improve certbot provisioning script

1 files changed, 76 insertions, 0 deletions

diff --git a/modules/certbot/templates/certbot-tozt b/modules/certbot/templates/certbot-tozt
new file mode 100755
index 0000000..bdf1201
--- /dev/null
+++ b/modules/certbot/templates/certbot-tozt
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -eu
+set -o pipefail
+
+config_dir="${1:-}"
+if systemctl is-active -q nginx; then
+    is_running=1
+else
+    is_running=
+fi
+
+cleanup() {
+    if [ -z "$is_running" ]; then
+        systemctl stop nginx
+    fi
+
+    if [ -e /etc/nginx/nginx.conf.backup ]; then
+        mv /etc/nginx/nginx.conf.backup /etc/nginx.conf
+    fi
+}
+trap cleanup EXIT
+
+mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
+cat > /etc/nginx/nginx.conf <<EOF
+worker_processes 1;
+events {
+    worker_connections 1024;
+}
+http {
+    server {
+        listen 80 default;
+        server_name <%= @primary_domain %>;
+        location / {
+            root /tmp;
+        }
+    }
+<%- @secondary_domains.each do |domain| -%>
+    server {
+        listen 80;
+        server_name <%= domain %>;
+        location / {
+            root /tmp;
+        }
+    }
+<%- end -%>
+}
+EOF
+
+if [ -z "$is_running" ]; then
+    systemctl start nginx
+fi
+
+if [ -z "$config_dir" ]; then
+    /usr/bin/certbot run \
+        -n \
+        --agree-tos \
+        -m doy@tozt.net \
+        --cert-name <%= @primary_domain %> \
+        -d <%= @primary_domain %> \
+<%- @secondary_domains.each do |domain| -%>
+        -d <%= domain %> \
+<%- end -%>
+        --nginx
+else
+    /usr/bin/certbot run \
+        -n \
+        --agree-tos \
+        -m doy@tozt.net \
+        --config-dir "$config_dir" \
+        --cert-name <%= @primary_domain %> \
+        -d <%= @primary_domain %> \
+<%- @secondary_domains.each do |domain| -%>
+        -d <%= domain %> \
+<%- end -%>
+        --nginx
+fi