--- /dev/null
+#!/bin/bash
+
+# usage: $0 apache2|nginx
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?. PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
+t=$1
+
+if apt-cache show python3-certbot-apache &>/dev/null; then
+ pyver=3
+fi
+pkgs=(certbot python${pyver}-certbot-${t%2})
+if ! dpkg -s -- ${pkgs[@]} 2>&1 | grep -Fx "Status: install ok installed" &> /dev/null; then
+ apt-get -y install --purge --auto-remove ${pkgs[@]}
+fi
+# Make a version of the certbot timer that emails me.
+if [[ -e /a/bin/log-quiet/sysd-mail-once ]]; then
+ x=/systemd/system/certbot
+ md5=$(md5sum /lib$x.timer /lib$x.service 2>/dev/null) ||:
+ sed -r -f - /lib$x.timer <<'EOF' >/etc${x}mail.timer
+s,^Description.*,\0 mail version,
+EOF
+ sed -r -f - /lib$x.service <<'EOF' > /etc${x}mail.service
+s,(ExecStart=).*,\1/a/bin/log-quiet/sysd-mail-once certbotmail /usr/bin/certbot renew,
+EOF
+ if [[ $md5sum != "$(md5sum /lib$x.timer /lib$x.service)" ]]; then
+ systemctl daemon-reload
+ fi
+ systemctl stop certbot.timer
+ systemctl disable certbot.timer
+ systemctl start certbotmail.timer
+ systemctl enable certbotmail.timer
+fi