vpn: Add cert updater

docs/assets/vpn/vpn-cert-updater.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# outside, call docker
+if command -v docker >/dev/null 2>&1; then
+  exec docker run --rm \
+    --name=vpn-cert-updater \
+    --net=none \
+    -v "$(realpath "$0")":/update.sh:ro \
+    -v vpn-certs:/vpn-certs \
+    -v /etc/ssl/private:/ssl-certs:ro \
+    alpine \
+    /update.sh
+  exit 1 # exec failed
+fi
+
+set -eux
+
+SSL_CERTS="/ssl-certs"
+VPN_CERTS="/vpn-certs"
+
+cp -p "${SSL_CERTS}/lugvpn/fullchain.pem" "${VPN_CERTS}/certs/vpn.ustclug.org.crt"
+cp -p "${SSL_CERTS}/lugvpn/privkey.pem" "${VPN_CERTS}/private/vpn.ustclug.org.key"
+echo "Cert Update Complete"

docs/infrastructure/ssl.md

@@ -11,6 +11,9 @@ _acme-challenge.lug.ustc.edu.cn    ->  lug.ssl-digitalocean.ustclug.org
 _acme-challenge.ustclug.org        ->  lug.ssl-digitalocean.ustclug.org
 _acme-challenge.proxy.ustclug.org  ->  lug.ssl-digitalocean.ustclug.org
 
+_acme-challenge.vpn.lug.ustc.edu.cn  ->  lugvpn.ssl-digitalocean.ustclug.org
+_acme-challenge.vpn.ustclug.org      ->  lugvpn.ssl-digitalocean.ustclug.org
+
 _acme-challenge.mirrors.ustc.edu.cn  ->  mirrors.ssl-digitalocean.ustclug.org
 ```
 

docs/services/vpn.md

@@ -8,3 +8,13 @@
     - mirrors4
     - gateway-el
     - gateway-nic
+
+## SSL Certificates {#ssl-certs}
+
+The certificate for `*.vpn.lug.ustc.edu.cn` + `*.vpn.ustclug.org` is acquired with our [certificate infrastructure](../infrastructure/ssl.md) and the vpn server runs `updater.sh` with cron.
+
+Two services running in Docker (strongswan and ocserv) use the certificate, so another cron job exists to copy the certificate files into the Docker volume (`vpn-certs`). The second updater script is listed below:
+
+```shell title="/usr/local/docker_sh/vpn-cert-updater.sh"
+--8<-- "vpn/vpn-cert-updater.sh"
+```