docs

.gitignore

@@ -1,2 +1,4 @@
 .idea/
 .venv/
+.secrets/
+__pycache__/

.secrets.example/certbot/cloudflare.ini

@@ -0,0 +1 @@
+dns_cloudflare_api_token = <API_TOKEN>

Dockerfile

@@ -0,0 +1,8 @@
+FROM python:latest
+
+WORKDIR /app
+COPY . /app
+RUN pip install --no-cache-dir -r requirements.txt
+
+ENTRYPOINT ["python", "certman.py"]
+CMD ["--help"]

certman.py

@@ -0,0 +1,20 @@
+from schemas import DomainRequest
+import subprocess
+
+def request_certificate(domain_request: DomainRequest):
+    domain = domain_request.domain
+    credentials_file = domain_request.credentials_file
+    email = domain_request.email
+    certbot_command = [
+        'certbot', 'certonly',
+        '--dns-cloudflare',
+        '--dns-cloudflare-credentials', credentials_file,
+        '--email', email,
+        '--agree-tos',
+        '--non-interactive',
+        '-d', domain,
+    ]
+    result = subprocess.run(certbot_command, capture_output=True, text=True)
+    if result.returncode != 0:
+        raise RuntimeError(f'Certbot returned non-zero exit code:\n{result.stderr}')
+    return result.stdout

requirements.txt

@@ -0,0 +1,4 @@
+certbot==5.4.0
+certbot-dns-cloudflare==5.4.0
+pydantic==2.12.5
+email-validator==2.3.0

schemas.py

@@ -0,0 +1,6 @@
+from pydantic import BaseModel, FilePath, EmailStr
+
+class DomainRequest(BaseModel):
+    domain: str
+    credentials_file: FilePath
+    email: EmailStr

ssh-restrictions.md

@@ -0,0 +1,4 @@
+allow command `cat /path/to/files/certificate.crt` using the specified SSH key:\
+`command="cat /path/to/files/certificate.crt",restrict ssh-ed25519 AAAAC3Nza...[key_content]... server-a`
+
+make user with no permissions and put ^ in `.ssh/authorized_keys`

test_schemas.py

@@ -0,0 +1,18 @@
+test_domain_request = {
+    'domain': 'example.com',
+    'credentials_file': '.secrets.example/certbot/cloudflare.ini',
+    'email': 'admin@example.com'
+}
+
+if __name__ == '__main__':
+    from schemas import DomainRequest
+    from pydantic import ValidationError
+
+    try:
+        domain_request = DomainRequest(**test_domain_request)
+        print("DomainRequest validation successful:", domain_request)
+    except ValidationError as e:
+        print("DomainRequest validation failed:", e)
+    except Exception as e:
+        print("An unexpected error occurred:", e)
+        raise e