From b32b15b5b76435434c36cd95b08d5283649fad67 Mon Sep 17 00:00:00 2001
From: nervuri
Date: Thu, 24 Jun 2021 13:17:02 +0000
Subject: [PATCH] add script for pruning old certificates
---
 main.sh | 3 +++
 prune-old-certs.sh | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100755 prune-old-certs.sh
diff --git a/main.sh b/main.sh
index 2775bb8..c5662ef 100755
--- a/main.sh
+++ b/main.sh
@@ -19,6 +19,9 @@ else
 ./get-certs.sh
 fi
+echo '=== prune old certs ==='
+./prune-old-certs.sh
+
 echo '=== cert details ==='
 ./cert-details.sh
diff --git a/prune-old-certs.sh b/prune-old-certs.sh
new file mode 100755
index 0000000..7dfc422
--- /dev/null
+++ b/prune-old-certs.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Remove certificates of hosts that both:
+# - have been down for more than 30 days;
+# - are no longer in the hosts file.
+
+set -o errexit # (-e) exit immediately if any command has a non-zero exit status
+set -o nounset # (-u) don't accept undefined variables
+#set -o xtrace # for debugging
+
+# Go where this script is.
+cd "$(dirname "$0")" || exit
+
+# Go through certs of hosts that have been down for more than 30 days.
+find certs -mtime +30 -type f -execdir sh -c '
+ cert_file="$1"
+ host=$(expr "$cert_file" : "^\.\/\(.*\)\:[0-9]*\.pem$")
+ port=$(expr "$cert_file" : "^\.\/.*\:\([0-9]*\)\.pem$")
+
+ # Append port if not default
+ if [ "$port" != 1965 ]; then
+ host="$host:$port"
+ fi
+
+ # If it is not in the hosts file, delete it.
+ if ! grep -xq "$host" ../hosts; then
+ echo "Pruning $host"
+ rm "$cert_file"
+ fi
+' sh {} \;
+
+echo OK
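Review bot: The deletion test in the inline `sh -c` script of prune-old-certs.sh fails open: `! grep -xq "$host" ../hosts` is also true when grep exits with an error (for example when `hosts` is missing or unreadable), and when a file name does not match the `host:port.pem` pattern both `expr` calls yield an empty string, so `host` becomes `:` and the file is removed. In either case files under `certs` older than 30 days are deleted even though their hosts may still be listed, which would silently discard whatever certificate history those files hold. I would guard the run with `[ -r hosts ] || { echo "hosts file not readable" >&2; exit 1; }` before `find`, skip unparsable names with `if [ -z "$host" ] || [ -z "$port" ]; then exit 0; fi`, and match literally with `grep -Fxq -- "$host" ../hosts` so that dots in host names are not regex wildcards and a leading `-` is not read as an option. The leading `^` in the two `expr` patterns is redundant because `expr` already anchors at the start, and some implementations warn about it; the header comment should also say that `-mtime +30` stands for "down for more than 30 days" only if get-certs.sh rewrites the file on every successful fetch, which this patch does not show.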