migrated DNS provider from linode to hetzner

Ricard Illa 2023-05-28 18:16:52 +02:00
parent d7dcde0e78
commit 42d78fc5ed
3 changed files with 42 additions and 52 deletions


@ -33,26 +33,39 @@ SSH_KEY=/srv/certs/ssh/users/dags/id_ed25519
# target, it will be run each time, but the certificate files will only be
# updated if a renewal happens
CERT_DOMAINS=-d $(DOMAIN) -d '*.$(DOMAIN)' -d '*.narwhal.$(DOMAIN)' -d '*.caladan.$(DOMAIN)' -d '*.xmpp.$(DOMAIN)'
$(FULLCHAIN): renew_certs
$(CERT): renew_certs
$(KEY): renew_certs
GOPASS=doas -u gopass gopass
LINODE_TOKEN = $(shell $(GOPASS) linode.com/token)
HETZNER_TOKEN=/srv/secrets/hetzner_token
DOCKER_IMAGE=neilpang/acme.sh
ACME_DATA_DIR=/mnt/docker_volumes/acmesh/data
RENEW_CMD="/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --config-home "/acme.sh"
ACMESH=docker run --rm -it \
-v $(ACME_DATA_DIR):/acme.sh \
-v $(CERT_PATH):/acme.sh/$(DOMAIN) \
-e "HETZNER_Token=$$(cat $(HETZNER_TOKEN))" \
$(DOCKER_IMAGE) \
/root/.acme.sh/acme.sh
renew_certs:
RENEW_CMD=--cron --home /root/.acme.sh --config-home /acme.sh
# DNS_ARGS=--dns dns_linode_v4 --dnssleep 900
DNS_ARGS=--dns dns_hetzner
ISSUE_CMD=--issue $(DNS_ARGS) $(CERT_DOMAINS) --server letsencrypt
renew_certs: $(HETZNER_TOKEN) $(ACME_DATA_DIR)/account.conf
@echo "renewing certs"
@docker run --rm -it \
-v $(ACME_DATA_DIR):/acme.sh \
-v $(CERT_PATH):/acme.sh/$(DOMAIN) \
-e "LINODE_V4_API_KEY=$(LINODE_TOKEN)" \
$(DOCKER_IMAGE) \
$(RENEW_CMD)
$(ACMESH) $(RENEW_CMD)
$(ACME_DATA_DIR)/account.conf: $(HETZNER_TOKEN)
@echo "issuing certificate and saving acme.sh account configuration"
@mkdir -p $(@D)
$(ACMESH) $(ISSUE_CMD)
###############################################################################
# Sync the certs to remote hosts and trigger DAGs there
@ -77,7 +90,7 @@ $(FUGU_SYNC): $(FULLCHAIN) $(CERT) $(KEY)
dags@fugu:$(CERT_PATH)
touch $@
KVMD_PST_DATA = /var/lib/kvmd/pst/data
KVMD_PST_DATA=/var/lib/kvmd/pst/data
$(PIKVM_SYNC): $(FULLCHAIN) $(CERT) $(KEY)
mkdir -p $(@D)
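Review bot: Listing `$(HETZNER_TOKEN)` as a normal prerequisite of `$(ACME_DATA_DIR)/account.conf` means that rotating the token file (newer mtime) makes account.conf look stale, so the next run re-executes the `--issue` recipe and requests a fresh certificate instead of just renewing; the file only needs to exist, so make it order-only: `$(ACME_DATA_DIR)/account.conf: | $(HETZNER_TOKEN)`. The `ACMESH` variable also places the token value in `docker run`'s argument list via `-e "HETZNER_Token=$$(cat $(HETZNER_TOKEN))"`, where it is readable from the process list for as long as the container runs; prefixing the recipe lines as `HETZNER_Token="$$(cat $(HETZNER_TOKEN))" $(ACMESH) $(RENEW_CMD)` and changing the variable to pass only the name, `-e HETZNER_Token`, keeps the value out of argv. The commented-out `# DNS_ARGS=--dns dns_linode_v4 --dnssleep 900` line is dead configuration and can be dropped now that the provider switch is done.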


@ -5,3 +5,18 @@ run:
render:
make --file ../../common/render-dag.make
acme_data_dir := "/mnt/docker_volumes/acmesh/data"
domain := "monotremata.xyz"
certs_path := "/srv/certs/acme"
linode_token := `cat /srv/secrets/linode_token`
hetzner_token := `cat /srv/secrets/hetzner_token`
acmesh *args:
docker run --rm -it \
-v {{acme_data_dir}}:/acme.sh \
-v {{certs_path}}/{{domain}}:/acme.sh/{{domain}} \
-e "LINODE_V4_API_KEY={{linode_token}}" \
-e "HETZNER_Token={{hetzner_token}}" \
neilpang/acme.sh \
/root/.acme.sh/acme.sh {{args}}
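Review bot: The new `acmesh` recipe still reads `/srv/secrets/linode_token` and passes it into the container as `LINODE_V4_API_KEY`, although the commit moves issuance to `dns_hetzner` and appears to drop the Linode token from the Makefile; removing the `linode_token` assignment and the `LINODE_V4_API_KEY` env line here would complete the migration. Because the backtick assignment is evaluated when the justfile is loaded, it would presumably also make every recipe in this file fail once the Linode secret file is deleted. As written, both tokens end up in `docker run`'s argument list, where they are visible in the process list while the container runs; exporting the value and passing only the variable name, `-e HETZNER_Token`, avoids that. The old side of this hunk is only three lines, so the recipe looks entirely new rather than amended.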


@ -5,72 +5,34 @@ TTL ?= 300
WD=/var/lib/dags/ddns
GET_IP_URL = ifconfig.me/ip
LINODE_API_URL = https://api.linode.com/v4
HETZNER_API_URL = https://dns.hetzner.com/api/v1
STATE_DIR = $(WD)/$(RECORD_NAME).$(DOMAIN_NAME)
HOST_IP = $(STATE_DIR)/host_ip.txt
UPDATE_RECORD_LINODE = $(STATE_DIR)/updated_record_linode
UPDATE_RECORD_HETZNER = $(STATE_DIR)/updated_record_hetzner
GOPASS=doas -u gopass gopass
CURL = curl --silent
LINODE_TOKEN = $(shell cat /srv/secrets/linode_token)
AUTH_CURL_LINODE = $(CURL) -H "Authorization: Bearer $(LINODE_TOKEN)"
LINODE_DOMAIN_ID = $(STATE_DIR)/linode_domain_id.txt
LINODE_RECORD_ID = $(STATE_DIR)/linode_record_id.txt
HETZNER_TOKEN = $(shell cat /srv/secrets/hetzner_token)
AUTH_CURL_HETZNER = $(CURL) -H 'Auth-API-Token: $(HETZNER_TOKEN)'
HETZNER_ZONE_ID = $(STATE_DIR)/hetzner_zone_id.txt
HETZNER_RECORD_ID = $(STATE_DIR)/hetzner_record_id.txt
HETZNER_UPDATE_BODY = $(STATE_DIR)/hetzner_update_body.json
define get_id_linode
jq --raw-output '.["data"][] | select(.["$(1)"] == "$(2)")["id"]'
endef
define get_id_hetzner
jq --raw-output '.["$(1)"][] | select(.["name"] == "$(2)")["id"]'
endef
.PHONY: all force clean
all: $(UPDATE_RECORD_LINODE) $(UPDATE_RECORD_HETZNER)
# Linode-specific #############################################################
# because the ip state is only updated when the IP changes, we should only need
# to update the record when that happens
$(UPDATE_RECORD_LINODE): $(HOST_IP) $(LINODE_DOMAIN_ID) $(LINODE_RECORD_ID)
@echo "updating linode record"
@$(AUTH_CURL_LINODE) \
-H "Content-Type: application/json" \
-X PUT -d '{ "target": "'"$$(cat $<)"'" }' \
"$(LINODE_API_URL)/domains/$$(cat $(LINODE_DOMAIN_ID))/records/$$(cat $(LINODE_RECORD_ID))"
@touch $@
# the domain id should not change and this should only ever need to run once
$(LINODE_DOMAIN_ID):
@echo "fetching linode domain id"
@mkdir -p $(@D)
@$(AUTH_CURL_LINODE) $(LINODE_API_URL)/domains | \
$(call get_id_linode,domain,$(DOMAIN_NAME)) | \
tee $@
# the register id should not change and this should only ever need to run once
$(LINODE_RECORD_ID): $(LINODE_DOMAIN_ID)
@echo "fetching linode record id"
@mkdir -p $(@D)
@$(AUTH_CURL_LINODE) $(LINODE_API_URL)/domains/$$(cat $<)/records | \
$(call get_id_linode,name,$(RECORD_NAME)) | \
tee $@
all: $(UPDATE_RECORD_HETZNER)
# Hetzner-specific #############################################################
# because the ip state is only updated when the IP changes, we should only need
# to update the record when that happens
$(UPDATE_RECORD_HETZNER): $(HETZNER_UPDATE_BODY) $(HETZNER_RECORD_ID)
@echo "updating hetzner record"
@mkdir -p $(@D)