Add automated TLS renewal and deployment documentation
Co-Authored-By: Oz <oz-agent@warp.dev>
69
scripts/renew-production-tls.sh
Executable file
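--- a/scripts/renew-production-tls.sh
+++ b/scripts/renew-production-tls.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# scripts/renew-production-tls.sh
+# Non-interactive renewal wrapper:
+# - loads renewal env defaults
+# - loads Cloudflare token export script
+# - runs certificate provisioning
+# - restarts only nextcloud-web when certificate changed
+
+set -euo pipefail
+
+REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+DOMAIN="${DOMAIN:-nxt.bhatfamily.in}"
+SSL_DIR="${REPO_DIR}/nginx/ssl"
+TLS_ENV_FILE="${TLS_ENV_FILE:-${REPO_DIR}/.tls-renewal.env}"
+CLOUDFLARE_TOKEN_SCRIPT_DEFAULT="${HOME}/bin/cloudflare-api-usertoken.sh"
+
+if [ -f "${TLS_ENV_FILE}" ]; then
+# shellcheck disable=SC1090
+set -a
+source "${TLS_ENV_FILE}"
+set +a
+fi
+
+CLOUDFLARE_TOKEN_SCRIPT="${CLOUDFLARE_TOKEN_SCRIPT:-${CLOUDFLARE_TOKEN_SCRIPT_DEFAULT}}"
+
+if [ -z "${CF_DNS_API_TOKEN:-}" ] && [ -f "${CLOUDFLARE_TOKEN_SCRIPT}" ]; then
+# shellcheck disable=SC1090
+source "${CLOUDFLARE_TOKEN_SCRIPT}"
+fi
+
+if [ -z "${CF_DNS_API_TOKEN:-}" ]; then
+echo "ERROR: CF_DNS_API_TOKEN is not set and could not be loaded from ${CLOUDFLARE_TOKEN_SCRIPT}."
+exit 1
+fi
+
+if [ -z "${LETSENCRYPT_EMAIL:-}" ]; then
+echo "ERROR: LETSENCRYPT_EMAIL is not set."
+echo "Set it in ${TLS_ENV_FILE} or export it in the shell before running this script."
+exit 1
+fi
+
+mkdir -p "${REPO_DIR}/logs"
+
+CERT_FILE="${SSL_DIR}/${DOMAIN}.crt"
+BEFORE_SHA=""
+if [ -f "${CERT_FILE}" ]; then
+BEFORE_SHA="$(sha256sum "${CERT_FILE}" | awk '{print $1}')"
+fi
+
+echo "==> Running production TLS provisioning/renewal..."
+"${REPO_DIR}/scripts/provision-production-tls.sh"
+
+AFTER_SHA=""
+if [ -f "${CERT_FILE}" ]; then
+AFTER_SHA="$(sha256sum "${CERT_FILE}" | awk '{print $1}')"
+fi
+
+if [ "${BEFORE_SHA}" != "${AFTER_SHA}" ]; then
+echo "==> Certificate changed; restarting nextcloud-web..."
+if command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1; then
+docker compose -f "${REPO_DIR}/docker-compose.yml" restart web
+else
+docker-compose -f "${REPO_DIR}/docker-compose.yml" restart web
+fi
+else
+echo "==> Certificate unchanged; no container restart required."
+fi
+
+echo "==> Renewal workflow complete."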
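Review bot: Both `source "${TLS_ENV_FILE}"` and `source "${CLOUDFLARE_TOKEN_SCRIPT}"` execute whatever those files contain with the privileges of whoever runs the renewal (typically a cron or root context), yet the script only checks `-f` before sourcing, so a group- or world-writable `.tls-renewal.env` in the repo checkout or `~/bin/cloudflare-api-usertoken.sh` lets any local user who can edit them run code here and also read the API token that `set -a` exports to every child process. A small ownership/mode guard applied before each `source` closes that gap without changing the workflow; a sketch follows. Separately, the three `echo "ERROR: ..."` diagnostics go to stdout, which is often discarded in unattended runs; redirecting them with `>&2` keeps the failure reason visible in the job's error stream.
```shell
# Sourcing a file executes it; refuse one that another local user could edit.
require_private_file() {
  local f=$1 mode
  [ -O "${f}" ] || { echo "ERROR: ${f} is not owned by the invoking user." >&2; exit 1; }
  mode=$(stat -c '%a' -- "${f}")
  if (( 8#${mode} & 8#022 )); then
    echo "ERROR: ${f} is group- or world-writable (mode ${mode}); refusing to source it." >&2
    exit 1
  fi
}

if [ -f "${TLS_ENV_FILE}" ]; then
  require_private_file "${TLS_ENV_FILE}"
  # … unchanged: set -a / source "${TLS_ENV_FILE}" / set +a …
fi

# … unchanged: CLOUDFLARE_TOKEN_SCRIPT default …

if [ -z "${CF_DNS_API_TOKEN:-}" ] && [ -f "${CLOUDFLARE_TOKEN_SCRIPT}" ]; then
  require_private_file "${CLOUDFLARE_TOKEN_SCRIPT}"
  # … unchanged: source "${CLOUDFLARE_TOKEN_SCRIPT}" …
fi
```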