From 99b7f7e05b230fbac1b6d714412ef2a426f56cfc Mon Sep 17 00:00:00 2001
From: Chris <stofflees@gmail.com>
Date: Sun, 4 Apr 2021 22:17:13 +0100
Subject: [PATCH] Add certbot set up to bootstrap

---
 bootstrap.sh            | 23 ++++++++++++++++++++++-
 certbot/certbot.service |  6 ++++++
 certbot/certbot.timer   | 10 ++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 certbot/certbot.service
 create mode 100644 certbot/certbot.timer

diff --git a/bootstrap.sh b/bootstrap.sh
index 70501f8..536b832 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -13,7 +13,7 @@ passwd -l root
 
 # Install necessary packages
 echo "------- Installing packages -------"
-pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw
+pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot certbot-dns-digitalocean
 
 echo "------- Setting up SSH -------"
 # Remove old SSH keys in case running again
@@ -52,6 +52,27 @@ chmod +x /app/gitea/gitea
 chown -R git /app/gitea/gitea
 chown -R git /var/lib/gitea
 
+if [ $APP_ENV = "production" ]
+then
+    echo "------- Enabling certbot service -------"
+    mkdir -p /root/.secret/certbot
+    tee /root/.secret/certbot/digitalocean.ini <<END
+# DigitalOcean API credentials used by Certbot
+dns_digitalocean_token = $DIGITALOCEAN_TOKEN
+END
+
+    certbot certonly \
+	--dns-digitalocean \
+	--dns-digitalocean-credentials /root/.secret/certbot/digitalocean.ini \
+	-d *.$DOMAIN -d $DOMAIN \
+	-m stofflees@gmail.com \
+	--agree-tos \
+	--no-eff-email
+
+    cp /opt/scarif/certbot/* /etc/systemd/system/
+    systemctl enable --now certbot.timer
+fi
+
 echo "------- Adding config folders for jitsi -------"
 mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
 
diff --git a/certbot/certbot.service b/certbot/certbot.service
new file mode 100644
index 0000000..a216fdc
--- /dev/null
+++ b/certbot/certbot.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Let's Encrypt renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew --quiet --agree-tos --deploy-hook "cp /etc/letsencrypt/live/scarif.space/fullchain.pem /opt/ssl/scarif.space.crt && cp /etc/letsencrypt/live/scarif.space/privkey.pem /opt/ssl/scarif.space.key && docker exec scarif_nginx_1 nginx -s reload"
diff --git a/certbot/certbot.timer b/certbot/certbot.timer
new file mode 100644
index 0000000..94c8b8b
--- /dev/null
+++ b/certbot/certbot.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Twice daily renewal of Let's Encrypt's certificates
+
+[Timer]
+OnCalendar=0/12:00:00
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target