From bab4a36ce4c9d1d7381f12c80f45197c178c898c Mon Sep 17 00:00:00 2001
From: f
Date: Mon, 7 Sep 2020 20:16:49 -0300
Subject: [PATCH] distribute certificates to other nodes

---
 Dockerfile | 5 +++--
 certbot.sh | 5 +++--
 ssh_config | 6 ++++++
 3 files changed, 12 insertions(+), 4 deletions(-)
 create mode 100644 ssh_config

diff --git a/Dockerfile b/Dockerfile
index 863bb75..b8489ce 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,8 +14,9 @@ RUN chmod +x /usr/local/bin/certbot
 # Add ssl group
 RUN addgroup -S -g 777 ssl
 
-# Check monit's config
-RUN monit -t
+RUN apk add --no-cache openssh-client rsync
+RUN install -dm 2750 -o root -g root /root/.ssh
+COPY ./ssh_config /root/.ssh/config
 
 # Access to certificates and challenges
 VOLUME /etc/letsencrypt
diff --git a/certbot.sh b/certbot.sh
index be8e570..05fc399 100644
--- a/certbot.sh
+++ b/certbot.sh
@@ -65,7 +65,8 @@ chgrp -R ssl /etc/letsencrypt
 
 # Push certificates to nodes, we use SSH as a secure transport
 # but this means we're synchronizing from container to host which is
-# awkward.
+# awkward. A restricted rsync treats / as the remote location for the
+# certificates.
 for NODE in ${NODES}; do
- rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/srv/sutty/etc/letsencrypt/
+ rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/
 done
diff --git a/ssh_config b/ssh_config
new file mode 100644
index 0000000..fd417ed
--- /dev/null
+++ b/ssh_config
@@ -0,0 +1,6 @@
+Host *
+ Protocol 2
+ IdentityFile /root/certbot
+ VerifyHostKeyDNS yes
+ HashKnownHosts yes
+ StrictHostKeyChecking yes
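Review bot: The build-time `RUN monit -t` config check is removed in this hunk although the commit is about distributing certificates, so a broken monit config no longer fails the build; if that is intended it deserves a line in the commit message, otherwise keep `RUN monit -t` next to the new `RUN apk add` line. `RUN apk add --no-cache openssh-client rsync` installs unpinned packages (hadolint DL3018); pin them, e.g. `openssh-client=<version> rsync=<version>`, so the transport that carries the private keys is reproducible. `COPY ./ssh_config /root/.ssh/config` keeps the build-context file's mode, and ssh refuses a config that is group- or world-writable, so with BuildKit `COPY --chmod=0600 ./ssh_config /root/.ssh/config` makes the layer independent of the checkout's umask. The `2750` mode given to `/root/.ssh` sets the setgid bit on a root-owned directory; `0700` is the conventional mode and avoids the question of why setgid is wanted there.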
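Review bot: `rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/` now depends entirely on every node forcing a restricted rsync command for this key; on a node where that forced command is missing or misconfigured, the same line runs `--delete-after` against the node's real `/` as the key's user. The new comment only says that a restricted rsync treats `/` as the remote location; it should state the requirement, e.g. `# Every node MUST pin this key to a forced rrsync-style command in authorized_keys; without it --delete-after prunes the node's real filesystem root.`. With `${NODES}` unset the loop simply does not run, so a missing variable means no node receives the renewed certificates; a `[ -n "${NODES}" ] || echo "NODES is empty, not distributing certificates" >&2` before the loop would surface that. The rest of the script is outside the hunk.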
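Review bot: `StrictHostKeyChecking yes` refuses any node whose host key is not already known, and nothing in this commit provisions `/root/.ssh/known_hosts`, so the non-interactive rsync in certbot.sh fails unless every node publishes SSHFP records that the container's resolver returns DNSSEC-validated, the only case `VerifyHostKeyDNS yes` accepts on its own. Document that dependency in the file, e.g. `# Node host keys must come from DNSSEC-validated SSHFP records or a mounted known_hosts; unknown hosts are refused.`. `Protocol 2` is a no-op on the OpenSSH releases current Alpine ships (SSH1 support was removed upstream) and can be dropped. Consider adding `IdentitiesOnly yes` so only `/root/certbot` is offered and agent or default keys are never tried against the nodes.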