From 8dfe2dc88773c84eb72041ed7fc7a3fcb1bbf3da Mon Sep 17 00:00:00 2001
From: Tobias Reisinger <tobias@msrg.cc>
Date: Mon, 29 Jan 2024 00:21:27 +0100
Subject: [PATCH] Improve certificates

Add msrg.cc domain for xmpp on wiuwiu.de
Add sourcing of service.env
---
 roles/lego/files/lego.sh                      |  4 ++++
 roles/lego/files/node002/db.serguzim.me       |  8 ++++----
 roles/lego/files/node002/msrg.cc              | 18 ++++++++++++++++++
 roles/lego/files/node002/registry.serguzim.me |  8 ++++----
 roles/lego/tasks/systemd.yml                  |  3 ++-
 roles/lego/vars/main.yml                      |  3 +++
 6 files changed, 35 insertions(+), 9 deletions(-)
 create mode 100755 roles/lego/files/node002/msrg.cc

diff --git a/roles/lego/files/lego.sh b/roles/lego/files/lego.sh
index f6a4a04..98c7060 100755
--- a/roles/lego/files/lego.sh
+++ b/roles/lego/files/lego.sh
@@ -1,5 +1,9 @@
 #!/usr/bin/env sh
 
+set -a
+. ./service.env
+set +a
+
 domain="$1"
 action="${2:-renew}"
 
diff --git a/roles/lego/files/node002/db.serguzim.me b/roles/lego/files/node002/db.serguzim.me
index 09602b9..b411f33 100755
--- a/roles/lego/files/node002/db.serguzim.me
+++ b/roles/lego/files/node002/db.serguzim.me
@@ -2,15 +2,15 @@
 
 domain="db.serguzim.me"
 
-docker compose run --rm app "$1" "$domain"
-
 _install() {
   install --owner=postgres --group=postgres --mode=600 \
-	  "/opt/services/_certificates/$domain.$1" \
-	  "/var/lib/postgresql/server.$1"
+	  "$CERTIFICATES_PATH/$domain.$1" \
+	  "/var/lib/postgres/data/server.$1"
 }
 
 _install crt
 _install key
 
 sudo -u postgres pg_ctl -D /var/lib/postgres/data/ reload
+
+# vim: ft=sh
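Review bot: `"$CERTIFICATES_PATH/$domain.$1"` in `_install` has no guard against CERTIFICATES_PATH being unset or empty; nothing in the hunk sets it or enables `set -u`, so an empty value makes `install` look for `/db.serguzim.me.crt`, fail, and the script still proceeds to `pg_ctl ... reload`. A one-line assertion before the first call would turn that into a clear failure: `: "${CERTIFICATES_PATH:?CERTIFICATES_PATH is not set}"`. The same applies to the identical `_install` change in roles/lego/files/node002/registry.serguzim.me. Separately, the exit status of `_install crt` and `_install key` is not checked, so the reload runs even when the copy failed; chaining them (`_install crt && _install key && sudo ...`) or a `set -e` at the top (the shebang line is outside this hunk) would stop that.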
diff --git a/roles/lego/files/node002/msrg.cc b/roles/lego/files/node002/msrg.cc
new file mode 100755
index 0000000..7797db0
--- /dev/null
+++ b/roles/lego/files/node002/msrg.cc
@@ -0,0 +1,18 @@
+#!/usr/bin/env sh
+
+domain="msrg.cc"
+
+tmpdir=$(mktemp -d)
+trap 'rm -rf $tmpdir' EXIT
+
+cp "$CERTIFICATES_PATH/$domain.crt" "$tmpdir/fullchain.pem"
+cp "$CERTIFICATES_PATH/$domain.key" "$tmpdir/privkey.pem"
+
+curl \
+	-F submit="submit" \
+	-F token="$WIUWIU_TOKEN" \
+	-F "cert=@$tmpdir/fullchain.pem" \
+	-F "key=@$tmpdir/privkey.pem" \
+	https://cert-upload.wiuwiu.de/
+
+# vim: ft=sh
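Review bot: The curl call reports success regardless of the server's answer and passes the upload token on the command line: without `-f`/`--fail` a 4xx/5xx from cert-upload.wiuwiu.de leaves the exit status 0, and `-F token="$WIUWIU_TOKEN"` both exposes the value in the process's argv (readable via `ps`) and lets curl misinterpret it if the token ever starts with `@` or `<`. Writing the token into the already private `$tmpdir` and passing it with curl's `<file` form syntax fixes both, and `--form-string` is the right option for literal field values like `submit`. While at it, `mktemp -d` should be checked (the script has no `set -e`) and `$tmpdir` quoted inside the trap. The rewritten lines:

```sh
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf "$tmpdir"' EXIT

# … unchanged: cp of fullchain.pem / privkey.pem into "$tmpdir" …

# keep the token out of argv and have curl take it literally
printf '%s' "$WIUWIU_TOKEN" > "$tmpdir/token"

curl -fsS \
	--form-string submit="submit" \
	-F "token=<$tmpdir/token" \
	-F "cert=@$tmpdir/fullchain.pem" \
	-F "key=@$tmpdir/privkey.pem" \
	https://cert-upload.wiuwiu.de/
```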
diff --git a/roles/lego/files/node002/registry.serguzim.me b/roles/lego/files/node002/registry.serguzim.me
index 09e444c..4f564c7 100755
--- a/roles/lego/files/node002/registry.serguzim.me
+++ b/roles/lego/files/node002/registry.serguzim.me
@@ -2,11 +2,9 @@
 
 domain="registry.serguzim.me"
 
-docker compose run --rm app "$1" "$domain"
-
 _install() {
   install --owner=root --group=root --mode=600 \
-	  "/opt/services/_certificates/$domain.$1" \
+	  "$CERTIFICATES_PATH/$domain.$1" \
 	  "/opt/services/harbor/server.$1"
 }
 
@@ -14,4 +12,6 @@ _install crt
 _install key
 
 export HARBOR_BUNDLE_DIR=/opt/services/harbor
-$HARBOR_BUNDLE_DIR/data/install.sh
+$HARBOR_BUNDLE_DIR/harbor/install.sh
+
+# vim: ft=sh
diff --git a/roles/lego/tasks/systemd.yml b/roles/lego/tasks/systemd.yml
index 21e99bf..d31cb31 100644
--- a/roles/lego/tasks/systemd.yml
+++ b/roles/lego/tasks/systemd.yml
@@ -11,13 +11,14 @@
     dest: /etc/systemd/system/lego@.timer
     mode: "0644"
   become: true
-- name: Enable the system timer for {{ item }}
+- name: Enable the system timers
   ansible.builtin.systemd_service:
     name: lego@{{ item }}.timer
     state: started
     enabled: true
     daemon_reload: true
   loop:
+    - msrg.cc
     - db.serguzim.me
     - registry.serguzim.me
   become: true
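Review bot: The `loop` list now has to be kept in sync by hand with the hook scripts under roles/lego/files/node002/ — adding `msrg.cc` here enables `lego@msrg.cc.timer` even if the matching script were missing or not deployed, and the failure would only surface in the timer's journal. If the role has a single list of domains (a `lego_domains` var, say), looping over it from both places removes that drift; if not, a comment above `loop:` such as `# one entry per hook script in files/node002/` at least documents the coupling. The task's `daemon_reload: true` also runs once per iteration, which is harmless but worth knowing.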
diff --git a/roles/lego/vars/main.yml b/roles/lego/vars/main.yml
index 460fb79..3ceec71 100644
--- a/roles/lego/vars/main.yml
+++ b/roles/lego/vars/main.yml
@@ -9,6 +9,9 @@ lego_env:
   LEGO_EMAIL: "{{ admin_email }}"
   LEGO_PATH: /data
 
+  CERTIFICATES_PATH: "{{ certificates_path }}"
+  WIUWIU_TOKEN: "{{ vault_wiuwiu_token }}"
+
 lego_compose:
   watchtower: false
   network: false
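Review bot: `WIUWIU_TOKEN: "{{ vault_wiuwiu_token }}"` puts a secret into `lego_env`, and judging by the new `set -a; . ./service.env` in lego.sh that map is exported to every per-domain hook, not only msrg.cc; this is a broader exposure than the one consumer needs and is worth a comment, e.g. `# WIUWIU_TOKEN: upload credential for cert-upload.wiuwiu.de, consumed only by files/node002/msrg.cc`. The task that renders `lego_env` into service.env is not in this diff; if it does not already set `no_log: true`, the vault value will appear in verbose or diff-mode play output. `CERTIFICATES_PATH` is fine as is, but it is now a hard requirement of the hook scripts, so documenting that `certificates_path` must be defined (a one-line comment here) would help.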