scripts/init-letsencrypt.sh

#!/bin/bash
# Obtain TLS certificates from Let's Encrypt.
# Run once on first deploy: sudo ./scripts/init-letsencrypt.sh
# Requires nginx running on the host with acme-challenge location configured.
# Set DOMAIN in .env or export it before running:
#   DOMAIN=example.com sudo -E ./scripts/init-letsencrypt.sh

set -euo pipefail

# Load DOMAIN from .env if not already set in environment
if [ -f .env ]; then
  # Extract DOMAIN line, strip quotes and export
  DOMAIN_FROM_ENV=$(grep -E '^DOMAIN=' .env | cut -d= -f2- | tr -d '"'"'" | head -1)
  DOMAIN="${DOMAIN:-$DOMAIN_FROM_ENV}"
fi

if [ -z "${DOMAIN:-}" ]; then
  echo "ERROR: DOMAIN is not set. Add DOMAIN=yourdomain.com to .env or export it." >&2
  exit 1
fi

EMAIL="${LETSENCRYPT_EMAIL:-admin@$DOMAIN}"
CERTBOT_DIR="./certbot"
ACME_DIR="/var/www/certbot"

echo "==> Creating certbot directories..."
mkdir -p "$CERTBOT_DIR/conf" "$CERTBOT_DIR/www"

echo "==> Ensuring acme-challenge directory exists on host..."
sudo mkdir -p "$ACME_DIR"
sudo chmod 755 "$ACME_DIR"

echo "==> Requesting certificate from Let's Encrypt..."
sudo certbot certonly \
    --webroot \
    --webroot-path="$ACME_DIR" \
    --email "$EMAIL" \
    --agree-tos \
    --no-eff-email \
    -d "$DOMAIN" \
    -d "www.$DOMAIN"

echo "==> Copying certificates to project directory..."
sudo cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$CERTBOT_DIR/conf/fullchain.pem"
sudo cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$CERTBOT_DIR/conf/privkey.pem"
sudo chown "$(whoami):$(whoami)" "$CERTBOT_DIR/conf"/*.pem

echo "==> Done! TLS certificate installed for $DOMAIN"
echo ""
echo "Regenerate nginx config from template:"
echo "  DOMAIN=$DOMAIN envsubst '\$DOMAIN' < nginx/nginx.conf.template > nginx/nginx.conf"
echo ""
echo "Certificate files:"
echo "  - $CERTBOT_DIR/conf/fullchain.pem"
echo "  - $CERTBOT_DIR/conf/privkey.pem"
echo ""
echo "Configure nginx:"
echo "  ssl_certificate $CERTBOT_DIR/conf/fullchain.pem;"
echo "  ssl_certificate_key $CERTBOT_DIR/conf/privkey.pem;"
echo ""
echo "Set up auto-renewal with: sudo crontab -e"
echo "Add: 0 3 * * * certbot renew --quiet && systemctl reload nginx"
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00			`#!/bin/bash`
config: make domain configurable via DOMAIN env var Replace hardcoded evosync.ru with a DOMAIN variable read from .env. nginx.conf is now generated from nginx.conf.template via envsubst; init-letsencrypt.sh reads DOMAIN from .env and fails loudly if unset. README documents the new variable and first-deploy TLS workflow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-12 14:01:38 +03:00			`# Obtain TLS certificates from Let's Encrypt.`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00			`# Run once on first deploy: sudo ./scripts/init-letsencrypt.sh`
config: make domain configurable via DOMAIN env var Replace hardcoded evosync.ru with a DOMAIN variable read from .env. nginx.conf is now generated from nginx.conf.template via envsubst; init-letsencrypt.sh reads DOMAIN from .env and fails loudly if unset. README documents the new variable and first-deploy TLS workflow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-12 14:01:38 +03:00			`# Requires nginx running on the host with acme-challenge location configured.`
			`# Set DOMAIN in .env or export it before running:`
			`# DOMAIN=example.com sudo -E ./scripts/init-letsencrypt.sh`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00
			`set -euo pipefail`

