Init.

2026-02-02 20:12:50 +03:00
parent b8f89cd286
commit 6b54303482
11 changed files with 4276 additions and 1 deletions
--- a/install-certs.sh
+++ b/install-certs.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+# Let's Encrypt SSL Certificate Installation Script for xmpp.guschin.info
+# This script installs SSL certificates via Let's Encrypt (certbot)
+
+set -e
+
+DOMAIN="xmpp.guschin.info"
+CERT_PATH="/etc/letsencrypt/live/${DOMAIN}"
+EMAIL="${EMAIL:-admin@mguschin.info}"  # Default email or use EMAIL env var
+WEBROOT="/var/www/letsencrypt"
+
+echo "========================================"
+echo "Let's Encrypt Certificate Installation"
+echo "========================================"
+echo "Domain: $DOMAIN"
+echo "Email: $EMAIL"
+echo "Certificate Path: $CERT_PATH"
+echo ""
+
+# Check if certbot is installed
+if ! command -v certbot &> /dev/null; then
+    echo "Installing certbot..."
+    apt-get update
+    apt-get install -y certbot
+fi
+
+# Create webroot directory for ACME challenges
+if [ ! -d "$WEBROOT" ]; then
+    echo "Creating webroot directory: $WEBROOT"
+    mkdir -p "$WEBROOT"
+    chmod 755 "$WEBROOT"
+fi
+
+# Check if certificate already exists
+if [ -d "$CERT_PATH" ]; then
+    echo "Certificate already exists at $CERT_PATH"
+    read -p "Do you want to renew it? (y/n) " -n 1 -r
+    echo
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        echo "Renewing certificate..."
+        certbot renew --force-renewal --non-interactive
+    else
+        echo "Skipping certificate installation."
+        exit 0
+    fi
+else
+    echo "Generating new certificate for $DOMAIN..."
+    
+    # Install certificate using webroot authenticator
+    # Nginx must be configured to serve $WEBROOT/.well-known/acme-challenge/
+    certbot certonly \
+        --webroot \
+        --webroot-path "$WEBROOT" \
+        --non-interactive \
+        --agree-tos \
+        --email "$EMAIL" \
+        -d "$DOMAIN"
+    
+    echo ""
+    echo "✓ Certificate installed successfully!"
+    echo "  Fullchain: $CERT_PATH/fullchain.pem"
+    echo "  Private Key: $CERT_PATH/privkey.pem"
+fi
+
+# Set proper permissions for nginx
+if id "www-data" &>/dev/null; then
+    chmod 755 $CERT_PATH
+    chmod 755 $CERT_PATH/..
+fi
+
+# Optional: Set up automatic renewal via cron
+echo ""
+echo "Setting up automatic renewal (optional)..."
+if ! grep -q "certbot renew" /etc/cron.d/certbot 2>/dev/null; then
+    echo "Configuring automatic certificate renewal..."
+    # Certbot automatically installs cron job on most systems
+    # But you can manually add it:
+    # (crontab -l 2>/dev/null; echo "0 3 * * * certbot renew --quiet") | crontab -
+fi
+
+echo ""
+echo "========================================"
+echo "Certificate installation complete!"
+echo "========================================"
+echo ""
+echo "Next steps:"
+echo "1. Ensure your nginx config points to:"
+echo "   - ssl_certificate: $CERT_PATH/fullchain.pem"
+echo "   - ssl_certificate_key: $CERT_PATH/privkey.pem"
+echo "2. Reload nginx: nginx -s reload"
+echo "3. Test your SSL setup: https://www.ssllabs.com/ssltest/"
+echo ""