


388a19fb84 alpine upgrade
2022-09-10 17:01:51 -03:00
ad905ae41d only synchronize keys and certificates to other nodes 2022-09-10 16:55:46 -03:00
ff742db293 prune old keys and certificates 2022-09-10 16:53:29 -03:00
6b72006d65 use a lock file to keep track of updates 2022-09-10 16:27:59 -03:00
b845464b1f update during bootstrap too 2022-08-16 13:45:16 -03:00
3 changed files with 20 additions and 9 deletions


@ -18,5 +18,4 @@ pipeline:
event: push event: push
matrix: matrix:
ALPINE_VERSION: ALPINE_VERSION:
- 3.16.1 - 3.16.2
- 3.15.5


@ -6,14 +6,16 @@ if test -z "${NODES}"; then
fi fi
lock=/tmp/certbot.lck lock=/tmp/certbot.lck
updated=false updated=/tmp/certbot.updated
ensure() { ensure() {
test -n "$1" && echo "$1 received, exiting gracefully..." test -n "$1" && echo "$1 received, exiting gracefully..."
rm -f "${lock}" rm -f "${lock}"
${updated} || exit 0 test -f "${updated}" || exit 0
rm -f "${updated}"
# Fix permissions, users in group ssl have read access # Fix permissions, users in group ssl have read access
find /etc/letsencrypt -type d | xargs -r chmod 2750 find /etc/letsencrypt -type d | xargs -r chmod 2750
@ -27,7 +29,7 @@ ensure() {
# awkward. A restricted rsync treats / as the remote location for the # awkward. A restricted rsync treats / as the remote location for the
# certificates. # certificates.
for NODE in ${NODES}; do for NODE in ${NODES}; do
rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/ rsync -avHAXL --delete-after /etc/letsencrypt/live/ ${NODE}:/live/
done done
} }
@ -41,7 +43,7 @@ case $1 in
# Renew certificates, trust in certbot's algorithms # Renew certificates, trust in certbot's algorithms
renew) renew)
/usr/bin/certbot renew --quiet --agree-tos /usr/bin/certbot renew --quiet --agree-tos
updated=true touch "${updated}"
;; ;;
bootstrap) bootstrap)
for site in ${SUTTY} api.${SUTTY}; do for site in ${SUTTY} api.${SUTTY}; do
@ -57,10 +59,14 @@ case $1 in
cd /etc/letsencrypt/live cd /etc/letsencrypt/live
ln -s ${SUTTY} default ln -s ${SUTTY} default
touch "${updated}"
done done
updated=true ;;
prune)
comm -13 <(realpath /etc/letsencrypt/live/*/*.pem | sort) <(find /etc/letsencrypt/archive/ -name "*.pem" | sort) | xargs rm -v
touch "${updated}"
;; ;;
# Generate certificates # Generate certificates
*) *)
@ -101,7 +107,7 @@ case $1 in
--agree-tos \ --agree-tos \
--webroot-path /var/lib/letsencrypt \ --webroot-path /var/lib/letsencrypt \
-d "${domain}" -d "${domain}"
updated=true touch "${updated}"
done done
esac esac
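Review bot: The new `prune` arm pipes the `comm` output into `xargs rm -v` without `-r`, so on a run where no archived key is stale `rm -v` is executed with no operands and the arm fails; with the monit entry alerting on any non-zero status, a perfectly healthy month would raise an alert. The file already uses `xargs -r` for the chmod at the top of `ensure()`, and the same flag belongs here: `comm -13 <(realpath /etc/letsencrypt/live/*/*.pem | sort) <(find /etc/letsencrypt/archive/ -name "*.pem" | sort) | xargs -r rm -v`. The `<( … )` process substitutions are bash-only; if certbotd runs under BusyBox `ash` on these Alpine images (the shebang is outside the hunk) they are a syntax error and should be replaced by two `mktemp`-backed list files. Separately, `updated=/tmp/certbot.updated` (next to `lock=/tmp/certbot.lck`) moves the sync trigger from a shell variable into a world-writable directory, so any local user can `touch` the flag to make `ensure()` push the keys under `live/` to every node, or pre-create the lock; a root-owned state directory such as `/run/certbot` would close that. `ensure()` and the enclosing `case` both start outside the hunks shown.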


@ -10,6 +10,12 @@ check program certbot_renew
every "13 5 * * *" every "13 5 * * *"
if status != 0 then alert if status != 0 then alert
# Prune old keys
check program certbot_prune
with path "/usr/local/bin/certbotd prune"
every "13 1 2 * *"
if status != 0 then alert
# Get missing certificates for every cycle. # Get missing certificates for every cycle.
check program certbot check program certbot
with path "/usr/local/bin/certbotd" with path "/usr/local/bin/certbotd"