Use certbot with --nginx

Makefile

@@ -28,7 +28,5 @@ tarball: $(RPM_TARBALL_PATH)
 
 .PHONY: install
 install:
-	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d
-	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d/ conf/security.conf
 	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/certbot
 	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot/ conf/ovh.ini.tpl

conf/ovh.ini.tpl

@@ -1,6 +1,9 @@
 # OVH API credentials used by Certbot
-# Name referenced in OVH: rasp.netoik.io
-dns_ovh_endpoint = $DNS_OVH_ENDPOINT
-dns_ovh_application_key = $DNS_OVH_APPLICATION_KEY
-dns_ovh_application_secret = $DNS_OVH_APPLICATION_SECRET
-dns_ovh_consumer_key = $DNS_OVH_CONSUMER_KEY
+# To generate a new token, go to: https://www.ovh.com/auth/api/createToken
+
+dns_ovh_endpoint = "$OVH_ENDPOINT"
+dns_ovh_application_name = "$OVH_APPLICATION_NAME"
+dns_ovh_application_description = "$OVH_APPLICATION_DESCRIPTION"
+dns_ovh_application_key = "$OVH_APPLICATION_KEY"
+dns_ovh_application_secret = "$OVH_APPLICATION_SECRET"
+dns_ovh_consumer_key = "$OVH_CONSUMER_KEY"

conf/security.conf

@@ -1,11 +0,0 @@
-# Configure ssl module
-# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html 
-include                   /etc/letsencrypt/options-ssl-nginx.conf;
-ssl_certificate           /etc/letsencrypt/live/netoik.io/fullchain.pem;
-ssl_certificate_key       /etc/letsencrypt/live/netoik.io/privkey.pem;
-ssl_dhparam               /etc/letsencrypt/ssl-dhparams.pem;
-
-# Configure headers
-# See: https://nginx.org/en/docs/http/ngx_http_headers_module.html
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
-

netoik-rp.spec

@@ -22,7 +22,7 @@ Install the reverse proxy called nginx with a predefined configuration and with
 %make_install
 
 %post
-# On install
+# After install
 if [ $1 == 1 ]; then
   # Replace secrets in ovh.ini
   %{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini.tpl > %{_sysconfdir}/certbot/ovh.ini
@@ -30,9 +30,9 @@ if [ $1 == 1 ]; then
 
   # Create virutal env with certbot cli
   %{_bindir}/env python3 -m venv /opt/certbot
-  /opt/certbot/bin/pip install --upgrade pip certbot certbot-dns-ovh
+  /opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
 	%{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
-  %{_bindir}/env certbot certonly --non-interactive	--agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
+  %{_bindir}/env certbot --nginx --non-interactive	--agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
   %{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab
 
   # Stop nginx to be sure changes are taken in account
@@ -42,19 +42,20 @@ fi
 %{_bindir}/env systemctl start nginx
 
 %postun
-# On uninstall
+# After uninstall
 if [ $1 == 0 ]; then
   %{_bindir}/env rm --recursive --force /opt/certbot
   %{_bindir}/env rm --recursive --force %{_sysconfdir}/certbot
+  %{_bindir}/env rm --recursive --force %{_sysconfdir}/letsencrypt
 fi
 
 %files
-%attr(644, root, root) %config %{_sysconfdir}/nginx/conf.d/security.conf
 %attr(755, root, root) %dir %{_sysconfdir}/certbot
 %attr(600, root, root) %config %ghost %{_sysconfdir}/certbot/ovh.ini
 %attr(644, root, root) %{_sysconfdir}/certbot/ovh.ini.tpl
 %attr(755, root, root) %dir %ghost /opt/certbot
 %attr(755, root, root) %ghost %{_sbindir}/certbot
+%attr(755, root, root) %dir %ghost %{_sysconfdir}/letsencrypt
 
 %changelog
 %autochangelog