migrated DNS provider from linode to hetzner
parent
d7dcde0e78
commit
42d78fc5ed
@ -33,26 +33,39 @@ SSH_KEY=/srv/certs/ssh/users/dags/id_ed25519
# target, it will be run each time, but the certificate files will only be
# updated if a renewal happens
CERT_DOMAINS=-d $(DOMAIN) -d '*.$(DOMAIN)' -d '*.narwhal.$(DOMAIN)' -d '*.caladan.$(DOMAIN)' -d '*.xmpp.$(DOMAIN)'
$(FULLCHAIN): renew_certs
$(CERT): renew_certs
$(KEY): renew_certs
GOPASS=doas -u gopass gopass
LINODE_TOKEN = $(shell $(GOPASS) linode.com/token)
HETZNER_TOKEN=/srv/secrets/hetzner_token
DOCKER_IMAGE=neilpang/acme.sh
ACME_DATA_DIR=/mnt/docker_volumes/acmesh/data
RENEW_CMD="/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --config-home "/acme.sh"
renew_certs:
@echo "renewing certs"
@docker run --rm -it \
ACMESH=docker run --rm -it \
-v $(ACME_DATA_DIR):/acme.sh \
-v $(CERT_PATH):/acme.sh/$(DOMAIN) \
-e "LINODE_V4_API_KEY=$(LINODE_TOKEN)" \
-e "HETZNER_Token=$$(cat $(HETZNER_TOKEN))" \
$(DOCKER_IMAGE) \
$(RENEW_CMD)
/root/.acme.sh/acme.sh
RENEW_CMD=--cron --home /root/.acme.sh --config-home /acme.sh
# DNS_ARGS=--dns dns_linode_v4 --dnssleep 900
DNS_ARGS=--dns dns_hetzner
ISSUE_CMD=--issue $(DNS_ARGS) $(CERT_DOMAINS) --server letsencrypt
renew_certs: $(HETZNER_TOKEN) $(ACME_DATA_DIR)/account.conf
@echo "renewing certs"
$(ACMESH) $(RENEW_CMD)
$(ACME_DATA_DIR)/account.conf: $(HETZNER_TOKEN)
@echo "issuing certificate and saving acme.sh account configuration"
@mkdir -p $(@D)
$(ACMESH) $(ISSUE_CMD)
###############################################################################
# Sync the certs to remote hosts and trigger DAGs there
@ -77,7 +90,7 @@ $(FUGU_SYNC): $(FULLCHAIN) $(CERT) $(KEY)
dags@fugu:$(CERT_PATH)
touch $@
KVMD_PST_DATA = /var/lib/kvmd/pst/data
KVMD_PST_DATA=/var/lib/kvmd/pst/data
$(PIKVM_SYNC): $(FULLCHAIN) $(CERT) $(KEY)
mkdir -p $(@D)
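Review bot: The Hetzner token is put on the docker command line by `-e "HETZNER_Token=$$(cat $(HETZNER_TOKEN))"` in the new `ACMESH` variable, so while the client runs it is readable by any local user through `ps`/`/proc/*/cmdline`, and it is retained in the container metadata shown by `docker inspect`. Passing only the variable name lets docker copy it from the client environment instead: change that line to `-e HETZNER_Token \` and invoke as `HETZNER_Token="$$(cat $(HETZNER_TOKEN))" $(ACMESH) $(RENEW_CMD)` (same for the `$(ISSUE_CMD)` recipe); the un-silenced make echo of those lines is fine either way because make prints the unexpanded `$(cat …)`, not the value. Separately, `$(ACME_DATA_DIR)/account.conf: $(HETZNER_TOKEN)` makes any rotation of the token file (newer mtime than account.conf) re-run `--issue`, i.e. a fresh certificate order against Let's Encrypt rate limits; an order-only prerequisite, `$(ACME_DATA_DIR)/account.conf: | $(HETZNER_TOKEN)`, keeps the existence check without that retrigger. acme.sh presumably also persists DNS-API credentials into account.conf under `$(ACME_DATA_DIR)`, so that directory likely holds a second copy of the token — worth confirming and restricting its permissions accordingly.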
@ -5,3 +5,18 @@ run:
render:
make --file ../../common/render-dag.make
acme_data_dir := "/mnt/docker_volumes/acmesh/data"
domain := "monotremata.xyz"
certs_path := "/srv/certs/acme"
linode_token := `cat /srv/secrets/linode_token`
hetzner_token := `cat /srv/secrets/hetzner_token`
acmesh *args:
docker run --rm -it \
-v {{acme_data_dir}}:/acme.sh \
-v {{certs_path}}/{{domain}}:/acme.sh/{{domain}} \
-e "LINODE_V4_API_KEY={{linode_token}}" \
-e "HETZNER_Token={{hetzner_token}}" \
neilpang/acme.sh \
/root/.acme.sh/acme.sh {{args}}
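Review bot: The `docker run --rm -it \` line that opens the `acmesh` recipe has no `@` prefix, and `just` echoes each recipe line before running it, so the interpolated `HETZNER_Token={{hetzner_token}}` (and the remaining `LINODE_V4_API_KEY={{linode_token}}`) prints both raw tokens to the terminal and to anything logging the run, and they also sit in `ps` output while the docker client executes. Prefixing the line with `@` stops the echo; keeping the value off the command entirely is better: use `-e HETZNER_Token \` and start the recipe with `HETZNER_Token="$(cat /srv/secrets/hetzner_token)" docker run --rm -it \` so docker reads it from the environment. The `linode_token := \`cat /srv/secrets/linode_token\`` assignment appears to be evaluated when the justfile loads regardless of which recipe is invoked, so once that file is removed after this migration every `just` command here will fail at the `cat`; since the commit moves DNS to Hetzner, drop that line and the `LINODE_V4_API_KEY` argument rather than leaving a dead secret read in place.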
@ -5,72 +5,34 @@ TTL ?= 300
WD=/var/lib/dags/ddns
GET_IP_URL = ifconfig.me/ip
LINODE_API_URL = https://api.linode.com/v4
HETZNER_API_URL = https://dns.hetzner.com/api/v1
STATE_DIR = $(WD)/$(RECORD_NAME).$(DOMAIN_NAME)
HOST_IP = $(STATE_DIR)/host_ip.txt
UPDATE_RECORD_LINODE = $(STATE_DIR)/updated_record_linode
UPDATE_RECORD_HETZNER = $(STATE_DIR)/updated_record_hetzner
GOPASS=doas -u gopass gopass
CURL = curl --silent
LINODE_TOKEN = $(shell cat /srv/secrets/linode_token)
AUTH_CURL_LINODE = $(CURL) -H "Authorization: Bearer $(LINODE_TOKEN)"
LINODE_DOMAIN_ID = $(STATE_DIR)/linode_domain_id.txt
LINODE_RECORD_ID = $(STATE_DIR)/linode_record_id.txt
HETZNER_TOKEN = $(shell cat /srv/secrets/hetzner_token)
AUTH_CURL_HETZNER = $(CURL) -H 'Auth-API-Token: $(HETZNER_TOKEN)'
HETZNER_ZONE_ID = $(STATE_DIR)/hetzner_zone_id.txt
HETZNER_RECORD_ID = $(STATE_DIR)/hetzner_record_id.txt
HETZNER_UPDATE_BODY = $(STATE_DIR)/hetzner_update_body.json
define get_id_linode
jq --raw-output '.["data"][] | select(.["$(1)"] == "$(2)")["id"]'
endef
define get_id_hetzner
jq --raw-output '.["$(1)"][] | select(.["name"] == "$(2)")["id"]'
endef
.PHONY: all force clean
all: $(UPDATE_RECORD_LINODE) $(UPDATE_RECORD_HETZNER)
# Linode-specific #############################################################
# because the ip state is only updated when the IP changes, we should only need
# to update the record when that happens
$(UPDATE_RECORD_LINODE): $(HOST_IP) $(LINODE_DOMAIN_ID) $(LINODE_RECORD_ID)
@echo "updating linode record"
@$(AUTH_CURL_LINODE) \
-H "Content-Type: application/json" \
-X PUT -d '{ "target": "'"$$(cat $<)"'" }' \
"$(LINODE_API_URL)/domains/$$(cat $(LINODE_DOMAIN_ID))/records/$$(cat $(LINODE_RECORD_ID))"
@touch $@
# the domain id should not change and this should only ever need to run once
$(LINODE_DOMAIN_ID):
@echo "fetching linode domain id"
@mkdir -p $(@D)
@$(AUTH_CURL_LINODE) $(LINODE_API_URL)/domains | \
$(call get_id_linode,domain,$(DOMAIN_NAME)) | \
tee $@
# the register id should not change and this should only ever need to run once
$(LINODE_RECORD_ID): $(LINODE_DOMAIN_ID)
@echo "fetching linode record id"
@mkdir -p $(@D)
@$(AUTH_CURL_LINODE) $(LINODE_API_URL)/domains/$$(cat $<)/records | \
$(call get_id_linode,name,$(RECORD_NAME)) | \
tee $@
all: $(UPDATE_RECORD_HETZNER)
# Hetzner-specific #############################################################
# because the ip state is only updated when the IP changes, we should only need
# to update the record when that happens
$(UPDATE_RECORD_HETZNER): $(HETZNER_UPDATE_BODY) $(HETZNER_RECORD_ID)
@echo "updating hetzner record"
@mkdir -p $(@D)