44 lines
2.3 KiB
Bash
44 lines
2.3 KiB
Bash
#!/usr/bin/env bash
|
|
# @file Configure HTTPS certificates via Certbot
|
|
# @brief Acquires initial Certbot Let's Encrypt certificates and adds a cronjob for certificate renewal
|
|
# @description
|
|
# This script ensures the system has Let's Encrypt SSL certificates loaded. It leverages the CloudFlare DNS method.
|
|
# So long as your `.user.cloudflare.username` value in `home/.chezmoi.yaml.tmpl`, your `CLOUDFLARE_API_TOKEN` variable,
|
|
# and your `.host.domain` value in `home/.chezmoi.yaml.tmpl` are available, then this process should work. The API token
|
|
# only needs access to `DNS:Zone:Edit` for your `.host.domain` on CloudFlare.
|
|
#
|
|
# ## Links
|
|
#
|
|
# * [certbot-dns-cloudflare](https://certbot-dns-cloudflare.readthedocs.io/en/stable/)
|
|
# * [CloudFlare API Tokens](https://dash.cloudflare.com/profile/api-tokens)
|
|
|
|
# TODO: Integrate this into flow
|
|
# TODO: Replace templated logic with live calls using yq
|
|
|
|
if command -v certbot > /dev/null; then
|
|
### Ensure configuration files are in place
|
|
if [ -f "$HOME/.local/etc/letsencrypt/dns-cloudflare.ini" ] && [ -f "$HOME/.local/etc/letsencrypt/letsencryptcli.ini" ]; then
|
|
logg info 'Copying Lets Encrypt / Certbot configurations to /etc/letsencrypt'
|
|
sudo mkdir -p /etc/letsencrypt
|
|
sudo cp -f "$HOME/.local/etc/letsencrypt/dns-cloudflare.ini" /etc/letsencrypt/dns-cloudflare.ini
|
|
sudo cp -f "$HOME/.local/etc/letsencrypt/letsencryptcli.ini" /etc/letsencrypt/letsencryptcli.ini
|
|
fi
|
|
|
|
### Ensure certificate is present
|
|
if [ -f '/etc/letsencrypt/live/{{ .host.domain }}/cert.pem' ]; then
|
|
logg info 'LetsEncrypt SSL certificate is already available'
|
|
else
|
|
logg info 'Acquiring certbot LetsEncrypt SSL certificates'
|
|
certbot certonly --noninteractive --dns-cloudflare --agree-tos --email '{{ .user.cloudflare.username }}' --dns-cloudflare-propagation-seconds 14 -d '*.{{ .host.domain }},*.lab.{{ .host.domain }},*.{{ .host.hostname | replace .host.domain "" | replace "." "" }}.{{ .host.domain }}'
|
|
fi
|
|
|
|
### Setup renewal cronjob
|
|
if ! sudo crontab -l | grep "$(which certbot) renew --quiet" > /dev/null; then
|
|
TMP="$(mktemp)"
|
|
echo "30 3 * * * $(which certbot) renew --quiet" > "$TMP"
|
|
logg info 'Adding certbot renew entry to crontab'
|
|
sudo crontab < "$TMP"
|
|
fi
|
|
else
|
|
logg warn 'certbot is not available. SSL certificate issuance cannot be run without it.'
|
|
fi
|