Add getcert.py

pojedynczy cert (via rfc2136)

getcert.py

@@ -0,0 +1,105 @@
+import subprocess
+import os
+import sys
+
+# Konfiguracja
+DOMAIN = "ldns1.linuxiarz.pl"
+WILDCARD_DOMAIN = f"*.{DOMAIN}"
+INSTALL_DIR = "/root/.acme.sh/"
+DNS_SERVER = "linuxiarz.pl"
+KEY_FILE = "/root/tsig.key"
+KEY_NAME = "certbot-key"
+KEY_ALGO = "hmac-sha512"
+SYSTEMD_SERVICE = "AdGuardHome.service"
+CERT_DIR = "/etc/ssl/wildcard-linuxiarz.pl"
+CERT_KEY_PATH = f"{CERT_DIR}/key.key"
+CERT_FULLCHAIN_PATH = f"{CERT_DIR}/cert.crt"
+
+def set_env():
+    os.environ["NSUPDATE_SERVER"] = DNS_SERVER
+    os.environ["NSUPDATE_KEY"] = KEY_FILE
+    os.environ["NSUPDATE_KEY_NAME"] = KEY_NAME
+    os.environ["NSUPDATE_KEY_ALGO"] = KEY_ALGO
+    os.environ["NSUPDATE_TIMEOUT"] = "120"
+    os.environ["RFC2136_SERVER"] = DNS_SERVER
+    os.environ["RFC2136_KEY"] = KEY_FILE
+    os.environ["RFC2136_KEY_NAME"] = KEY_NAME
+    os.environ["RFC2136_KEY_ALGO"] = KEY_ALGO
+    os.environ["RFC2136_TIMEOUT"] = "120"
+
+def run_command(cmd):
+    result = subprocess.run(cmd, shell=True, text=True, capture_output=True)
+    output = result.stdout + result.stderr
+
+    # Rozpoznaj "Skipping" jako nie-błąd
+    if result.returncode != 0:
+        if "Skipping. Next renewal time is" in output:
+            print(output)
+            print("ℹ️  Certyfikat jeszcze nie wymaga odnowienia. Pominięto.")
+            return False  # ← cert nieodnowiony
+        else:
+            print(f"❌ Błąd wykonania komendy [{cmd}]:\n{output}")
+            sys.exit(1)
+
+    print(output)
+    return True
+
+def issue_cert():
+    print(f"Generowanie certyfikatu {DOMAIN}")
+    cmd = (
+        f"{INSTALL_DIR}/acme.sh --log --set-default-ca --server letsencrypt "
+        f"--issue --dns dns_nsupdate "
+        f"-d {DOMAIN} "
+        f"--yes-I-know-dns-manual-mode-enough-go-ahead-please"
+    )
+    run_command(cmd)
+    install_cert()
+
+def renew_cert(force=False):
+    print(f"Odnawianie certyfikatu {DOMAIN}")
+    cmd = (
+        f"{INSTALL_DIR}/acme.sh --renew "
+        f"-d {DOMAIN} "
+        f"--dns dns_nsupdate"
+    )
+    if force:
+        cmd += " --force"
+
+    updated = run_command(cmd)
+    if updated or force:
+        install_cert()
+    else:
+        print("⏭️  Pominięto instalację, certyfikat nie został zmieniony.")
+
+
+def install_cert():
+    print("Instalacja certyfikatu...")
+    os.makedirs(CERT_DIR, exist_ok=True)
+    cmd = (
+        f"{INSTALL_DIR}/acme.sh --install-cert "
+        f"-d {DOMAIN} "
+        f"--key-file {CERT_KEY_PATH} "
+        f"--fullchain-file {CERT_FULLCHAIN_PATH} "
+        f"--reloadcmd \"systemctl restart {SYSTEMD_SERVICE}\""
+    )
+    run_command(cmd)
+
+def main():
+    if len(sys.argv) < 2:
+        print("Użycie: python getcert.py [issue|renew] [force]")
+        sys.exit(1)
+
+    set_env()
+    action = sys.argv[1]
+    force = len(sys.argv) > 2 and sys.argv[2] == "force"
+
+    if action == "issue":
+        issue_cert()
+    elif action == "renew":
+        renew_cert(force)
+    else:
+        print("Nieznane polecenie. Użyj: issue lub renew")
+        sys.exit(1)
+
+if __name__ == "__main__":
+    main()