#!/usr/bin/env bash
set -euo pipefail

domains=(${RENEWED_DOMAINS-})

if [ ! ${#domains[@]} -eq 1 ]; then
	chown -R root:nginx /etc/letsencrypt/archive/*/
	chmod -R u=rwX,g=rX,o= /etc/letsencrypt/archive/*/

	chown root:nginx /etc/letsencrypt/live/*/
	chmod u=rwX,g=rX,o= /etc/letsencrypt/live/*/
else
	cert_name="${domains[0]}"

	cert_dir_archive=/etc/letsencrypt/archive/"${cert_name}"/
	if [ -d "${cert_dir_archive}" ]; then
		chown -R root:nginx "${cert_dir_archive}"
		chmod -R u=rwX,g=rX,o= "${cert_dir_archive}"
	else
		echo "${cert_dir_archive} doesn't exist" > /dev/stderr
		exit 1
	fi

	cert_dir_live=/etc/letsencrypt/live/"${cert_name}"/
	if [ -d "${cert_dir_live}" ]; then
		chown root:nginx "${cert_dir_live}"
		chmod u=rwX,g=rX,o= "${cert_dir_live}"
	else
		echo "${cert_dir_live} doesn't exist" > /dev/stderr
		exit 1
	fi
fi