# Files needed

- provisioner, certbot and nginx-plain should run on the same node, a master, so that they can share a volume
- provisioner would create said volume
- provisioner would create/update the nginx-plain container, since it has a dynamic config (accessing the shared volume)
- provisioner would also create/update the certbot container, since it needs dynamic access to keys/certs
- certbot would create/update the nginx-ssl container(s)
- so only the provisioner is in the compose file

## provisioner

- certbot account (will provision if not exists)
- create docker volume shared between certbot and nginx-plain, if it doesn't exist
- volume is ephemeral so doesn't need to persist between reboots
- it itself doesn't need to access the certbot account details since it's not accessing the certificate API, only registration
- would always update the certbot container, to make sure it has access to all keys

## certbot

- needs to run on master
- needs to be a dynamically created service so that it doesn't collide with git source
- would first check if it has access to all keys and if it doesn't, call the provisioner and then wait maybe a minute and return a failure
- renew hook to add the configs/secrets and update the nginx-ssl service

### common vars for all domains:

- certbot account
- main config file (can be generated locally)
- certbot account file (provisioned first time)

### per domain vars:

- keys
- certs
- chains
- full chains
- renewal config (current)
- nginx config (current)

## nginx-plaintext

- shared ephemeral volume with certbot, so they both need to run on the same system
- all nodes should point to it

## nginx-ssl

- dynamically created service
- currently valid private key
- currently valid cert
- currently valid chain
- currently valid full chain
- per domain config
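The pre-flight step the certbot section describes (check that every domain's key, cert, chain and full chain are present; if not, ask the provisioner, wait, and exit non-zero) as an added example. This is not code from the note above or from certbot; it assumes certbot's standard `live/<domain>/` layout (`privkey.pem`, `cert.pem`, `chain.pem`, `fullchain.pem`), and the `request_provisioner` callable is a hypothetical hook standing in for however the provisioner is actually invoked. It also reports private keys left readable by group or others, since the shared volume is exactly where such a slip would go unnoticed.

```python
"""Pre-flight check for the certbot container (constructed example, not certbot code)."""
import stat
import sys
import time
from pathlib import Path

# Per-domain files in certbot's live directory layout (real certbot file names).
REQUIRED_FILES = ("privkey.pem", "cert.pem", "chain.pem", "fullchain.pem")
# Files that must never be readable or writable by group or others.
PRIVATE_FILES = ("privkey.pem",)


def missing_artifacts(live_dir, domains):
    """Return {domain: [file names that are missing or empty]} for broken domains."""
    live = Path(live_dir)
    problems = {}
    for domain in domains:
        missing = [
            name
            for name in REQUIRED_FILES
            if not (live / domain / name).is_file()
            or (live / domain / name).stat().st_size == 0
        ]
        if missing:
            problems[domain] = missing
    return problems


def overexposed_keys(live_dir, domains):
    """Return paths of private keys whose mode grants group or other access."""
    live = Path(live_dir)
    loose = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
    exposed = []
    for domain in domains:
        for name in PRIVATE_FILES:
            path = live / domain / name
            if path.is_file() and path.stat().st_mode & loose:
                exposed.append(str(path))
    return exposed


def preflight(live_dir, domains, request_provisioner, wait_seconds=60):
    """Exit code for the certbot container's start-up check.

    0 when every domain has all four artifacts; otherwise the provisioner is
    asked for the missing domains, we wait (the note says "maybe a minute"),
    and 1 is returned so the orchestrator restarts us after the volume is filled.
    `request_provisioner` is a hypothetical hook: it receives the sorted list
    of domains that need provisioning.
    """
    problems = missing_artifacts(live_dir, domains)
    for path in overexposed_keys(live_dir, domains):
        print(f"warning: {path} is readable by group/others", file=sys.stderr)
    if not problems:
        return 0
    for domain, files in sorted(problems.items()):
        print(f"{domain}: missing {', '.join(files)}", file=sys.stderr)
    request_provisioner(sorted(problems))
    time.sleep(wait_seconds)
    return 1


if __name__ == "__main__":
    def notify(domains):  # placeholder for the real provisioner call
        print("requesting provisioning for:", ", ".join(domains), file=sys.stderr)

    # Usage: preflight.py example.org www.example.org  (domains taken from argv)
    sys.exit(preflight("/etc/letsencrypt/live", sys.argv[1:], notify))
```

Run it as the container's entrypoint before `certbot renew`; a non-zero exit with a short wait keeps the container from hammering the provisioner in a tight restart loop.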