dags/suricata/acme_rsync/Makefile

###############################################################################

WD = /var/lib/dags/acme
CERTS_DIR = $(WD)/certs
DOMAIN = monotremata.xyz
DOMAIN_CERTS_DIR = $(CERTS_DIR)/$(DOMAIN)

###############################################################################

ACME_CA_FILE = $(DOMAIN_CERTS_DIR)/ca.cer
ACME_FULLCHAIN_FILE = $(DOMAIN_CERTS_DIR)/fullchain.cer"
ACME_KEY_FILE = $(DOMAIN_CERTS_DIR)/$(DOMAIN).key"

###############################################################################

JSON_SECRET = $(WD)/secret.json
SECRET_UPDATED = $(WD)/secret_updated

###############################################################################

K8S_CA_FILE = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
K8S_TOKEN_FILE = /var/run/secrets/kubernetes.io/serviceaccount/token)
K8S_TOKEN = $(shell cat $(K8S_TOKEN_FILE))
K8S_APISERVER = $(KUBERNETES_SERVICE_HOST):$(KUBERNETES_SERVICE_PORT_HTTPS)
K8S_SECRERTS_URL="https://${K8S_APISERVER}/api/v1/namespaces/${CERT_NAMESPACE}/secret

###############################################################################

.PHONY: all sync_certs

all: sync_certs $(SECRET_UPDATED)

###############################################################################

RSYNCD_HOST = narwhal
RSYNCD_USER = user
REMOTE_ACME_PATH=rsync://$(RSYNCD_USER)@$(RSYNCD_HOST)/acme
RSYNC_OPTS=--archive --delete --acls --xattrs --compress --verbose --human-readable

sync_certs:
	mkdir -p $(CERTS_DIR)
	rsync \
		$(RSYNC_OPTS) \
		$(REMOTE_ACME_PATH) \
		$(CERTS_DIR)

$(ACME_CA_FILE): sync_certs
$(ACME_FULLCHAIN_FILE): sync_certs
$(ACME_KEY_FILE): sync_certs

###############################################################################

$(JSON_SECRET): $(ACME_KEY_FILE) $(ACME_FULLCHAIN_FILE) $(ACME_KEY_FILE)
	jq --null-input --raw-output \
		--arg kind "Secret" \
		--arg name "$(SECRET_NAME)" \
		--arg cacert "$$(base64 -w 0 $(ACME_CA_FILE))" \
		--arg tlscert "$$(base64 -w 0 $(ACME_FULLCHAIN_FILE))" \
		--arg tlskey "$$(base64 -w 0 $(ACME_KEY_FILE))" \
		'{
			kind: $$kind,
			metadata: {name: $$name},
			data: {
				"ca.crt": $$cacert,
				"tls.crt": $$tlscert,
				"tls.key": $$tlskey
			}
		}' > $@

###############################################################################

select_status_code = grep 'HTTP/' | awk '{printf $$2}'

define k8s_api
	curl \
		-i \
		-X $(1) \
		--cacert "$(K8S_CA_FILE)" \
		-H "Authorization: Bearer $(K8S_TOKEN)" \
		-H 'Accept: application/json' \
		-H "Content-Type: application/json"
endef

define get_secret
	$(call k8s_api,GET) $(K8S_SECRERTS_URL)/$(SECRET_NAME) | \
	$(select_status_code)
endef

define post_secret
	$(call k8s_api,POST) $(K8S_SECRERTS_URL) --data @$(1) | \
	$(select_status_code)
endef

define put_secret
	$(call k8s_api,PUT) $(K8S_SECRERTS_URL)/$(SECRET_NAME) --data @$(1) |
	$(select_status_code)
endef

$(SECRET_UPDATED): $(JSON_SECRET)
	mkdir -p $(@D)
	GET_STATUS_CODE=$$($(call get_secret)) \
	if [ "$${GET_STATUS_CODE}" = "404" ]; then \
		echo "adding cert" \
		POST_STATUS_CODE=$$($(call post_secret,$^)) \
		[ "$${POST_STATUS_CODE}" = "200" ] && touch $@ \
	elif [ "$${GET_STATUS_CODE}" = "200" ]; then \
		echo "updating existing cert" \
		PUT_STATUS_CODE=$$($(call put_secret,$^)) \
		[ "$${PUT_STATUS_CODE}" = "200" ] && touch $@ \
	fi

###############################################################################
suricata's rsync acme 2023-01-05 18:31:38 +01:00			`###############################################################################`

			`WD = /var/lib/dags/acme`
			`CERTS_DIR = $(WD)/certs`
			`DOMAIN = monotremata.xyz`
			`DOMAIN_CERTS_DIR = $(CERTS_DIR)/$(DOMAIN)`

