#!/bin/sh
{% if acme_server == 'zuckerwatte' %}
DOMAINS="{{ inventory_hostname_short }}.{{ http_domain_external }}"
{% else %}
DOMAINS={{ http_domain_external }}
{% endif %}
LOCAL_DIR="/etc/nginx/ssl"

for DOMAIN in $DOMAINS;
do
 #Get Certs
 {% if acme_server == 'zuckerwatte' %}
 rsync --delete -rz -e  'ssh -i /home/admin/.ssh/id_rsa -p 23' cert@{{ acme_server }}.{{ http_domain_internal }}:$DOMAIN/ $LOCAL_DIR/$DOMAIN
 {% else %}
 rsync --delete -rz -e  'ssh -i /home/admin/.ssh/id_ed25519 -p 23' cert@{{ acme_server }}.{{ http_domain_internal }}:$DOMAIN/ $LOCAL_DIR/$DOMAIN
 {% endif %}

 #Fix Permissions
 chmod 0550 $LOCAL_DIR/$DOMAIN
 chmod 0440 $LOCAL_DIR/$DOMAIN/*
done

#Fix owners
chown -R www-data:admin $LOCAL_DIR

#restart
systemctl reload nginx.service || systemctl start nginx.service