production-openbsd/scripts/cert-renew-check.sh

#!/bin/sh
# cert-renew-check.sh — weekly via cron; renew LE certs near expiry
# Logs to /var/log/cert-renew.log

LOG=/var/log/cert-renew.log
echo "[$(date -u +%FT%TZ)] cert-renew-check start" >>"$LOG"

DOMAINS="s8n.ru veilor.uk"
RC=0

for d in $DOMAINS; do
    if /usr/local/sbin/acme-client -v "$d" >>"$LOG" 2>&1; then
        echo "[$(date -u +%FT%TZ)] $d: renewed" >>"$LOG"
    else
        rc=$?
        echo "[$(date -u +%FT%TZ)] $d: acme-client exit=$rc (likely no renewal needed; harmless if &gt;30d to expiry)" >>"$LOG"
        # Don't fail the script for "no renewal needed"
    fi
done

# Reload relayd if any cert files changed in last 5 minutes
if find /etc/ssl -name '*.fullchain.pem' -mmin -5 | grep -q .; then
    rcctl reload relayd
    echo "[$(date -u +%FT%TZ)] relayd reloaded for new certs" >>"$LOG"
fi

echo "[$(date -u +%FT%TZ)] cert-renew-check done" >>"$LOG"
exit $RC
feat: production-openbsd v0.1 scaffold Sister to s8n/production-deb. Edge-box config + provision script for running the OpenBSD-edge role per s8n/production-setup-audit Topology 02. v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision from onyx. Autoinstall ISO build deferred to v0.2. Layout: README.md workflow + service mapping (Debian → OpenBSD) flash.sh burn stock install76.iso to USB etc/ pf / relayd / acme-client / unbound / hostname.wg0.example / sshd_config / doas.conf scripts/ provision.sh from onyx: SSH+git clone+run install.sh install.sh on edge: copy /etc/, validate, restart, cron cert-renew-check.sh weekly LE renewal read-logs.sh pull /var/log/ for offline diagnostics docs/ setup-checklist.md 7-phase first-time install walkthrough Hardware target: Dell Precision T5600 per s8n/production-setup-audit/hardware/dell-t5600.md WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820. Keys generated per-host (NEVER committed to repo). Public traffic flow after migration: Internet → router → edge T5600 (relayd TLS term) → wg0 → nullstone Traefik (10.10.10.2:8443, private only) CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated; public IP runs OpenBSD base only — no systemd, no glibc, no Docker. 2026-05-08 14:10:29 +01:00			`#!/bin/sh`
			`# cert-renew-check.sh — weekly via cron; renew LE certs near expiry`
			`# Logs to /var/log/cert-renew.log`

			`LOG=/var/log/cert-renew.log`
			`echo "[$(date -u +%FT%TZ)] cert-renew-check start" >>"$LOG"`

			`DOMAINS="s8n.ru veilor.uk"`
			`RC=0`

			`for d in $DOMAINS; do`
			`if /usr/local/sbin/acme-client -v "$d" >>"$LOG" 2>&1; then`
			`echo "[$(date -u +%FT%TZ)] $d: renewed" >>"$LOG"`
			`else`
			`rc=$?`
			`echo "[$(date -u +%FT%TZ)] $d: acme-client exit=$rc (likely no renewal needed; harmless if >30d to expiry)" >>"$LOG"`
			`# Don't fail the script for "no renewal needed"`
			`fi`
			`done`

			`# Reload relayd if any cert files changed in last 5 minutes`
			`if find /etc/ssl -name '*.fullchain.pem' -mmin -5 \| grep -q .; then`
			`rcctl reload relayd`
			`echo "[$(date -u +%FT%TZ)] relayd reloaded for new certs" >>"$LOG"`
			`fi`

			`echo "[$(date -u +%FT%TZ)] cert-renew-check done" >>"$LOG"`
			`exit $RC`