#!/bin/bash
# Obtain or renew certificates from letsencrypt, to be used with nginx
# webroot verification.
#
# A certificate will be issued for all server names defined in server
# blocks that contain 'include letsencrypt'.
#
# The pre-hook is used to remove snakeoil certificates that are
# required to bootstrap nginx configurations (nginx fails to start
# without ssl certificates). The hook is required because certbot does
# not overwrite foreign certificates, as described in this issue
# https://github.com/certbot/certbot/issues/3396
set -o exiterr

# TODO: make email configurable
email="jakob@odersky.com"

extra_flags=()
if [ "$1" = --test ]; then
    extra_flags+=("--test-cert")
fi

sites_enabled=($(
    find /etc/nginx/sites-enabled/ \
	 -not -type d -exec \
	 grep -q -e '^[[:space:]]*[^#][[:space:]]*include letsencrypt' {} \; \
	 -print))
host_lines=$(sed -n \
		 's/^[[:space:]]*[^#][[:space:]]*server_name \([^_].*\);/\1/p' \
		 "${sites_enabled[@]}")
hosts=$(echo "${host_lines[@]}" | tr "[:space:]" ",")

certbot certonly "${extra_flags[@]}" \
	--noninteractive \
	--agree-tos \
	--email "$email" \
	--cert-name nginx \
	--webroot --webroot-path /var/www/letsencrypt \
	--pre-hook "sh -c '(openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text) | grep --quiet letsencrypt || rm -r /etc/letsencrypt/live/nginx'" \
	--post-hook "systemctl reload nginx" \
	-d "$hosts"