Since Fedora CoreOS machines are not managed by Ansible, we need another way to keep the HTTPS certificate up-to-date. To that end, I've added the `fetchcert.sh` script, along with a corresponding systemd service and timer unit, that will fetch the latest certificate from the Secret resource managed by the Kubernetes API. The script authenticates with a long-lived bearer token associated with a particular Kubernetes service account and downloads the current Secret to a local file. If the certificate in the Secret is different from the one already in place, the certificate and key files are updated and nginx is reloaded.
Makefile
# Command-style targets that never correspond to a file on disk.
.PHONY: all clean publish
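.DEFAULT_GOAL := all

# Every recipe below writes its target through a shell redirection
# (`butane ... > $@`, `gpg2 --decrypt ... > $@`).  If the command fails,
# delete the half-written target instead of leaving a truncated file
# with a fresh mtime that the next run would treat as up to date.
.DELETE_ON_ERROR: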
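## Remove the generated Ignition configs and the plaintext .env/.token
## files this Makefile decrypted from their .gpg sources, so no decrypted
## secret lingers after a clean.  Only plaintext files that have a
## matching .gpg counterpart are removed; they can be regenerated.
clean:
	$(RM) *.ign $(patsubst %.gpg,%,$(wildcard *.env.gpg *.token.gpg))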
# genrules: given one Butane source $(1) (foo.yaml), emit the rule that
# builds foo.ign from it and hook foo.ign into `all`.  The template is
# expanded through $(eval) by the foreach below, hence the doubled `$$`:
# `$(1)` and the patsubst are expanded at call time, while `$$<`, `$$@`
# and `$$(shell ...)` survive as `$<`, `$@` and `$(shell ...)` for make to
# expand when the generated rule itself is parsed.
#
# The sed command lists every path that follows `local:` in the YAML
# (the files butane resolves relative to `-d .` and inlines into the .ign)
# and adds them as prerequisites, so editing an embedded file -- or
# decrypting a .env/.token it names, via the pattern rules below --
# rebuilds the .ign.  `sed -r` is GNU sed syntax.
define genrules
$(patsubst %.yaml,%.ign,$(1)): $(1) $$(shell sed -rn 's/.*local: (.*)/\1/p' $(1))
	butane -d . $$< > $$@

all: $(patsubst %.yaml,%.ign,$(1))
endef
# Instantiate genrules once for every Butane source in this directory.
yaml_sources := $(wildcard *.yaml)
$(foreach src,$(yaml_sources),$(eval $(call genrules,$(src))))
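# Decrypt a GPG-encrypted environment file.  The plaintext is kept
# encrypted at rest for a reason, so it is written under umask 077
# (mode 0600) into a temporary file and moved into place only once gpg2
# has succeeded; a failed run removes the temporary file rather than
# leaving a truncated .env with a newer mtime than its .gpg source.
%.env: %.env.gpg
	umask 077 && gpg2 --decrypt $< > $@.tmp && mv -f $@.tmp $@ || { $(RM) $@.tmp; exit 1; }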
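# Decrypt a GPG-encrypted token file (the bearer token fetchcert.sh uses
# against the Kubernetes API).  Written under umask 077 (mode 0600) via a
# temporary file that is only moved into place once gpg2 has succeeded, so
# the plaintext token is never world-readable and a failed decrypt does
# not leave a truncated .token that make would consider up to date.
%.token: %.token.gpg
	umask 077 && gpg2 --decrypt $< > $@.tmp && mv -f $@.tmp $@ || { $(RM) $@.tmp; exit 1; }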
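# Where `publish` uploads the Ignition configs; override on the command
# line with `make publish PUBLISH_DEST=host:path/`.
PUBLISH_DEST ?= files.pyrocufflink.blue:public_html/

## Upload the built Ignition configs to the host that serves them.
## NOTE(review): butane inlines every `local:` file into the .ign and the
## destination is a public_html directory -- confirm that none of the
## files nvr1.yaml references (e.g. a decrypted .token) must stay private.
publish: nvr1.ign
	rsync -rti $^ $(PUBLISH_DEST)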