WD=/var/lib/dags/acme_renew

.PHONY: all refresh_pg renew_certs lb_sync

NGINX_RELOAD=$(WD)/nginx_reload

CALADAN_SYNC=$(WD)/caladan_sync
FUGU_SYNC=$(WD)/fugu_sync
PIKVM_SYNC=$(WD)/pikvm_sync
LB_SYNC=$(WD)/lb_sync

CALADAN_TRIGGER=$(WD)/caladan_trigger
FUGU_TRIGGER=$(WD)/fugu_trigger
PIKVM_TRIGGER=$(WD)/pikvm_trigger
LB_TRIGGER=$(WD)/lb_trigger

all: renew_certs $(CALADAN_TRIGGER) $(FUGU_TRIGGER) $(PIKVM_TRIGGER) $(LB_TRIGGER) $(NGINX_RELOAD) refresh_pg

###############################################################################

ACME_DIR=/srv/certs/acme
DOMAIN=monotremata.xyz
CERT_PATH=$(ACME_DIR)/$(DOMAIN)

FULLCHAIN=$(CERT_PATH)/fullchain.cer
CERT=$(CERT_PATH)/$(DOMAIN).cer
KEY=$(CERT_PATH)/$(DOMAIN).key

###############################################################################

SSH_KEY=/srv/certs/ssh/users/dags/id_ed25519

###############################################################################
# Renew the certificates using acme.sh. Because `renew_certs` is a phony
# target, it will be run each time, but the certificate files will only be
# updated if a renewal happens

CERT_DOMAINS=-d $(DOMAIN) -d '*.$(DOMAIN)' -d '*.narwhal.$(DOMAIN)' -d '*.caladan.$(DOMAIN)' -d '*.xmpp.$(DOMAIN)'

$(FULLCHAIN): renew_certs
$(CERT): renew_certs
$(KEY): renew_certs

HETZNER_TOKEN=/srv/secrets/hetzner_token

DOCKER_IMAGE=neilpang/acme.sh
ACME_DATA_DIR=/mnt/docker_volumes/acmesh/data

ACMESH=docker run --rm -it \
	-v $(ACME_DATA_DIR):/acme.sh \
	-v $(CERT_PATH):/acme.sh/$(DOMAIN) \
	-e "HETZNER_Token=$$(cat $(HETZNER_TOKEN))" \
	$(DOCKER_IMAGE) \
	/root/.acme.sh/acme.sh 


RENEW_CMD=--cron --home /root/.acme.sh --config-home /acme.sh

# DNS_ARGS=--dns dns_linode_v4 --dnssleep 900
DNS_ARGS=--dns dns_hetzner
ISSUE_CMD=--issue $(DNS_ARGS) $(CERT_DOMAINS) --server letsencrypt

renew_certs: $(HETZNER_TOKEN) $(ACME_DATA_DIR)/account.conf
	@echo "renewing certs"
	$(ACMESH) $(RENEW_CMD)

$(ACME_DATA_DIR)/account.conf: $(HETZNER_TOKEN)
	@echo "issuing certificate and saving acme.sh account configuration"
	@mkdir -p $(@D)
	$(ACMESH) $(ISSUE_CMD)

###############################################################################
# Sync the certs to remote hosts and trigger DAGs there

RSYNC_ARGS=--archive --delete --compress --verbose --human-readable --rsh "ssh -i $(SSH_KEY)"

$(CALADAN_SYNC): $(FULLCHAIN) $(CERT) $(KEY)
	mkdir -p $(@D)
	rsync \
		$(RSYNC_ARGS) \
		--rsync-path="doas rsync" \
		$^ \
		dags@caladan:$(CERT_PATH)
	touch $@

$(FUGU_SYNC): $(FULLCHAIN) $(CERT) $(KEY)
	mkdir -p $(@D)
	rsync \
		$(RSYNC_ARGS) \
		--rsync-path="doas rsync" \
		$^ \
		dags@fugu:$(CERT_PATH)
	touch $@

$(LB_SYNC): $(FULLCHAIN) $(CERT) $(KEY)
	mkdir -p $(@D)
	rsync \
		$(RSYNC_ARGS) \
		--rsync-path="doas rsync" \
		$^ \
		dags@lb:$(CERT_PATH)
	touch $@

KVMD_PST_DATA=/var/lib/kvmd/pst/data

$(PIKVM_SYNC): $(FULLCHAIN) $(CERT) $(KEY)
	mkdir -p $(@D)
	rsync \
		$(RSYNC_ARGS) \
		--rsync-path="doas kvmd-pstrun -- rsync" \
		$^ \
		dags@pikvm:$(KVMD_PST_DATA)/acme/$(DOMAIN)
	touch $@

define remote_dag_trigger
	mkdir -p $(@D)
	ssh -i $(SSH_KEY) dags@$(1) "doas /srv/dags/$(1)/$(2)/run.sh"
	touch $@
endef

$(CALADAN_TRIGGER): $(CALADAN_SYNC)
	$(call remote_dag_trigger,caladan,acme_refresh)

$(FUGU_TRIGGER): $(FUGU_SYNC)
	$(call remote_dag_trigger,fugu,acme_refresh)

$(PIKVM_TRIGGER): $(PIKVM_SYNC)
	$(call remote_dag_trigger,pikvm,acme_refresh)

$(LB_TRIGGER): $(LB_SYNC)
	$(call remote_dag_trigger,lb,acme_refresh)

###############################################################################
# Reload the nginx instance running on my reverse proxy docker-compose service
# so that it uses the new certificates.
# The target is just an empty sentinel target with no meaningful data other
# than its modification date.
# So far, the nginx instance running on `narwhal` only uses the `monotremata`
# and `narwhal` certificates, so it only needs to be reloaded if those are
# updated

NGINX_COMPOSE_FILE=/srv/services/reverse_proxy/docker-compose.yml

$(NGINX_RELOAD): $(FULLCHAIN) $(KEY)
	mkdir -p $(@D)
	docker-compose \
		--file $(NGINX_COMPOSE_FILE) \
		exec nginx \
		nginx -s reload
	touch $@

###############################################################################
# Copy the certificate for the postgresql domain to the folder where postgre
# service expects it

PG_SSL_PATH=/mnt/docker_volumes/postgres/ssl
PG_CERT=$(PG_SSL_PATH)/server.crt
PG_KEY=$(PG_SSL_PATH)/server.key

$(PG_CERT): $(FULLCHAIN)
	mkdir -p $(@D)
	rsync --copy-links $< $@

$(PG_KEY): $(KEY)
	mkdir -p $(@D)
	rsync --copy-links $< $@

refresh_pg: $(PG_CERT) $(PG_KEY)