#!/bin/sh -eu
# vim: ai ts=4 sts=4 et sw=4

if [ -r /etc/default/ntpsec ]
then
    . /etc/default/ntpsec
fi

if [ -z "${NTPSEC_CERTBOT_CERT_NAME-}" ]
then
    exit 0
fi

# If the certificate being deployed is not the one for ntpd, exit.
found=0
for domain in $RENEWED_DOMAINS
do
    if [ "$domain" = "$NTPSEC_CERTBOT_CERT_NAME" ]
    then
        found=1
    fi
done
if [ "$found" = "0" ]
then
    exit 0
fi

# Copy the certificate (including chain) and key so ntpd can read them
# after dropping privileges.
install -m 644 /etc/letsencrypt/live/"$NTPSEC_CERTBOT_CERT_NAME"/fullchain.pem \
    /etc/ntpsec/cert-chain.pem
install -m 640 -g ntpsec \
    /etc/letsencrypt/live/"$NTPSEC_CERTBOT_CERT_NAME"/privkey.pem \
    /etc/ntpsec/key.pem

# Tell ntpd to reload the certificate and key.
killall -HUP ntpd 2>/dev/null || true