certificados/Makefile

# Especify the domain here or as an argument
domain ?= sutty.local
serial ?= $(shell date +%s)

# Never remove private keys!
.PRECIOUS: %.key

.DEFAULT_GOAL := all

ca_key ?= ca/key.key
ca_crt ?= ca/crt.crt
ca_tpl ?= templates/ca.tpl

domain_key ?= domain/$(domain).key
domain_csr ?= domain/$(domain).csr
domain_crt ?= domain/$(domain).crt
domain_tpl ?= templates/domain.tpl

# Make variables available to templates
export

# Detect distribution
include /etc/os-release

# Render templates
templates/%.tpl: templates/%.tpl.in
	envsubst < $< > $@

# Generate private keys
%.key:
	mkdir -p $(dir $@)
	certtool --generate-privkey --ask-pass --sec-param medium --outfile $@
	chmod 600 $@

# Generates a self-signed key for the CA
$(ca_crt): $(ca_key)
	certtool --generate-self-signed \
	         --load-privkey $< \
	         --template $(ca_tpl) \
	         --outfile $@

# Generates a certificate signing request
domain/%.csr: $(domain_tpl)
	certtool --generate-request --load-privkey $(domain_key) --outfile $@ --template $<

# Generates a site certificate
domain/%.crt:
	certtool --generate-certificate --load-request $(domain_csr) \
	         --load-ca-certificate $(ca_crt) \
	         --load-ca-privkey $(ca_key) \
	         --template $(domain_tpl) \
	         --outfile $@

ca: $(ca_key) $(ca_crt) ## Generate the CA keypair
install-ca: $(ca_crt)   ## Install the CA on system
ifeq ($(ID_LIKE),debian)
	sudo install -Dm 644 $< /usr/share/ca-certificates/extra/sutty.crt
	sudo dpkg-reconfigure ca-certificates
	sudo update-ca-certificates
else
	sudo trust anchor $<
endif
all: ca install-ca      ## Generate and install
domain: $(domain_key) $(domain_csr) $(domain_crt) ## Issue a site certificate
	rm -f templates/domain.tpl
coopcloud: ca domain
	abra app secret insert traefik.$(domain) ssl_cert v1 -f $(domain_crt)
	abra app secret insert traefik.$(domain) ssl_key  v1 -f $(domain_key)