feat: slight refactor of acme.sh
parent
798b194337
commit
9b9e7e28ce
|
@ -22,9 +22,9 @@ ACME_DIR=/srv/certs/acme
|
|||
DOMAIN=monotremata.xyz
|
||||
CERT_PATH=$(ACME_DIR)/$(DOMAIN)
|
||||
|
||||
FULLCHAIN=$(CERT_PATH)/fullchain.cer
|
||||
CERT=$(CERT_PATH)/$(DOMAIN).cer
|
||||
KEY=$(CERT_PATH)/$(DOMAIN).key
|
||||
FULLCHAIN=$(CERT_PATH)/fullchain.pem
|
||||
CERT=$(CERT_PATH)/cert.pem
|
||||
KEY=$(CERT_PATH)/key.pem
|
||||
|
||||
###############################################################################
|
||||
|
||||
|
@ -58,17 +58,11 @@ RENEW_CMD=--cron --home /root/.acme.sh --config-home /acme.sh
|
|||
|
||||
# DNS_ARGS=--dns dns_linode_v4 --dnssleep 900
|
||||
DNS_ARGS=--dns dns_hetzner
|
||||
ISSUE_CMD=--issue $(DNS_ARGS) $(CERT_DOMAINS) --server letsencrypt
|
||||
|
||||
renew_certs: $(HETZNER_TOKEN) $(ACME_DATA_DIR)/account.conf
|
||||
renew_certs: $(HETZNER_TOKEN)
|
||||
@echo "renewing certs"
|
||||
$(ACMESH) $(RENEW_CMD)
|
||||
|
||||
$(ACME_DATA_DIR)/account.conf: $(HETZNER_TOKEN)
|
||||
@echo "issuing certificate and saving acme.sh account configuration"
|
||||
@mkdir -p $(@D)
|
||||
$(ACMESH) $(ISSUE_CMD)
|
||||
|
||||
###############################################################################
|
||||
# Sync the certs to remote hosts and trigger DAGs there
|
||||
|
||||
|
@ -131,25 +125,6 @@ $(LB_TRIGGER): $(LB_SYNC)
|
|||
$(SURICATA_TRIGGER): $(SURICATA_SYNC)
|
||||
$(call remote_dag_trigger,suricata,acme_refresh)
|
||||
|
||||
###############################################################################
|
||||
# Reload the nginx instance running on my reverse proxy docker-compose service
|
||||
# so that it uses the new certificates.
|
||||
# The target is just an empty sentinel target with no meaningful data other
|
||||
# than its modification date.
|
||||
# So far, the nginx instance running on `narwhal` only uses the `monotremata`
|
||||
# and `narwhal` certificates, so it only needs to be reloaded if those are
|
||||
# updated
|
||||
|
||||
NGINX_COMPOSE_FILE=/srv/services/reverse_proxy/docker-compose.yml
|
||||
|
||||
$(NGINX_RELOAD): $(FULLCHAIN) $(KEY)
|
||||
mkdir -p $(@D)
|
||||
docker compose \
|
||||
--file $(NGINX_COMPOSE_FILE) \
|
||||
exec nginx \
|
||||
nginx -s reload
|
||||
touch $@
|
||||
|
||||
###############################################################################
|
||||
# Copy the certificate for the postgresql domain to the folder where postgre
|
||||
# service expects it
|
||||
|
|
|
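Review bot: After the `$(ACME_DATA_DIR)/account.conf` prerequisite and its issue rule are dropped, `renew_certs` depends only on `$(HETZNER_TOKEN)`, and nothing left in the Makefile records where the `cert.pem`/`key.pem`/`fullchain.pem` files named by `FULLCHAIN`, `CERT` and `KEY` in the first hunk now come from; on a host with no existing acme.sh account, `$(ACMESH) $(RENEW_CMD)` (a `--cron` run) will presumably find nothing to renew and exit quietly rather than fail. A one-line comment above the three path variables keeps that contract visible: `# Written by acme.sh --install-cert (justfile install-* recipes); this Makefile only renews, it never issues`. `renew_certs` also reads like a phony target; if `.PHONY: renew_certs` is not declared elsewhere in the file (outside these hunks), a stray file of that name would turn the rule into a silent no-op. The `$(NGINX_RELOAD)` rule removed in the last hunk was the only visible consumer of `$(FULLCHAIN)` and `$(KEY)`, so unless another rule outside this view uses them, the renamed variables may now be dead.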
@ -9,14 +9,50 @@ render:
|
|||
acme_data_dir := "/mnt/docker_volumes/acmesh/data"
|
||||
domain := "monotremata.xyz"
|
||||
certs_path := "/srv/certs/acme"
|
||||
linode_token := `cat /srv/secrets/linode_token`
|
||||
hetzner_token := `cat /srv/secrets/hetzner_token`
|
||||
|
||||
acmesh *args:
|
||||
docker run --rm -it \
|
||||
-v {{acme_data_dir}}:/acme.sh \
|
||||
-v {{certs_path}}/{{domain}}:/acme.sh/{{domain}} \
|
||||
-e "LINODE_V4_API_KEY={{linode_token}}" \
|
||||
-v {{certs_path}}:/certs \
|
||||
-e "HETZNER_Token={{hetzner_token}}" \
|
||||
neilpang/acme.sh \
|
||||
/root/.acme.sh/acme.sh {{args}}
|
||||
|
||||
issue *args:
|
||||
just acmesh \
|
||||
--issue \
|
||||
--dns dns_hetzner \
|
||||
--server letsencrypt \
|
||||
{{args}}
|
||||
|
||||
install-monotremata-xyz:
|
||||
just acmesh \
|
||||
--install-cert \
|
||||
-d {{domain}} \
|
||||
--cert-file /certs/{{domain}}/cert.pem \
|
||||
--key-file /certs/{{domain}}/key.pem \
|
||||
--fullchain-file /certs/{{domain}}/fullchain.pem
|
||||
|
||||
install-vault:
|
||||
just acmesh \
|
||||
--install-cert \
|
||||
-d vault.{{domain}} \
|
||||
--cert-file /certs/vault.{{domain}}/cert.pem \
|
||||
--key-file /certs/vault.{{domain}}/key.pem \
|
||||
--fullchain-file /certs/vault.{{domain}}/fullchain.pem
|
||||
|
||||
issue-monotremata-xyz:
|
||||
just issue \
|
||||
-d {{domain}} \
|
||||
-d '*.{{domain}}' \
|
||||
-d '*.narwhal.{{domain}}' \
|
||||
-d '*.caladan.{{domain}}' \
|
||||
-d '*.xmpp.{{domain}}'
|
||||
just install-monotremata-xyz
|
||||
|
||||
issue-vault:
|
||||
just issue \
|
||||
-d 'vault.{{domain}}' \
|
||||
-d '*.vault.{{domain}}'
|
||||
just install-vault
|
||||
|
|
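Review bot: `hetzner_token` is read with a backtick expression at load time and spliced into the argument `-e "HETZNER_Token={{hetzner_token}}"` in `acmesh`, so the secret ends up both in the echoed recipe line and in the `docker run` process's argv, where any local user can read it from the process list; the existing `linode_token` line has the same shape, and it is still evaluated on every `just` invocation even though the Makefile side of this commit drops the Linode DNS arguments. Passing the value through the environment keeps it off the command line: declare it as an exported variable (`export HETZNER_Token := ...` with the same backtick expression) and pass `-e HETZNER_Token` with no value, which makes docker copy it from the environment instead of the argument. The same treatment applies to `LINODE_V4_API_KEY` if it is still needed, or the line can be removed along with the `linode_token` read. `docker run --rm -it` also allocates a TTY, which fails when the recipe is driven from cron or a non-interactive `make`; if `renew_certs` ends up calling this recipe, `-t` presumably has to go.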