add script for deploying certbot replication setup

2025-11-19 22:42:24 -05:00 · 2025-10-30 13:54:34 -04:00 · 2025-10-30 13:54:34 -04:00 · f9430a1aeb
commit f9430a1aeb
parent e6db6a15e6
4 changed files with 43 additions and 0 deletions
--- a/17
+++ b/17
@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+status=0
+
+for mirror in $(cat /etc/mirrors); do
+    echo
+    echo Deploying to $mirror
+    echo
+
+    rsync -acv --delete --fsync --preallocate /etc/letsencrypt/ $mirror:/etc/letsencrypt &&
+        ssh root@$mirror nginx -s reload ||
+        status=1
+done
+
+exit $status
--- a/16
+++ b/16
@ -0,0 +1,16 @@
+#!/bin/bash
+
+. shared.sh
+. hosts.sh
+
+for host in ${hosts_primary[@]}; do
+    remote=root@$host
+
+    echo
+    echo $host
+    echo
+
+    rsync --chmod=F755 certbot-replicate $remote:/usr/local/bin/
+    rsync etc/systemd/system/certbot-renew.service.d/replicate.conf $remote:/etc/systemd/system/certbot-renew.service.d/
+    ssh $remote systemctl daemon-reload
+done
--- a/etc/systemd/system/certbot-renew.service.d/replicate.conf
+++ b/etc/systemd/system/certbot-renew.service.d/replicate.conf
@ -0,0 +1,2 @@
+[Service]
+ExecStartPost=/usr/local/bin/certbot-replicate
--- a/hosts.sh
+++ b/hosts.sh
@ -334,6 +334,14 @@ readonly hosts_certbot=(
    grapheneos.social
 )

+readonly hosts_primary=(
+    0.ns1.grapheneos.org
+    0.ns2.grapheneos.org
+    0.grapheneos.org
+    0.grapheneos.network
+    0.releases.grapheneos.org
+)
+
 readonly hosts_backup=(
    mail.grapheneos.org
    staging.attestation.app