From f9430a1aeb99d876b8976fc03ad73196fa8b52a8 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 30 Oct 2025 13:54:34 -0400
Subject: [PATCH] add script for deploying certbot replication setup
---
certbot-replicate | 17 +++++++++++++++++
deploy-primary | 16 ++++++++++++++++
.../certbot-renew.service.d/replicate.conf | 2 ++
hosts.sh | 8 ++++++++
4 files changed, 43 insertions(+)
create mode 100755 certbot-replicate
create mode 100755 deploy-primary
create mode 100644 etc/systemd/system/certbot-renew.service.d/replicate.conf
diff --git a/certbot-replicate b/certbot-replicate
new file mode 100755
index 0000000..92962e3
--- /dev/null
+++ b/certbot-replicate
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+status=0
+
+for mirror in $(cat /etc/mirrors); do
+ echo
+ echo Deploying to $mirror
+ echo
+
+ rsync -acv --delete --fsync --preallocate /etc/letsencrypt/ $mirror:/etc/letsencrypt &&
+ ssh root@$mirror nginx -s reload ||
+ status=1
+done
+
+exit $status
diff --git a/deploy-primary b/deploy-primary
new file mode 100755
index 0000000..0713a9f
--- /dev/null
+++ b/deploy-primary
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+. shared.sh
+. hosts.sh
+
+for host in ${hosts_primary[@]}; do
+ remote=root@$host
+
+ echo
+ echo $host
+ echo
+
+ rsync --chmod=F755 certbot-replicate $remote:/usr/local/bin/
+ rsync etc/systemd/system/certbot-renew.service.d/replicate.conf $remote:/etc/systemd/system/certbot-renew.service.d/
+ ssh $remote systemctl daemon-reload
+done
diff --git a/etc/systemd/system/certbot-renew.service.d/replicate.conf b/etc/systemd/system/certbot-renew.service.d/replicate.conf
new file mode 100644
index 0000000..5b7c582
--- /dev/null
+++ b/etc/systemd/system/certbot-renew.service.d/replicate.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPost=/usr/local/bin/certbot-replicate
diff --git a/hosts.sh b/hosts.sh
index 428230d..c4f3354 100644
--- a/hosts.sh
+++ b/hosts.sh
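Review bot: In the certbot-replicate hunk the mirror list is read with an unquoted `$(cat /etc/mirrors)` and `$mirror` is then expanded unquoted in the rsync and ssh arguments, so whitespace or glob characters in that file are word-split and globbed rather than passed through or rejected; `while IFS= read -r mirror; do … done < /etc/mirrors` with `"$mirror"` quoted is the usual shape. The rsync destination `$mirror:/etc/letsencrypt` connects as whatever user runs the script while the reload uses `root@$mirror` explicitly; presumably certbot-renew.service runs as root so the two agree, but writing `root@$mirror:/etc/letsencrypt` removes that dependency. A failed mirror only sets `status=1` and the loop moves on, so which mirror failed is visible only in rsync's or ssh's own stderr; `|| { echo "failed: $mirror" >&2; status=1; }` records it in the journal. The ssh identity this runs with has to be accepted as root on every mirror for both the rsync and `nginx -s reload`, so restricting that key on the mirrors to just those two operations (an authorized_keys `command=` wrapper or rrsync) bounds what a compromised primary can do with it.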
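Review bot: In the deploy-primary hunk nothing enables `errexit`, so a failed rsync of either file does not stop the following `ssh $remote systemctl daemon-reload` or the move to the next host, unlike certbot-replicate in the same commit; unless shared.sh already sets them, `set -o errexit -o nounset -o pipefail` after the shebang keeps the two scripts consistent. `${hosts_primary[@]}` and `$remote` are expanded unquoted; `"${hosts_primary[@]}"` and `"$remote"` are the safe form, though the entries added to hosts.sh contain no whitespace so this is style rather than a live bug today. The first rsync pins the installed mode with `--chmod=F755` while the replicate.conf copy inherits whatever mode the checkout has; `--chmod=F644` on that call makes the deployed mode independent of the working tree.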
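Review bot: `ExecStartPost=/usr/local/bin/certbot-replicate` runs on every start of certbot-renew.service, whether or not a certificate was renewed, and because certbot-replicate exits non-zero when any mirror fails, a single unreachable mirror marks the unit as failed even though the renewal itself succeeded. If that is intended as the alerting signal it deserves a comment in the drop-in, e.g. `# replication failure fails the unit so it shows up in systemctl --failed`; if not, the `-` prefix (`ExecStartPost=-/usr/local/bin/certbot-replicate`) makes the replication step best-effort. Running on every timer tick is cheap given rsync's checksum comparison, but a certbot deploy hook (renewal-hooks/deploy) would fire only when a certificate actually changed, if the reload on the mirrors is only needed then.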
@@ -334,6 +334,14 @@ readonly hosts_certbot=( grapheneos.social ) +readonly hosts_primary=( + 0.ns1.grapheneos.org + 0.ns2.grapheneos.org + 0.grapheneos.org + 0.grapheneos.network + 0.releases.grapheneos.org +) + readonly hosts_backup=( mail.grapheneos.org staging.attestation.app