#!/bin/sh

{% if pg_letsencrypt_cert is defined %}

if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then
  cp /var/lib/dehydrated/certificates/certs/{{ pg_letsencrypt_cert }}/fullchain.pem /var/lib/pgsql/ssl/server.crt
  cp /var/lib/dehydrated/certificates/certs/{{ pg_letsencrypt_cert }}/privkey.pem /var/lib/pgsql/ssl/server.key
  chown root:postgres /var/lib/pgsql/ssl/server.key
  chown root:root /var/lib/pgsql/ssl/server.crt
  chmod 640 /var/lib/pgsql/ssl/server.key
  chmod 644 /var/lib/pgsql/ssl/server.crt
  systemctl reload postgresql{{ (pg_version != 'default') | ternary('-' + pg_version | string,'') }}
fi

{% else %}

# No Let's Encrypt cert configured, nothing to do
exit 0

{% endif %}