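#!/usr/bin/env bash
# scripts/renew-production-tls.sh
#
# Non-interactive renewal wrapper:
#   - loads renewal env defaults from TLS_ENV_FILE (default: <repo>/.tls-renewal.env)
#   - loads the Cloudflare token export script when CF_DNS_API_TOKEN is not already set
#   - runs scripts/provision-production-tls.sh
#   - restarts only the "web" compose service (nextcloud-web) when the
#     certificate file under nginx/ssl changed
#
# Environment:
#   DOMAIN                   certificate base name under nginx/ssl
#                            (default: nxt.bhatfamily.in)
#   TLS_ENV_FILE             env file sourced with `set -a`, so every variable
#                            it assigns is exported to child processes
#   CLOUDFLARE_TOKEN_SCRIPT  script sourced to provide CF_DNS_API_TOKEN
#                            (default: ~/bin/cloudflare-api-usertoken.sh)
#   CF_DNS_API_TOKEN         required once loading is done
#   LETSENCRYPT_EMAIL        required once loading is done
#
# Diagnostics go to stderr; progress lines go to stdout. Exit status is 1 for a
# missing required variable or missing compose tooling; any other failing
# command aborts through `set -e`.
set -euo pipefail

REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
DOMAIN="${DOMAIN:-nxt.bhatfamily.in}"
SSL_DIR="${REPO_DIR}/nginx/ssl"
TLS_ENV_FILE="${TLS_ENV_FILE:-${REPO_DIR}/.tls-renewal.env}"
CLOUDFLARE_TOKEN_SCRIPT_DEFAULT="${HOME}/bin/cloudflare-api-usertoken.sh"

#######################################
# Print an error to stderr and exit 1.
# Arguments: $1 - message (prefixed with "ERROR: "), $2.. - extra plain lines
#######################################
die() {
  printf 'ERROR: %s\n' "$1" >&2
  shift
  [ "$#" -eq 0 ] || printf '%s\n' "$@" >&2
  exit 1
}

#######################################
# Print a progress line to stdout.
# Arguments: $* - message
#######################################
log() {
  printf '==> %s\n' "$*"
}

#######################################
# Hex SHA-256 of a file, or an empty string when the file does not exist.
# Arguments: $1 - path
# Outputs:   digest (or nothing) on stdout
#######################################
cert_sha256() {
  local file=$1
  if [ -f "${file}" ]; then
    sha256sum "${file}" | awk '{print $1}'
  fi
}

#######################################
# Restart the "web" compose service, preferring the compose v2 plugin and
# falling back to the standalone docker-compose binary.
# Globals:   REPO_DIR (read)
# Returns:   exit status of the restart; dies when neither tool is installed
#######################################
restart_web() {
  local compose_file="${REPO_DIR}/docker-compose.yml"
  if command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1; then
    docker compose -f "${compose_file}" restart web
  elif command -v docker-compose >/dev/null 2>&1; then
    docker-compose -f "${compose_file}" restart web
  else
    die "neither 'docker compose' nor 'docker-compose' is available; restart the web service manually."
  fi
}

# The env file is executed as shell code and may contain the DNS API token, so
# it should be owned by the invoking user and not be group/world-readable.
if [ -f "${TLS_ENV_FILE}" ]; then
  # shellcheck disable=SC1090
  set -a
  source "${TLS_ENV_FILE}"
  set +a
fi

CLOUDFLARE_TOKEN_SCRIPT="${CLOUDFLARE_TOKEN_SCRIPT:-${CLOUDFLARE_TOKEN_SCRIPT_DEFAULT}}"

# Only consult the token script when the env file (or the caller) did not
# already provide the token; it is sourced, so it runs with this script's rights.
if [ -z "${CF_DNS_API_TOKEN:-}" ] && [ -f "${CLOUDFLARE_TOKEN_SCRIPT}" ]; then
  # shellcheck disable=SC1090
  source "${CLOUDFLARE_TOKEN_SCRIPT}"
fi

[ -n "${CF_DNS_API_TOKEN:-}" ] \
  || die "CF_DNS_API_TOKEN is not set and could not be loaded from ${CLOUDFLARE_TOKEN_SCRIPT}."
[ -n "${LETSENCRYPT_EMAIL:-}" ] \
  || die "LETSENCRYPT_EMAIL is not set." \
         "Set it in ${TLS_ENV_FILE} or export it in the shell before running this script."

# Make both values visible to the provisioning script regardless of whether
# they came from the env file (already exported via set -a), the token script
# or the caller's shell.
export CF_DNS_API_TOKEN LETSENCRYPT_EMAIL

mkdir -p "${REPO_DIR}/logs"

CERT_FILE="${SSL_DIR}/${DOMAIN}.crt"
BEFORE_SHA="$(cert_sha256 "${CERT_FILE}")"

log "Running production TLS provisioning/renewal..."
"${REPO_DIR}/scripts/provision-production-tls.sh"

AFTER_SHA="$(cert_sha256 "${CERT_FILE}")"

# A changed digest (including a newly created file) means nginx must reload
# the certificate; an identical digest means nothing was reissued.
if [ "${BEFORE_SHA}" != "${AFTER_SHA}" ]; then
  log "Certificate changed; restarting nextcloud-web..."
  restart_web
else
  log "Certificate unchanged; no container restart required."
fi

log "Renewal workflow complete."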