project/www/generate_certs.sh

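#!/bin/bash
set -e

# Refresh the Let's Encrypt certificates for every domain in DOMAIN_LIST.
# certbot itself decides whether a renewal is actually due, so running this
# more often than necessary is harmless.
#
# Required environment: DOMAIN_LIST (comma- or space-separated), SITES_PATH.
# Everything else (PRIMARY_WWW_FQDN, REMOTE_DATA_PATH_LETSENCRYPT, the *_FQDN
# names, the DEPLOY_* flags, BTCPAY_ALT_NAMES, CERTIFICATE_EMAIL_ADDRESS) is
# expected to be provided by the project/site/domain files sourced below.

# NOTE(review): a floating "latest" tag means the certbot code that runs here
# changes whenever upstream pushes a new image; pinning a specific version tag
# (or a digest) would make the run reproducible.
CERTBOT_IMAGE_NAME="certbot/certbot:latest"
if ! docker image inspect "$CERTBOT_IMAGE_NAME" &> /dev/null; then
  docker pull "$CERTBOT_IMAGE_NAME"
fi

# Turn the list into an array with `read -a` rather than relying on an unquoted
# expansion, which would also glob-expand any '*' that ends up in the list.
# Commas are mapped to spaces first so both separators keep working.
read -r -a DOMAINS <<< "${DOMAIN_LIST//,/ }"

for DOMAIN_NAME in "${DOMAINS[@]}"; do
  export DOMAIN_NAME
  export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"

  # Load the project defaults, then the site's own configuration, then the
  # derived per-domain environment. The relative paths assume the working
  # directory the rest of the project uses when calling this script.
  source ../project_defaults.sh
  source "$SITE_PATH/site.conf"
  source ../domain_env.sh

  # All services are exposed from a single IP address that terminates at a
  # caching nginx reverse proxy, so certificate material for each domain lives
  # in one per-domain directory on the primary www host.
  # ssh re-parses its arguments in the remote shell; %q quotes the path so
  # spaces or shell metacharacters in it survive that round trip.
  ssh "$PRIMARY_WWW_FQDN" sudo mkdir -p "$(printf '%q' "$REMOTE_DATA_PATH_LETSENCRYPT/$DOMAIN_NAME/_logs")"

  # Collect the certbot -d arguments in an array so each name stays one word.
  # The bare domain, www and btcpay are the minimum that is always requested.
  DOMAIN_ARGS=(-d "$DOMAIN_NAME" -d "$WWW_FQDN" -d "$BTCPAY_USER_FQDN")
  if [ "${DEPLOY_NEXTCLOUD:-}" = true ]; then DOMAIN_ARGS+=(-d "$NEXTCLOUD_FQDN"); fi
  if [ "${DEPLOY_GITEA:-}" = true ]; then DOMAIN_ARGS+=(-d "$GITEA_FQDN"); fi
  if [ "${DEPLOY_NOSTR:-}" = true ]; then DOMAIN_ARGS+=(-d "$NOSTR_FQDN"); fi

  # BTCPAY_ALT_NAMES (set by the admin) lists extra labels under DOMAIN_NAME
  # that are added to the same certificate request.
  if [ -n "${BTCPAY_ALT_NAMES:-}" ]; then
    read -r -a ALT_NAMES <<< "${BTCPAY_ALT_NAMES//,/ }"
    for ALT_NAME in "${ALT_NAMES[@]}"; do
      DOMAIN_ARGS+=(-d "$ALT_NAME.$DOMAIN_NAME")
    done
  fi

  # Invoke certbot directly instead of eval'ing a string-built command line,
  # so values read from the sourced config files are never re-parsed as shell.
  # The image checked/pulled above is reused here rather than the bare
  # repository name (which resolves to the same "latest" tag).
  docker run -t --rm --name certbot \
    -p 80:80 -p 443:443 \
    -v "$REMOTE_DATA_PATH_LETSENCRYPT/$DOMAIN_NAME:/etc/letsencrypt" \
    -v /var/lib/letsencrypt:/var/lib/letsencrypt \
    -v "$REMOTE_DATA_PATH_LETSENCRYPT/$DOMAIN_NAME/_logs:/var/log/letsencrypt" \
    "$CERTBOT_IMAGE_NAME" certonly -v --noninteractive --agree-tos \
    --key-type ecdsa --standalone --expand \
    "${DOMAIN_ARGS[@]}" \
    --email "$CERTIFICATE_EMAIL_ADDRESS"
done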