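#!/bin/bash
#
# Certificate renewal job: renews the HTTP-01 and DNS-01 certificates with
# dehydrated, reloads nginx/postfix/dovecot where installed, removes unused
# certificates and re-signs the zones listed in /etc/dehydrated/domains-dns01.
#
# Steps are best-effort (a failed step does not stop the following ones), but
# failures are remembered and the script exits non-zero at the end, so cron or
# monitoring can notice a renewal or reload that did not go through instead of
# discovering it when a certificate expires.

# Fixed search path so the job does not depend on the caller's environment.
# NOTE(review): presumably run as root from cron -- every directory listed
# here must be writable by root only, /usr/local/* included, since it is
# searched first.
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
export PATH

# Overall result: set to 1 by any renewal, reload or signing step that fails.
rc=0

date -R
echo

# it's important to have the time in sync before talking to LE
# assuming either an NTP daemon --or-- the DAILY script has been run before

echo RE-NEWING HTTP01 CERTIFICATES
echo
#dehydrated --cron --keep-going --algo rsa --out /etc/dehydrated/certs/RSA
# NOTE(review): the "|| rc=1" relies on dehydrated returning non-zero when a
# renewal fails under --keep-going -- confirm against the installed version.
dehydrated --cron --keep-going --algo prime256v1 \
  --out /etc/dehydrated/certs/ECC || rc=1
echo

echo RE-NEWING DNS01 CERTIFICATES
echo
#dehydrated --cron --keep-going --algo rsa --out /etc/dehydrated/certs/RSA --config /etc/dehydrated/config-dns01
dehydrated --cron --keep-going --algo secp384r1 \
  --out /etc/dehydrated/certs/ECC \
  --config /etc/dehydrated/config-dns01 || rc=1
echo

# we could otherwise consider reloading only if there's a new cert with hooks
# but this doesn't harm much and we are cleaning up old certs only thereafter

echo RELOADING DAEMONS
echo

# reload is enough
# A failed reload means the daemon keeps serving the previous certificate, so
# it is reported on stderr rather than silently skipped.
if command -v nginx >/dev/null 2>&1; then
  if nginx -s reload; then
    echo nginx reloaded
  else
    echo "nginx reload FAILED" >&2
    rc=1
  fi
fi

# need to emulate a terminal to get some output
# self-verbose
if command -v postfix >/dev/null 2>&1; then
  if script --return --command "postfix reload" \
    --append /var/log/typescript.log; then
    echo postfix reloaded
  else
    echo "postfix reload FAILED" >&2
    rc=1
  fi
fi

if command -v dovecot >/dev/null 2>&1; then
  if dovecot reload; then
    echo dovecot reloaded
  else
    echo "dovecot reload FAILED" >&2
    rc=1
  fi
fi
echo

echo CLEANING-UP UNUSED CERTS
echo
dehydrated --cleanup
dehydrated --cleanup --config /etc/dehydrated/config-dns01
echo

echo RE-SIGNING DNS ZONES
echo
# First space-separated field of every line that starts with [a-z0-9]; this
# skips comment and blank lines. Only the first character is checked, so each
# zone name is passed to the signer as a single quoted argument below (no word
# splitting or glob expansion). The list is read into an array up front so the
# signer cannot consume it through stdin.
mapfile -t dns01zones < <(
  cut -f1 -d ' ' /etc/dehydrated/domains-dns01 | grep -E '^[a-z0-9]'
)
for zone in "${dns01zones[@]}"; do
  echo zone "$zone"
  echo
  # self-verbose
  /etc/nsd/sign.ksh "$zone" || rc=1
  echo
done
unset zone
unset dns01zones

# free-up some space
# apt-get rather than apt: apt warns that its CLI is not stable for scripts.
# Written as an if so a non-Debian host does not leave a failing exit status.
if [[ -f /etc/debian_version ]]; then
  apt-get clean
fi

exit "$rc"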