rsync_letsencrypt DAG
parent
6954c8dcfe
commit
2a72b9ea20
|
|
@ -0,0 +1,64 @@
|
||||||
|
.PHONY: all fetch_certs reload_nginx refresh_pg
|
||||||
|
|
||||||
|
all: fetch_certs reload_nginx refresh_pg
|
||||||
|
|
||||||
|
LETSENCRYPT_PATH=/mnt/letsencrypt
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Fetch the certificates from my remote server using rsync
|
||||||
|
#
|
||||||
|
# The combination of `--info=NAME` and pipe into grep means this target will
|
||||||
|
# have a non-zero exit code if nothing has been updated.
|
||||||
|
# This way, the other targets will run only when some certificate has been
|
||||||
|
# updated
|
||||||
|
|
||||||
|
REMOTE_LETSENCRYPT_PATH=rsync://user@caladan/letsencrypt
|
||||||
|
RSYNCD_PASSWD=/mnt/secrets/rsyncd_password
|
||||||
|
RSYNC_OPTS=--archive --delete --acls --xattrs --compress --human-readable
|
||||||
|
|
||||||
|
fetch_certs:
|
||||||
|
rsync \
|
||||||
|
$(RSYNC_OPTS) \
|
||||||
|
--info=NAME \
|
||||||
|
--password-file=$(RSYNCD_PASSWD) \
|
||||||
|
$(REMOTE_LETSENCRYPT_PATH) \
|
||||||
|
$(LETSENCRYPT_PATH) | \
|
||||||
|
grep .
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Reload the nginx instance running on my reverse proxy docker-compose service
|
||||||
|
# so that it uses the new certificates
|
||||||
|
|
||||||
|
NGINX_COMPOSE_FILE=/srv/services/reverse_proxy/docker-compose.yml
|
||||||
|
|
||||||
|
reload_nginx: fetch_certs
|
||||||
|
docker-compose \
|
||||||
|
--file $(NGINX_COMPOSE_FILE) \
|
||||||
|
exec nginx \
|
||||||
|
nginx -s reload
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Copy the certificate for the postgresql domain to the folder where postgre
|
||||||
|
# service expects it
|
||||||
|
# After running the fetch_certs target, the postgresql fullchain.pem and
|
||||||
|
# privkey.pem should be available. Copy those to the postgre SSL folder.
|
||||||
|
|
||||||
|
PG_DOMAIN=pg.monotremata.xyz
|
||||||
|
PG_SSL_PATH=/mnt/docker_volumes/postgres/ssl
|
||||||
|
|
||||||
|
$(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/fullchain.pem: fetch_certs
|
||||||
|
$(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/privkey.pem: fetch_certs
|
||||||
|
|
||||||
|
$(PG_SSL_PATH)/server.crt: $(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/fullchain.pem
|
||||||
|
mkdir -p $(PG_SSL_PATH)
|
||||||
|
rsync --copy-links \
|
||||||
|
$(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/fullchain.pem \
|
||||||
|
$(PG_SSL_PATH)/server.crt
|
||||||
|
|
||||||
|
$(PG_SSL_PATH)/server.key: $(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/privkey.pem
|
||||||
|
mkdir -p $(PG_SSL_PATH)
|
||||||
|
rsync --copy-links \
|
||||||
|
$(LETSENCRYPT_PATH)/live/$(PG_DOMAIN)/privkey.pem \
|
||||||
|
$(PG_SSL_PATH)/server.key
|
||||||
|
|
||||||
|
refresh_pg: $(PG_SSL_PATH)/server.crt $(PG_SSL_PATH)/server.key
|
||||||
|
|
@ -0,0 +1,7 @@
|
||||||
|
# rsync letsencrypt
|
||||||
|
|
||||||
|
This DAG pulls my letsencrypt certificates from my public server that issues
|
||||||
|
and renews them using rsync.
|
||||||
|
|
||||||
|
If any certificate has been updated, it reloads my Nginx reverse proxy
|
||||||
|
instance and updates the certificates for my PostgreSQL instance.
|
||||||
Loading…
Reference in New Issue