diff --git a/ops/default.nix b/ops/default.nix
index e369afdcde..a28999503c 100644
--- a/ops/default.nix
+++ b/ops/default.nix
@@ -6,6 +6,7 @@ args: {
 nixos = import ./nixos args;
 maint = import ./maint args;
 secrets = import ./secrets args;
+ raritan = import ./raritan args;
 home-manager-ext = import ./home-manager-ext.nix args;
 }
diff --git a/ops/raritan/default.nix b/ops/raritan/default.nix
new file mode 100644
index 0000000000..9d605adeed
--- /dev/null
+++ b/ops/raritan/default.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+args: {
+ ssl-renew = import ./ssl-renew args;
+}
diff --git a/ops/raritan/ssl-renew/default.nix b/ops/raritan/ssl-renew/default.nix
new file mode 100644
index 0000000000..907fe10d13
--- /dev/null
+++ b/ops/raritan/ssl-renew/default.nix
@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2021 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, pkgs, ... }:
+
+pkgs.runCommandNoCC "raritan-update" {
+ inherit (pkgs) lego curl;
+} ''
+ mkdir $out
+ substituteAll ${./deploy.sh} $out/deploy.sh
+ substituteAll ${./lego.sh} $out/lego.sh
+ chmod +x $out/deploy.sh $out/lego.sh
+''
diff --git a/ops/raritan/ssl-renew/deploy.sh b/ops/raritan/ssl-renew/deploy.sh
new file mode 100755
index 0000000000..017cc03deb
--- /dev/null
+++ b/ops/raritan/ssl-renew/deploy.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -euo pipefail
+
+@curl@/bin/curl -k \
+ --user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}" \
+ -F cert_file=@${LEGO_CERT_PATH} \
+ -F key_file=@${LEGO_CERT_KEY_PATH} \
+ "https://${RARITAN_IP}/cgi-bin/server_ssl_cert_upload.cgi"
+@curl@/bin/curl -k \
+ --user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}" \
+ "https://${RARITAN_IP}/bulk" \
+ -H 'Content-Type: application/json; charset=UTF-8' \
+ --data-binary '{"jsonrpc":"2.0","method":"performBulk","params":{"requests":[{"rid":"/server_ssl_cert","json":{"jsonrpc":"2.0","method":"installPendingKeyPair","params":null,"id":1}}]},"id":2}'
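Review bot: Neither curl call in deploy.sh passes `--fail`, so an HTTP error from the PDU (a 401 on bad credentials, or a rejected upload) leaves curl's exit status at 0, `set -e` does not stop the script, and the second request then asks the device to install whatever pending key pair it happens to hold; adding `--fail` (or `--fail-with-body` on curl 7.76 or newer) to both invocations makes a failed upload abort before `installPendingKeyPair`. `-k` disables certificate verification on a request that carries the admin password and the freshly issued private key, so whoever answers for `${RARITAN_IP}` receives both; if the device's certificate cannot be trusted before the first upload, `--pinnedpubkey` against the device's known key, or dropping `-k` once the Let's Encrypt certificate is installed and `RARITAN_IP` is replaced by the certificate's hostname, keeps the upload authenticated. Passing the password through `--user` on the command line also exposes it in the process list on a shared host; `--netrc-file` or `--config` reading a root-only file avoids that. `set -o pipefail` here, and `[[` in lego.sh, are bash features under a `#!/bin/sh` shebang; `#!/usr/bin/env bash` for both scripts makes the intended shell explicit.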
diff --git a/ops/raritan/ssl-renew/lego.sh b/ops/raritan/ssl-renew/lego.sh
new file mode 100755
index 0000000000..31c1aaf277
--- /dev/null
+++ b/ops/raritan/ssl-renew/lego.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -euo pipefail
+
+export LEGO_FLAGS="\
+ --accept-tos \
+ --dns cloudflare \
+ --dns.resolvers 1.1.1.1 \
+ --domains "${CERTIFICATE_DOMAIN}" \
+ --key-type rsa4096 \
+ --email "${LETSENCRYPT_EMAIL}" \
+ "
+
+if ! [[ -f .lego/certificates/${CERTIFICATE_DOMAIN}.crt ]]; then
+ exec @lego@/bin/lego \
+ $LEGO_FLAGS \
+ run \
+ --run-hook="@out@/deploy.sh"
+fi
+
+exec @lego@/bin/lego \
+ $LEGO_FLAGS \
+ renew \
+ --renew-hook="@out@/deploy.sh"
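Review bot: The `if ! [[ -f ... ]]` test is bash syntax under a `#!/bin/sh` shebang; on a host where sh is dash, `[[` is not found, the negation turns that failure into success, and every invocation takes the `run` branch, registering and issuing afresh instead of renewing, which is also how issuance rate limits get exhausted. Either change the shebang to `#!/usr/bin/env bash` or use the POSIX form `if ! [ -f ".lego/certificates/${CERTIFICATE_DOMAIN}.crt" ]; then`. The `LEGO_FLAGS` string closes and reopens its own double quotes around `${CERTIFICATE_DOMAIN}` and `${LETSENCRYPT_EMAIL}` and then relies on unquoted `$LEGO_FLAGS` to word-split; a bash array, `LEGO_FLAGS=(--accept-tos --dns cloudflare --dns.resolvers 1.1.1.1 --domains "${CERTIFICATE_DOMAIN}" --key-type rsa4096 --email "${LETSENCRYPT_EMAIL}")` used as `"${LEGO_FLAGS[@]}"`, expresses the same flags without the quoting ambiguity, and the `export` is not used by anything shown. The `.lego/certificates` check is relative to the working directory, so the `run`/`renew` decision depends on where the caller starts the script; a comment naming the expected working directory, or an explicit lego `--path`, would make that visible.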