From e50f6822379d6d78ad4db0c733d1ab31c949b4b3 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Fri, 11 Mar 2022 03:46:31 +0000
Subject: [PATCH] totoro: remove cloudflare credentials from raritan-sslrenew
---
 ops/nixos/totoro/default.nix | 3 +--
 ops/raritan/ssl-renew/default.nix | 2 +-
 ops/raritan/ssl-renew/lego.sh | 41 ++++++++++++++++++-------------
 3 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/ops/nixos/totoro/default.nix b/ops/nixos/totoro/default.nix
index f5486424c0..77dd0bf84c 100644
--- a/ops/nixos/totoro/default.nix
+++ b/ops/nixos/totoro/default.nix
@@ -481,8 +481,7 @@ in {
 ExecStart = "${depot.ops.raritan.ssl-renew}/lego.sh";
 EnvironmentFile = pkgs.writeText "sslrenew-secret" ''
 CERTIFICATE_DOMAIN=kvm.lukegb.xyz
- LETSENCRYPT_EMAIL=letsencrypt@lukegb.com
- CF_DNS_API_TOKEN=${secrets.cloudflareCredentials.token}
+ CERTIFICATE_ROLE=letsencrypt-cloudflare
 RARITAN_IP=192.168.1.50
 RARITAN_USERNAME=${secrets.raritan.sslrenew.username}
 RARITAN_PASSWORD=${secrets.raritan.sslrenew.password}
diff --git a/ops/raritan/ssl-renew/default.nix b/ops/raritan/ssl-renew/default.nix
index 907fe10d13..4cccdfbc6e 100644
--- a/ops/raritan/ssl-renew/default.nix
+++ b/ops/raritan/ssl-renew/default.nix
@@ -5,7 +5,7 @@
 { depot, pkgs, ... }:
 pkgs.runCommandNoCC "raritan-update" {
- inherit (pkgs) lego curl;
+ inherit (pkgs) curl jq;
 } ''
 mkdir $out
 substituteAll ${./deploy.sh} $out/deploy.sh
diff --git a/ops/raritan/ssl-renew/lego.sh b/ops/raritan/ssl-renew/lego.sh
index 31c1aaf277..1b295fb77f 100755
--- a/ops/raritan/ssl-renew/lego.sh
+++ b/ops/raritan/ssl-renew/lego.sh
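Review bot: The same EnvironmentFile still carries RARITAN_USERNAME and RARITAN_PASSWORD through `pkgs.writeText`, and if that is the standard nixpkgs writeText the rendered file lands in the world-readable Nix store, so the exposure this commit removes for the Cloudflare token remains for the KVM login. Consider pointing EnvironmentFile at a path provisioned outside the store (a secrets module that writes the file at activation with restricted mode), or adding a comment stating why store placement is acceptable for these values. The enclosing systemd unit definition starts and ends outside the hunk.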
@@ -2,23 +2,30 @@
 set -euo pipefail
-export LEGO_FLAGS="\
- --accept-tos \
- --dns cloudflare \
- --dns.resolvers 1.1.1.1 \
- --domains "${CERTIFICATE_DOMAIN}" \
- --key-type rsa4096 \
- --email "${LETSENCRYPT_EMAIL}" \
- "
+CERTIFICATE_JSON="$(@curl@/bin/curl \
+ -H "X-Vault-Request: true" \
+ -X PUT \
+ -d "{\"common_name\": \"${CERTIFICATE_DOMAIN}\"}" \
+ "http://localhost:8200/v1/acme/certs/${CERTIFICATE_ROLE}")"
-if ! [[ -f .lego/certificates/${CERTIFICATE_DOMAIN}.crt ]]; then
- exec @lego@/bin/lego \
- $LEGO_FLAGS \
- run \
- --run-hook="@out@/deploy.sh"
+if [[ "$(@jq@/bin/jq .errors <(echo "$CERTIFICATE_JSON") 2>/dev/null)" != "null" ]]; then
+ @jq@/bin/jq .errors <(echo "$CERTIFICATE_JSON") >&2
+ exit 1
 fi
-exec @lego@/bin/lego \
- $LEGO_FLAGS \
- renew \
- --renew-hook="@out@/deploy.sh"
+temp_dir=$(mktemp -d)
+trap "rm -rf $temp_dir" INT TERM HUP EXIT
+
+@jq@/bin/jq -r .data.cert <(echo "$CERTIFICATE_JSON") > "$temp_dir/cert.pem"
+@jq@/bin/jq -r .data.private_key <(echo "$CERTIFICATE_JSON") > "$temp_dir/pkey.pem"
+
+@curl@/bin/curl -k \
+ --user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}" \
+ -F cert_file=@"$temp_dir/cert.pem" \
+ -F key_file=@"$temp_dir/pkey.pem" \
+ "https://${RARITAN_IP}/cgi-bin/server_ssl_cert_upload.cgi"
+@curl@/bin/curl -k \
+ --user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}" \
+ "https://${RARITAN_IP}/bulk" \
+ -H 'Content-Type: application/json; charset=UTF-8' \
+ --data-binary '{"jsonrpc":"2.0","method":"performBulk","params":{"requests":[{"rid":"/server_ssl_cert","json":{"jsonrpc":"2.0","method":"installPendingKeyPair","params":null,"id":1}}]},"id":2}'
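Review bot: Neither Raritan curl call at the end of the hunk (the multipart upload and the `/bulk` JSON-RPC request) passes `--fail`, so an HTTP error such as rejected credentials or a refused certificate still exits 0 and the script finishes as if the install succeeded; add it to both, `@curl@/bin/curl -k --fail \`, and ideally check the JSON-RPC reply for an `error` member before treating the rotation as done. `--user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}"` also places the password on argv where a local process listing can read it; passing it through `-K` with a config file or via `--netrc-file` keeps it off the command line. With `-k` those credentials are sent to whichever host answers at RARITAN_IP without verification; once the first issued certificate is installed, `--cacert` with the issuing chain could replace `-k`. Style: `trap "rm -rf $temp_dir" INT TERM HUP EXIT` expands the path at definition time and is unquoted in the command, so `trap 'rm -rf -- "$temp_dir"' INT TERM HUP EXIT` is the ShellCheck-clean form.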