authorsurefire2016-09-18 20:42:00 +0300
committersurefire2016-09-18 20:55:43 +0300
commitb9ec62c07e84839e215fe6a3b4ae00c5663317c0 (patch)
treea17a1921fb541141614e4ceca6997e69b4ccd15c
Initial
-rw-r--r--.SRCINFO25
-rw-r--r--.gitignore4
-rw-r--r--PKGBUILD65
-rw-r--r--acme@.service28
-rw-r--r--acme@.timer9
-rw-r--r--example.conf29
6 files changed, 160 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..732cc35c00b9
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,25 @@
+pkgbase = acme-client-git
+ pkgdesc = Yet another ACME client, specifically for Let's Encrypt, but one with a strong focus on security. Written in C.
+ pkgver = 0.1.11.r4.ge15995f
+ pkgrel = 1
+ url = https://kristaps.bsd.lv/acme-client/
+ arch = any
+ license = custom
+ makedepends = git
+ depends = libbsd
+ provides = acme-client
+ conflicts = acme-client
+ options = emptydirs
+ source = acme-client-git::git+https://github.com/kristapsdz/acme-client-portable.git
+ source = http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.4.2.tar.gz
+ source = acme@.timer
+ source = acme@.service
+ source = example.conf
+ sha256sums = SKIP
+ sha256sums = 5f87d778e5d62822d60e38fa9621c1c5648fc559d198ba314bd9d89cbf67d9e3
+ sha256sums = c7d852229ae8a1b816ec476554c5d703a5513e6578a38672a52f7e7fca653b73
+ sha256sums = 2fbe99262986b4e4d84e659bc868e1e616c3b150190d50994f4184b1d606dc60
+ sha256sums = b441b83feda96286a932add31237abfccb9f7bed7d13a3c6d85886e6a62fcc8f
+
+pkgname = acme-client-git
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..c470a9e7ae07
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+acme-client-git/
+*.tgz
+*.tar.gz
+*.tar.xz
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..893efde6caf1
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,65 @@
+# Maintainer: surefire@cryptomile.net
+
+pkgname=acme-client-git
+_pkgname=acme-client
+pkgver=0.1.11.r4.ge15995f
+pkgrel=1
+arch=('x86_64' 'i686')
+license=('custom')
+pkgdesc="Yet another ACME client, specifically for Let's Encrypt, but one with a strong focus on security. Written in C."
+url='https://kristaps.bsd.lv/acme-client/'
+
+_sslver=2.4.2
+
+source=(${pkgname}::'git+https://github.com/kristapsdz/acme-client-portable.git'
+ "http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${_sslver}.tar.gz"
+ 'acme@.timer'
+ 'acme@.service'
+ 'example.conf')
+
+sha256sums=('SKIP'
+ '5f87d778e5d62822d60e38fa9621c1c5648fc559d198ba314bd9d89cbf67d9e3'
+ 'c7d852229ae8a1b816ec476554c5d703a5513e6578a38672a52f7e7fca653b73'
+ '2fbe99262986b4e4d84e659bc868e1e616c3b150190d50994f4184b1d606dc60'
+ 'b441b83feda96286a932add31237abfccb9f7bed7d13a3c6d85886e6a62fcc8f')
+
+depends=('libbsd')
+makedepends=('git')
+
+conflicts=('acme-client')
+provides=('acme-client')
+
+options=('emptydirs')
+
+pkgver() {
+ cd "${pkgname}"
+ git describe --long --tags | sed 's/VERSION_//;s/\([^-]*-g\)/r\1/;s/[-_]/./g'
+}
+
+build() {
+ pushd "libressl-${_sslver}"
+ ./configure --disable-shared --disable-static --enable-static=tls,ssl,crypto
+ make
+
+ popd
+
+ pushd "${pkgname}"
+ make \
+ LIBBSD='-Wl,-dy -lbsd' \
+ CFLAGS="-g -W -Wall -DHAVE_CONFIG_H -I../libressl-${_sslver}/include" \
+ LDFLAGS="-L../libressl-${_sslver}/{tls,ssl,crypto}/.libs -Wl,-dn"
+}
+
+package() {
+ cd "${pkgname}"
+
+ install -Dm755 -t "${pkgdir}/usr/bin" acme-client
+ install -Dm644 -t "${pkgdir}/usr/share/man/man1" acme-client.1
+ install -Dm644 -t "${pkgdir}/usr/share/licenses/${_pkgname}" LICENSE.md
+
+ install -Dm644 -t "${pkgdir}/usr/lib/systemd/system" ../acme@.{timer,service}
+ install -Dm644 -t "${pkgdir}/etc/acme" ../example.conf
+
+ install -dm0755 "${pkgdir}/var/lib/acme/accounts" "${pkgdir}/var/lib/acme/certs"
+
+}
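Review bot: In package(), the last `install -dm0755` creates `/var/lib/acme/accounts` readable and traversable by every local user, although the service's `-f "${ACME_DIR}/accounts/${ACME_ACCOUNT}.pem"` stores the ACME account key there. The unit's ExecStartPre creates `certs/%I` as 0700, so the two key-holding directories are treated inconsistently. Whether acme-client writes the key file with a restrictive mode is not visible on this page, so I would split the call and use `install -dm0700 "${pkgdir}/var/lib/acme/accounts"`. Separately, build() links LibreSSL `${_sslver}` statically, so TLS library fixes reach the binary only when `_sslver` is bumped and the package is rebuilt; a comment above `_sslver=2.4.2` saying so would help the next maintainer.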
diff --git a/acme@.service b/acme@.service
new file mode 100644
index 000000000000..b2f16e6ddbc9
--- /dev/null
+++ b/acme@.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Check and renew ACME TLS certificates
+After=network.target
+Requires=network.target
+
+[Service]
+# You need to configure http server so that directory "/run/acme-challenge" was the alias of "/.well-known/acme-challenge"
+#
+# Nginx example:
+#
+# location /.well-known/acme-challenge {
+# alias /run/acme-challenge;
+# }
+
+RuntimeDirectory=acme-challenge
+RuntimeDirectoryMode=0755
+
+SuccessExitStatus=2
+
+Environment="ACME_DIR=/var/lib/acme"
+Environment="ACME_ARGS=-vbnN"
+Environment="ACME_ACCOUNT=letsencrypt"
+
+EnvironmentFile=/etc/acme/%I.conf
+
+ExecStartPre=/usr/bin/install -dm0700 "${ACME_DIR}/certs/%I"
+
+ExecStart=/usr/bin/acme-client $ACME_ARGS -f "${ACME_DIR}/accounts/${ACME_ACCOUNT}.pem" -c "${ACME_DIR}/certs/%I" -k "${ACME_DIR}/certs/%I/privkey.pem" -C /run/acme-challenge $ACME_DOMAINS
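Review bot: `RuntimeDirectory=acme-challenge` sits on a template unit, so every instance shares `/run/acme-challenge`, and systemd removes a unit's runtime directory when that unit stops. With the timer's `RandomizedDelaySec=1h` two instances can overlap, and the first to exit would delete the challenge directory the other is still using; this is inferred from systemd's documented behaviour, not tested here. Creating the directory once outside the unit (for example with a tmpfiles.d entry), or adding `RuntimeDirectoryPreserve=yes` on systemd versions that support it, avoids that. The comment block could also state that no `User=` or sandboxing directive is set, so the client starts with full root privileges.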
diff --git a/acme@.timer b/acme@.timer
new file mode 100644
index 000000000000..3b954c3ae74e
--- /dev/null
+++ b/acme@.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Check and renew ACME TLS certificates
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target
diff --git a/example.conf b/example.conf
new file mode 100644
index 000000000000..9ea17221ba09
--- /dev/null
+++ b/example.conf
@@ -0,0 +1,29 @@
+# Before first run you need to configure http server so that directory "/run/acme-challenge" was the alias of "/.well-known/acme-challenge"
+# Nginx example:
+# location /.well-known/acme-challenge {
+# alias /run/acme-challenge;
+# }
+#
+# Manual run:
+# systemctl start acme@example
+#
+# Show status:
+# journalctl -e -u acme@example
+#
+# If no errors, then certificate and key will be placed in the directory /var/lib/acme/certs/example
+#
+# Enable daily timer check and renew certs:
+# systemctl enable --now letsencrypt@example.timer
+
+# List domain names included in certificate separated by space. All domains should work and refer to this server.
+ACME_DOMAINS="example.com www.example.com"
+
+# Directory for acme accounts and certificates
+#ACME_DIR="/var/lib/acme"
+
+#ACME_ACCOUNT="letsencrypt"
+
+#ACME_ARGS="-vbnN"
+
+# See also:
+# man 1 acme-client
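Review bot: The enable command in the header comment names a unit this package does not ship: `systemctl enable --now letsencrypt@example.timer` should read `systemctl enable --now acme@example.timer`. That matches the `acme@.timer` file the PKGBUILD installs and the `acme@example` instance used in the manual-run lines above it. As written, a user who follows the comment ends up with no renewal timer enabled, and the certificate would eventually expire unnoticed.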