From 9b9e7e28ce371958169b55d99760784864e10aaf Mon Sep 17 00:00:00 2001
From: Ricard Illa
Date: Wed, 12 Jul 2023 15:28:46 +0200
Subject: [PATCH] feat: slight refactor of acme.sh

---
 narwhal/acme_renew/Makefile | 33 ++++-------------------------
 narwhal/acme_renew/justfile | 42 ++++++++++++++++++++++++++++++++++---
 2 files changed, 43 insertions(+), 32 deletions(-)

diff --git a/narwhal/acme_renew/Makefile b/narwhal/acme_renew/Makefile
index f199d7d..0c6821e 100644
--- a/narwhal/acme_renew/Makefile
+++ b/narwhal/acme_renew/Makefile
@@ -22,9 +22,9 @@ ACME_DIR=/srv/certs/acme
 DOMAIN=monotremata.xyz
 CERT_PATH=$(ACME_DIR)/$(DOMAIN)
-FULLCHAIN=$(CERT_PATH)/fullchain.cer
-CERT=$(CERT_PATH)/$(DOMAIN).cer
-KEY=$(CERT_PATH)/$(DOMAIN).key
+FULLCHAIN=$(CERT_PATH)/fullchain.pem
+CERT=$(CERT_PATH)/cert.pem
+KEY=$(CERT_PATH)/key.pem
 ###############################################################################
@@ -58,17 +58,11 @@ RENEW_CMD=--cron --home /root/.acme.sh --config-home /acme.sh
 # DNS_ARGS=--dns dns_linode_v4 --dnssleep 900
 DNS_ARGS=--dns dns_hetzner
-ISSUE_CMD=--issue $(DNS_ARGS) $(CERT_DOMAINS) --server letsencrypt
-renew_certs: $(HETZNER_TOKEN) $(ACME_DATA_DIR)/account.conf
+renew_certs: $(HETZNER_TOKEN)
 	@echo "renewing certs"
 	$(ACMESH) $(RENEW_CMD)
-$(ACME_DATA_DIR)/account.conf: $(HETZNER_TOKEN)
-	@echo "issuing certificate and saving acme.sh account configuration"
-	@mkdir -p $(@D)
-	$(ACMESH) $(ISSUE_CMD)
-
 ###############################################################################
 # Sync the certs to remote hosts and trigger DAGs there
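Review bot: `FULLCHAIN`, `CERT` and `KEY` now name files that only exist once `just install-monotremata-xyz` (the `--install-cert` recipe in the justfile) has run, because this commit also removes the Makefile's own issue rule in the `-58` hunk, and nothing in the Makefile records that. A one-line comment above the three assignments would save the next reader a search: `# Written by acme.sh --install-cert (just install-monotremata-xyz); this Makefile only consumes them`. The old `fullchain.cer`, `<domain>.cer` and `<domain>.key` files under `$(CERT_PATH)` are not removed by anything in this diff, so they will linger beside the new `.pem` files; whether any target outside this hunk still refers to the old names I cannot see from here.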
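Review bot: `DNS_ARGS` (and the commented-out `dns_linode_v4` line above it) looks dead in the Makefile after this hunk: its only visible consumer was `ISSUE_CMD`, removed here, and `RENEW_CMD` does not use it, while the justfile's new `issue` recipe hard-codes `--dns dns_hetzner` on its own, so the DNS provider is now declared in two places that can drift. Either drop the two `DNS_ARGS` lines or replace them with `# DNS provider for issuing lives in the justfile (issue recipe); --cron renews with the stored per-domain settings`. Dropping the `account.conf` prerequisite also means `renew_certs` no longer checks that acme.sh has ever been set up on this host; as far as I recall `acme.sh --cron` on an empty config-home exits 0 having renewed nothing, so a fresh host would report success silently. A guard such as `test -f $(ACME_DATA_DIR)/account.conf` as the first recipe line (assuming `ACME_DATA_DIR` is still defined outside this hunk) would keep the old fail-fast behaviour.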
@@ -131,25 +125,6 @@ $(LB_TRIGGER): $(LB_SYNC)
 $(SURICATA_TRIGGER): $(SURICATA_SYNC)
 	$(call remote_dag_trigger,suricata,acme_refresh)
-###############################################################################
-# Reload the nginx instance running on my reverse proxy docker-compose service
-# so that it uses the new certificates.
-# The target is just an empty sentinel target with no meaningful data other
-# than its modification date.
-# So far, the nginx instance running on `narwhal` only uses the `monotremata`
-# and `narwhal` certificates, so it only needs to be reloaded if those are
-# updated
-
-NGINX_COMPOSE_FILE=/srv/services/reverse_proxy/docker-compose.yml
-
-$(NGINX_RELOAD): $(FULLCHAIN) $(KEY)
-	mkdir -p $(@D)
-	docker compose \
-		--file $(NGINX_COMPOSE_FILE) \
-		exec nginx \
-		nginx -s reload
-	touch $@
-
 ###############################################################################
 # Copy the certificate for the postgresql domain to the folder where postgre
 # service expects it
diff --git a/narwhal/acme_renew/justfile b/narwhal/acme_renew/justfile
index 7fbd3a9..98c3ad4 100755
--- a/narwhal/acme_renew/justfile
+++ b/narwhal/acme_renew/justfile
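Review bot: Removing the `$(NGINX_RELOAD)` rule leaves no replacement anywhere in this diff — the new `install-*` recipes in the justfile pass no `--reloadcmd` — so after a renewal the nginx on `narwhal` keeps serving the old certificate until something outside this change reloads it. Moving the reload into `--reloadcmd` is not a drop-in fix either, since acme.sh runs inside the `neilpang/acme.sh` container and the `acmesh` recipe mounts only the data and certs directories, not the docker socket, so `docker compose exec` on the host is not reachable from there; a host-side step after `renew_certs`, or keeping a sentinel rule keyed on `$(FULLCHAIN)` and `$(KEY)`, would preserve the behaviour. If `$(NGINX_RELOAD)` is still defined or listed as a prerequisite elsewhere in the Makefile (outside this hunk), `make` will now fail with "No rule to make target" for it. The deleted comment block was the only place this coupling was written down, so at minimum a note at the `renew_certs` target saying `# nginx is no longer reloaded from this Makefile; reload it after install/renew` would help.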
@@ -9,14 +9,50 @@ render:
 acme_data_dir := "/mnt/docker_volumes/acmesh/data"
 domain := "monotremata.xyz"
 certs_path := "/srv/certs/acme"
-linode_token := `cat /srv/secrets/linode_token`
 hetzner_token := `cat /srv/secrets/hetzner_token`
 acmesh *args:
     docker run --rm -it \
         -v {{acme_data_dir}}:/acme.sh \
-        -v {{certs_path}}/{{domain}}:/acme.sh/{{domain}} \
-        -e "LINODE_V4_API_KEY={{linode_token}}" \
+        -v {{certs_path}}:/certs \
         -e "HETZNER_Token={{hetzner_token}}" \
         neilpang/acme.sh \
         /root/.acme.sh/acme.sh {{args}}
+
+issue *args:
+    just acmesh \
+        --issue \
+        --dns dns_hetzner \
+        --server letsencrypt \
+        {{args}}
+
+install-monotremata-xyz:
+    just acmesh \
+        --install-cert \
+        -d {{domain}} \
+        --cert-file /certs/{{domain}}/cert.pem \
+        --key-file /certs/{{domain}}/key.pem \
+        --fullchain-file /certs/{{domain}}/fullchain.pem
+
+install-vault:
+    just acmesh \
+        --install-cert \
+        -d vault.{{domain}} \
+        --cert-file /certs/vault.{{domain}}/cert.pem \
+        --key-file /certs/vault.{{domain}}/key.pem \
+        --fullchain-file /certs/vault.{{domain}}/fullchain.pem
+
+issue-monotremata-xyz:
+    just issue \
+        -d {{domain}} \
+        -d '*.{{domain}}' \
+        -d '*.narwhal.{{domain}}' \
+        -d '*.caladan.{{domain}}' \
+        -d '*.xmpp.{{domain}}'
+    just install-monotremata-xyz
+
+issue-vault:
+    just issue \
+        -d 'vault.{{domain}}' \
+        -d '*.vault.{{domain}}'
+    just install-vault
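Review bot: `install-vault` writes under `/certs/vault.{{domain}}/`, which is `{{certs_path}}/vault.monotremata.xyz` on the host, and nothing in this hunk creates that directory: the per-domain bind mount that used to materialise it (`-v {{certs_path}}/{{domain}}:...`) is removed above, and as far as I recall `acme.sh --install-cert` only writes the files, so the first `just issue-vault` would fail at the install step after the certificate has already been issued. The two `install-*` recipes are otherwise line-for-line copies, so one parameterized recipe with a host-side `mkdir -p` fixes both at once (sketch below); the `-d` lists in the `issue-*` recipes stay as they are. `key.pem` is written by the root process inside the container through the bind mount, so its owner and mode follow acme.sh's defaults rather than anything set here and are worth checking after the first install.
```just
# one install recipe for every domain; `name` is both the acme.sh -d name
# and the subdirectory under certs_path (/certs inside the container)
install name:
    mkdir -p {{certs_path}}/{{name}}
    just acmesh \
        --install-cert \
        -d {{name}} \
        --cert-file /certs/{{name}}/cert.pem \
        --key-file /certs/{{name}}/key.pem \
        --fullchain-file /certs/{{name}}/fullchain.pem

# … unchanged: issue recipe …

issue-monotremata-xyz:
    # … unchanged: just issue with its -d list …
    just install {{domain}}

issue-vault:
    # … unchanged: just issue with its -d list …
    just install vault.{{domain}}
```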