[arch-commits] Commit in (10 files)
Bruno Pagani
archange at gemini.archlinux.org
Sat Apr 9 16:14:20 UTC 2022
Date: Saturday, April 9, 2022 @ 16:14:19
Author: archange
Revision: 1183132
Addition of acme-user to [community]
Added:
acme-user/
acme-user/repos/
acme-user/trunk/
acme-user/trunk/PKGBUILD
acme-user/trunk/acme-post.sh
acme-user/trunk/acme-renew.sh
acme-user/trunk/acme.service
acme-user/trunk/acme.sysusers
acme-user/trunk/acme.timer
acme-user/trunk/acme.tmpfiles
---------------+
PKGBUILD | 30 ++++++++++++++++++++++++++++++
acme-post.sh | 18 ++++++++++++++++++
acme-renew.sh | 8 ++++++++
acme.service | 38 ++++++++++++++++++++++++++++++++++++++
acme.sysusers | 1 +
acme.timer | 10 ++++++++++
acme.tmpfiles | 3 +++
7 files changed, 108 insertions(+)
Added: acme-user/trunk/PKGBUILD
===================================================================
--- acme-user/trunk/PKGBUILD (rev 0)
+++ acme-user/trunk/PKGBUILD 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1,30 @@
+# Maintainer: Bruno Pagani <archange at archlinux.org>
+
+pkgname=acme-user
+pkgver=1.0.0
+pkgrel=1
+pkgdesc="acme-tiny systemd files for running as dedicated user instead of root."
+arch=(any)
+url="https://certbot.eff.org"
+license=(GPL)
+depends=(acme-tiny systemd)
+source=(acme.service
+ acme.timer
+ acme.tmpfiles
+ acme.sysusers
+ acme-renew.sh
+ acme-post.sh)
+sha256sums=(799b67ec34b23004002cc90aa40c639979c155b793f3e4cb1012008163332051
+ c8bf2bf90baaf5630d7a0d1761773fd75b153d39f6d34289e287c862eebead2d
+ 34f0023cef60e11d5ac83b91fe36df7a3b7353c6a70dc4f86128e0d4cec4268a
+ 6b0124bad46fb4f1864b791c57b974e76c25c07e2f8476b7de3757cba7cc4c11
+ 2ebe80ce48fecdf30c5f7a3db173541cc61ff70ccb55d7b1ea4fc31d89b6e933
+ db7881b0ceaab0eb555765b378a4437890d70bffe4f38e64541e0a42eb36f993)
+
+package() {
+ install -Dm755 acme-renew.sh "${pkgdir}"/usr/bin/acme-renew
+ install -Dm755 acme-post.sh "${pkgdir}"/usr/bin/acme-post
+ install -Dm644 acme.{service,timer} -t "${pkgdir}"/usr/lib/systemd/system/
+ install -Dm644 acme.tmpfiles "${pkgdir}"/usr/lib/tmpfiles.d/acme.conf
+ install -Dm644 acme.sysusers "${pkgdir}"/usr/lib/sysusers.d/acme.conf
+}
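Review bot: `url="https://certbot.eff.org"` points at certbot while `pkgdesc` and `depends` say these are acme-tiny wrapper files, so the link a user follows for documentation is the wrong project; it should be acme-tiny's project page or the package's own upstream. `openssl`, which both installed scripts call directly, is not in `depends=(acme-tiny systemd)`; if it is not already pulled in transitively by acme-tiny it should be listed explicitly, e.g. `depends=(acme-tiny openssl systemd)`. `license=(GPL)` also leaves the version unstated — worth pinning (e.g. `GPL3`) if that is what the scripts are meant to carry.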
Added: acme-user/trunk/acme-post.sh
===================================================================
--- acme-user/trunk/acme-post.sh (rev 0)
+++ acme-user/trunk/acme-post.sh 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1,18 @@
+#!/usr/bin/sh
+
+# Read through domains
+for domain in $(find /etc/acme -type d -not -path /etc/acme); do
+ if [ -f ${domain}/fullchain_new.pem ]; then # The certificate was renewed
+ echo "Replacing certificate and fixing permissions for ${domain##*/}…"
+ mv ${domain}/fullchain{_new,}.pem
+ chown root:root ${domain}/fullchain.pem
+ chmod 444 ${domain}/fullchain.pem
+ # Splitting for OCSP needs
+ FULLCHAIN=$(<${domain}/fullchain.pem)
+ echo "${FULLCHAIN%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----" > ${domain}/cert.pem
+ echo -e "${FULLCHAIN#*-----END CERTIFICATE-----}" | sed '/./,$!d' > ${domain}/chain.pem
+ fi
+ # Regenerate answers for OCSP stapling (whether or not the certificate has been renewed)
+ echo "Regenerating OCSP priming for ${domain##*/}…"
+ openssl ocsp -noverify -no_nonce -respout ${domain}/ocsp.der -issuer ${domain}/chain.pem -cert ${domain}/cert.pem -url $(openssl x509 -noout -ocsp_uri -in ${domain}/cert.pem)
+done
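Review bot: acme-post installs whatever the acme user left as `fullchain_new.pem` without checking what it is — `[ -f ]` follows symlinks, so a symlink planted by the network-facing acme user in an acme-writable domain directory would be `mv`'d, `chown root:root`'d and `chmod 444`'d by root, and the `>` writes to `cert.pem`/`chain.pem` in that same directory would become root writes of acme-controlled content to wherever those names point. How far that reaches depends on whether the unit's sandbox still covers the `!`-prefixed ExecStartPost, which I cannot confirm from here, but the script should at least refuse symlinks and refuse input that does not parse as a certificate before touching it. Separately, the OCSP priming runs even when `cert.pem`/`chain.pem` do not exist yet and passes an unquoted, possibly empty `-url` argument (openssl then misparses the next flag), and `-noverify` means the stored response's signature is never checked; the script also relies on bash-only `$(<file)`, `{_new,}` brace expansion and `echo -e` under `#!/usr/bin/sh`, which happens to work on Arch but deserves either a `bash` shebang or POSIX replacements.
```shell
for domain in $(find /etc/acme -type d -not -path /etc/acme); do
  new="${domain}/fullchain_new.pem"
  if [ -f "$new" ] && [ ! -L "$new" ]; then # The certificate was renewed
    # Never install something the acme user wrote unless it parses as a certificate
    if ! openssl x509 -noout -in "$new" >/dev/null 2>&1; then
      echo "Skipping ${domain##*/}: fullchain_new.pem is not a certificate" >&2
      continue
    fi
    echo "Replacing certificate and fixing permissions for ${domain##*/}…"
    mv "$new" "${domain}/fullchain.pem"
    chown root:root "${domain}/fullchain.pem"
    chmod 444 "${domain}/fullchain.pem"
    # … unchanged: split fullchain.pem into cert.pem and chain.pem …
  fi
  # Nothing to prime until the split files exist (first run, or a skipped install above)
  [ -f "${domain}/cert.pem" ] && [ -f "${domain}/chain.pem" ] || continue
  ocsp_uri=$(openssl x509 -noout -ocsp_uri -in "${domain}/cert.pem")
  if [ -z "$ocsp_uri" ]; then
    echo "No OCSP responder URI in certificate for ${domain##*/}, skipping priming." >&2
    continue
  fi
  echo "Regenerating OCSP priming for ${domain##*/}…"
  openssl ocsp -no_nonce -respout "${domain}/ocsp.der" -issuer "${domain}/chain.pem" -cert "${domain}/cert.pem" -url "$ocsp_uri"
done
```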
Property changes on: acme-user/trunk/acme-post.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: acme-user/trunk/acme-renew.sh
===================================================================
--- acme-user/trunk/acme-renew.sh (rev 0)
+++ acme-user/trunk/acme-renew.sh 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1,8 @@
+#!/usr/bin/sh
+
+for domain in $(find /etc/acme -type d -not -path /etc/acme); do
+ echo "Checking certificate expiry date for ${domain##*/}…"
+ openssl x509 -noout -checkend 2592000 -in ${domain}/fullchain.pem > /dev/null 2>&1 && echo "Certificate not expiring within 30 days, skipping." && continue
+ echo "Renewing certificate for ${domain##*/}…"
+ /usr/bin/acme-tiny --account-key /etc/acme/accountkey.pem --csr ${domain}/csr.pem --acme-dir /var/lib/acme/ > ${domain}/fullchain_new.pem || exit
+done
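Review bot: The `> ${domain}/fullchain_new.pem` redirection creates and truncates the file before acme-tiny runs, so a failed renewal leaves an empty or partial `fullchain_new.pem` behind, and acme-post only tests `-f` on that name before moving it over the working `fullchain.pem`. In the normal flow the next run overwrites the stub because the old chain is still within 30 days of expiry, but if the stale file ever survives to a run where that domain is skipped it gets installed as-is, so the output should go to a temporary name and only be renamed once acme-tiny has exited 0. The bare `|| exit` also stops at the first failing domain, leaving later domains unrenewed; recording the failure and continuing, then exiting non-zero at the end, keeps the failure visible to systemd without starving the other domains. Note that with ExecStartPost gated on ExecStart success, a non-zero exit still defers installation of any chains renewed in the same run, which may be acceptable but is worth a comment.
```shell
rc=0
for domain in $(find /etc/acme -type d -not -path /etc/acme); do
  # … unchanged: expiry check and skip …
  echo "Renewing certificate for ${domain##*/}…"
  tmp=$(mktemp "${domain}/fullchain_new.XXXXXX") || { rc=1; continue; }
  # Only expose fullchain_new.pem to acme-post once acme-tiny has succeeded
  if /usr/bin/acme-tiny --account-key /etc/acme/accountkey.pem --csr "${domain}/csr.pem" --acme-dir /var/lib/acme/ > "$tmp"; then
    mv "$tmp" "${domain}/fullchain_new.pem"
  else
    echo "Renewal failed for ${domain##*/}" >&2
    rm -f "$tmp"
    rc=1
  fi
done
exit "$rc"
```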
Property changes on: acme-user/trunk/acme-renew.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: acme-user/trunk/acme.service
===================================================================
--- acme-user/trunk/acme.service (rev 0)
+++ acme-user/trunk/acme.service 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1,38 @@
+[Unit]
+Description=ACME certificate renewal
+
+[Service]
+Type=oneshot
+User=acme
+Group=acme
+PermissionsStartOnly=True
+ExecStart=/usr/bin/acme-renew
+ExecStartPost=!/usr/bin/acme-post
+Restart=on-failure
+StateDirectory=acme
+ReadWritePaths=/etc/acme/
+AmbientCapabilities=
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=yes
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=yes
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+#SecureBits=noroot-locked
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
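Review bot: `PermissionsStartOnly=True` is a deprecated setting that is fully superseded by the `!`/`+` exec prefixes, and since `ExecStartPost=!/usr/bin/acme-post` already uses one, the line is redundant and should be dropped. Per systemd.service(5) the `!` prefix only lifts `User=`/`Group=`/`SupplementaryGroups=`, so the empty `CapabilityBoundingSet=`, `ProtectSystem=strict` and `PrivateUsers=true` still apply to acme-post; that is the desirable outcome (root confined to `ReadWritePaths=/etc/acme/` and the state directory), but it also means acme-post's `chown root:root` and `chmod 444` of an acme-owned file run without CAP_CHOWN/CAP_FOWNER and I cannot confirm from here that they succeed — this should be tested, and a comment on the ExecStartPost line should state which of the two behaviours is intended, e.g. `# '!' keeps the sandbox but runs as root so the installed chain can be made root-owned`. `Restart=on-failure` on a `Type=oneshot` unit is only accepted by newer systemd; fine for Arch, but combined with a timer firing twice a day it will retry a failing renewal more often than the ACME rate limits may like, which deserves a `RestartSec=` or a comment.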
Added: acme-user/trunk/acme.sysusers
===================================================================
--- acme-user/trunk/acme.sysusers (rev 0)
+++ acme-user/trunk/acme.sysusers 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1 @@
+u acme - "ACME dedicated user" /var/lib/acme
Added: acme-user/trunk/acme.timer
===================================================================
--- acme-user/trunk/acme.timer (rev 0)
+++ acme-user/trunk/acme.timer 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1,10 @@
+[Unit]
+Description=Renew ACME certificats daily
+
+[Timer]
+OnCalendar=*-*-* 00/12:00:00
+RandomizedDelaySec=12h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
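Review bot: The Description reads "Renew ACME certificats daily" but `OnCalendar=*-*-* 00/12:00:00` fires every twelve hours (and `RandomizedDelaySec=12h` spreads each firing over the following half day), so the text has both a typo and the wrong cadence; suggest `Description=Renew ACME certificates twice daily`. The schedule itself is fine for a 30-day renewal window, but a one-line comment tying the 12h period and the 12h jitter to acme-renew's `-checkend 2592000` would save the next maintainer working that out.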
Added: acme-user/trunk/acme.tmpfiles
===================================================================
--- acme-user/trunk/acme.tmpfiles (rev 0)
+++ acme-user/trunk/acme.tmpfiles 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1,3 @@
+d /etc/acme 0750 acme acme
+d /var/lib/acme 0755 acme acme
+d /var/log/acme 0750 acme acme
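Review bot: `d /etc/acme 0750 acme acme` gives the sandboxed acme user ownership of the whole configuration tree, including `accountkey.pem` and every domain's `csr.pem`, whereas the point of a dedicated user is that a compromised renewer should only be able to drop a new `fullchain_new.pem`; consider making `/etc/acme` and the per-domain directories root-owned and granting the acme user write access only where acme-renew writes (e.g. a group-writable domain directory or an ACL), with a comment stating that intent. `/var/lib/acme` is also created both here and by `StateDirectory=acme` in the unit, which is harmless but double-managed, and `/var/log/acme` is not referenced by any of the scripts in this commit as far as I can see, so either a script should log there or the line is dead.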