From 4999474ccef4e6361a371504d6e34fe2029fe255 Mon Sep 17 00:00:00 2001
From: jeaye
Date: Sun, 22 Jul 2018 11:56:24 -0700
Subject: [PATCH] install: Add a couple Docker-specific options to the certbot scripts.

--agree-tos is useful for the Docker environment, where we won't have an interactive shell present for agreeing to the ToS.

--deploy-hook is also useful for the Docker environment; it makes it possible to customize what deploy hook (if any) we pass into the underlying cerbot command.
---
 scripts/lib/certbot-maybe-renew |  4 +++-
 scripts/setup/setup-certbot     | 27 ++++++++++++++++++++++-----
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/scripts/lib/certbot-maybe-renew b/scripts/lib/certbot-maybe-renew
index 281e8cebe4..a69b2ed352 100755
--- a/scripts/lib/certbot-maybe-renew
+++ b/scripts/lib/certbot-maybe-renew
@@ -15,6 +15,8 @@ if ! zulip_conf_get_boolean certbot auto_renew; then
     exit 0
 fi
 
+deploy_hook="${ZULIP_CERTBOT_DEPLOY_HOOK:-service nginx reload}"
+
 /usr/local/sbin/certbot-auto renew --quiet \
     --webroot --webroot-path=/var/lib/zulip/certbot-webroot/ \
-    --deploy-hook 'service nginx reload'
+    --deploy-hook "$deploy_hook"
diff --git a/scripts/setup/setup-certbot b/scripts/setup/setup-certbot
index 2d9139c8fd..db1ff17236 100755
--- a/scripts/setup/setup-certbot
+++ b/scripts/setup/setup-certbot
@@ -15,7 +15,7 @@ if [ "$EUID" -ne 0 ]; then
 fi
 
 method=webroot
-args="$(getopt -o '' --long help,hostname:,email:,method:,no-zulip-conf -n "$0" -- "$@")"
+args="$(getopt -o '' --long help,hostname:,email:,method:,deploy-hook:,no-zulip-conf,agree-tos -n "$0" -- "$@")"
 eval "set -- $args"
 while true; do
     case "$1" in
@@ -34,6 +34,15 @@ while true; do
             shift
             shift
             ;;
+        --deploy-hook)
+            deploy_hook=(--deploy-hook "$2")
+            shift
+            shift
+            ;;
+        --agree-tos)
+            agree_tos=--agree-tos
+            shift
+            ;;
         --no-zulip-conf)
             no_zulip_conf=1
             shift
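Review bot: `deploy_hook` is taken straight from the `ZULIP_CERTBOT_DEPLOY_HOOK` environment variable and passed to certbot-auto, which executes it as a shell command with this script's own privileges after each successful renewal, so the trust boundary deserves a comment above the assignment: `# Executed by certbot through a shell, with this script's privileges, after a successful renewal; set ZULIP_CERTBOT_DEPLOY_HOOK only from trusted deployment config such as the container environment.` Because the expansion uses `:-`, an explicitly empty value falls back to `service nginx reload`, so the hook cannot be disabled through this variable; if that is intended, saying so in the same comment avoids surprise. If this script is also invoked from cron (not visible here), the override only takes effect when the variable is present in cron's environment, which is worth confirming and noting.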
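Review bot: `deploy_hook` and `agree_tos` are assigned only inside their case arms and never initialized before the `while` loop, so the later `$agree_tos` in the certonly call and `"$deploy_hook"` in the symlink guard (hunks `@@ -84,7` and `@@ -96,9`) depend on the variables being unset; that works without `set -u` but silently turns into an "unbound variable" error if the script ever enables it (the script's `set` options are not visible in the hunk). Initializing both next to `method=webroot` as arrays that expand to nothing when empty — `deploy_hook=()` and `agree_tos=()` — and using `agree_tos=(--agree-tos)` here with `"${agree_tos[@]}"` at the call site keeps the two options in the same form and removes the reliance on unquoted word splitting. The `case` statement begins above this hunk and continues below it.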
@@ -84,7 +93,11 @@ chmod a+x "$CERTBOT_PATH"
 # to agree to the Let's Encrypt Subscriber Agreement (aka ToS).
 # Passing --force-interactive suppresses a warning, but also brings up
 # an annoying prompt we stifle with --no-eff-email.
-"$CERTBOT_PATH" certonly "${method_args[@]}" -d "$DOMAIN" -m "$EMAIL" --force-interactive --no-eff-email
+"$CERTBOT_PATH" certonly "${method_args[@]}" \
+    -d "$DOMAIN" -m "$EMAIL" \
+    $agree_tos --force-renewal \
+    "${deploy_hook[@]}" \
+    --force-interactive --no-eff-email
 
 symlink_with_backup() {
     if [ -e "$2" ]; then
@@ -96,9 +109,13 @@ symlink_with_backup() {
     ln -nsf "$1" "$2"
 }
 
-CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
-symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
-symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt
+if [ -z "$deploy_hook" ]; then
+    # If no deploy hook was specified, assume we're deploying to the default
+    # location Zulip wants.
+    CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
+    symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
+    symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt
+fi
 
 case "$method" in
     webroot)
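Review bot: `--force-renewal` is added unconditionally to the certonly invocation although the commit message describes only `--agree-tos` and `--deploy-hook`; with it, every run of setup-certbot requests a brand-new certificate even when a valid one already exists, which in a Docker setup that re-runs this script on each container start would repeatedly count against Let's Encrypt's duplicate-certificate rate limit. If the intent is to avoid the interactive "existing certificate" prompt in a non-interactive container, `--keep-until-expiring` does that while letting certbot reuse an unexpired certificate; otherwise the flag should be gated behind an explicit option and explained in the comment block above the call. `$agree_tos` is left unquoted on purpose so an empty value vanishes, but since everything else on the line is quoted that deserves a note, e.g. `# $agree_tos is deliberately unquoted: it expands to nothing when --agree-tos was not given.`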
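Review bot: `[ -z "$deploy_hook" ]` tests only element 0 of the `deploy_hook` array, which is the literal `--deploy-hook` whenever the option was given, so the guard works but reads as if `deploy_hook` were a plain string; `if [ "${#deploy_hook[@]}" -eq 0 ]; then` states the intent directly, provided `deploy_hook` is initialized as an empty array before the option loop. The comment inside the branch should also spell out the other case: when a hook is supplied, `/etc/ssl/private/zulip.key` and `/etc/ssl/certs/zulip.combined-chain.crt` are not created, so the supplied hook becomes responsible for installing the certificate wherever the web server expects it. Note that `--deploy-hook ''` still counts as a hook here and skips the symlinks while passing an empty command to certbot; if that is not meant to be supported, rejecting an empty argument in the option parser would make it explicit.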