package certificates
import (
"context"
"crypto/tls"
"os"
"strings"
"github.com/caddyserver/certmagic"
"github.com/libdns/cloudflare"
"github.com/rs/zerolog/log"
"go.uber.org/zap"
"git.gay/gitgay/pages/errors"
"git.gay/gitgay/pages/pagerouter"
"git.gay/gitgay/pages/utils"
)
// ACME_CA is the ACME directory URL, taken from ACME_DIRECTORY_URL.
var ACME_CA = os.Getenv("ACME_DIRECTORY_URL")

// ACME_EMAIL is the contact address registered with the CA.
var ACME_EMAIL = os.Getenv("ACME_EMAIL")

// ACME_ACCEPT_TERMS is true whenever the ACME_ACCEPT_TERMS variable is
// *present* in the environment, regardless of its value: "ACME_ACCEPT_TERMS="
// and "ACME_ACCEPT_TERMS=false" both count as agreeing to the CA's terms.
var _, ACME_ACCEPT_TERMS = os.LookupEnv("ACME_ACCEPT_TERMS")

// CLOUDFLARE_TOKEN is the Cloudflare API token used for DNS-01 challenges.
// It is read once at package init and never validated here; an empty or
// wrong token presumably only surfaces when a DNS challenge is attempted.
var CLOUDFLARE_TOKEN = os.Getenv("CLOUDFLARE_TOKEN")

// DNS01Solver completes ACME DNS-01 challenges through Cloudflare using
// CLOUDFLARE_TOKEN. It is shared by every issuer built with useDns=true.
var DNS01Solver = &certmagic.DNS01Solver{
	DNSManager: certmagic.DNSManager{
		DNSProvider: &cloudflare.Provider{APIToken: CLOUDFLARE_TOKEN},
	},
}
// makeACMEIssuer builds an ACME issuer bound to magic from the ACME_*
// environment values (CA, contact email, terms acceptance). When useDns is
// true the shared Cloudflare DNS01Solver is attached so the issuer can
// complete DNS-01 challenges; otherwise the issuer is left with certmagic's
// default challenge handling.
func makeACMEIssuer(magic *certmagic.Config, useDns bool) *certmagic.ACMEIssuer {
	template := certmagic.ACMEIssuer{
		CA:     ACME_CA,
		Email:  ACME_EMAIL,
		Agreed: ACME_ACCEPT_TERMS,
	}
	acme := certmagic.NewACMEIssuer(magic, template)
	if !useDns {
		return acme
	}
	acme.DNS01Solver = DNS01Solver
	return acme
}
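// GetConfig configures certmagic's package-level defaults from the ACME_*
// environment values and returns the plain (HTTP-01 / TLS-ALPN-01) issuer —
// for wiring its challenge handler into the HTTP listener — together with a
// *tls.Config that obtains certificates on demand.
//
// HTTP_PORT and HTTPS_PORT are the ports this service listens on; they are
// passed to certmagic both as its listener ports and as the ACME "alternate"
// challenge ports.
//
// Side effects: mutates certmagic.HTTPPort, certmagic.HTTPSPort,
// certmagic.Default and certmagic.DefaultACME, and starts asynchronous
// issuance for PAGES_DOMAIN and *.PAGES_DOMAIN.
func GetConfig(HTTP_PORT int, HTTPS_PORT int) (*certmagic.ACMEIssuer, *tls.Config) {
	certmagic.HTTPPort = HTTP_PORT
	// Fixed: this line previously assigned HTTPS_PORT to certmagic.HTTPPort a
	// second time, clobbering the HTTP port and leaving HTTPSPort untouched.
	certmagic.HTTPSPort = HTTPS_PORT
	certmagic.DefaultACME.CA = ACME_CA
	certmagic.DefaultACME.AltHTTPPort = HTTP_PORT
	certmagic.DefaultACME.AltTLSALPNPort = HTTPS_PORT
	certmagic.DefaultACME.Email = ACME_EMAIL
	certmagic.DefaultACME.Agreed = ACME_ACCEPT_TERMS
	// NOTE(review): no-op loggers mean issuance and renewal failures are
	// reported nowhere; the only log line in this file is the debug message
	// in the DecisionFunc below. Consider a real zap logger in production.
	certmagic.Default.Logger = zap.NewNop()
	certmagic.DefaultACME.Logger = zap.NewNop()

	// On-demand TLS: a certificate is requested the first time a handshake
	// arrives for a name. The DecisionFunc is the only guard against
	// obtaining certificates for arbitrary hostnames an attacker points at
	// this service (and burning CA rate limits doing so), so both checks must
	// stay: the name must resolve to us, and it must map to a site the page
	// router knows about.
	certmagic.Default.OnDemand = &certmagic.OnDemandConfig{
		DecisionFunc: func(ctx context.Context, name string) (err error) {
			if !utils.PointingAtUs(name) {
				return errors.NewErrorNotPointedAtUs()
			}
			_, err = pagerouter.GetTarget(name, "")
			if err != nil {
				log.Debug().Err(err).Msg("Not issuing certificate for target as it could not be found on git.gay")
			}
			return
		},
	}

	// NewDefault snapshots certmagic.Default, so OnDemand must be assigned
	// above before this call.
	magic := certmagic.NewDefault()

	// Collapse "<leaf>.<site>.<PAGES_DOMAIN>" into "*.<site>.<PAGES_DOMAIN>"
	// so one wildcard certificate covers every sub-subdomain of a site. A
	// direct "<site>.<PAGES_DOMAIN>" (only one label below the suffix) and any
	// name outside PAGES_DOMAIN are returned unchanged.
	magic.SubjectTransformer = func(ctx context.Context, name string) string {
		suffix := "." + utils.PAGES_DOMAIN
		if !strings.HasSuffix(name, suffix) {
			return name
		}
		parts := strings.Split(strings.TrimSuffix(name, suffix), ".")
		if len(parts) > 1 {
			parts[0] = "*"
		}
		return strings.Join(parts, ".") + suffix
	}

	dnsIssuer := makeACMEIssuer(magic, true)
	defaultIssuer := makeACMEIssuer(magic, false)

	// Issuer order matters: certmagic tries defaultIssuer (HTTP-01 /
	// TLS-ALPN-01) first and falls back to the Cloudflare DNS-01 issuer.
	// Wildcard subjects produced by the transformer above are presumably only
	// satisfiable by dnsIssuer, since ACME grants wildcards via DNS-01 only.
	magic.Issuers = []certmagic.Issuer{defaultIssuer, dnsIssuer}

	tlsConfig := magic.TLSConfig()
	// Advertise h2 and http/1.1 ahead of whatever ALPN protocols certmagic
	// already put in NextProtos (presumably acme-tls/1 for TLS-ALPN-01).
	tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)

	// Pre-warm the apex and wildcard certificates. These calls are
	// fire-and-forget: nothing waits on them or checks a result, and with the
	// no-op loggers above a failure is silent until a handshake fails.
	magic.ObtainCertAsync(context.Background(), utils.PAGES_DOMAIN)
	magic.ObtainCertAsync(context.Background(), "*."+utils.PAGES_DOMAIN)

	return defaultIssuer, tlsConfig
}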