install: Add a couple Docker-specific options to the certbot scripts.

--agree-tos is useful for the Docker environment, where we won't have an interactive shell present for agreeing to the ToS. --deploy-hook is also useful for the Docker environment; it makes it possible to customize what deploy hook (if any) we pass into the underlying cerbot command.
2018-07-22 11:56:24 -07:00 · 2018-07-22 11:56:24 -07:00 · 4999474cce
parent 08d890e671
commit 4999474cce
2 changed files with 25 additions and 6 deletions
--- a/scripts/lib/certbot-maybe-renew
+++ b/scripts/lib/certbot-maybe-renew
@ -15,6 +15,8 @@ if ! zulip_conf_get_boolean certbot auto_renew; then
    exit 0
 fi

+deploy_hook="${ZULIP_CERTBOT_DEPLOY_HOOK:-service nginx reload}"
+
 /usr/local/sbin/certbot-auto renew --quiet \
  --webroot --webroot-path=/var/lib/zulip/certbot-webroot/ \
-  --deploy-hook 'service nginx reload'
+  --deploy-hook "$deploy_hook"
--- a/scripts/setup/setup-certbot
+++ b/scripts/setup/setup-certbot
@ -15,7 +15,7 @@ if [ "$EUID" -ne 0 ]; then
 fi

 method=webroot
-args="$(getopt -o '' --long help,hostname:,email:,method:,no-zulip-conf -n "$0" -- "$@")"
+args="$(getopt -o '' --long help,hostname:,email:,method:,deploy-hook:,no-zulip-conf,agree-tos -n "$0" -- "$@")"
 eval "set -- $args"
 while true; do
    case "$1" in
@ -34,6 +34,15 @@ while true; do
            shift
            shift
            ;;
+        --deploy-hook)
+            deploy_hook=(--deploy-hook "$2")
+            shift
+            shift
+            ;;
+        --agree-tos)
+            agree_tos=--agree-tos
+            shift
+            ;;
        --no-zulip-conf)
            no_zulip_conf=1
            shift
@ -84,7 +93,11 @@ chmod a+x "$CERTBOT_PATH"
 # to agree to the Let's Encrypt Subscriber Agreement (aka ToS).
 # Passing --force-interactive suppresses a warning, but also brings up
 # an annoying prompt we stifle with --no-eff-email.
-"$CERTBOT_PATH" certonly "${method_args[@]}" -d "$DOMAIN" -m "$EMAIL" --force-interactive --no-eff-email
+"$CERTBOT_PATH" certonly "${method_args[@]}" \
+                -d "$DOMAIN" -m "$EMAIL" \
+                $agree_tos --force-renewal \
+                "${deploy_hook[@]}" \
+                --force-interactive --no-eff-email

 symlink_with_backup() {
    if [ -e "$2" ]; then
@ -96,9 +109,13 @@ symlink_with_backup() {
    ln -nsf "$1" "$2"
 }

+if [ -z "$deploy_hook" ]; then
+    # If no deploy hook was specified, assume we're deploying to the default
+    # location Zulip wants.
    CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
    symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
    symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt
+fi

 case "$method" in
    webroot)