			`###############################################################################`

			`ACME_CA_FILE = $(DOMAIN_CERTS_DIR)/ca.cer`
			`ACME_FULLCHAIN_FILE = $(DOMAIN_CERTS_DIR)/fullchain.cer"`
			`ACME_KEY_FILE = $(DOMAIN_CERTS_DIR)/$(DOMAIN).key"`

			`###############################################################################`

			`JSON_SECRET = $(WD)/secret.json`
			`SECRET_UPDATED = $(WD)/secret_updated`

			`###############################################################################`

			`K8S_CA_FILE = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt`
			`K8S_TOKEN_FILE = /var/run/secrets/kubernetes.io/serviceaccount/token)`
			`K8S_TOKEN = $(shell cat $(K8S_TOKEN_FILE))`
			`K8S_APISERVER = $(KUBERNETES_SERVICE_HOST):$(KUBERNETES_SERVICE_PORT_HTTPS)`
			`K8S_SECRERTS_URL="https://${K8S_APISERVER}/api/v1/namespaces/${CERT_NAMESPACE}/secret`

			`###############################################################################`

			`.PHONY: all sync_certs`

			`all: sync_certs $(SECRET_UPDATED)`

			`###############################################################################`

			`RSYNCD_HOST = narwhal`
			`RSYNCD_USER = user`
			`REMOTE_ACME_PATH=rsync://$(RSYNCD_USER)@$(RSYNCD_HOST)/acme`
			`RSYNC_OPTS=--archive --delete --acls --xattrs --compress --verbose --human-readable`

			`sync_certs:`
			`mkdir -p $(CERTS_DIR)`
			`rsync \`
			`$(RSYNC_OPTS) \`
			`$(REMOTE_ACME_PATH) \`
			`$(CERTS_DIR)`

			`$(ACME_CA_FILE): sync_certs`
			`$(ACME_FULLCHAIN_FILE): sync_certs`
			`$(ACME_KEY_FILE): sync_certs`

			`###############################################################################`

			`$(JSON_SECRET): $(ACME_KEY_FILE) $(ACME_FULLCHAIN_FILE) $(ACME_KEY_FILE)`
			`jq --null-input --raw-output \`
			`--arg kind "Secret" \`
			`--arg name "$(SECRET_NAME)" \`
			`--arg cacert "$$(base64 -w 0 $(ACME_CA_FILE))" \`
			`--arg tlscert "$$(base64 -w 0 $(ACME_FULLCHAIN_FILE))" \`
			`--arg tlskey "$$(base64 -w 0 $(ACME_KEY_FILE))" \`
			`'{`
			`kind: $$kind,`
			`metadata: {name: $$name},`
			`data: {`
			`"ca.crt": $$cacert,`
			`"tls.crt": $$tlscert,`
			`"tls.key": $$tlskey`
			`}`
			`}' > $@`

			`###############################################################################`

			`select_status_code = grep 'HTTP/' \| awk '{printf $$2}'`

			`define k8s_api`
			`curl \`
			`-i \`
			`-X $(1) \`
			`--cacert "$(K8S_CA_FILE)" \`
			`-H "Authorization: Bearer $(K8S_TOKEN)" \`
			`-H 'Accept: application/json' \`
			`-H "Content-Type: application/json"`
			`endef`

			`define get_secret`
			`$(call k8s_api,GET) $(K8S_SECRERTS_URL)/$(SECRET_NAME) \| \`
			`$(select_status_code)`
			`endef`

			`define post_secret`
			`$(call k8s_api,POST) $(K8S_SECRERTS_URL) --data @$(1) \| \`
			`$(select_status_code)`
			`endef`

			`define put_secret`
			`$(call k8s_api,PUT) $(K8S_SECRERTS_URL)/$(SECRET_NAME) --data @$(1) \|`
			`$(select_status_code)`
			`endef`

			`$(SECRET_UPDATED): $(JSON_SECRET)`
			`mkdir -p $(@D)`
			`GET_STATUS_CODE=$$($(call get_secret)) \`
			`if [ "$${GET_STATUS_CODE}" = "404" ]; then \`
			`echo "adding cert" \`
			`POST_STATUS_CODE=$$($(call post_secret,$^)) \`
			`[ "$${POST_STATUS_CODE}" = "200" ] && touch $@ \`
			`elif [ "$${GET_STATUS_CODE}" = "200" ]; then \`
			`echo "updating existing cert" \`
			`PUT_STATUS_CODE=$$($(call put_secret,$^)) \`
			`[ "$${PUT_STATUS_CODE}" = "200" ] && touch $@ \`
			`fi`

			`###############################################################################`