certbot: add cli.ini and deploy hook for permissions

2023-04-26 02:00:38 +02:00 · 2023-04-26 02:00:38 +02:00 · 8785a7935f
parent 157613c5bf
commit 8785a7935f
2 changed files with 45 additions and 0 deletions
--- a/install/certbot-deploy-hook.sh
+++ b/install/certbot-deploy-hook.sh
@ -0,0 +1,32 @@
+#!/bin/bash
+set -euo pipefail
+
+domains=(${RENEWED_DOMAINS-})
+
+if [ ! ${#domains[@]} -eq 1 ]; then
+	chown -R root:nginx /etc/letsencrypt/archive/*/
+	chmod -R u=rwX,g=rX,o= /etc/letsencrypt/archive/*/
+
+	chown root:nginx /etc/letsencrypt/live/*/
+	chmod u=rwX,g=rX,o= /etc/letsencrypt/live/*/
+else
+	cert_name=${domains[0]}
+
+	cert_dir_archive=/etc/letsencrypt/archive/${cert_name}/
+	if [ -d ${cert_dir_archive} ]; then
+		chown -R root:nginx ${cert_dir_archive}
+		chmod -R u=rwX,g=rX,o= ${cert_dir_archive}
+	else
+		echo "${cert_dir_archive} doesn't exist" > /dev/stderr
+		exit 1
+	fi
+
+	cert_dir_live=/etc/letsencrypt/live/${cert_name}/
+	if [ -d ${cert_dir_live} ]; then
+		chown root:nginx ${cert_dir_live}
+		chmod u=rwX,g=rX,o= ${cert_dir_live}
+	else
+		echo "${cert_dir_live} doesn't exist" > /dev/stderr
+		exit 1
+	fi
+fi
--- a/install/certbot.ini
+++ b/install/certbot.ini
@ -0,0 +1,13 @@
+non-interactive
+
+agree-tos
+no-eff-email
+email = "niver+letsencrypt@antopie.org"
+
+webroot
+webroot-path = "/srv/servnest/acme"
+
+key-type = "rsa"
+rsa-key-size = "3072"
+
+deploy-hook = "/root/certbot-deploy-hook.sh"