#!/bin/bash
# Pre-hook для certbot: проверка beget.ini перед renew
# Путь: /etc/letsencrypt/renewal-hooks/pre/check-beget-credentials.sh
# При отсутствии файла или неверных правах — exit 1, certbot не выполнит renew.

BEGET_INI="/root/.secrets/certbot/beget.ini"

if [ ! -f "$BEGET_INI" ]; then
  echo "check-beget-credentials: $BEGET_INI not found" >&2
  exit 1
fi

mode=$(stat -c '%a' "$BEGET_INI" 2>/dev/null)
owner=$(stat -c '%u' "$BEGET_INI" 2>/dev/null)

if [ "$mode" != "600" ]; then
  echo "check-beget-credentials: $BEGET_INI has mode $mode, expected 600" >&2
  exit 1
fi

if [ "$owner" != "0" ]; then
  echo "check-beget-credentials: $BEGET_INI owner $owner, expected root (0)" >&2
  exit 1
fi

exit 0