		config: &ConsulConfig{
+			DatacenterName:     "",
+			EnableDebugLogging: false,
+			VaultAvailable:     false,
+			GossipKey:          "test-gossip-key",
+		},
 			wantErr: false, // Should handle empty datacenter gracefully
 			checkFn: func(t *testing.T, cfg *ConsulConfig) {
 				assert.Equal(t, "", cfg.DatacenterName)
 			},
 		},
 		{
 			name: "datacenter with special characters",
-			config: &ConsulConfig{
-				DatacenterName:     "test-dc_1",
-				EnableDebugLogging: true,
-				VaultAvailable:     true,
-			},
+		config: &ConsulConfig{
+			DatacenterName:     "test-dc_1",
+			EnableDebugLogging: true,
+			VaultAvailable:     true,
+			GossipKey:          "test-gossip-key",
+		},
 			wantErr: false,
 			checkFn: func(t *testing.T, cfg *ConsulConfig) {
 				assert.Equal(t, "test-dc_1", cfg.DatacenterName)
@@ -94,11 +98,12 @@ func TestGenerate(t *testing.T) {
 
 func TestConsulConfig(t *testing.T) {
 	t.Run("config creation", func(t *testing.T) {
-		cfg := &ConsulConfig{
-			DatacenterName:     "test",
-			EnableDebugLogging: true,
-			VaultAvailable:     false,
-		}
+	cfg := &ConsulConfig{
+		DatacenterName:     "test",
+		EnableDebugLogging: true,
+		VaultAvailable:     false,
+		GossipKey:          "test-gossip-key",
+	}
 
 		assert.Equal(t, "test", cfg.DatacenterName)
 		assert.True(t, cfg.EnableDebugLogging)
@@ -116,11 +121,12 @@ func TestConsulConfig(t *testing.T) {
 		}
 
 		for _, dc := range datacenters {
-			cfg := &ConsulConfig{
-				DatacenterName:     dc,
-				EnableDebugLogging: false,
-				VaultAvailable:     true,
-			}
+		cfg := &ConsulConfig{
+			DatacenterName:     dc,
+			EnableDebugLogging: false,
+			VaultAvailable:     true,
+			GossipKey:          "test-gossip-key",
+		}
 
 			assert.Equal(t, dc, cfg.DatacenterName)
 		}
@@ -135,11 +141,12 @@ func TestGeneratePermissions(t *testing.T) {
 	t.Run("handles permission errors gracefully", func(t *testing.T) {
 		rc := testutil.TestRuntimeContext(t)
 
-		cfg := &ConsulConfig{
-			DatacenterName:     "test",
-			EnableDebugLogging: false,
-			VaultAvailable:     false,
-		}
+	cfg := &ConsulConfig{
+		DatacenterName:     "test",
+		EnableDebugLogging: false,
+		VaultAvailable:     false,
+		GossipKey:          "test-gossip-key",
+	}
 
 		// Function should handle permission errors without panicking
 		err := Generate(rc, cfg)
@@ -165,4 +172,4 @@ func TestGenerateWithNilConfig(t *testing.T) {
 
 	// This will currently panic - should be fixed to return error instead
 	_ = Generate(rc, nil)
-}
+}
@@ -8,6 +8,14 @@ type GeneratorConfig struct {
 	EnableDebugLogging bool
 	VaultAvailable     bool
 	BootstrapExpect    int // Number of expected servers (1 = use bootstrap mode, >1 = use bootstrap_expect)
+	ClientAddr         string
+	GossipKey          string
+	// EnableLocalScriptChecks explicitly re-enables local script checks.
+	// Default is false to align with HashiCorp guidance (script checks disabled).
+	EnableLocalScriptChecks bool
+	// EnableVaultWatcher adds the consul-vault-helper script watcher.
+	// Disabled by default because it relies on script handlers.
+	EnableVaultWatcher bool
 }
 
 // DEPRECATED: ConsulConfig is renamed to GeneratorConfig for clarity
 
@@ -0,0 +1,98 @@
+package lifecycle
+
+import (
+	"fmt"
+	"os"
+	"os/user"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/consul/config"
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/consul/secrets"
+	"github.com/uptrace/opentelemetry-go-extra/otelzap"
+	"go.uber.org/zap"
+)
+
+const (
+	consulConfigPath = "/etc/consul.d/consul.hcl"
+	gossipKeyPath    = "/etc/consul.d/gossip.key"
+)
+
+func loadExistingGossipKey(logger otelzap.LoggerWithCtx) string {
+	if data, err := os.ReadFile(gossipKeyPath); err == nil {
+		if key := strings.TrimSpace(string(data)); key != "" {
+			logger.Info("Reusing gossip encryption key from cache file",
+				zap.String("path", gossipKeyPath))
+			return key
+		}
+	}
+
+	if data, err := os.ReadFile(consulConfigPath); err == nil {
+		if parsed, parseErr := config.ParseHCL(string(data)); parseErr == nil && parsed.Encrypt != "" {
+			logger.Info("Reusing gossip encryption key from existing configuration",
+				zap.String("path", consulConfigPath))
+			return parsed.Encrypt
+		}
+	}
+	return ""
+}
+
+func persistGossipKey(logger otelzap.LoggerWithCtx, key string) error {
+	if err := os.WriteFile(gossipKeyPath, []byte(key+"\n"), 0o600); err != nil {
+		return fmt.Errorf("failed to persist gossip key: %w", err)
+	}
+
+	if err := os.Chmod(gossipKeyPath, 0o600); err != nil {
+		logger.Warn("Failed to set gossip key permissions",
+			zap.String("path", gossipKeyPath),
+			zap.Error(err))
+	}
+
+	if err := chownConsul(gossipKeyPath); err != nil {
+		logger.Warn("Failed to set gossip key ownership",
+			zap.String("path", gossipKeyPath),
+			zap.Error(err))
+	}
+
+	return nil
+}
+
+func chownConsul(path string) error {
+	owner, err := user.Lookup("consul")
+	if err != nil {
+		return err
+	}
+	uid, err := strconv.Atoi(owner.Uid)
+	if err != nil {
+		return err
+	}
+	gid, err := strconv.Atoi(owner.Gid)
+	if err != nil {
+		return err
+	}
+	return os.Chown(path, uid, gid)
+}
+
+func ensureGossipKey(logger otelzap.LoggerWithCtx) (string, error) {
+	if key := loadExistingGossipKey(logger); key != "" {
+		return key, nil
+	}
+
+	key, err := secrets.GenerateGossipKey()
+	if err != nil {
+		return "", fmt.Errorf("failed to generate gossip encryption key: %w", err)
+	}
+
+	if err := os.MkdirAll(filepath.Dir(gossipKeyPath), 0o755); err != nil {
+		logger.Warn("Failed to ensure directory for gossip key",
+			zap.Error(err),
+			zap.String("path", gossipKeyPath))
+	} else if err := persistGossipKey(logger, key); err != nil {
+		logger.Warn("Failed to persist gossip key to disk", zap.Error(err))
+	}
+
+	logger.Info("Generated new gossip encryption key",
+		zap.String("path", gossipKeyPath))
+	return key, nil
+}