Replace lego with acme_sh

2026-03-28 20:21:42 +01:00 · 2026-03-28 20:21:42 +01:00 · 0237271b65
commit 0237271b65
parent 82f65d396f
24 changed files with 176 additions and 247 deletions
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@ -34,6 +34,12 @@ services = {
    database = true
  },

+  "acme_sh" = {
+    host = "*"
+    auth = false
+    database = false
+  },
+
  "authentik" = {
    host = "node001"
    dns = [{
@ -43,7 +49,16 @@ services = {
      url = "/-/health/live/"
      group = "3-services"
    }
-    certificates = ["auth.serguzim.me"]
+    certificates = [{
+      domain = "auth.serguzim.me"
+      hook = "docker"
+      parameters = {
+        DEPLOY_DOCKER_CONTAINER_LABEL = "sh.acme.autoload.domain=auth.serguzim.me"
+        DEPLOY_DOCKER_CONTAINER_KEY_FILE = "/certs/auth.serguzim.me.key"
+        DEPLOY_DOCKER_CONTAINER_CERT_FILE = "/certs/auth.serguzim.me.pem"
+        DEPLOY_DOCKER_CONTAINER_RELOAD_CMD = "ak import_certificate --certificate /certs/auth.serguzim.me.pem --private-key /certs/auth.serguzim.me.key --name auth.serguzim.me"
+      }
+    }]
    auth = false
    database = true
    mail = "auth@serguzim.me"
@ -409,12 +424,6 @@ services = {
    database = false
  }

-  "lego" = {
-    host = "*"
-    auth = false
-    database = false
-  },
-
  mailcowdockerized = {
    host = "node003"
    dns = [{
@ -670,7 +679,15 @@ services = {
        "[CONNECTED] == true"
      ]
    }
-    certificates = ["db.serguzim.me"]
+    certificates = [{
+      domain = "db.serguzim.me"
+      hook = "localcopy"
+      parameters = {
+        DEPLOY_LOCALCOPY_CERTKEY = "/etc/postgresql/cert.key"
+        DEPLOY_LOCALCOPY_FULLCHAIN = "/etc/postgresql/cert.crt"
+        DEPLOY_LOCALCOPY_RELOADCMD = "systemctl reload postgresql"
+      }
+    }]
    auth = false
    database = false
  },