From 111e41b2df9c6f198b433e821001bb5df574d5ee Mon Sep 17 00:00:00 2001 From: Ricard Illa Date: Fri, 16 Sep 2022 15:26:21 +0000 Subject: [PATCH] fugu acme rsync dag --- acme_rsync_fugu/Makefile | 65 ++++++++++++++++++++++++---------------- 1 file changed, 40 insertions(+), 25 deletions(-) diff --git a/acme_rsync_fugu/Makefile b/acme_rsync_fugu/Makefile index dc73887..bdd975e 100644 --- a/acme_rsync_fugu/Makefile +++ b/acme_rsync_fugu/Makefile @@ -1,8 +1,16 @@ +# Note: since I am assuming GNU Make and this host run OpenBSD, remember to run +# this dag using `gmake` instead of `make` + WD=/var/lib/dags/acme_rsync +SMTPD_RESTART=$(WD)/smtpd_restart +DOVECOT_RELOAD=$(WD)/dovecot_reload +SYNC_CERTS=$(WD)/sync_certs + .PHONY: all sync_certs -all: sync_certs +all: sync_certs $(SMTPD_RESTART) $(DOVECOT_RELOAD) + ############################################################################### 
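Review bot: `SYNC_CERTS=$(WD)/sync_certs` is used as a stamp-file prerequisite, but no rule in this patch ever creates it: `.PHONY: all sync_certs` and `all: sync_certs …` here still use the phony name, and the rsync rule header in the second hunk remains `sync_certs:` with no `touch`. The second hunk's `$(MONOTREMATA_CERT): $(SYNC_CERTS)` and `$(MONOTREMATA_KEY): $(SYNC_CERTS)` therefore make gmake stop with a "No rule to make target" error unless that file already happens to exist on the host. Because rsync has to run on every invocation, the simplest fix is to drop those two prerequisite lines and the unused variable, and add `.NOTPARALLEL:` so the left-to-right order of `all`'s prerequisites (sync first, install and restart after) also holds under `-j`. The comment in the second hunk that still describes the sync target as phony should be brought in line with whichever design is kept.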
@@ -13,38 +21,17 @@ MONOTREMATA_PATH=$(CERTS_PATH)/$(MONOTREMATA_DOMAIN) MONOTREMATA_CERT=$(MONOTREMATA_PATH)/fullchain.cer MONOTREMATA_KEY=$(MONOTREMATA_PATH)/$(MONOTREMATA_DOMAIN).key -NARWHAL_DOMAIN=narwhal.monotremata.xyz -NARWHAL_PATH=$(CERTS_PATH)/$(NARWHAL_DOMAIN) -NARWHAL_CERT=$(NARWHAL_PATH)/fullchain.cer -NARWHAL_KEY=$(NARWHAL_PATH)/$(NARWHAL_DOMAIN).key - -CALADAN_DOMAIN=caladan.monotremata.xyz -CALADAN_PATH=$(CERTS_PATH)/$(CALADAN_DOMAIN) -CALADAN_CERT=$(CALADAN_PATH)/fullchain.cer -CALADAN_KEY=$(CALADAN_PATH)/$(CALADAN_DOMAIN).key - -XMPP_DOMAIN=xmpp.monotremata.xyz -XMPP_PATH=$(CERTS_PATH)/$(XMPP_DOMAIN) -XMPP_CERT=$(XMPP_PATH)/fullchain.cer -XMPP_KEY=$(XMPP_PATH)/$(XMPP_DOMAIN).key - ############################################################################### # Sync the certificates using rsync. Because `sync` is a phony # target, it will be run each time, but the certificate files will only be # updated if a renewal happens -$(MONOTREMATA_CERT): sync_certs -$(MONOTREMATA_KEY): sync_certs -$(NARWHAL_CERT): sync_certs -$(NARWHAL_KEY): sync_certs -$(CALADAN_CERT): sync_certs -$(CALADAN_KEY): sync_certs -$(XMPP_CERT): sync_certs -$(XMPP_KEY): sync_certs +$(MONOTREMATA_CERT): $(SYNC_CERTS) +$(MONOTREMATA_KEY): $(SYNC_CERTS) REMOTE_ACME_PATH=rsync://user@narwhal/acme RSYNCD_PASSWD=/srv/secrets/rsyncd_password -RSYNC_OPTS=--archive --delete --acls --xattrs --compress --verbose --human-readable +RSYNC_OPTS=--archive --delete --compress --verbose --human-readable sync_certs: mkdir -p $(CERTS_PATH) 
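Review bot: Nothing in the sync step protects the private key before the final `install -m 400` in the third hunk. `REMOTE_ACME_PATH=rsync://user@narwhal/acme` uses the rsync daemon protocol, which authenticates with `--password-file` but does not encrypt the transfer, so the key crosses the network in clear unless the link to narwhal is already tunnelled (not visible here). On arrival, `mkdir -p $(CERTS_PATH)` creates the staging directory under the caller's umask and `--archive` keeps whatever modes the remote side had, so the staged `.key` may be readable by more users than the installed copy. Consider adding `--chmod=go-rwx` to `RSYNC_OPTS` (if the rsync build on this host supports it) and moving the transfer to rsync over ssh or a tunnelled path. The `sync_certs` recipe continues past the end of this hunk.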
@@ -53,3 +40,31 @@ sync_certs: --password-file=$(RSYNCD_PASSWD) \ $(REMOTE_ACME_PATH) \ $(CERTS_PATH) + +############################################################################### + +SSL_PATH=/etc/ssl +CERT_DEST=$(SSL_PATH)/monotremata.xyz.fullchain.pem +KEY_DEST=$(SSL_PATH)/private/monotremata.xyz.key + +$(CERT_DEST): $(MONOTREMATA_CERT) + install -m 444 $< $@ + +$(KEY_DEST): $(MONOTREMATA_KEY) + install -m 400 $< $@ + +############################################################################### + +$(SMTPD_RESTART): $(CERT_DEST) $(KEY_DEST) + mkdir -p $(@D) + rcctl restart smtpd + touch $@ + +############################################################################### + +$(DOVECOT_RELOAD): $(CERT_DEST) $(KEY_DEST) + mkdir -p $(@D) + rcctl reload dovecot + touch $@ + +###############################################################################
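Review bot: `$(SMTPD_RESTART)` and `$(DOVECOT_RELOAD)` bounce the daemons on whatever landed in `/etc/ssl` without checking it first. `$(CERT_DEST)` and `$(KEY_DEST)` are installed by two independent rules straight from the rsync staging tree, so an interrupted or mid-renewal sync can leave a mismatched or unparsable pair in place, and `rcctl restart smtpd` would then stop mail service instead of keeping the old certificate. A cheap guard is a validation line ahead of each bounce, for example `openssl x509 -checkend 0 -noout -in $(CERT_DEST)` to reject an expired or unreadable certificate, followed by `smtpd -n` before the restart and `doveconf -n >/dev/null` before the reload. Whether the two config checks also catch a key that does not match the certificate should be confirmed on the host.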