+
+ #### begin mail cert setup ###
+ f=/usr/local/bin/mail-cert-cron
+ cat >$f <<'EOF'
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@"
+
+f=/a/bin/bash_unpublished/source-semi-priv
+if [[ -e $f ]]; then
+ source $f
+fi
+if [[ $HOSTNAME == $MAIL_HOST ]]; then
+ local_mx=mail.iankelling.org
+ rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/"
+ ${rsync_common}fullchain.pem /etc/exim4/exim.crt
+ ${rsync_common}privkey.pem /etc/exim4/exim.key
+fi
+EOF
+ chmod 755 $f
+
+ cat >/etc/systemd/system/mailcert.service <<'EOF'
+[Unit]
+Description=Mail cert rsync
+After=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
+EOF
+
+ cat >/etc/systemd/system/mailcert.timer <<'EOF'
+[Unit]
+Description=Run mail-cert once a day
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target
+EOF
+ systemctl daemon-reload
+ systemctl start mailcert
+ systemctl restart mailcert.timer
+ systemctl enable mailcert.timer
+
+ ##### end mailcert setup #####
+
+
+