[arch-commits] Commit in acme-user/repos (8 files)

Bruno Pagani archange at gemini.archlinux.org
Sat Apr 9 16:15:20 UTC 2022


    Date: Saturday, April 9, 2022 @ 16:15:19
  Author: archange
Revision: 1183133

archrelease: copy trunk to community-any

Added:
  acme-user/repos/community-any/
  acme-user/repos/community-any/PKGBUILD
    (from rev 1183132, acme-user/trunk/PKGBUILD)
  acme-user/repos/community-any/acme-post.sh
    (from rev 1183132, acme-user/trunk/acme-post.sh)
  acme-user/repos/community-any/acme-renew.sh
    (from rev 1183132, acme-user/trunk/acme-renew.sh)
  acme-user/repos/community-any/acme.service
    (from rev 1183132, acme-user/trunk/acme.service)
  acme-user/repos/community-any/acme.sysusers
    (from rev 1183132, acme-user/trunk/acme.sysusers)
  acme-user/repos/community-any/acme.timer
    (from rev 1183132, acme-user/trunk/acme.timer)
  acme-user/repos/community-any/acme.tmpfiles
    (from rev 1183132, acme-user/trunk/acme.tmpfiles)

---------------+
 PKGBUILD      |   30 ++++++++++++++++++++++++++++++
 acme-post.sh  |   18 ++++++++++++++++++
 acme-renew.sh |    8 ++++++++
 acme.service  |   38 ++++++++++++++++++++++++++++++++++++++
 acme.sysusers |    1 +
 acme.timer    |   10 ++++++++++
 acme.tmpfiles |    3 +++
 7 files changed, 108 insertions(+)

Copied: acme-user/repos/community-any/PKGBUILD (from rev 1183132, acme-user/trunk/PKGBUILD)
===================================================================
--- community-any/PKGBUILD	                        (rev 0)
+++ community-any/PKGBUILD	2022-04-09 16:15:19 UTC (rev 1183133)
@@ -0,0 +1,30 @@
+# Maintainer: Bruno Pagani <archange at archlinux.org>
+
+pkgname=acme-user
+pkgver=1.0.0
+pkgrel=1
+pkgdesc="acme-tiny systemd files for running as dedicated user instead of root."
+arch=(any)
+url="https://certbot.eff.org"
+license=(GPL)
+depends=(acme-tiny systemd)
+source=(acme.service
+        acme.timer
+        acme.tmpfiles
+        acme.sysusers
+        acme-renew.sh
+        acme-post.sh)
+sha256sums=(799b67ec34b23004002cc90aa40c639979c155b793f3e4cb1012008163332051
+            c8bf2bf90baaf5630d7a0d1761773fd75b153d39f6d34289e287c862eebead2d
+            34f0023cef60e11d5ac83b91fe36df7a3b7353c6a70dc4f86128e0d4cec4268a
+            6b0124bad46fb4f1864b791c57b974e76c25c07e2f8476b7de3757cba7cc4c11
+            2ebe80ce48fecdf30c5f7a3db173541cc61ff70ccb55d7b1ea4fc31d89b6e933
+            db7881b0ceaab0eb555765b378a4437890d70bffe4f38e64541e0a42eb36f993)
+
+package() {
+    install -Dm755 acme-renew.sh "${pkgdir}"/usr/bin/acme-renew
+    install -Dm755 acme-post.sh "${pkgdir}"/usr/bin/acme-post
+    install -Dm644 acme.{service,timer} -t "${pkgdir}"/usr/lib/systemd/system/
+    install -Dm644 acme.tmpfiles "${pkgdir}"/usr/lib/tmpfiles.d/acme.conf
+    install -Dm644 acme.sysusers "${pkgdir}"/usr/lib/sysusers.d/acme.conf
+}
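Review bot: `url="https://certbot.eff.org"` points at certbot although pkgdesc and `depends=(acme-tiny systemd)` describe acme-tiny helper files; presumably the intended upstream is the acme-tiny project page, so confirm and correct the URL. The trailing period in pkgdesc also goes against the usual Arch convention for descriptions, e.g. `pkgdesc="acme-tiny systemd files for running as dedicated user instead of root"`. Since the shipped scripts expect a fixed layout under /etc/acme (accountkey.pem at the top, csr.pem and fullchain.pem per domain directory) and nothing in the package creates it, a comment in the PKGBUILD or an .install message describing that layout would save users a failed first run.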

Copied: acme-user/repos/community-any/acme-post.sh (from rev 1183132, acme-user/trunk/acme-post.sh)
===================================================================
--- community-any/acme-post.sh	                        (rev 0)
+++ community-any/acme-post.sh	2022-04-09 16:15:19 UTC (rev 1183133)
@@ -0,0 +1,18 @@
+#!/usr/bin/sh
+
+# Read through domains
+for domain in $(find /etc/acme -type d -not -path /etc/acme); do
+    if [ -f ${domain}/fullchain_new.pem ]; then # The certificate was renewed
+        echo "Replacing certificate and fixing permissions for ${domain##*/}…"
+        mv ${domain}/fullchain{_new,}.pem
+        chown root:root ${domain}/fullchain.pem
+        chmod 444 ${domain}/fullchain.pem
+        # Splitting for OCSP needs
+        FULLCHAIN=$(<${domain}/fullchain.pem)
+        echo "${FULLCHAIN%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----" > ${domain}/cert.pem
+        echo -e "${FULLCHAIN#*-----END CERTIFICATE-----}" | sed '/./,$!d' > ${domain}/chain.pem
+    fi
+    # Regenerate answers for OCSP stapling (whether or not the certificate has been renewed)
+    echo "Regenerating OCSP priming for ${domain##*/}…"
+    openssl ocsp -noverify -no_nonce -respout ${domain}/ocsp.der -issuer ${domain}/chain.pem -cert ${domain}/cert.pem -url $(openssl x509 -noout -ocsp_uri -in ${domain}/cert.pem)
+done
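Review bot: This hook runs privileged (acme.service invokes it as `ExecStartPost=!/usr/bin/acme-post`) inside /etc/acme, which acme.tmpfiles hands to the unprivileged acme user, yet the `[ -f ]` test, `mv`, `chown`, `chmod` and the `>` redirections for cert.pem and chain.pem all follow symlinks, so any symlink left under a domain directory by the acme account (or a compromised acme-tiny) gets renamed, re-owned or overwritten by root. Reject links before touching the file and prefer `chown -h`, keep the root-written outputs out of the acme-writable tree if possible, and validate the new chain with `openssl x509 -noout -in` before installing it. Separately, the shebang is `/usr/bin/sh` but `$(<file)`, the `{_new,}` brace expansion and `echo -e` are bash-only, and every `${domain}` expansion is unquoted; quote them and use `#!/usr/bin/bash`, or rewrite portably. The `openssl ocsp -noverify` call also stores whatever the responder returns without checking its signature; verifying against the issuer chain (e.g. `-CAfile`) instead would catch a bad response before it is stapled.
```shell
#!/usr/bin/bash

# /etc/acme is owned by the unprivileged acme user while this hook runs
# privileged, so never act on a symlink (a root-owned output directory
# would close the remaining check-then-use window entirely).
find /etc/acme -type d -not -path /etc/acme -print0 | while IFS= read -r -d '' domain; do
    new="${domain}/fullchain_new.pem"
    if [ -f "$new" ] && [ ! -L "$new" ]; then # The certificate was renewed
        echo "Replacing certificate and fixing permissions for ${domain##*/}…"
        mv -- "$new" "${domain}/fullchain.pem"
        chown -h root:root "${domain}/fullchain.pem"
        chmod 444 "${domain}/fullchain.pem"
        # … unchanged: cert.pem/chain.pem splitting, with every ${domain} expansion quoted …
    fi
    # … unchanged: OCSP regeneration, with every ${domain} expansion quoted …
done
```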

Copied: acme-user/repos/community-any/acme-renew.sh (from rev 1183132, acme-user/trunk/acme-renew.sh)
===================================================================
--- community-any/acme-renew.sh	                        (rev 0)
+++ community-any/acme-renew.sh	2022-04-09 16:15:19 UTC (rev 1183133)
@@ -0,0 +1,8 @@
+#!/usr/bin/sh
+
+for domain in $(find /etc/acme -type d -not -path /etc/acme); do
+    echo "Checking certificate expiry date for ${domain##*/}…"
+    openssl x509 -noout -checkend 2592000 -in ${domain}/fullchain.pem > /dev/null 2>&1 && echo "Certificate not expiring within 30 days, skipping." && continue
+    echo "Renewing certificate for ${domain##*/}…"
+    /usr/bin/acme-tiny --account-key /etc/acme/accountkey.pem --csr ${domain}/csr.pem --acme-dir /var/lib/acme/ > ${domain}/fullchain_new.pem || exit
+done
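Review bot: `|| exit` on the acme-tiny line aborts the loop at the first domain that fails, so one broken CSR or challenge blocks renewal for every domain listed after it, and the `>` redirection has already created or truncated `fullchain_new.pem` before acme-tiny runs, leaving an empty or partial file behind that nothing checks before acme-post installs it. Write to a temporary name, check that the result parses as a certificate, and only then rename it into place; record the failure and keep going, exiting non-zero at the end so the unit still reports it. The `for domain in $(find …)` loop and the unquoted `${domain}` expansions also break on paths containing whitespace; quoting the expansions is the portable fix under `#!/usr/bin/sh`.
```shell
failed=0
# … unchanged: for loop header and expiry check …
    echo "Renewing certificate for ${domain##*/}…"
    tmp="${domain}/fullchain_new.pem.tmp"
    if /usr/bin/acme-tiny --account-key /etc/acme/accountkey.pem --csr "${domain}/csr.pem" --acme-dir /var/lib/acme/ > "$tmp" \
        && openssl x509 -noout -in "$tmp" > /dev/null 2>&1; then
        mv -- "$tmp" "${domain}/fullchain_new.pem"
    else
        echo "Renewal failed for ${domain##*/}" >&2
        rm -f -- "$tmp"
        failed=1
    fi
done
exit "$failed"
```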

Copied: acme-user/repos/community-any/acme.service (from rev 1183132, acme-user/trunk/acme.service)
===================================================================
--- community-any/acme.service	                        (rev 0)
+++ community-any/acme.service	2022-04-09 16:15:19 UTC (rev 1183133)
@@ -0,0 +1,38 @@
+[Unit]
+Description=ACME certificate renewal
+
+[Service]
+Type=oneshot
+User=acme
+Group=acme
+PermissionsStartOnly=True
+ExecStart=/usr/bin/acme-renew
+ExecStartPost=!/usr/bin/acme-post
+Restart=on-failure
+StateDirectory=acme
+ReadWritePaths=/etc/acme/
+AmbientCapabilities=
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=yes
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=yes
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+#SecureBits=noroot-locked
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
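Review bot: `ExecStartPost=!/usr/bin/acme-post` lifts only the User=/Group= restriction, so as far as I read systemd.service(5) the empty `CapabilityBoundingSet=` and `NoNewPrivileges=true` still apply to acme-post; a uid-0 process with no CAP_CHOWN, CAP_FOWNER or CAP_DAC_OVERRIDE cannot `chown root:root` or `chmod` an acme-owned fullchain.pem, nor write into a 0750 acme:acme directory, so please confirm with a test run that the post hook actually succeeds under this sandbox (the script has no `set -e`, so failures would only show in the journal). If it does need them, grant the minimum with e.g. `CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE` rather than loosening the rest of the sandbox. `PermissionsStartOnly=True` is deprecated and redundant with the `!` prefix already used on the ExecStartPost line; drop it. A oneshot with `Restart=on-failure` and no `RestartSec=` retries almost immediately after a failed renewal until the start limit trips, which hammers the ACME endpoint for no benefit; set `RestartSec=` to several minutes or rely on the timer alone.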

Copied: acme-user/repos/community-any/acme.sysusers (from rev 1183132, acme-user/trunk/acme.sysusers)
===================================================================
--- community-any/acme.sysusers	                        (rev 0)
+++ community-any/acme.sysusers	2022-04-09 16:15:19 UTC (rev 1183133)
@@ -0,0 +1 @@
+u acme - "ACME dedicated user" /var/lib/acme

Copied: acme-user/repos/community-any/acme.timer (from rev 1183132, acme-user/trunk/acme.timer)
===================================================================
--- community-any/acme.timer	                        (rev 0)
+++ community-any/acme.timer	2022-04-09 16:15:19 UTC (rev 1183133)
@@ -0,0 +1,10 @@
+[Unit]
+Description=Renew ACME certificats daily
+
+[Timer]
+OnCalendar=*-*-* 00/12:00:00
+RandomizedDelaySec=12h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
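Review bot: The Description line says "daily" (and misspells `certificats`) while `OnCalendar=*-*-* 00/12:00:00` fires twice a day and `RandomizedDelaySec=12h` spreads each run across the whole interval; align the text with the schedule, e.g. `Description=Renew ACME certificates twice daily`. The cadence itself is reasonable against the 30-day window checked in acme-renew, so this is documentation only.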

Copied: acme-user/repos/community-any/acme.tmpfiles (from rev 1183132, acme-user/trunk/acme.tmpfiles)
===================================================================
--- community-any/acme.tmpfiles	                        (rev 0)
+++ community-any/acme.tmpfiles	2022-04-09 16:15:19 UTC (rev 1183133)
@@ -0,0 +1,3 @@
+d /etc/acme       0750 acme acme
+d /var/lib/acme   0755 acme acme
+d /var/log/acme   0750 acme acme
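Review bot: `d /var/log/acme 0750 acme acme` creates a log directory that nothing else in this commit writes to (both scripts print to stdout, i.e. the journal, and acme.service sets no LogsDirectory=), so it looks unused and should either be dropped or documented with a comment such as `# reserved for acme-tiny output; not used by acme-renew/acme-post`. `/var/lib/acme` is also created by `StateDirectory=acme` in acme.service with the same owner and mode, so that line is redundant but harmless. Making `/etc/acme` itself owned by the acme user means the account key and every CSR are modifiable by the unprivileged service account, although acme-renew only needs to read them and write into the per-domain directories; if that is not intended, a root-owned `/etc/acme` with only the per-domain directories writable by acme would be tighter.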


