
#!/usr/bin/env bash
# @file Configure HTTPS certificates via Certbot
# @brief Acquires initial Certbot Let's Encrypt certificates and adds a cronjob for certificate renewal
# @description
# This script ensures the system has Let's Encrypt SSL certificates loaded. It leverages the CloudFlare DNS method.
# So long as your `.user.cloudflare.username` value in `home/.chezmoi.yaml.tmpl`, your `CLOUDFLARE_API_TOKEN` variable,
# and your `.host.domain` value in `home/.chezmoi.yaml.tmpl` are available, then this process should work. The API token
# only needs access to `DNS:Zone:Edit` for your `.host.domain` on CloudFlare.
#
# ## Links
#
# * [certbot-dns-cloudflare](https://certbot-dns-cloudflare.readthedocs.io/en/stable/)
# * [CloudFlare API Tokens](https://dash.cloudflare.com/profile/api-tokens)
# TODO: Integrate this into flow
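if command -v certbot > /dev/null; then
  # Resolve certbot once; the same absolute path is used for the sudo invocation below and for
  # the cron entry, so `sudo`'s secure_path cannot pick a different (or no) certbot.
  CERTBOT_BIN="$(command -v certbot)"
  LE_SRC="$HOME/.local/etc/letsencrypt"

  ### Ensure configuration files are in place
  if [ -f "$LE_SRC/dns-cloudflare.ini" ] && [ -f "$LE_SRC/letsencryptcli.ini" ]; then
    logg info 'Copying Lets Encrypt / Certbot configurations to /etc/letsencrypt'
    sudo mkdir -p /etc/letsencrypt
    # dns-cloudflare.ini carries the CloudFlare API token (DNS:Zone:Edit). `cp -f` would create
    # the copy with the umask default (typically world-readable); install it root-only instead.
    sudo install -m 600 "$LE_SRC/dns-cloudflare.ini" /etc/letsencrypt/dns-cloudflare.ini
    sudo install -m 644 "$LE_SRC/letsencryptcli.ini" /etc/letsencrypt/letsencryptcli.ini
    # NOTE(review): certbot's default config file is /etc/letsencrypt/cli.ini, and the certonly
    # call below passes neither `-c` nor `--dns-cloudflare-credentials`; confirm that
    # letsencryptcli.ini is actually consulted (rename it or pass `-c`), otherwise the plugin
    # will not find its credentials file.
  fi

  ### Ensure certificate is present
  if [ -f '/etc/letsencrypt/live/{{ .host.domain }}/cert.pem' ]; then
    logg info 'LetsEncrypt SSL certificate is already available'
  else
    logg info 'Acquiring certbot LetsEncrypt SSL certificates'
    # /etc/letsencrypt is root-owned (see the sudo mkdir above), so issuance runs under sudo;
    # a single comma-separated -d value is certbot's accepted multi-domain form.
    if ! sudo "$CERTBOT_BIN" certonly --noninteractive --dns-cloudflare --agree-tos --email '{{ .user.cloudflare.username }}' --dns-cloudflare-propagation-seconds 14 -d '*.{{ .host.domain }},*.lab.{{ .host.domain }},*.{{ .host.hostname | replace .host.domain "" | replace "." "" }}.{{ .host.domain }}'; then
      logg warn 'certbot certonly failed; no LetsEncrypt certificate was issued'
    fi
  fi

  ### Setup renewal cronjob
  RENEW_CMD="$CERTBOT_BIN renew --quiet"
  # Fixed-string match so the binary path is not interpreted as a regex; stderr is silenced
  # because `crontab -l` prints "no crontab for root" (and exits non-zero) when none exists.
  if ! sudo crontab -l 2> /dev/null | grep -qF -- "$RENEW_CMD"; then
    CRON_TMP="$(mktemp)"
    # `crontab FILE` replaces root's entire table, so carry over the existing entries first
    # instead of overwriting them with the single renew line.
    sudo crontab -l 2> /dev/null > "$CRON_TMP"
    printf '%s\n' "30 3 * * * $RENEW_CMD" >> "$CRON_TMP"
    logg info 'Adding certbot renew entry to crontab'
    sudo crontab - < "$CRON_TMP"
    rm -f -- "$CRON_TMP"
  fi
else
  logg warn 'certbot is not available. SSL certificate issuance cannot be run without it.'
fi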