lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

totoro: remove cloudflare credentials from raritan-sslrenew

Browse source
This commit is contained in:
Luke Granger-Brown 2022-03-11 03:46:31 +00:00
parent 4be2eaeb6d
commit e50f682237
3 changed files with 26 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
ops/nixos/totoro/default.nix
View file

@ -481,8 +481,7 @@ in {
ExecStart = "${depot.ops.raritan.ssl-renew}/lego.sh"; ExecStart = "${depot.ops.raritan.ssl-renew}/lego.sh";
EnvironmentFile = pkgs.writeText "sslrenew-secret" '' EnvironmentFile = pkgs.writeText "sslrenew-secret" ''
CERTIFICATE_DOMAIN=kvm.lukegb.xyz CERTIFICATE_DOMAIN=kvm.lukegb.xyz
LETSENCRYPT_EMAIL=letsencrypt@lukegb.com CERTIFICATE_ROLE=letsencrypt-cloudflare
CF_DNS_API_TOKEN=${secrets.cloudflareCredentials.token}
RARITAN_IP=192.168.1.50 RARITAN_IP=192.168.1.50
RARITAN_USERNAME=${secrets.raritan.sslrenew.username} RARITAN_USERNAME=${secrets.raritan.sslrenew.username}
RARITAN_PASSWORD=${secrets.raritan.sslrenew.password} RARITAN_PASSWORD=${secrets.raritan.sslrenew.password}

2
ops/raritan/ssl-renew/default.nix
View file

@ -5,7 +5,7 @@
{ depot, pkgs, ... }: { depot, pkgs, ... }:
pkgs.runCommandNoCC "raritan-update" { pkgs.runCommandNoCC "raritan-update" {
inherit (pkgs) lego curl; inherit (pkgs) curl jq;
} '' } ''
mkdir $out mkdir $out
substituteAll ${./deploy.sh} $out/deploy.sh substituteAll ${./deploy.sh} $out/deploy.sh

41
ops/raritan/ssl-renew/lego.sh
View file

@ -2,23 +2,30 @@
set -euo pipefail set -euo pipefail
export LEGO_FLAGS="\ CERTIFICATE_JSON="$(@curl@/bin/curl \
--accept-tos \ -H "X-Vault-Request: true" \
--dns cloudflare \ -X PUT \
--dns.resolvers 1.1.1.1 \ -d "{\"common_name\": \"${CERTIFICATE_DOMAIN}\"}" \
--domains "${CERTIFICATE_DOMAIN}" \ "http://localhost:8200/v1/acme/certs/${CERTIFICATE_ROLE}")"
--key-type rsa4096 \
--email "${LETSENCRYPT_EMAIL}" \
"
if ! [[ -f .lego/certificates/${CERTIFICATE_DOMAIN}.crt ]]; then if [[ "$(@jq@/bin/jq .errors <(echo "$CERTIFICATE_JSON") 2>/dev/null)" != "null" ]]; then
exec @lego@/bin/lego \ @jq@/bin/jq .errors <(echo "$CERTIFICATE_JSON") >&2
$LEGO_FLAGS \ exit 1
run \
--run-hook="@out@/deploy.sh"
fi fi
exec @lego@/bin/lego \ temp_dir=$(mktemp -d)
$LEGO_FLAGS \ trap "rm -rf $temp_dir" INT TERM HUP EXIT
renew \
--renew-hook="@out@/deploy.sh" @jq@/bin/jq -r .data.cert <(echo "$CERTIFICATE_JSON") > "$temp_dir/cert.pem"
@jq@/bin/jq -r .data.private_key <(echo "$CERTIFICATE_JSON") > "$temp_dir/pkey.pem"
@curl@/bin/curl -k \
--user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}" \
-F cert_file=@"$temp_dir/cert.pem" \
-F key_file=@"$temp_dir/pkey.pem" \
"https://${RARITAN_IP}/cgi-bin/server_ssl_cert_upload.cgi"
@curl@/bin/curl -k \
--user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}" \
"https://${RARITAN_IP}/bulk" \
-H 'Content-Type: application/json; charset=UTF-8' \
--data-binary '{"jsonrpc":"2.0","method":"performBulk","params":{"requests":[{"rid":"/server_ssl_cert","json":{"jsonrpc":"2.0","method":"installPendingKeyPair","params":null,"id":1}}]},"id":2}'