#!/bin/bash
set -euo pipefail

domains=(${RENEWED_DOMAINS-})

if [ ! ${#domains[@]} -eq 1 ]; then
	chown -R root:nginx /etc/letsencrypt/archive/*/
	chmod -R u=rwX,g=rX,o= /etc/letsencrypt/archive/*/

	chown root:nginx /etc/letsencrypt/live/*/
	chmod u=rwX,g=rX,o= /etc/letsencrypt/live/*/
else
	cert_name=${domains[0]}

	cert_dir_archive=/etc/letsencrypt/archive/${cert_name}/
	if [ -d ${cert_dir_archive} ]; then
		chown -R root:nginx ${cert_dir_archive}
		chmod -R u=rwX,g=rX,o= ${cert_dir_archive}
	else
		echo "${cert_dir_archive} doesn't exist" > /dev/stderr
		exit 1
	fi

	cert_dir_live=/etc/letsencrypt/live/${cert_name}/
	if [ -d ${cert_dir_live} ]; then
		chown root:nginx ${cert_dir_live}
		chmod u=rwX,g=rX,o= ${cert_dir_live}
	else
		echo "${cert_dir_live} doesn't exist" > /dev/stderr
		exit 1
	fi
fi