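#!/usr/bin/env bash
# @file Configure HTTPS certificates via Certbot
# @brief Acquires initial Certbot Let's Encrypt certificates and adds a cronjob for certificate renewal
# @description
# This script ensures the system has Let's Encrypt SSL certificates loaded. It leverages the CloudFlare DNS method.
# So long as your `.user.cloudflare.username` value in `home/.chezmoi.yaml.tmpl`, your `CLOUDFLARE_API_TOKEN` variable,
# and your `.host.domain` value in `home/.chezmoi.yaml.tmpl` are available, then this process should work. The API token
# only needs access to `DNS:Zone:Edit` for your `.host.domain` on CloudFlare.
#
# ## Links
#
# * [certbot-dns-cloudflare](https://certbot-dns-cloudflare.readthedocs.io/en/stable/)
# * [CloudFlare API Tokens](https://dash.cloudflare.com/profile/api-tokens)

# TODO: Integrate this into flow
# TODO: Replace templated logic with live calls using yq

if command -v certbot > /dev/null; then
  ### Ensure configuration files are in place
  # Both the DNS plugin credentials file and the CLI config are staged under ~/.local/etc;
  # they are copied into /etc/letsencrypt only when both are present.
  if [ -f "$HOME/.local/etc/letsencrypt/dns-cloudflare.ini" ] && [ -f "$HOME/.local/etc/letsencrypt/letsencryptcli.ini" ]; then
    logg info 'Copying Lets Encrypt / Certbot configurations to /etc/letsencrypt'
    sudo mkdir -p /etc/letsencrypt
    sudo cp -f "$HOME/.local/etc/letsencrypt/dns-cloudflare.ini" /etc/letsencrypt/dns-cloudflare.ini
    sudo cp -f "$HOME/.local/etc/letsencrypt/letsencryptcli.ini" /etc/letsencrypt/letsencryptcli.ini
    # dns-cloudflare.ini carries the CloudFlare API token; restrict it to its owner so the token
    # is not readable by other local users (certbot also warns about loosely-permissioned credentials).
    sudo chmod 600 /etc/letsencrypt/dns-cloudflare.ini
  fi

  ### Ensure certificate is present
  if [ -f '/etc/letsencrypt/live/{{ .host.domain }}/cert.pem' ]; then
    logg info 'LetsEncrypt SSL certificate is already available'
  else
    logg info 'Acquiring certbot LetsEncrypt SSL certificates'
    # Wildcard certificate covering the base domain, the lab subdomain and this host's own subdomain.
    # NOTE(review): unlike the /etc/letsencrypt writes above, this runs without sudo — confirm the
    # invoking user can write to /etc/letsencrypt, or that the staged CLI config points elsewhere.
    certbot certonly --noninteractive --dns-cloudflare --agree-tos --email '{{ .user.cloudflare.username }}' --dns-cloudflare-propagation-seconds 14 -d '*.{{ .host.domain }},*.lab.{{ .host.domain }},*.{{ .host.hostname | replace .host.domain "" | replace "." "" }}.{{ .host.domain }}'
  fi

  ### Setup renewal cronjob
  CERTBOT_BIN="$(command -v certbot)"
  RENEW_ENTRY="$CERTBOT_BIN renew --quiet"
  # `crontab -l` exits non-zero and prints to stderr when root has no crontab yet; that simply
  # means the entry is missing, not an error. Match literally (-F): the binary path contains
  # characters that grep would otherwise treat as regex metacharacters.
  if ! sudo crontab -l 2> /dev/null | grep -qF -- "$RENEW_ENTRY"; then
    TMP="$(mktemp)"
    # `crontab < file` installs the file as the *entire* crontab, so start from the current
    # root crontab and append — writing only the new line would wipe every other root entry.
    sudo crontab -l 2> /dev/null > "$TMP"
    printf '%s\n' "30 3 * * * $RENEW_ENTRY" >> "$TMP"
    logg info 'Adding certbot renew entry to crontab'
    sudo crontab < "$TMP"
    rm -f -- "$TMP"
  fi
else
  logg warn 'certbot is not available. SSL certificate issuance cannot be run without it.'
fi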