From 8dfe2dc88773c84eb72041ed7fc7a3fcb1bbf3da Mon Sep 17 00:00:00 2001
From: Tobias Reisinger <tobias@msrg.cc>
Date: Mon, 29 Jan 2024 00:21:27 +0100
Subject: [PATCH] Improve certificates
Add msrg.cc domain for xmpp on wiuwiu.de
Add sourcing of service.env
---
roles/lego/files/lego.sh | 4 ++++
roles/lego/files/node002/db.serguzim.me | 8 ++++----
roles/lego/files/node002/msrg.cc | 18 ++++++++++++++++++
roles/lego/files/node002/registry.serguzim.me | 8 ++++----
roles/lego/tasks/systemd.yml | 3 ++-
roles/lego/vars/main.yml | 3 +++
6 files changed, 35 insertions(+), 9 deletions(-)
create mode 100755 roles/lego/files/node002/msrg.cc
diff --git a/roles/lego/files/lego.sh b/roles/lego/files/lego.sh
index f6a4a04..98c7060 100755
--- a/roles/lego/files/lego.sh
+++ b/roles/lego/files/lego.sh
@@ -1,5 +1,9 @@
#!/usr/bin/env sh
+set -a
+. ./service.env
+set +a
+
domain="$1"
action="${2:-renew}"
diff --git a/roles/lego/files/node002/db.serguzim.me b/roles/lego/files/node002/db.serguzim.me
index 09602b9..b411f33 100755
--- a/roles/lego/files/node002/db.serguzim.me
+++ b/roles/lego/files/node002/db.serguzim.me
@@ -2,15 +2,15 @@
domain="db.serguzim.me"
-docker compose run --rm app "$1" "$domain"
-
_install() {
install --owner=postgres --group=postgres --mode=600 \
- "/opt/services/_certificates/$domain.$1" \
- "/var/lib/postgresql/server.$1"
+ "$CERTIFICATES_PATH/$domain.$1" \
+ "/var/lib/postgres/data/server.$1"
}
_install crt
_install key
sudo -u postgres pg_ctl -D /var/lib/postgres/data/ reload
+
+# vim: ft=sh
diff --git a/roles/lego/files/node002/msrg.cc b/roles/lego/files/node002/msrg.cc
new file mode 100755
index 0000000..7797db0
--- /dev/null
+++ b/roles/lego/files/node002/msrg.cc
@@ -0,0 +1,18 @@
+#!/usr/bin/env sh
+
+domain="msrg.cc"
+
+tmpdir=$(mktemp -d)
+trap 'rm -rf $tmpdir' EXIT
+
+cp "$CERTIFICATES_PATH/$domain.crt" "$tmpdir/fullchain.pem"
+cp "$CERTIFICATES_PATH/$domain.key" "$tmpdir/privkey.pem"
+
+curl \
+ -F submit="submit" \
+ -F token="$WIUWIU_TOKEN" \
+ -F "cert=@$tmpdir/fullchain.pem" \
+ -F "key=@$tmpdir/privkey.pem" \
+ https://cert-upload.wiuwiu.de/
+
+# vim: ft=sh
diff --git a/roles/lego/files/node002/registry.serguzim.me b/roles/lego/files/node002/registry.serguzim.me
index 09e444c..4f564c7 100755
--- a/roles/lego/files/node002/registry.serguzim.me
+++ b/roles/lego/files/node002/registry.serguzim.me
@@ -2,11 +2,9 @@
domain="registry.serguzim.me"
-docker compose run --rm app "$1" "$domain"
-
_install() {
install --owner=root --group=root --mode=600 \
- "/opt/services/_certificates/$domain.$1" \
+ "$CERTIFICATES_PATH/$domain.$1" \
"/opt/services/harbor/server.$1"
}
@@ -14,4 +12,6 @@ _install crt
_install key
export HARBOR_BUNDLE_DIR=/opt/services/harbor
-$HARBOR_BUNDLE_DIR/data/install.sh
+$HARBOR_BUNDLE_DIR/harbor/install.sh
+
+# vim: ft=sh
diff --git a/roles/lego/tasks/systemd.yml b/roles/lego/tasks/systemd.yml
index 21e99bf..d31cb31 100644
--- a/roles/lego/tasks/systemd.yml
+++ b/roles/lego/tasks/systemd.yml
@@ -11,13 +11,14 @@
dest: /etc/systemd/system/lego@.timer
mode: "0644"
become: true
-- name: Enable the system timer for {{ item }}
+- name: Enable the system timers
ansible.builtin.systemd_service:
name: lego@{{ item }}.timer
state: started
enabled: true
daemon_reload: true
loop:
+ - msrg.cc
- db.serguzim.me
- registry.serguzim.me
become: true
diff --git a/roles/lego/vars/main.yml b/roles/lego/vars/main.yml
index 460fb79..3ceec71 100644
--- a/roles/lego/vars/main.yml
+++ b/roles/lego/vars/main.yml
@@ -9,6 +9,9 @@ lego_env:
LEGO_EMAIL: "{{ admin_email }}"
LEGO_PATH: /data
+ CERTIFICATES_PATH: "{{ certificates_path }}"
+ WIUWIU_TOKEN: "{{ vault_wiuwiu_token }}"
+
lego_compose:
watchtower: false
network: false