services/pkg/lego: Add a lego service container

the-maldridge · the-maldridge · commit e0ef776ee1a0 · 2021-09-23T22:07:17.000-05:00
diff --git a/.github/workflows/pkg-lego.yml b/.github/workflows/pkg-lego.yml
@@ -0,0 +1,33 @@
+name: LEGO Service Container
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version tag"
+        required: true
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@master
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to GCHR
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: services/pkg/lego
+          push: true
+          tags: "ghcr.io/void-linux/infra-lego:${{ github.event.inputs.version }}"
+          labels: |
+            org.opencontainers.image.source=${{ github.repositoryUrl }}
diff --git a/services/pkg/lego/Dockerfile b/services/pkg/lego/Dockerfile
@@ -0,0 +1,10 @@
+FROM  ghcr.io/void-linux/void-linux:latest-thin-x86_64
+
+RUN xbps-install -Sy && xbps-install -y lego vault binutils upx findutils diffutils && \
+        strip /usr/bin/vault && upx /usr/bin/vault && \
+        xbps-remove -Roy binutils upx && \
+        rm -rf /var/cache/xbps
+WORKDIR /lego
+ENV ACTION=renew
+COPY lego.sh /entrypoint
+ENTRYPOINT ["/entrypoint"]
diff --git a/services/pkg/lego/lego.sh b/services/pkg/lego/lego.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+: "${ACTION:=renew}"
+: "${SERVER:=https://acme-v02.api.letsencrypt.org/directory}"
+
+handle_path() {
+    vault kv list "$1" | tail -n +3 | while read -r path ; do
+        case "$path" in
+            */)
+                mkdir -p "$1/$path"
+                handle_path "$1/$path"
+                ;;
+            *)
+                vault kv get -field contents "$1$path" > "$1$path"
+                ;;
+        esac
+    done
+}
+
+printf "Retrieving existing data from Vault\n"
+mkdir -p secret/lego/data
+handle_path secret/lego/data
+cp -r secret/lego/data pre-run
+
+
+# Need to dynamically choose whether to run or renew here.  Plausibly
+# easier to just run it once and then change the arguments.
+lego \
+    --accept-tos \
+    --email maldridge@voidlinux.org \
+    --path secret/lego/data \
+    --dns digitalocean \
+    --domains '*.voidlinux.org' \
+    --domains '*.s.voidlinux.org' \
+    --server $SERVER \
+    $ACTION
+
+if ! diff -rq pre-run secret/lego/data ; then
+    printf "Uploading new data to Vault\n"
+    find secret/lego/data -type f -exec vault kv put {} contents=@{} \;
+fi
