From 9a642da2f7733cb0451a852d6609facd9e5dd38e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Ra=C5=BAniewski?=
Date: Wed, 9 Oct 2024 13:36:56 +0200
Subject: [PATCH] hetzner dns
---
 Dockerfile.template | 2 +-
 entry.sh | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/Dockerfile.template b/Dockerfile.template
index f95a1b2..700be4f 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -32,7 +32,7 @@ RUN set -x ; apk add procmail --no-cache --repository http://dl-cdn.alpinelinux.
 && apk add --no-cache --allow-untrusted "$(basename "${!url}")" \
 && rm "$(basename "${!url}")"
-RUN curl -fsSL "https://raw.githubusercontent.com/balena-io/open-balena/master/scripts/_keyid.js" -o /opt/_keyid.js
+RUN curl -fsSL "https://raw.githubusercontent.com/balena-io/open-balena/v3.8.5/scripts/_keyid.js" -o /opt/_keyid.js
 WORKDIR /etc/letsencrypt
diff --git a/entry.sh b/entry.sh
index e46bbab..c0797f9 100755
--- a/entry.sh
+++ b/entry.sh
@@ -187,6 +187,37 @@ function get_env_var_value {
 echo "${varval}"
 }
+function hetzner_issue_public_cert {
+ local balena_device_uuid
+ balena_device_uuid="${1}"
+
+ local dns_tld
+ dns_tld="${2}"
+ [[ -n "${dns_tld}" ]] || return
+
+ hetzner_api_token="$(get_env_var_value "${balena_device_uuid}" HETZNER_API_TOKEN)"
+ [[ -n "${hetzner_api_token}" ]] || return
+
+ mkdir -p ~/.secrets/certbot
+
+ echo "dns_hetzner_api_token = ${hetzner_api_token}" \
+ > ~/.secrets/certbot/hetzner.ini \
+ && chmod 0600 ~/.secrets/certbot/hetzner.ini
+
+ # Install the Hetzner DNS plugin for Certbot
+ pip install certbot-dns-hetzner
+
+ # shellcheck disable=SC2086
+ with_backoff certbot certonly --agree-tos --non-interactive --verbose --expand \
+ --authenticator dns-hetzner \
+ --dns-hetzner-credentials ~/.secrets/certbot/hetzner.ini \
+ --dns-hetzner-propagation-seconds 60 \
+ --cert-name "${dns_tld}" \
+ -m "$(get_acme_email ${balena_device_uuid})" \
+ -d "${dns_tld}" \
+ ${sans}
+}
+
 function cloudflare_issue_public_cert {
 local balena_device_uuid
 balena_device_uuid="${1}"
@@ -300,6 +331,7 @@ function issue_public_certs {
 # chain breaks after first success
 cloudflare_issue_public_cert "${balena_device_uuid}" "${dns_tld}" \
 || gandi_issue_public_cert "${balena_device_uuid}" "${dns_tld}" \
+ || hetzner_issue_public_cert "${balena_device_uuid}" "${dns_tld}" \
 || true
 fi
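Review bot: `pip install certbot-dns-hetzner` in hetzner_issue_public_cert pulls an unpinned package from PyPI over the network at runtime, on every issuance attempt, so the plugin that is handed the DNS API token is resolved with no version or hash pinning — the Dockerfile hunk in this same patch pins `_keyid.js` to v3.8.5, and the plugin deserves the same treatment. Move the install into the image build as `RUN pip install --no-cache-dir 'certbot-dns-hetzner==<pinned version>'` (with `--require-hashes` from a requirements file if the build already uses one) and leave only the certbot invocation here, which also removes a network dependency from the certificate path. Two smaller points in the same function: `hetzner_api_token` is the only variable not declared `local`, so the token remains set as a global shell variable after the function returns, and the credentials file is created under the default umask before `chmod 0600` runs, leaving a brief window in which it can be group/world-readable on a permissive umask. Writing it as `(umask 077; printf 'dns_hetzner_api_token = %s\n' "${hetzner_api_token}" > ~/.secrets/certbot/hetzner.ini)` closes that window and makes the chmod unnecessary. The function is complete within the hunk; the `${sans}` usage and the `shellcheck disable` follow the pattern of the existing cloudflare/gandi helpers, whose bodies are outside this view.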