Add certbot set up to bootstrap

bootstrap.sh

@@ -13,7 +13,7 @@ passwd -l root
 
 # Install necessary packages
 echo "------- Installing packages -------"
-pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw
+pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot certbot-dns-digitalocean
 
 echo "------- Setting up SSH -------"
 # Remove old SSH keys in case running again
@@ -52,6 +52,27 @@ chmod +x /app/gitea/gitea
 chown -R git /app/gitea/gitea
 chown -R git /var/lib/gitea
 
+if [ $APP_ENV = "production" ]
+then
+    echo "------- Enabling certbot service -------"
+    mkdir -p /root/.secret/certbot
+    tee /root/.secret/certbot/digitalocean.ini <<END
+# DigitalOcean API credentials used by Certbot
+dns_digitalocean_token = $DIGITALOCEAN_TOKEN
+END
+
+    certbot certonly \
+	--dns-digitalocean \
+	--dns-digitalocean-credentials /root/.secret/certbot/digitalocean.ini \
+	-d *.$DOMAIN -d $DOMAIN \
+	-m stofflees@gmail.com \
+	--agree-tos \
+	--no-eff-email
+
+    cp /opt/scarif/certbot/* /etc/systemd/system/
+    systemctl enable --now certbot.timer
+fi
+
 echo "------- Adding config folders for jitsi -------"
 mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
 

certbot/certbot.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Let's Encrypt renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew --quiet --agree-tos --deploy-hook "cp /etc/letsencrypt/live/scarif.space/fullchain.pem /opt/ssl/scarif.space.crt && cp /etc/letsencrypt/live/scarif.space/privkey.pem /opt/ssl/scarif.space.key && docker exec scarif_nginx_1 nginx -s reload"

certbot/certbot.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Twice daily renewal of Let's Encrypt's certificates
+
+[Timer]
+OnCalendar=0/12:00:00
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target