From 428d5c288fcb947f52b13585f862f118c784baab Mon Sep 17 00:00:00 2001
From: Philip Henning
Date: Tue, 19 Nov 2024 13:11:40 +0100
Subject: [PATCH] make renew hook executable; add systemd units and timer to renew certificates
---
 scripts/cert_renew_hook.sh | 0
 scripts/init.sh | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 mode change 100644 => 100755 scripts/cert_renew_hook.sh
diff --git a/scripts/cert_renew_hook.sh b/scripts/cert_renew_hook.sh
old mode 100644
new mode 100755
diff --git a/scripts/init.sh b/scripts/init.sh
index 4072cc8..cc45d41 100755
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -65,3 +65,35 @@ if [[ ! -d ./data/.lego ]]; then
 fi
 # Setup cronjob to automatically renew certificates
+[[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.service ]] && cat < /etc/systemd/system/lego-renew-sso-base23-de.service && systemctl daemon-reload
+[Unit]
+Description=SSL Certificate renewal for sso.base23.de with LEGO
+Documentation=https://go-acme.github.io/lego/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/var/lib/apps/sso.base23.de/scripts/cert_renew.sh
+WorkingDirectory=/var/lib/apps/sso.base23.de/
+User=root
+Group=root
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+[[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.timer ]] && cat < /etc/systemd/system/lego-renew-sso-base23-de.timer && systemctl daemon-reload && systemctl enable --now lego-renew-sso-base23-de.timer
+[Unit]
+Description=SSL Certificate renewal for sso.base23.de with LEGO Timer
+
+[Timer]
+OnCalendar=*-*-* 01:32:00
+# add extra delay, here up to 1 hour:
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
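Review bot: `RemainAfterExit=yes` in the generated lego-renew-sso-base23-de.service keeps the oneshot unit active after its first run, and a timer that elapses while its unit is already active does not start it again, so the daily `OnCalendar` trigger would renew only once per boot and the certificate for the SSO host could expire unnoticed. Drop that line, and the service's `[Install]` section too, since only the timer is enabled. The unit also runs `/var/lib/apps/sso.base23.de/scripts/cert_renew.sh` as root, so that script and its parent directories should be writable by root only; their ownership is not visible in this patch, and a comment such as `# cert_renew.sh runs as root via systemd; keep scripts/ root-owned` above the block would record the requirement. Because each block is a bare `[[ ! -f … ]] && …` chain and the second one appears to be the last statement of init.sh, a re-run with the timer already installed ends with a non-zero status and never updates an existing unit file; an `if [[ ! -f … ]]; then … fi` form avoids the misleading exit code.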