feat: slight refactor of acme.sh

Ricard Illa 2023-07-12 15:28:46 +02:00
parent 798b194337
commit 9b9e7e28ce
2 changed files with 43 additions and 32 deletions


@ -22,9 +22,9 @@ ACME_DIR=/srv/certs/acme
DOMAIN=monotremata.xyz
CERT_PATH=$(ACME_DIR)/$(DOMAIN)
FULLCHAIN=$(CERT_PATH)/fullchain.cer
CERT=$(CERT_PATH)/$(DOMAIN).cer
KEY=$(CERT_PATH)/$(DOMAIN).key
FULLCHAIN=$(CERT_PATH)/fullchain.pem
CERT=$(CERT_PATH)/cert.pem
KEY=$(CERT_PATH)/key.pem
###############################################################################
@ -58,17 +58,11 @@ RENEW_CMD=--cron --home /root/.acme.sh --config-home /acme.sh
# DNS_ARGS=--dns dns_linode_v4 --dnssleep 900
DNS_ARGS=--dns dns_hetzner
ISSUE_CMD=--issue $(DNS_ARGS) $(CERT_DOMAINS) --server letsencrypt
renew_certs: $(HETZNER_TOKEN) $(ACME_DATA_DIR)/account.conf
renew_certs: $(HETZNER_TOKEN)
@echo "renewing certs"
$(ACMESH) $(RENEW_CMD)
$(ACME_DATA_DIR)/account.conf: $(HETZNER_TOKEN)
@echo "issuing certificate and saving acme.sh account configuration"
@mkdir -p $(@D)
$(ACMESH) $(ISSUE_CMD)
###############################################################################
# Sync the certs to remote hosts and trigger DAGs there
@ -131,25 +125,6 @@ $(LB_TRIGGER): $(LB_SYNC)
$(SURICATA_TRIGGER): $(SURICATA_SYNC)
$(call remote_dag_trigger,suricata,acme_refresh)
###############################################################################
# Reload the nginx instance running on my reverse proxy docker-compose service
# so that it uses the new certificates.
# The target is just an empty sentinel target with no meaningful data other
# than its modification date.
# So far, the nginx instance running on `narwhal` only uses the `monotremata`
# and `narwhal` certificates, so it only needs to be reloaded if those are
# updated
NGINX_COMPOSE_FILE=/srv/services/reverse_proxy/docker-compose.yml
$(NGINX_RELOAD): $(FULLCHAIN) $(KEY)
mkdir -p $(@D)
docker compose \
--file $(NGINX_COMPOSE_FILE) \
exec nginx \
nginx -s reload
touch $@
###############################################################################
# Copy the certificate for the postgresql domain to the folder where postgre
# service expects it
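Review bot: After this change nothing in the Makefile produces `$(FULLCHAIN)`, `$(CERT)` or `$(KEY)`: the `$(ACME_DATA_DIR)/account.conf` rule that ran `$(ISSUE_CMD)` is dropped in the renew_certs hunk, and the new `.pem` paths defined in the first hunk are only written by the justfile's `--install-cert` recipes. On a host where `just issue-monotremata-xyz` has not run yet, any target that lists these files as prerequisites (the removed `$(NGINX_RELOAD)` rule did; the sync targets outside the hunks presumably still do) will stop with "No rule to make target". A comment next to the definitions would save the next reader the search, e.g. `# cert.pem/key.pem/fullchain.pem are written by acme.sh --install-cert (justfile: install-monotremata-xyz); this Makefile never issues them`. If `NGINX_RELOAD` is still assigned or referenced above the third hunk it is now a dangling name, but the file runs past the hunks so I cannot confirm that here.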


@ -9,14 +9,50 @@ render:
acme_data_dir := "/mnt/docker_volumes/acmesh/data"
domain := "monotremata.xyz"
certs_path := "/srv/certs/acme"
linode_token := `cat /srv/secrets/linode_token`
hetzner_token := `cat /srv/secrets/hetzner_token`
acmesh *args:
docker run --rm -it \
-v {{acme_data_dir}}:/acme.sh \
-v {{certs_path}}/{{domain}}:/acme.sh/{{domain}} \
-e "LINODE_V4_API_KEY={{linode_token}}" \
-v {{certs_path}}:/certs \
-e "HETZNER_Token={{hetzner_token}}" \
neilpang/acme.sh \
/root/.acme.sh/acme.sh {{args}}
issue *args:
just acmesh \
--issue \
--dns dns_hetzner \
--server letsencrypt \
{{args}}
install-monotremata-xyz:
just acmesh \
--install-cert \
-d {{domain}} \
--cert-file /certs/{{domain}}/cert.pem \
--key-file /certs/{{domain}}/key.pem \
--fullchain-file /certs/{{domain}}/fullchain.pem
install-vault:
just acmesh \
--install-cert \
-d vault.{{domain}} \
--cert-file /certs/vault.{{domain}}/cert.pem \
--key-file /certs/vault.{{domain}}/key.pem \
--fullchain-file /certs/vault.{{domain}}/fullchain.pem
issue-monotremata-xyz:
just issue \
-d {{domain}} \
-d '*.{{domain}}' \
-d '*.narwhal.{{domain}}' \
-d '*.caladan.{{domain}}' \
-d '*.xmpp.{{domain}}'
just install-monotremata-xyz
issue-vault:
just issue \
-d 'vault.{{domain}}' \
-d '*.vault.{{domain}}'
just install-vault
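Review bot: The Hetzner token is spliced into the `docker run` argv as `-e "HETZNER_Token={{hetzner_token}}"`, so just echoes it to the terminal and any log on every `acmesh` run, and it is readable in the process list for as long as the container is up. Passing only the variable name lets docker take the value from the environment instead: change the assignment to `export HETZNER_Token :=` (keeping the same backtick `cat /srv/secrets/hetzner_token` expression), use `-e HETZNER_Token \` in the recipe, and prefix the command with `@docker run --rm -it \` so the line is not echoed. `linode_token` is still read with `cat` at load time even though, as far as the printed lines show, the `LINODE_V4_API_KEY` line is no longer part of the command; if that line is indeed the removed side, the assignment can go as well. The old/new side of the `-v`/`-e` lines is not marked on this page, so that last point is inferred from print order only.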