depot/ops/raritan/ssl-renew/lego.sh


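#!/bin/sh
# Obtain or renew the certificate for CERTIFICATE_DOMAIN with lego, using the
# Cloudflare DNS challenge, and run deploy.sh as lego's hook afterwards.
#
# Required environment:
#   CERTIFICATE_DOMAIN  - domain to request the certificate for
#   LETSENCRYPT_EMAIL   - contact address for the ACME account
# The DNS provider's API credentials are not set in this script; presumably
# the caller supplies them through the environment (confirm against the unit
# or wrapper that starts this script).
#
# @lego@ and @out@ are placeholders that are substituted before the script is
# installed.
#
# NOTE(review): ".lego" is resolved relative to the current working
# directory, and lego keeps the account key and certificate private key
# there. The caller should start this script in a directory that only the
# renewing user can read and write.

# Only POSIX options: the shebang is /bin/sh, where "-o pipefail" and "[[ ]]"
# are not guaranteed to exist. The script has no pipelines, so nothing is lost.
set -eu

# Fail early on empty values. An empty domain would otherwise make lego
# consume the following flag as the domain name.
: "${CERTIFICATE_DOMAIN:?CERTIFICATE_DOMAIN must be set and non-empty}"
: "${LETSENCRYPT_EMAIL:?LETSENCRYPT_EMAIL must be set and non-empty}"

# Kept exported for anything downstream (for example the hook) that may read
# it. It is no longer used to build the command line, because expanding a flat
# string unquoted splits values on whitespace and expands globs, which lets a
# malformed domain or e-mail value turn into extra lego arguments.
LEGO_FLAGS="\
--accept-tos \
--dns cloudflare \
--dns.resolvers 1.1.1.1 \
--domains ${CERTIFICATE_DOMAIN} \
--key-type rsa4096 \
--email ${LETSENCRYPT_EMAIL} \
"
export LEGO_FLAGS

# Build the shared global flags as positional parameters so that each value
# stays exactly one argument.
set -- \
  --accept-tos \
  --dns cloudflare \
  --dns.resolvers 1.1.1.1 \
  --domains "${CERTIFICATE_DOMAIN}" \
  --key-type rsa4096 \
  --email "${LETSENCRYPT_EMAIL}"

# No certificate on disk yet: do the initial issuance.
if [ ! -f ".lego/certificates/${CERTIFICATE_DOMAIN}.crt" ]; then
  exec @lego@/bin/lego "$@" run --run-hook="@out@/deploy.sh"
fi

# A certificate already exists: renew it.
exec @lego@/bin/lego "$@" renew --renew-hook="@out@/deploy.sh"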