ss/sovereign-stack
ss
/
sovereign-stack
1
1
Fork 1
Code Releases Activity

Certificate renewal updates.

This commit is contained in:
Derek Smith 2022-05-24 14:20:59 -04:00
parent 3b2a3645f8
commit b64f941d93
Signed by: farscapian
GPG Key ID: 8F1CD799CCA516CC
2 changed files with 25 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
deployment/generate_certs.sh
View File

@ -2,25 +2,31 @@
set -e
# let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
docker pull certbot/certbot:latest
# when deploying to AWS, www exists on a separate IP address from btcpay, umbrel, etc.
# thus, we structure the certificate accordingly.
if [ "$VPS_HOSTING_TARGET" = aws ]; then
# let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
docker pull certbot/certbot
docker run -it --rm \
--name certbot \
-p 80:80 \
-p 443:443 \
-v /etc/letsencrypt:/etc/letsencrypt \
-v /var/lib/letsencrypt:/var/lib/letsencrypt certbot/certbot \
certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
-v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
-v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
# backup the certs to our SITE_PATH/certs.tar.gz so we have them handy (for local development)
ssh "$FQDN" sudo tar -zcvf "$REMOTE_HOME/certs.tar.gz" -C /etc ./letsencrypt
ssh "$FQDN" sudo chown ubuntu:ubuntu "$REMOTE_HOME/certs.tar.gz"
elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
# with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
# at a cachehing reverse proxy that runs nginx.
docker run -it --rm \
--name certbot \
-p 80:80 \
-p 443:443 \
-v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
-v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$BTCPAY_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
# now pull the tarballs down the local machine.
scp "$FQDN:$REMOTE_HOME/certs.tar.gz" "$SITE_PATH/certs.tar.gz"
else
echo "INFO: Skipping certificate renewal since we're on hosting provider=lxd."
fi
fi

19
deployment/go_www.sh
View File

@ -24,27 +24,18 @@ fi
# stop services.
if docker stack list --format "{{.Name}}" | grep -q webstack; then
docker stack rm webstack
sleep 20
sleep 15
fi
# this will generate letsencrypt certs and pull them down locally.
if [ "$VPS_HOSTING_TARGET" != lxd ]; then
# if [ "$VPS_HOSTING_TARGET" != lxd ]; then
# really we should change this if clause to some thing like
# "if the perimeter firewall allows port 80/443, then go ahead."
if [ "$VPS_HOSTING_TARGET" = aws ] && [ "$RUN_CERT_RENEWAL" = true ]; then
if [ "$RUN_CERT_RENEWAL" = true ]; then
./generate_certs.sh
fi
else
# restore the certs. If they don't exist in a backup we restore from SITE_PATH
if [ -f "$SITE_PATH/certs.tar.gz" ]; then
scp "$SITE_PATH/certs.tar.gz" "ubuntu@$FQDN:$REMOTE_HOME/certs.tar.gz"
ssh "$FQDN" "sudo tar -xvf $REMOTE_HOME/certs.tar.gz -C /etc"
else
echo "ERROR: Certificates do not exist locally."
exit 1
fi
fi
if [ "$RUN_BACKUP" = true ]; then
./backup_www.sh