postgres/rootfs/etc/cont-init.d/02-certificates

#!/usr/bin/with-contenv sh

cd /var/lib/postgresql

SAN_DOMAINS=$(/bin/concat-sans)

if [ ! -f /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt ]; then
    chown -R postgres /var/lib/postgresql/.lego
    s6-setuidgid postgres lego \
        --accept-tos \
        --server="${POSTGRES_CA}" \
        --email="${POSTGRES_ACME_EMAIL}" \
        --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
        --dns="${POSTGRES_DNS_PROVIDER}" \
        run
else
    s6-setuidgid postgres lego \
        --accept-tos \
        --server="${POSTGRES_CA}" \
        --email="${POSTGRES_ACME_EMAIL}" \
        --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
        --dns="${POSTGRES_DNS_PROVIDER}" \
        renew --days 30
fi