From b93ca3c0fa6e4c68815bacd4dca30c2c6777664a Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Fri, 9 Aug 2019 17:32:40 +0300
Subject: [PATCH] acmesh-ssl.sh: demand root, add variables, create dirs

Resolves: #15
---
 bash/acmesh-ssl.sh | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)
 mode change 100644 => 100755 bash/acmesh-ssl.sh

diff --git a/bash/acmesh-ssl.sh b/bash/acmesh-ssl.sh
old mode 100644
new mode 100755
index 772a262..8b1b511
--- a/bash/acmesh-ssl.sh
+++ b/bash/acmesh-ssl.sh
@@ -5,28 +5,40 @@ # WARNING! # Check file permissions very carefully so other users cannot access the # certificate copies. -# Used with crontab. +# Used with crontab as root, remember `@daily bash /root/acmesh-ssl.sh >/dev/null 2>&1` + +if [ "$(id -u)" != "0" ]; then + echo "acme.sh prefers root, this script demands it." 1>&2 + exit 1 +fi # The domain the certs are mainly issued for DOMAINNAME=relpda.mikaela.info +# Directories +SYNCPLAYDIR=/opt/syncplay/ssl +MUMBLEDIR=/var/lib/mumble-server/ssl +ZNCDIR=/home/znc/.znc/ssl # Where is acme.sh + flags applying to them all ACMESH="/root/.acme.sh/acme.sh --install-cert -d $DOMAINNAME" +# Start by creating the directories if they don't exist +/bin/mkdir -p $SYNCPLAYDIR $MUMBLEDIR $ZNCDIR + # Syncplay - TODO https://github.com/Syncplay/syncplay/issues/250 -$ACMESH --cert-file /opt/syncplay/ssl/cert.pem --key-file /opt/syncplay/ssl/privkey.pem --fullchain-file /opt/syncplay/ssl/chain.pem --reloadcmd "systemctl restart syncplay-server --quiet" -chmod -R 700 /opt/syncplay/ssl -chown -R syncplay:root /opt/syncplay/ssl +$ACMESH --cert-file $SYNCPLAYDIR/cert.pem --key-file $SYNCPLAYDIR/privkey.pem --fullchain-file $SYNCPLAYDIR/chain.pem --reloadcmd "systemctl restart syncplay-server --quiet" +chmod -R 700 $SYNCPLAYDIR +chown -R syncplay:root $SYNCPLAYDIR # Mumble -$ACMESH --fullchain-file /var/lib/mumble-server/ssl/fullchain.cer --key-file /var/lib/mumble-server/ssl/$DOMAINNAME.key --reloadcmd "systemctl restart mumble-server --quiet" +$ACMESH --fullchain-file $MUMBLEDIR/fullchain.cer --key-file $MUMBLEDIR/$DOMAINNAME.key --reloadcmd "systemctl restart mumble-server --quiet" # future on 1.3.0 + # --reloadcmd "pkill $(cat /var/run/mumble-server/mumble-server.pid) -USR1" -chmod -R 700 /var/lib/mumble-server/ssl/ -chown -R mumble-server:mumble-server /var/lib/mumble-server/ssl/ +chmod -R 700 $MUMBLEDIR/ +chown -R mumble-server:mumble-server $MUMBLEDIR/ # ZNC 1.7.0 (SSLCertFile & SSLKeyFile in znc.conf) -# znc.conf's 
SSLDHParamFile is created by `openssl dhparam 2048 > /home/znc/.znc/ssl/dh.pem` -$ACMESH --fullchain-file /home/znc/.znc/ssl/fullchain.cer --key-file /home/znc/.znc/ssl/$DOMAINNAME.key -chmod -R 700 /home/znc/.znc/ssl/ -chown -R znc:znc /home/znc/.znc/ssl/ +# znc.conf's SSLDHParamFile is created by `openssl dhparam 2048 > $ZNCDIRdh.pem` +$ACMESH --fullchain-file $ZNCDIR/fullchain.cer --key-file $ZNCDIR/$DOMAINNAME.key +chmod -R 700 $ZNCDIR +chown -R znc:znc $ZNCDIR
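Review bot: The new `/bin/mkdir -p $SYNCPLAYDIR $MUMBLEDIR $ZNCDIR` creates the directories with the caller's default umask, and the `chmod -R 700` for each service only runs after `$ACMESH --install-cert` has already copied the private key into it, so for the length of each install the key directory (and likely the key file) can be readable by other local users, which is exactly what the file's own WARNING comment is about. Setting `umask 077` at the top of the script, before the `mkdir` line, closes that window for both the directories and the files acme.sh writes; `mkdir -p -m 700` would cover only the final path component. The rewritten ZNC comment also has an expansion bug: `$ZNCDIRdh.pem` is read as the variable `ZNCDIRdh`, so it should be `${ZNCDIR}/dh.pem`, otherwise anyone copying the command gets the wrong path. As a point of style, the new `$SYNCPLAYDIR`/`$MUMBLEDIR`/`$ZNCDIR` expansions are all unquoted; the values are fixed here, but `"$SYNCPLAYDIR"` etc. keeps the script safe if the variables are ever changed.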