feat: slight refactor of acme.sh

narwhal/acme_renew/Makefile

@@ -22,9 +22,9 @@ ACME_DIR=/srv/certs/acme
 DOMAIN=monotremata.xyz
 CERT_PATH=$(ACME_DIR)/$(DOMAIN)
 
-FULLCHAIN=$(CERT_PATH)/fullchain.cer
+FULLCHAIN=$(CERT_PATH)/fullchain.pem
-CERT=$(CERT_PATH)/$(DOMAIN).cer
+CERT=$(CERT_PATH)/cert.pem
-KEY=$(CERT_PATH)/$(DOMAIN).key
+KEY=$(CERT_PATH)/key.pem
 
 ###############################################################################
 
@@ -58,17 +58,11 @@ RENEW_CMD=--cron --home /root/.acme.sh --config-home /acme.sh
 
 # DNS_ARGS=--dns dns_linode_v4 --dnssleep 900
 DNS_ARGS=--dns dns_hetzner
-ISSUE_CMD=--issue $(DNS_ARGS) $(CERT_DOMAINS) --server letsencrypt
 
-renew_certs: $(HETZNER_TOKEN) $(ACME_DATA_DIR)/account.conf
+renew_certs: $(HETZNER_TOKEN)
 	@echo "renewing certs"
 	$(ACMESH) $(RENEW_CMD)
 
-$(ACME_DATA_DIR)/account.conf: $(HETZNER_TOKEN)
-	@echo "issuing certificate and saving acme.sh account configuration"
-	@mkdir -p $(@D)
-	$(ACMESH) $(ISSUE_CMD)
-
 ###############################################################################
 # Sync the certs to remote hosts and trigger DAGs there
 
@@ -131,25 +125,6 @@ $(LB_TRIGGER): $(LB_SYNC)
 $(SURICATA_TRIGGER): $(SURICATA_SYNC)
 	$(call remote_dag_trigger,suricata,acme_refresh)
 
-###############################################################################
-# Reload the nginx instance running on my reverse proxy docker-compose service
-# so that it uses the new certificates.
-# The target is just an empty sentinel target with no meaningful data other
-# than its modification date.
-# So far, the nginx instance running on `narwhal` only uses the `monotremata`
-# and `narwhal` certificates, so it only needs to be reloaded if those are
-# updated
-
-NGINX_COMPOSE_FILE=/srv/services/reverse_proxy/docker-compose.yml
-
-$(NGINX_RELOAD): $(FULLCHAIN) $(KEY)
-	mkdir -p $(@D)
-	docker compose \
-		--file $(NGINX_COMPOSE_FILE) \
-		exec nginx \
-		nginx -s reload
-	touch $@
-
 ###############################################################################
 # Copy the certificate for the postgresql domain to the folder where postgre
 # service expects it

narwhal/acme_renew/justfile

@@ -9,14 +9,50 @@ render:
 acme_data_dir := "/mnt/docker_volumes/acmesh/data"
 domain := "monotremata.xyz"
 certs_path := "/srv/certs/acme"
-linode_token := `cat /srv/secrets/linode_token`
 hetzner_token := `cat /srv/secrets/hetzner_token`
 
 acmesh *args:
     docker run --rm -it \
         -v {{acme_data_dir}}:/acme.sh \
-        -v {{certs_path}}/{{domain}}:/acme.sh/{{domain}} \
+        -v {{certs_path}}:/certs \
-        -e "LINODE_V4_API_KEY={{linode_token}}" \
         -e "HETZNER_Token={{hetzner_token}}" \
         neilpang/acme.sh \
         /root/.acme.sh/acme.sh {{args}}
+
+issue *args:
+    just acmesh \
+        --issue \
+        --dns dns_hetzner \
+        --server letsencrypt \
+        {{args}}
+
+install-monotremata-xyz:
+    just acmesh \
+        --install-cert \
+        -d {{domain}} \
+        --cert-file /certs/{{domain}}/cert.pem \
+        --key-file /certs/{{domain}}/key.pem \
+        --fullchain-file /certs/{{domain}}/fullchain.pem
+
+install-vault:
+    just acmesh \
+        --install-cert \
+        -d vault.{{domain}} \
+        --cert-file /certs/vault.{{domain}}/cert.pem \
+        --key-file /certs/vault.{{domain}}/key.pem \
+        --fullchain-file /certs/vault.{{domain}}/fullchain.pem
+
+issue-monotremata-xyz:
+    just issue \
+        -d {{domain}} \
+        -d '*.{{domain}}' \
+        -d '*.narwhal.{{domain}}' \
+        -d '*.caladan.{{domain}}' \
+        -d '*.xmpp.{{domain}}'
+    just install-monotremata-xyz
+
+issue-vault:
+    just issue \
+        -d 'vault.{{domain}}' \
+        -d '*.vault.{{domain}}'
+    just install-vault