config: make domain configurable via DOMAIN env var Replace hardcoded evosync.ru with a DOMAIN variable read from .env. nginx.conf is now generated from nginx.conf.template via envsubst; init-letsencrypt.sh reads DOMAIN from .env and fails loudly if unset. README documents the new variable and first-deploy TLS workflow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-12 14:01:38 +03:00			`# Load DOMAIN from .env if not already set in environment`
			`if [ -f .env ]; then`
			`# Extract DOMAIN line, strip quotes and export`
			`DOMAIN_FROM_ENV=$(grep -E '^DOMAIN=' .env \| cut -d= -f2- \| tr -d '"'"'" \| head -1)`
			`DOMAIN="${DOMAIN:-$DOMAIN_FROM_ENV}"`
			`fi`

			`if [ -z "${DOMAIN:-}" ]; then`
			`echo "ERROR: DOMAIN is not set. Add DOMAIN=yourdomain.com to .env or export it." >&2`
			`exit 1`
			`fi`

			`EMAIL="${LETSENCRYPT_EMAIL:-admin@$DOMAIN}"`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00			`CERTBOT_DIR="./certbot"`
Fix tls script. 2026-03-09 16:11:03 +03:00			`ACME_DIR="/var/www/certbot"`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00
			`echo "==> Creating certbot directories..."`
			`mkdir -p "$CERTBOT_DIR/conf" "$CERTBOT_DIR/www"`

Fix tls script. 2026-03-09 16:11:03 +03:00			`echo "==> Ensuring acme-challenge directory exists on host..."`
			`sudo mkdir -p "$ACME_DIR"`
			`sudo chmod 755 "$ACME_DIR"`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00
			`echo "==> Requesting certificate from Let's Encrypt..."`
Fix tls script. 2026-03-09 16:11:03 +03:00			`sudo certbot certonly \`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00			`--webroot \`
Fix tls script. 2026-03-09 16:11:03 +03:00			`--webroot-path="$ACME_DIR" \`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00			`--email "$EMAIL" \`
			`--agree-tos \`
			`--no-eff-email \`
			`-d "$DOMAIN" \`
			`-d "www.$DOMAIN"`

Fix tls script. 2026-03-09 16:11:03 +03:00			`echo "==> Copying certificates to project directory..."`
			`sudo cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$CERTBOT_DIR/conf/fullchain.pem"`
			`sudo cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$CERTBOT_DIR/conf/privkey.pem"`
			`sudo chown "$(whoami):$(whoami)" "$CERTBOT_DIR/conf"/*.pem`
feat: add nginx reverse proxy and Let's Encrypt TLS setup - Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> 2026-03-06 16:57:46 +03:00
			`echo "==> Done! TLS certificate installed for $DOMAIN"`
Fix tls script. 2026-03-09 16:11:03 +03:00			`echo ""`
config: make domain configurable via DOMAIN env var Replace hardcoded evosync.ru with a DOMAIN variable read from .env. nginx.conf is now generated from nginx.conf.template via envsubst; init-letsencrypt.sh reads DOMAIN from .env and fails loudly if unset. README documents the new variable and first-deploy TLS workflow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-12 14:01:38 +03:00			`echo "Regenerate nginx config from template:"`
			`echo " DOMAIN=$DOMAIN envsubst '\$DOMAIN' < nginx/nginx.conf.template > nginx/nginx.conf"`
			`echo ""`
Fix tls script. 2026-03-09 16:11:03 +03:00			`echo "Certificate files:"`
			`echo " - $CERTBOT_DIR/conf/fullchain.pem"`
			`echo " - $CERTBOT_DIR/conf/privkey.pem"`
			`echo ""`
			`echo "Configure nginx:"`
			`echo " ssl_certificate $CERTBOT_DIR/conf/fullchain.pem;"`
			`echo " ssl_certificate_key $CERTBOT_DIR/conf/privkey.pem;"`
			`echo ""`
			`echo "Set up auto-renewal with: sudo crontab -e"`
			`echo "Add: 0 3 * * * certbot renew --quiet && systemctl reload nginx"`