infra-setup only handled the internal (newsfeed.internal) cert and vhost and just printed a generic "set it up yourself" note for the WAN name. Now it also, on the web host: - issues the Let's Encrypt cert for rob.fyi idempotently (certbot, Cloudflare DNS-01, ECDSA, --keep-until-expiring), skipping cleanly if the CF token or certbot is absent; - installs the certbot renew deploy-hook (reload nginx); - installs the public vhost, gated on the cert existing so a missing cert can't break `nginx -t` for all of nginx (external-tls.md §4). PUBLIC_FQDN/CERT_EMAIL/CF_CREDS are infra-truth vars at the top; set PUBLIC_FQDN empty to skip. Cloudflare A record + OPNsense :443 forward remain manual and are called out in the closing output. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016fKZzDpvjiJ9eYbPGgJvUP
12 KiB
Executable File
12 KiB
Executable File