feat: rsync certs to remote hosts

2023-05-08 18:18:41 +02:00 · 2023-05-08 18:18:41 +02:00 · 543d5e271c
parent 4f826767cd
commit 543d5e271c
1 changed files with 31 additions and 2 deletions
--- a/narwhal/acme_renew/Makefile
+++ b/narwhal/acme_renew/Makefile
@ -1,6 +1,6 @@
 WD=/var/lib/dags/acme_renew

-.PHONY: all refresh_pg renew_certs
+.PHONY: all refresh_pg renew_certs caladan_sync

 NGINX_RELOAD=$(WD)/nginx_reload

@ -8,12 +8,17 @@ all: renew_certs $(NGINX_RELOAD) refresh_pg

 ###############################################################################

+ACME_DIR=/srv/certs/acme
 DOMAIN=monotremata.xyz
-CERT_PATH=/mnt/certs/acme/$(DOMAIN)
+CERT_PATH=$(ACME_DIR)/$(DOMAIN)

 CERT=$(CERT_PATH)/fullchain.cer
 KEY=$(CERT_PATH)/$(DOMAIN).key

+###############################################################################
+
+SSH_KEY=/srv/certs/ssh/users/dags/id_ed25519
+
 ###############################################################################
 # Renew the certificates using acme.sh. Because `renew_certs` is a phony
 # target, it will be run each time, but the certificate files will only be
@ -39,6 +44,30 @@ renew_certs:
 		$(DOCKER_IMAGE) \
 		$(RENEW_CMD)

+caladan_sync: renew_certs
+	rsync \
+		--archive \
+		--delete \
+		--compress \
+		--verbose \
+		--human-readable \
+		--rsh "ssh -i $(SSH_KEY)" \
+		--rsync-path="doas rsync" \
+		$(ACME_DIR) \
+		dags@caladan:$(ACME_DIR)
+
+fugu_sync: renew_certs
+	rsync \
+		--archive \
+		--delete \
+		--compress \
+		--verbose \
+		--human-readable \
+		--rsh "ssh -i $(SSH_KEY)" \
+		--rsync-path="doas rsync" \
+		$(ACME_DIR) \
+		dags@fugu:$(ACME_DIR)
+
 ###############################################################################
 # Reload the nginx instance running on my reverse proxy docker-compose service
 # so that it uses the new certificates.