ops/raritan/ssl-renew: init

This commit is contained in:
Luke Granger-Brown 2021-07-17 01:33:01 +00:00
parent 3b21d1e521
commit 74fe28add8
5 changed files with 60 additions and 0 deletions

View file

@ -6,6 +6,7 @@ args: {
nixos = import ./nixos args; nixos = import ./nixos args;
maint = import ./maint args; maint = import ./maint args;
secrets = import ./secrets args; secrets = import ./secrets args;
raritan = import ./raritan args;
home-manager-ext = import ./home-manager-ext.nix args; home-manager-ext = import ./home-manager-ext.nix args;
} }

7
ops/raritan/default.nix Normal file
View file

@ -0,0 +1,7 @@
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
args: {
ssl-renew = import ./ssl-renew args;
}

View file

@ -0,0 +1,14 @@
# SPDX-FileCopyrightText: 2021 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
{ depot, pkgs, ... }:
pkgs.runCommandNoCC "raritan-update" {
inherit (pkgs) lego curl;
} ''
mkdir $out
substituteAll ${./deploy.sh} $out/deploy.sh
substituteAll ${./lego.sh} $out/lego.sh
chmod +x $out/deploy.sh $out/lego.sh
''

14
ops/raritan/ssl-renew/deploy.sh Executable file
View file

@ -0,0 +1,14 @@
#!/bin/sh
set -euo pipefail
@curl@/bin/curl -k \
--user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}" \
-F cert_file=@${LEGO_CERT_PATH} \
-F key_file=@${LEGO_CERT_KEY_PATH} \
"https://${RARITAN_IP}/cgi-bin/server_ssl_cert_upload.cgi"
@curl@/bin/curl -k \
--user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}" \
"https://${RARITAN_IP}/bulk" \
-H 'Content-Type: application/json; charset=UTF-8' \
--data-binary '{"jsonrpc":"2.0","method":"performBulk","params":{"requests":[{"rid":"/server_ssl_cert","json":{"jsonrpc":"2.0","method":"installPendingKeyPair","params":null,"id":1}}]},"id":2}'

24
ops/raritan/ssl-renew/lego.sh Executable file
View file

@ -0,0 +1,24 @@
#!/bin/sh
set -euo pipefail
export LEGO_FLAGS="\
--accept-tos \
--dns cloudflare \
--dns.resolvers 1.1.1.1 \
--domains "${CERTIFICATE_DOMAIN}" \
--key-type rsa4096 \
--email "${LETSENCRYPT_EMAIL}" \
"
if ! [[ -f .lego/certificates/${CERTIFICATE_DOMAIN}.crt ]]; then
exec @lego@/bin/lego \
$LEGO_FLAGS \
run \
--run-hook="@out@/deploy.sh"
fi
exec @lego@/bin/lego \
$LEGO_FLAGS \
renew \
--renew-hook="@out@/deploy.sh"