From af763687107fee217607ce75ee41fd6a176cbf2d Mon Sep 17 00:00:00 2001
From: pvincent <pvincent@artcode.re>
Date: Fri, 27 Mar 2026 14:07:14 +0400
Subject: [PATCH] certbot authenticator nginx

---
 sympa/recipe/sympa.recipe               | 66 ++++++++++++-------------
 sympa/resources/tools/sympa_export.bash |  2 +-
 sympa/resources/tools/sympa_import.bash | 12 ++++-
 3 files changed, 45 insertions(+), 35 deletions(-)

diff --git a/sympa/recipe/sympa.recipe b/sympa/recipe/sympa.recipe
index 4978b45..d251b65 100644
--- a/sympa/recipe/sympa.recipe
+++ b/sympa/recipe/sympa.recipe
@@ -7,33 +7,33 @@ FORCE=${FORCE:-false}
 # FUNCTIONS
 
 function install_postfix {
-    if $FORCE || ! systemctl is-active postfix.service --quiet; then
-        debconf-set-selections <<EOF
+	if $FORCE || ! systemctl is-active postfix.service --quiet; then
+		debconf-set-selections << EOF
 postfix postfix/mailname string $(hostname -f)
 postfix postfix/main_mailer_type string 'Internet Site'
 postfix postfix/mynetworks string '127.0.0.0/8'
 EOF
-        DEBIAN_FRONTEND=noninteractive apt-get install -y postfix postgresql nginx fcgiwrap perl-doc micro debconf-utils
-        postconf -e "inet_protocols = ipv4"
-        systemctl restart postfix
-        echo postfix installed successfully!
-    else
-        echo postfix already installed!
-    fi
+		DEBIAN_FRONTEND=noninteractive apt-get install -y postfix postgresql nginx fcgiwrap perl-doc micro debconf-utils certbot python3-certbot-nginx
+		postconf -e "inet_protocols = ipv4"
+		systemctl restart postfix
+		echo postfix installed successfully!
+	else
+		echo postfix already installed!
+	fi
 }
 
 function alter_sympa_postgres_password_to {
-    password="$1"
-    /opt/miaou-bash/tools/append_or_replace '^db_passwd.*' "db_passwd\tsympa" /etc/sympa/sympa/sympa.conf
-    sudo -u postgres -- psql -c "ALTER USER sympa PASSWORD '$password'"
-    systemctl restart wwsympa.service
+	password="$1"
+	/opt/miaou-bash/tools/append_or_replace '^db_passwd.*' "db_passwd\tsympa" /etc/sympa/sympa/sympa.conf
+	sudo -u postgres -- psql -c "ALTER USER sympa PASSWORD '$password'"
+	systemctl restart wwsympa.service
 }
 
 function install_sympa {
-    if $FORCE || ! systemctl is-active wwsympa.service --quiet; then
-        listmasters="pvincent@artcode.re,jnoel@mithril.re"
-        [[ $(hostname -d) == *.* ]] && listmasters+=",listmaster@$(hostname -d)" || true
-        debconf-set-selections <<EOF
+	if $FORCE || ! systemctl is-active wwsympa.service --quiet; then
+		listmasters="pvincent@artcode.re,jnoel@mithril.re"
+		[[ $(hostname -d) == *.* ]] && listmasters+=",listmaster@$(hostname -d)" || true
+		debconf-set-selections << EOF
 sympa wwsympa/webserver_type select 'Other'
 sympa sympa/database-type string pgsql
 sympa sympa/db_host string localhost
@@ -42,20 +42,20 @@ sympa sympa/db_user string sympa
 sympa sympa/language select fr
 sympa sympa/listmaster string $listmasters
 EOF
-        DEBIAN_FRONTEND=noninteractive apt-get install -y sympa
-        systemctl disable sympasoap.{socket,service}
-        systemctl stop sympasoap.{socket,service}
+		DEBIAN_FRONTEND=noninteractive apt-get install -y sympa
+		systemctl disable sympasoap.{socket,service}
+		systemctl stop sympasoap.{socket,service}
 
-        alter_sympa_postgres_password_to sympa
-        echo sympa.service installed successfully!
-    else
-        echo sympa.service already installed!
-    fi
+		alter_sympa_postgres_password_to sympa
+		echo sympa.service installed successfully!
+	else
+		echo sympa.service already installed!
+	fi
 }
 
 function install_nginx_host {
-    if $FORCE || [[ ! -f /etc/nginx/sites-available/sympa.conf ]]; then
-        cat <<EOF >/etc/nginx/sites-available/sympa.conf
+	if $FORCE || [[ ! -f /etc/nginx/sites-available/sympa.conf ]]; then
+		cat << EOF > /etc/nginx/sites-available/sympa.conf
 server {
     listen 80;
     server_name _;
@@ -80,12 +80,12 @@ server {
     }
 }
 EOF
-        cd /etc/nginx/sites-enabled && rm -f default && ln -sf ../sites-available/sympa.conf && cd
-        systemctl reload nginx
-        echo host for nginx installed successfully!
-    else
-        echo host for nginx already installed!
-    fi
+		cd /etc/nginx/sites-enabled && rm -f default && ln -sf ../sites-available/sympa.conf && cd
+		systemctl reload nginx
+		echo host for nginx installed successfully!
+	else
+		echo host for nginx already installed!
+	fi
 }
 
 # MAIN
diff --git a/sympa/resources/tools/sympa_export.bash b/sympa/resources/tools/sympa_export.bash
index 6d57ffb..3dc5780 100755
--- a/sympa/resources/tools/sympa_export.bash
+++ b/sympa/resources/tools/sympa_export.bash
@@ -36,7 +36,7 @@ function export_files {
 
 function export_certbot {
 	if [[ -d /etc/letsencrypt/live/$SYMPA_DOMAIN ]]; then
-		tar -C / -cf "$temp_dir/certbot.tar" etc/letsencrypt
+		tar -C / --exclude etc/letsencrypt/cli.ini -cf "$temp_dir/certbot.tar" etc/letsencrypt
 	fi
 }
 
diff --git a/sympa/resources/tools/sympa_import.bash b/sympa/resources/tools/sympa_import.bash
index ce63e2c..b98388b 100755
--- a/sympa/resources/tools/sympa_import.bash
+++ b/sympa/resources/tools/sympa_import.bash
@@ -111,10 +111,20 @@ function import_certbot {
 	SYMPA_DOMAIN=$(grep '^domain' /etc/sympa/sympa/sympa.conf | cut -f2)
 
 	if [[ -f "$export_tmp/certbot.tar" ]]; then
-		echo -n "import certbot..."
+		echo "certbot save previous cli.ini"
+		cp /etc/letsencrypt/cli.ini "$export_tmp/
+
+		echo "import certbot..."
 		rm -rf /etc/letsencrypt
 		tar -xf "$export_tmp/certbot.tar" -C /
 		echo OK
+		
+		echo "certbot restore previous cli.ini"
+		mv "$export_tmp/cli.ini /etc/letsencrypt/
+
+		echo "convert certbot apache2 authenticator to certbotx nginx authenticator"
+		/opt/miaou-bash/tools/append_or_replace '^authenticator =.*$' "authenticator = nginx" /etc/letsencrypt/renewal/$SYMPA_DOMAIN.conf
+		/opt/miaou-bash/tools/append_or_replace '^installer =.*$' "installer = nginx" /etc/letsencrypt/renewal/$SYMPA_DOMAIN.conf
 	fi
 
 	# add options-ssl-nginx.conf