Certbot x Google Cloud DNS - Local Machine to Project Directory & Local Machine to VM Transfers
# Environment Variables
# Read by the certbot-*.sh scripts below; values in <angle brackets> are
# placeholders to fill in.
# NOTE(review): CERTBOT_DOMAINS references $TLD, but TLD is only defined three
# lines further down; if the loader expands values in file order, define TLD
# above CERTBOT_DOMAINS.
CERTBOT_DOMAINS="*.$TLD,*.api.$TLD,*.db.$TLD,*.docs.$TLD,*.redis.$TLD"
CERTBOT_EMAIL=<email-address>
GCLOUD_PROJECT=<project-id>
TLD=<top-level-domain>
# SSH identity used by certbot-vm.sh for scp/ssh to the VM
VM_IDENTITY_FILE=~/.ssh/ubuntu_rsa
VM_IP=<vm-static-ip>
VM_USER=ubuntu
#!/bin/zsh
# Certbot x Google Cloud DNS
#
# Prerequisites:
#
# 1. Setup a domain using Cloud DNS
# - https://cloud.google.com/dns/docs/tutorials/create-domain-tutorial
# 2. Install Google Cloud SDK
# - brew install --cask google-cloud-sdk
# 3. Install certbot
# - brew install certbot
# 4. Install python (and pip3)
# - brew install python
# 5. Install certbot-dns-google plugin
# - pip3 install certbot-dns-google
# - https://certbot-dns-google.readthedocs.io/en/stable
# 6. Create service account for certbot
# - sudo gcloud iam service-accounts create certbot --project $GCLOUD_PROJECT
# 7. Assign dns admin permissions to certbot service account
# - SA=certbot@$GCLOUD_PROJECT.iam.gserviceaccount.com
# - sudo gcloud projects add-iam-policy-binding $GCLOUD_PROJECT
# --role=roles/dns.admin --member=serviceAccount:$SA
#
# Usage:
#
# $ chmod +x ./tools/scripts/certbot-google-dns.sh
# $ CERTBOT_DOMAINS=<certbot-domains-list>
# $ CERTBOT_EMAIL=<email>
# $ GCLOUD_PROJECT=<project-id>
# $ ./tools/scripts/certbot-google-dns.sh
#
# References:
#
# - https://brew.sh
# - https://certbot.eff.org/renewal-setup
# - https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts
# - https://itsmetommy.com/2019/08/03/auto-renew-lets-encrypt-wildcard-certificate-using-google-cloud-dns
# - http://andrewcmaxwell.com/2014/07/how-to-add-a-custom-subdomain-using-google-cloud-dns
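#######################################
# Create a Google service-account key for certbot (if missing) and request
# the certificate(s) through the dns-google plugin.
# Globals:   CERTBOT_DOMAINS, CERTBOT_EMAIL, GCLOUD_PROJECT, TLD (read)
#            GCLOUD_SA_CERTBOT, GCLOUD_SA_CERTBOT_PK (written; certbot-vm.sh
#            reads the latter after sourcing this file)
# Arguments: any extra arguments are passed through to `certbot certonly`
# Returns:   1 if key creation or certbot fails
#######################################
certbot_google_dns() {
  : "${GCLOUD_PROJECT:?GCLOUD_PROJECT must be set}" "${TLD:?TLD must be set}"
  # Domains list and letsencrypt account email
  local DOMAINS=$CERTBOT_DOMAINS
  local EMAIL=$CERTBOT_EMAIL
  # Service account email
  local SA="certbot@${GCLOUD_PROJECT}.iam.gserviceaccount.com"
  GCLOUD_SA_CERTBOT=$SA
  # Path to private key file (~ and $HOME are the same here)
  local PK="$HOME/.service-accounts/google/$SA.json"
  GCLOUD_SA_CERTBOT_PK=$PK
  # 3. Create private key for service account. The key carries dns.admin on the
  # project, so keep it in a user-only directory with user-only permissions;
  # gcloud fails if the directory does not exist, hence mkdir -p first.
  if [ ! -f "$PK" ]; then
    mkdir -p -m 0700 "${PK%/*}" || return 1
    gcloud iam service-accounts keys create "$PK" --iam-account="$SA" || return 1
    chmod 0600 "$PK"
  fi
  # 4. Create certificate(s); "$@" keeps each extra argument as one word
  sudo certbot certonly --dns-google --dns-google-credentials "$PK" \
    -d "$DOMAINS" -m "$EMAIL" -v "$@" || return 1
  # 5. Fix permissions so the invoking user (group staff) can read the key.
  # Note that this makes live/ and archive/ traversable by every local account
  # and privkey.pem readable by every member of staff.
  sudo chmod 0755 /etc/letsencrypt/{live,archive}
  # No -R: the live/ entry is a symlink into archive/ and -R is meaningless for
  # a single file; on BSD/macOS chgrp -R defaults to -P, which would change the
  # link itself instead of the key it points to.
  sudo chgrp staff "/etc/letsencrypt/live/$TLD/privkey.pem"
  sudo chmod 0640 "/etc/letsencrypt/live/$TLD/privkey.pem"
}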
# Runs on load: certbot-local.sh and certbot-vm.sh `source` this file to pick
# up GCLOUD_SA_CERTBOT_PK, so sourcing it also performs the certificate request
certbot_google_dns
#!/bin/zsh
# Certbot x Google Cloud DNS - Local
#
# Usage:
#
# $ chmod +x ./tools/scripts/certbot-local.sh
# $ CERTBOT_DOMAINS=<certbot-domains-list>
# $ CERTBOT_EMAIL=<certbot-email>
# $ ./tools/scripts/certbot-local.sh
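#######################################
# Issue/renew the certificate via certbot-google-dns.sh, then copy the
# /etc/letsencrypt entries for $TLD into ./letsencrypt in the project.
# Globals:   TLD (read); CERTBOT_* and GCLOUD_PROJECT are read by the sourced
#            script. Must be run from the project root (relative source path).
# Returns:   1 if the sourced script or a copy fails
#######################################
certbot_local() {
  : "${TLD:?TLD must be set}"
  # Request the certificate (the sourced file runs certbot_google_dns on load)
  source ./tools/scripts/certbot-google-dns.sh || return 1
  # Start from a clean copy. archive/ and live/ are laid out as under
  # /etc/letsencrypt so the relative symlinks in live/ keep resolving.
  sudo rm -rf -- ./letsencrypt || return 1
  mkdir -p ./letsencrypt/{archive,live} || return 1
  sudo cp -rf "/etc/letsencrypt/archive/$TLD" "./letsencrypt/archive/$TLD" || return 1
  sudo cp -rf "/etc/letsencrypt/live/$TLD" "./letsencrypt/live/$TLD" || return 1
  sudo cp -rf /etc/letsencrypt/ssl-dhparams.pem ./letsencrypt/ssl-dhparams.pem
}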
# Entry point when the script is executed directly
certbot_local
#!/bin/zsh
# Certbot x Google Cloud DNS x VM
#
# Usage:
#
# $ chmod +x ./tools/scripts/certbot-vm.sh
# $ CERTBOT_DOMAINS=<certbot-domains-list>
# $ CERTBOT_EMAIL=<certbot-email>
# $ TLD=<top-level-domain>
# $ VM_IDENTITY_FILE=<path-to-scp-identity-file>
# $ VM_IP=<vm-ip-address>
# $ VM_USER=<vm-user>
# $ ./tools/scripts/certbot-vm.sh
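#######################################
# Issue/renew the certificate locally, then ship /etc/letsencrypt and the
# certbot service-account key to the VM so renewals can run there.
# Globals:   TLD, VM_IDENTITY_FILE, VM_IP, VM_USER (read); GCLOUD_SA_CERTBOT_PK
#            (read, set by the sourced certbot-google-dns.sh). Must be run from
#            the project root (relative source path).
# Returns:   1 if the sourced script, the local staging or a transfer fails;
#            the VM's /etc/letsencrypt is only replaced after both transfers
#            succeeded
#######################################
certbot_vm() {
  : "${TLD:?TLD must be set}" "${VM_IP:?VM_IP must be set}" \
    "${VM_USER:?VM_USER must be set}" "${VM_IDENTITY_FILE:?VM_IDENTITY_FILE must be set}"
  local CERTBOT_DIR=/etc/letsencrypt
  # certbot_google_dns stores the key under ~/.service-accounts/google, so
  # derive the directory from $HOME instead of hard-coding /Users
  local SA_DIR=$HOME/.service-accounts/google
  local VM_ID=$VM_IDENTITY_FILE
  local VM_HOME=/home/$VM_USER
  local VM_SA_DIR=$VM_HOME/.service-accounts
  local VM=$VM_USER@$VM_IP
  # Request the certificate (the sourced file runs certbot_google_dns on load)
  source ./tools/scripts/certbot-google-dns.sh || return 1
  # Stage a copy of the certbot tree and point its renewal config at the key
  # location on the VM
  sudo rm -rf -- ./letsencrypt || return 1
  sudo cp -rf "$CERTBOT_DIR" ./ || return 1
  sudo sed -i "" -e "s#$SA_DIR#$VM_SA_DIR#g" "./letsencrypt/renewal/$TLD.conf" || return 1
  # The key directory must exist on the VM; otherwise scp writes a file named
  # .service-accounts and the rewritten renewal path no longer matches
  ssh -i "$VM_ID" "$VM" "mkdir -p -m 0700 '$VM_SA_DIR'" || return 1
  # The key was created by the invoking user (gcloud runs without sudo), so
  # copy it as that user, like the ssh calls below; -p keeps its mode
  scp -i "$VM_ID" -p "$GCLOUD_SA_CERTBOT_PK" "$VM:$VM_SA_DIR/" || return 1
  # The staged tree is root-owned (sudo cp), hence sudo here
  sudo scp -i "$VM_ID" -r ./letsencrypt "$VM:$VM_HOME" || return 1
  # Only now replace the VM's /etc/letsencrypt, so a failed transfer above
  # leaves the existing certificates in place
  ssh -i "$VM_ID" -t "$VM" "sudo rm -rf -- '$CERTBOT_DIR'" || return 1
  ssh -i "$VM_ID" -t "$VM" "sudo mv '$VM_HOME/letsencrypt' /etc" || return 1
  sudo rm -rf -- ./letsencrypt
}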
# Entry point when the script is executed directly
certbot_vm