2025-11-22 09:57:32 -08:00
parent 17a31e8b56
commit 8b4591482c
75 changed files with 4977 additions and 6 deletions


@@ -0,0 +1,122 @@
#!/bin/sh
set -x
ls -la
pwd
whoami
# Define active DuckDNS variables
DUCKDNS_DOMAIN="*.fbleagh.duckdns.org"
DUCKDNS_BASE="fbleagh.duckdns.org"
# CONSUL_URL is set externally by Nomad: ${attr.unique.network.ip-address}
# --- ACME Setup (Switching BACK to Let's Encrypt) ---
# Using a specific email to register a fresh account context
/usr/local/bin/acme.sh --register-account --server letsencrypt -m "admin-${DUCKDNS_BASE}@mailinator.com"
/usr/local/bin/acme.sh --set-default-ca --server letsencrypt
sleep 10
# --- 🎯 Dynamic Service Discovery ---
SERVICES=""
CHALLENGE_ALIAS_ARGS=""
for service in $(curl -s "http://$CONSUL_URL:8500/v1/catalog/services" | jq -r 'to_entries[] | select(.value | index("sslcert")) | .key'); do
SERVICE_DOMAIN="${service}.service.dc1.fbleagh.duckdns.org"
SERVICES="$SERVICES -d $SERVICE_DOMAIN"
# Correct pipe syntax for service domain alias
CHALLENGE_ALIAS_ARGS="$CHALLENGE_ALIAS_ARGS --challenge-alias $SERVICE_DOMAIN|$DUCKDNS_BASE"
done
# Build the complete domain list for logging/reference
DOMAIN_ARGS="-d $DUCKDNS_DOMAIN $SERVICES"
echo "Requesting certificate for: $DOMAIN_ARGS"
echo "--- Starting 2-STEP ISSUANCE (Back to Let's Encrypt) ---"
# ----------------------------------------------------------------------------------
## ➡️ STEP 1: Issue Wildcard Domain
# Note: We removed the explicit alias for the wildcard to simplify the request.
# The dns_duckdns hook naturally handles the root domain for the wildcard.
echo "--- STEP 1: Issuing Wildcard Domain ---"
/usr/local/bin/acme.sh --insecure --issue --dns dns_duckdns \
-d "$DUCKDNS_DOMAIN" \
--ecc --force --dnssleep 60
ACME_STATUS_1=$?
if [ $ACME_STATUS_1 -ne 0 ]; then
echo "🚨 ERROR: acme.sh STEP 1 (Wildcard) failed with exit code $ACME_STATUS_1."
# If step 1 fails on Let's Encrypt, we cannot proceed.
exit $ACME_STATUS_1
fi
echo "✅ STEP 1 (Wildcard) completed successfully."
# ----------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------
## ➡️ STEP 2: Issue Wildcard + Service Domains
echo "--- STEP 2: Issuing Wildcard + Service Domains ---"
/usr/local/bin/acme.sh --insecure --issue --dns dns_duckdns \
-d "$DUCKDNS_DOMAIN" \
$SERVICES \
$CHALLENGE_ALIAS_ARGS \
--ecc --force --dnssleep 60
ACME_STATUS_2=$?
if [ $ACME_STATUS_2 -ne 0 ]; then
echo "🚨 ERROR: acme.sh STEP 2 (Wildcard + Services) failed with exit code $ACME_STATUS_2."
exit $ACME_STATUS_2
fi
echo "✅ STEP 2 (Wildcard + Services) completed successfully. Proceeding to upload."
# ----------------------------------------------------------------------------------
# --- Upload to Consul ---
CERT_DIR="/acme.sh/${DUCKDNS_DOMAIN}_ecc"
CONSUL_KV_PATH="/v1/kv/letsconsul/${DUCKDNS_DOMAIN}"
upload_to_consul () {
FILE_PATH="$1"
KV_KEY="$2"
CURL_RESPONSE=$(curl -XPUT --data-binary "@$FILE_PATH" "http://$CONSUL_URL:8500$KV_KEY" 2>&1)
if echo "$CURL_RESPONSE" | grep -q "^true$"; then
echo "✅ Consul upload SUCCESS: $KV_KEY"
else
echo "❌ Consul upload FAILED: $KV_KEY"
echo "--- Full CURL Output ---"
echo "$CURL_RESPONSE"
exit 1
fi
}
echo "Starting Consul Uploads for ${DUCKDNS_DOMAIN}..."
upload_to_consul "$CERT_DIR/${DUCKDNS_DOMAIN}.key" "${CONSUL_KV_PATH}/${DUCKDNS_DOMAIN}.key"
upload_to_consul "$CERT_DIR/fullchain.cer" "${CONSUL_KV_PATH}/fullchain.cer"
upload_to_consul "$CERT_DIR/${DUCKDNS_DOMAIN}.cer" "${CONSUL_KV_PATH}/${DUCKDNS_DOMAIN}.cer"
upload_to_consul "$CERT_DIR/ca.cer" "${CONSUL_KV_PATH}/ca.cer"
# --- Verification ---
echo "--- Starting Certificate and Consul Verification ---"
echo "1. Checking SANs in local fullchain.cer..."
if [ -f "$CERT_DIR/fullchain.cer" ]; then
openssl x509 -in "$CERT_DIR/fullchain.cer" -text -noout | grep -A1 "X509v3 Subject Alternative Name"
echo "✅ Local SAN check complete."
else
echo "❌ ERROR: fullchain.cer not found."
exit 1
fi
CONSUL_CHECK_KEY="${CONSUL_KV_PATH}/fullchain.cer"
echo "2. Checking existence of ${CONSUL_CHECK_KEY} in Consul..."
CONSUL_METADATA=$(curl -s "http://$CONSUL_URL:8500${CONSUL_CHECK_KEY}?stale&keys&index=1")
CERT_VALUE_LENGTH=$(echo "$CONSUL_METADATA" | jq -r '.[0].Value' | wc -c)
if [ "$CERT_VALUE_LENGTH" -gt 100 ]; then
echo "✅ Consul upload verification SUCCESS."
else
echo "❌ Consul upload verification FAILED."
exit 1
fi
exit 0
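Review bot: `--insecure` on both acme.sh `--issue` lines (STEP 1 and STEP 2) disables TLS certificate verification toward the CA endpoint, so the account key and order are negotiated with whatever answers at the Let's Encrypt hostname; a public CA presents a valid certificate, so the flag has no purpose here and should be dropped from both lines. The issued private key is then sent by `upload_to_consul` over plain `http://$CONSUL_URL:8500` with no ACL token, which puts the key in cleartext on the wire and in the KV store; at minimum the script should fail early if the address is missing, `: "${CONSUL_URL:?CONSUL_URL must be set}"` before the first curl, and the Consul endpoint should be TLS/ACL-protected if the key has to live in KV at all. Note also that `set -x` at the top prints every expanded command, including the key path and upload URL, to the job log, and the `ls -la`/`pwd`/`whoami` probes look like leftover debugging.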


@@ -0,0 +1,27 @@
#!/bin/sh
set -e
set -x
ls -ld $(find /etc/letsencrypt)
apk add curl
#$LETSCONSUL_DOMAIN
certbot certonly \
-v \
--cert-name $LETSCONSUL_DOMAIN \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-token e4b5ca33-1f4d-494b-b06d-6dd4600df662 \
--dns-duckdns-propagation-seconds 60 \
--non-interactive \
--agree-tos \
-d *.${LETSCONSUL_DOMAIN} --email "stuart.stent@gmail.com"
curl -XPUT --data-bin "@/etc/letsencrypt/live/$LETSCONSUL_DOMAIN/privkey.pem" http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/$LETSCONSUL_DOMAIN/privkey
curl -XPUT --data-bin "@/etc/letsencrypt/live/$LETSCONSUL_DOMAIN/fullchain.pem" http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/$LETSCONSUL_DOMAIN/fullchain
curl -XPUT --data-bin "@/etc/letsencrypt/live/$LETSCONSUL_DOMAIN/cert.pem" http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/$LETSCONSUL_DOMAIN/cert
curl -XPUT --data-bin "@/etc/letsencrypt/live/$LETSCONSUL_DOMAIN/chain.pem" http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/$LETSCONSUL_DOMAIN/chain
#curl -XPUT --data-bin @/var/log/letsencrypt/letsencrypt.log http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/letsencrypt.log
/bin/sleep 600
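Review bot: The `--dns-duckdns-token` value on the certbot line is a literal DuckDNS API token committed to the repository; the same literal appears on the `--dns-duckdns-token` lines of the two later certbot scripts in this commit. Anyone with read access to the history can change the DNS records for that account, so the token should be rotated and supplied from the environment or a mounted file instead, e.g. `--dns-duckdns-token "${DUCKDNS_TOKEN:?DUCKDNS_TOKEN must be set}"`, or via the plugin's credentials-file option if it offers one, so it also stays out of `ps` and the `set -x` trace. Separately, `-d *.${LETSCONSUL_DOMAIN}` is unquoted, so the `*` undergoes pathname expansion if the working directory contains a matching name; write it as `-d "*.${LETSCONSUL_DOMAIN}"`, and the same applies to `--cert-name $LETSCONSUL_DOMAIN`.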


@@ -0,0 +1,40 @@
#!/bin/sh
set -e
set -x
IFS=";"
apk add curl
for group in $LETSCONSUL_DOMAINS
do
echo
echo "-----------------------"
IFS=" "
domains=""
domain_main=""
for domain in $group
do
if [ "$domain_main" = "" ]
then
domain_main="$domain"
fi
domains="$domains -d $domain"
done
echo certbot certonly \
-vvv \
--test-cert \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-token e4b5ca33-1f4d-494b-b06d-6dd4600df662 \
--dns-duckdns-propagation-seconds 120 \
--non-interactive \
--agree-tos \
--renew-by-default \
$domains --email "stuart.stent@gmail.com"
echo curl -XPUT --data-bin "@/etc/letsencrypt/live/\*.${domain_main}/privkey.pem" http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/$domain_main/privkey
echo curl -XPUT --data-bin "@/etc/letsencrypt/live/\*.${domain_main}/fullchain.pem" http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/$domain_main/fullchain
done
echo curl -XPUT --data-bin @/var/log/letsencrypt/letsencrypt.log http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/letsencrypt.log
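Review bot: Inside double quotes `\*` is not an escape sequence, so the path in the two `curl ... --data-bin` lines inside the loop expands to `/etc/letsencrypt/live/\*.<domain>/privkey.pem` with a literal backslash and will never match certbot's live directory once the `echo` prefix is removed. Rather than guessing how certbot names a wildcard lineage, pass `--cert-name "$domain_main"` on the certbot line and read from `"/etc/letsencrypt/live/$domain_main/privkey.pem"`, which makes the location deterministic. Every command in the loop is currently only echoed, so this file behaves as a dry run; a comment at the top stating that, e.g. `# DRY RUN: commands are echoed, not executed`, would save the next reader from wondering whether the missing quoting is live.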


@@ -0,0 +1,24 @@
#!/bin/sh
set -e
set -x
IFS=";"
apk add curl
echo certbot certonly \
-vvv \
--test-cert \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-token e4b5ca33-1f4d-494b-b06d-6dd4600df662 \
--dns-duckdns-propagation-seconds 120 \
--non-interactive \
--agree-tos \
--renew-by-default \
*.fbleagh-int.duckdns.org --email "stuart.stent@gmail.com"
echo curl -XPUT --data-bin "@/etc/letsencrypt/live/\*.fbleagh-int.duckdns.org/privkey.pem" http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/$domain_main/privkey
echo curl -XPUT --data-bin "@/etc/letsencrypt/live/\*.fbleagh-int.duckdns.org/fullchain.pem" http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/$domain_main/fullchain
done
echo curl -XPUT --data-bin @/var/log/letsencrypt/letsencrypt.log http://$LETSCONSUL_CONSUL_URL:8500/v1/kv/letsconsul/letsencrypt.log
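Review bot: The `done` near the end of the script has no matching `for` or `while`, so the shell aborts with a syntax error when it reaches that line; remove it. The two `curl` lines before it also reference `$domain_main`, which this script never assigns, so with `set -e` but no `set -u` it expands to empty and the KV path becomes `/v1/kv/letsconsul//privkey`; either define it, e.g. `domain_main=fbleagh-int.duckdns.org`, or add `set -u` after `set -e` so the unset name is reported instead of silently producing a malformed key. `IFS=";"` is set at the top but nothing in this file is word-split on it, so it is likely a leftover from the loop version and can go.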