/usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew -> /matrix/ssl/bin/lets-encrypt-certificates-renew

roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2

@@ -0,0 +1,32 @@
+#jinja2: lstrip_blocks: "True"
+#!/bin/bash
+
+# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
+# need to forward requests for `/.well-known/acme-challenge` to the certbot container.
+#
+# This can happen inside the container network by proxying to `http://matrix-certbot:8080`
+# or outside (on the host) by proxying to `http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`.
+
+docker run \
+	--rm \
+	--name=matrix-certbot \
+	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+	--cap-drop=ALL \
+	--network="{{ matrix_docker_network }}" \
+	-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
+	--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \
+	--mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \
+	{{ matrix_ssl_lets_encrypt_certbot_docker_image }} \
+	renew \
+		--non-interactive \
+		--work-dir=/tmp \
+		--http-01-port 8080 \
+		{% if matrix_ssl_lets_encrypt_staging %}
+		--staging \
+		{% endif %}
+		--key-type {{ matrix_ssl_lets_encrypt_key_type }} \
+		--standalone \
+		--preferred-challenges http \
+		--agree-tos \
+		--email={{ matrix_ssl_lets_encrypt_support_email }} \
+		--no-random-sleep-on-renew