Created
March 23, 2022 10:17
-
-
Save langerma/9a7f6a79dd594b0e3190cdf9426d970f to your computer and use it in GitHub Desktop.
job file to create and deploy certs from letsencrypt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| job "update-certs" { | |
| datacenters = ["hetzner"] | |
| type = "batch" | |
| constraint { | |
| attribute = "${attr.kernel.name}" | |
| value = "linux" | |
| } | |
| periodic { | |
| // Launch every sunday at 00:00 | |
| cron = "0 0 0 * * 0 *" | |
| // Do not allow overlapping runs. | |
| prohibit_overlap = true | |
| } | |
| group "renew-certs" { | |
| restart { | |
| interval = "20s" | |
| attempts = 2 | |
| delay = "5s" | |
| mode = "delay" | |
| } | |
| task "renew-certs" { | |
| driver = "raw_exec" | |
| artifact { | |
| source = "https://github.com/go-acme/lego/releases/download/v4.6.0/lego_v4.6.0_linux_amd64.tar.gz" | |
| options { | |
| checksum = "sha256:c0c408788cdec96a4697300211c3944a050bb3d62ed3525a5409c136c94e09cb" | |
| } | |
| } | |
| template { | |
| data = <<EOF | |
| #!/usr/bin/env bash | |
| DOMAINS=$(consul kv get -detailed -keys secrets/letsencrypt/ | sed 's,/,,g' | sed 's,secretsletsencrypt,,g') | |
| for DOMAIN in $DOMAINS | |
| do | |
| echo "renew crt for: $DOMAIN" | |
| /bin/bash local/lego2consul.sh | |
| done | |
| EOF | |
| destination = "local/update-certs.sh" | |
| } | |
| template { | |
| data = <<EOF | |
| #!/usr/bin/env bash | |
| #set -xe | |
| LEGO_PATH=/tmp/cert-$RANDOM | |
| mkdir -p $LEGO_PATH/accounts/acme-v02.api.letsencrypt.org/$ACC/keys | |
| consul kv get secrets/letsencrypt/$DOMAIN/account.json > /dev/null 2>&1 | |
| if [[ $? -eq 0 ]]; then | |
| echo "Credentials found" | |
| consul kv get secrets/letsencrypt/$DOMAIN/account.json > $LEGO_PATH/accounts/acme-v02.api.letsencrypt.org/$ACC/account.json | |
| consul kv get secrets/letsencrypt/$DOMAIN/account_key > $LEGO_PATH/accounts/acme-v02.api.letsencrypt.org/$ACC/keys/$ACC.key | |
| else | |
| echo "Credentials not found" | |
| fi | |
| mkdir -p $LEGO_PATH/certificates | |
| for file in $DOMAIN.json $DOMAIN.crt $DOMAIN.issuer.crt $DOMAIN.key $DOMAIN.pem; do | |
| consul kv get secrets/letsencrypt/$DOMAIN/$file > /dev/null 2>&1 | |
| if [[ $? -eq 0 ]]; then | |
| echo "$file found in consul" | |
| consul kv get secrets/letsencrypt/$DOMAIN/$file > $LEGO_PATH/certificates/$file | |
| else | |
| echo "$file not found in vault" | |
| fi | |
| done | |
| local/lego -d $DOMAIN -a --email $ACC --dns $PROVIDER --pem --path $LEGO_PATH --dns.resolvers 8.8.8.8 run | |
| if [[ $? -eq 0 ]]; then | |
| consul kv put secrets/letsencrypt/$DOMAIN/account.json @$LEGO_PATH/accounts/acme-v02.api.letsencrypt.org/$ACC/account.json | |
| consul kv put secrets/letsencrypt/$DOMAIN/account_key @$LEGO_PATH/accounts/acme-v02.api.letsencrypt.org/$ACC/keys/$ACC.key | |
| for file in $DOMAIN.json $DOMAIN.crt $DOMAIN.issuer.crt $DOMAIN.key $DOMAIN.pem; do | |
| consul kv put secrets/letsencrypt/$DOMAIN/$file @$LEGO_PATH/certificates/$file | |
| done | |
| TEXT="Updated certificate for $DOMAIN via LetsEncrypt :tada:" | |
| echo $TEXT | |
| else | |
| echo "Lego error" | |
| TEXT="Error updating certificate for $DOMAIN in $ENV via LetsEncrypt :nauseated_face:" | |
| echo $TEXT | |
| fi | |
| rm -rf $LEGO_PATH | |
| EOF | |
| destination = "local/lego2consul.sh" | |
| perms = 777 | |
| } | |
| config { | |
| command = "/bin/bash" | |
| args = ["local/update-certs.sh"] | |
| } | |
| resources { | |
| cpu = 20 # Mhz | |
| memory = 32 # MB | |
| } | |
| env { | |
| HETZNER_API_KEY = "yourapi key" | |
| PROVIDER = "your dns provider" | |
| ACC = "your account email adress" | |
| } | |
| } | |
| } | |
| group "deploy-certs" { | |
| constraint { | |
| operator = "distinct_hosts" | |
| value = "true" | |
| } | |
| count = 8 | |
| task "deploy-certs" { | |
| driver = "raw_exec" | |
| template { | |
| data = <<EOF | |
| #!/usr/bin/env bash | |
| CERT_PATH=/data/traefik | |
| CONFIG=$CERT_PATH/certs.toml | |
| rm $CONFIG | |
| mkdir -p $CERT_PATH | |
| touch $CONFIG | |
| DOMAINS=$(consul kv get -detailed -keys secrets/letsencrypt/ | sed 's,/,,g' | sed 's,secretsletsencrypt,,g') | |
| for domain in $DOMAINS | |
| do | |
| echo "deploying crt for: $domain" | |
| consul kv get secrets/letsencrypt/$domain/$domain.crt > $CERT_PATH/$domain.crt | |
| echo "deploying key for: $domain" | |
| consul kv get secrets/letsencrypt/$domain/$domain.key > $CERT_PATH/$domain.key | |
| echo "creating config for: $domain" | |
| echo "[[tls.certificates]]" >> $CONFIG | |
| echo " certFile = \"/data/$domain.crt\"" >> $CONFIG | |
| echo " keyFile = \"/data/$domain.key\"" >> $CONFIG | |
| echo "" >> $CONFIG | |
| done | |
| EOF | |
| perms = 777 | |
| destination = "local/deploy-certs.sh" | |
| } | |
| config { | |
| command = "/bin/bash" | |
| args = ["local/deploy-certs.sh"] | |
| } | |
| resources { | |
| cpu = 20 # Mhz | |
| memory = 32 # MB | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment