scripts/init-letsencrypt.sh

#!/bin/bash
# Obtain a TLS certificate from Let's Encrypt for one domain.
#
# Usage:
#   sudo ./scripts/init-letsencrypt.sh my-products.ru
#   sudo ./scripts/init-letsencrypt.sh xn----8sbfwtmcso8g.xn--p1ai
#
# For IDN/Cyrillic domains, pass the punycode form (certbot requires ASCII).
# If no argument is given, DOMAIN is read from .env.
# Run once per domain on first deploy.

set -euo pipefail

# ── resolve domain ────────────────────────────────────────────────────────────
if [ -n "${1:-}" ]; then
  DOMAIN="$1"
else
  if [ -f .env ]; then
    DOMAIN_FROM_ENV=$(grep -E '^DOMAIN=' .env | cut -d= -f2- | tr -d '"'"'" | head -1)
    DOMAIN="${DOMAIN:-${DOMAIN_FROM_ENV:-}}"
  fi
fi

if [ -z "${DOMAIN:-}" ]; then
  echo "ERROR: no domain specified." >&2
  echo "Usage: $0 <domain>  or set DOMAIN= in .env" >&2
  exit 1
fi

EMAIL="${LETSENCRYPT_EMAIL:-admin@$DOMAIN}"
ACME_DIR="/var/www/certbot"

echo "==> Obtaining certificate for: $DOMAIN (www.$DOMAIN)"
echo "    Email: $EMAIL"

echo "==> Ensuring acme-challenge directory exists..."
sudo mkdir -p "$ACME_DIR"
sudo chmod 755 "$ACME_DIR"

echo "==> Requesting certificate from Let's Encrypt..."
sudo certbot certonly \
    --webroot \
    --webroot-path="$ACME_DIR" \
    --email "$EMAIL" \
    --agree-tos \
    --no-eff-email \
    -d "$DOMAIN" \
    -d "www.$DOMAIN"

echo ""
echo "==> Certificate obtained for $DOMAIN"
echo "    /etc/letsencrypt/live/$DOMAIN/fullchain.pem"
echo "    /etc/letsencrypt/live/$DOMAIN/privkey.pem"
echo ""
echo "==> Generate nginx config and reload:"
echo "    sudo ./scripts/generate-nginx-conf.sh $DOMAIN"
echo "    sudo nginx -t && sudo systemctl reload nginx"
echo ""
echo "==> Auto-renewal (add to /etc/cron.d/certbot if not already present):"
echo "    0 3 * * * root certbot renew --quiet && systemctl reload nginx"
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00			`#!/bin/bash`
feat: multi-domain nginx configs and TLS scripts for мои-товары.рф / my-products.ru - nginx/nginx.conf: pre-generated config for both domains (IDN punycode for .рф) - scripts/generate-nginx-conf.sh: generates sites-available config from template per domain - scripts/init-letsencrypt.sh: accepts domain as arg (falls back to .env) - README.md: updated deploy section, removed stale VK_WEIGHT_PRICE_MULTIPLIER, added sync/logs routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 10:39:02 +03:00			`# Obtain a TLS certificate from Let's Encrypt for one domain.`
			`#`
			`# Usage:`
			`# sudo ./scripts/init-letsencrypt.sh my-products.ru`
refactor: remove IDN auto-conversion, pass punycode directly to TLS scripts Simpler than auto-converting: just pass xn----8sbfwtmcso8g.xn--p1ai directly. Updated usage comments in both scripts to reflect this. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 14:07:29 +03:00			`# sudo ./scripts/init-letsencrypt.sh xn----8sbfwtmcso8g.xn--p1ai`
feat: multi-domain nginx configs and TLS scripts for мои-товары.рф / my-products.ru - nginx/nginx.conf: pre-generated config for both domains (IDN punycode for .рф) - scripts/generate-nginx-conf.sh: generates sites-available config from template per domain - scripts/init-letsencrypt.sh: accepts domain as arg (falls back to .env) - README.md: updated deploy section, removed stale VK_WEIGHT_PRICE_MULTIPLIER, added sync/logs routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 10:39:02 +03:00			`#`
refactor: remove IDN auto-conversion, pass punycode directly to TLS scripts Simpler than auto-converting: just pass xn----8sbfwtmcso8g.xn--p1ai directly. Updated usage comments in both scripts to reflect this. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 14:07:29 +03:00			`# For IDN/Cyrillic domains, pass the punycode form (certbot requires ASCII).`
feat: multi-domain nginx configs and TLS scripts for мои-товары.рф / my-products.ru - nginx/nginx.conf: pre-generated config for both domains (IDN punycode for .рф) - scripts/generate-nginx-conf.sh: generates sites-available config from template per domain - scripts/init-letsencrypt.sh: accepts domain as arg (falls back to .env) - README.md: updated deploy section, removed stale VK_WEIGHT_PRICE_MULTIPLIER, added sync/logs routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 10:39:02 +03:00			`# If no argument is given, DOMAIN is read from .env.`
			`# Run once per domain on first deploy.`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00
			`set -euo pipefail`

feat: multi-domain nginx configs and TLS scripts for мои-товары.рф / my-products.ru - nginx/nginx.conf: pre-generated config for both domains (IDN punycode for .рф) - scripts/generate-nginx-conf.sh: generates sites-available config from template per domain - scripts/init-letsencrypt.sh: accepts domain as arg (falls back to .env) - README.md: updated deploy section, removed stale VK_WEIGHT_PRICE_MULTIPLIER, added sync/logs routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 10:39:02 +03:00			`# ── resolve domain ────────────────────────────────────────────────────────────`
			`if [ -n "${1:-}" ]; then`
			`DOMAIN="$1"`
			`else`
			`if [ -f .env ]; then`
			`DOMAIN_FROM_ENV=$(grep -E '^DOMAIN=' .env \| cut -d= -f2- \| tr -d '"'"'" \| head -1)`
			`DOMAIN="${DOMAIN:-${DOMAIN_FROM_ENV:-}}"`
			`fi`
config: make domain configurable via DOMAIN env var Replace hardcoded evosync.ru with a DOMAIN variable read from .env. nginx.conf is now generated from nginx.conf.template via envsubst; init-letsencrypt.sh reads DOMAIN from .env and fails loudly if unset. README documents the new variable and first-deploy TLS workflow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-12 14:01:38 +03:00			`fi`

			`if [ -z "${DOMAIN:-}" ]; then`
feat: multi-domain nginx configs and TLS scripts for мои-товары.рф / my-products.ru - nginx/nginx.conf: pre-generated config for both domains (IDN punycode for .рф) - scripts/generate-nginx-conf.sh: generates sites-available config from template per domain - scripts/init-letsencrypt.sh: accepts domain as arg (falls back to .env) - README.md: updated deploy section, removed stale VK_WEIGHT_PRICE_MULTIPLIER, added sync/logs routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 10:39:02 +03:00			`echo "ERROR: no domain specified." >&2`
			`echo "Usage: $0 <domain> or set DOMAIN= in .env" >&2`
config: make domain configurable via DOMAIN env var Replace hardcoded evosync.ru with a DOMAIN variable read from .env. nginx.conf is now generated from nginx.conf.template via envsubst; init-letsencrypt.sh reads DOMAIN from .env and fails loudly if unset. README documents the new variable and first-deploy TLS workflow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-12 14:01:38 +03:00			`exit 1`
			`fi`

			`EMAIL="${LETSENCRYPT_EMAIL:-admin@$DOMAIN}"`
Fix tls script. 2026-03-09 16:11:03 +03:00			`ACME_DIR="/var/www/certbot"`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00
feat: multi-domain nginx configs and TLS scripts for мои-товары.рф / my-products.ru - nginx/nginx.conf: pre-generated config for both domains (IDN punycode for .рф) - scripts/generate-nginx-conf.sh: generates sites-available config from template per domain - scripts/init-letsencrypt.sh: accepts domain as arg (falls back to .env) - README.md: updated deploy section, removed stale VK_WEIGHT_PRICE_MULTIPLIER, added sync/logs routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 10:39:02 +03:00			`echo "==> Obtaining certificate for: $DOMAIN (www.$DOMAIN)"`
			`echo " Email: $EMAIL"`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00
feat: multi-domain nginx configs and TLS scripts for мои-товары.рф / my-products.ru - nginx/nginx.conf: pre-generated config for both domains (IDN punycode for .рф) - scripts/generate-nginx-conf.sh: generates sites-available config from template per domain - scripts/init-letsencrypt.sh: accepts domain as arg (falls back to .env) - README.md: updated deploy section, removed stale VK_WEIGHT_PRICE_MULTIPLIER, added sync/logs routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 10:39:02 +03:00			`echo "==> Ensuring acme-challenge directory exists..."`
Fix tls script. 2026-03-09 16:11:03 +03:00			`sudo mkdir -p "$ACME_DIR"`
			`sudo chmod 755 "$ACME_DIR"`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00
			`echo "==> Requesting certificate from Let's Encrypt..."`
Fix tls script. 2026-03-09 16:11:03 +03:00			`sudo certbot certonly \`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00			`--webroot \`
Fix tls script. 2026-03-09 16:11:03 +03:00			`--webroot-path="$ACME_DIR" \`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00			`--email "$EMAIL" \`
			`--agree-tos \`
			`--no-eff-email \`
refactor: remove IDN auto-conversion, pass punycode directly to TLS scripts Simpler than auto-converting: just pass xn----8sbfwtmcso8g.xn--p1ai directly. Updated usage comments in both scripts to reflect this. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 14:07:29 +03:00			`-d "$DOMAIN" \`
			`-d "www.$DOMAIN"`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00
config: make domain configurable via DOMAIN env var Replace hardcoded evosync.ru with a DOMAIN variable read from .env. nginx.conf is now generated from nginx.conf.template via envsubst; init-letsencrypt.sh reads DOMAIN from .env and fails loudly if unset. README documents the new variable and first-deploy TLS workflow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-12 14:01:38 +03:00			`echo ""`
feat: multi-domain nginx configs and TLS scripts for мои-товары.рф / my-products.ru - nginx/nginx.conf: pre-generated config for both domains (IDN punycode for .рф) - scripts/generate-nginx-conf.sh: generates sites-available config from template per domain - scripts/init-letsencrypt.sh: accepts domain as arg (falls back to .env) - README.md: updated deploy section, removed stale VK_WEIGHT_PRICE_MULTIPLIER, added sync/logs routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 10:39:02 +03:00			`echo "==> Certificate obtained for $DOMAIN"`
refactor: remove IDN auto-conversion, pass punycode directly to TLS scripts Simpler than auto-converting: just pass xn----8sbfwtmcso8g.xn--p1ai directly. Updated usage comments in both scripts to reflect this. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 14:07:29 +03:00			`echo " /etc/letsencrypt/live/$DOMAIN/fullchain.pem"`
			`echo " /etc/letsencrypt/live/$DOMAIN/privkey.pem"`
Fix tls script. 2026-03-09 16:11:03 +03:00			`echo ""`
feat: multi-domain nginx configs and TLS scripts for мои-товары.рф / my-products.ru - nginx/nginx.conf: pre-generated config for both domains (IDN punycode for .рф) - scripts/generate-nginx-conf.sh: generates sites-available config from template per domain - scripts/init-letsencrypt.sh: accepts domain as arg (falls back to .env) - README.md: updated deploy section, removed stale VK_WEIGHT_PRICE_MULTIPLIER, added sync/logs routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 10:39:02 +03:00			`echo "==> Generate nginx config and reload:"`
			`echo " sudo ./scripts/generate-nginx-conf.sh $DOMAIN"`
			`echo " sudo nginx -t && sudo systemctl reload nginx"`
Fix tls script. 2026-03-09 16:11:03 +03:00			`echo ""`
feat: multi-domain nginx configs and TLS scripts for мои-товары.рф / my-products.ru - nginx/nginx.conf: pre-generated config for both domains (IDN punycode for .рф) - scripts/generate-nginx-conf.sh: generates sites-available config from template per domain - scripts/init-letsencrypt.sh: accepts domain as arg (falls back to .env) - README.md: updated deploy section, removed stale VK_WEIGHT_PRICE_MULTIPLIER, added sync/logs routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 10:39:02 +03:00			`echo "==> Auto-renewal (add to /etc/cron.d/certbot if not already present):"`
			`echo " 0 3 * * * root certbot renew --quiet && systemctl reload nginx"`