manage rsyncd password with gopass

acme_rsync_fugu/Makefile

@@ -1,5 +1,5 @@
-# Note: since I am assuming GNU Make and this host run OpenBSD, remember to run
+# Note: since I am assuming GNU Make and this host runs OpenBSD, remember to
-# this dag using `gmake` instead of `make`
+# run this dag using `gmake` instead of `make`
 
 WD=/var/lib/dags/acme_rsync
 
@@ -28,15 +28,21 @@ KEY=$(CERT_PATH)/$(DOMAIN).key
 $(CERT): $(SYNC_CERTS)
 $(KEY): $(SYNC_CERTS)
 
-REMOTE_ACME_PATH=rsync://user@narwhal/acme
+RSYNCD_HOST=narwhal
-RSYNCD_PASSWD=/srv/secrets/rsyncd_password
+RSYNCD_USER=user
+
+GOPASS=doas -u gopass gopass
+RSYNC_PASSWORD = $(shell $(GOPASS) $(RSYNCD_HOST)/rsyncd/$(RSYNCD_USER))
+
+REMOTE_ACME_PATH=rsync://$(RSYNCD_USER)@$(RSYNCD_HOST)/acme
 RSYNC_OPTS=--archive --delete --compress --verbose --human-readable
 
 sync_certs:
 	mkdir -p $(ACME_DIR)
+	@echo "running rsync"
+	@export RSYNC_PASSWORD=$(RSYNC_PASSWORD); \
 	rsync \
 		$(RSYNC_OPTS) \
-		--password-file=$(RSYNCD_PASSWD) \
 		$(REMOTE_ACME_PATH) \
 		$(ACME_DIR)