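#!/bin/bash
#
# WEEKLY maintenance: renew ACME certificates with dehydrated (HTTP-01 and
# DNS-01 configurations, default and ECC keys), reload the daemons that serve
# them, clean up unused certificates, re-sign the DNS-01 zones and, on Debian,
# clear the apt package cache.
#
# Every step is best-effort: a failing step never stops the later ones.
# Failures are reported on stderr and make the script exit non-zero, so that a
# failed renewal or reload is visible to cron or monitoring and does not pass
# unnoticed until a certificate expires.

# Fixed PATH so the tools are resolved the same way regardless of the caller's
# environment (cron usually provides a minimal one).
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin

# Number of steps that returned a non-zero status.
failures=0

#######################################
# Run one command; if it fails, report it on stderr and count the failure.
# Globals:   failures (written)
# Arguments: the command and its arguments
# Returns:   the exit status of the command
#######################################
run_step() {
  local rc=0
  "$@" || rc=$?
  if (( rc != 0 )); then
    printf 'WARNING: "%s" exited with status %d\n' "$*" "$rc" >&2
    failures=$((failures + 1))
  fi
  return "$rc"
}

echo "WEEKLY script starts at $(date --rfc-email)"
echo

# it's important to have the time in sync before talking to LE
# assuming either an NTP daemon --or-- the DAILY script has been run before

echo RE-NEWING HTTP01 CERTIFICATES
echo
run_step dehydrated --cron --keep-going
# NOTE(review): the HTTP01 ECC run uses prime256v1 while the DNS01 ECC run
# below uses secp384r1, both writing to the same --out directory; confirm
# that the different curves are intended.
run_step dehydrated --cron --keep-going --algo prime256v1 \
  --out /etc/dehydrated/certs/ECC
echo

echo RE-NEWING DNS01 CERTIFICATES
echo
run_step dehydrated --cron --keep-going --config /etc/dehydrated/config-dns01
run_step dehydrated --cron --keep-going --algo secp384r1 \
  --out /etc/dehydrated/certs/ECC --config /etc/dehydrated/config-dns01
echo

# we could otherwise consider reloading only if there's a new cert with hooks
# but this doesn't harm much and we are cleaning up old certs only thereafter

echo RELOADING DAEMONS
echo
# yes, just reload is enough
run_step nginx -s reload && echo nginx reloaded
# need to emulate a terminal to get some output - self-verbose
# (--return makes script(1) exit with the status of "postfix reload")
run_step script --return --command "postfix reload" \
  --append /var/log/typescript.log && echo postfix reloaded
run_step dovecot reload && echo dovecot reloaded
echo

echo CLEANING-UP UNUSED CERTS
echo
run_step dehydrated --cleanup
run_step dehydrated --cleanup --config /etc/dehydrated/config-dns01
echo

echo RE-SIGNING DNS ZONES
echo
# First space-separated field of every line that starts with a lowercase
# letter or a digit; comment lines and wildcard entries are filtered out by
# the grep. The names are read into an array, one per line, so that they are
# never subject to glob expansion and so that the signing script cannot
# consume the list through stdin.
mapfile -t dns01zones < <(
  cut -f1 -d ' ' /etc/dehydrated/domains-dns01 | grep -E '^[a-z0-9]'
)
for zone in "${dns01zones[@]}"; do
  echo "zone $zone"
  echo
  # self-verbose
  run_step /etc/nsd/sign.ksh "$zone"
  echo
done
unset zone
unset dns01zones

# free-up some space
# apt-get rather than apt: apt warns that its command-line interface is not
# stable for use in scripts. Housekeeping only, so not counted as a failure.
if [[ -f /etc/debian_version ]]; then
  apt-get clean
fi

echo "WEEKLY script ends at $(date --rfc-email)"

# Surface any failed step through the exit status.
if (( failures > 0 )); then
  printf 'WEEKLY script: %d step(s) failed, see warnings above\n' \
    "$failures" >&2
  exit 1
fi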