authorsurefire2019-09-05 07:30:42 +0300
committersurefire2019-09-05 07:32:53 +0300
commit75f711f351bed69cf2e43b336e76fab4447df611 (patch)
treeacdc3dd3f47546704c5e5e2973070fbcf5873769
downloadaur-75f711f351bed69cf2e43b336e76fab4447df611.tar.gz
Initial
-rw-r--r--.SRCINFO30
-rw-r--r--.gitignore1
-rw-r--r--PKGBUILD55
-rw-r--r--acme-client.conf45
-rw-r--r--acme-client@.service23
-rw-r--r--acme-client@.timer9
-rwxr-xr-xexample.org.hook14
7 files changed, 177 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..ff88412cd237
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,30 @@
+pkgbase = acme-client-portable
+ pkgdesc = Yet another ACME client, specifically for Let's Encrypt, but one with a strong focus on security. Written in C.
+ pkgver = 0.2.3
+ pkgrel = 1
+ url = https://github.com/graywolf/acme-client-portable
+ arch = x86_64
+ arch = i686
+ arch = armv7h
+ license = BSD
+ makedepends = git
+ depends = curl
+ depends = libbsd
+ depends = openssl
+ provides = acme-client
+ conflicts = acme-client
+ backup = etc/acme-client.conf
+ source = acme-client-portable::git+https://github.com/graywolf/acme-client-portable.git#tag=v0.2.3
+ source = acme-client.conf
+ source = acme-client@.timer
+ source = acme-client@.service
+ source = example.org.hook
+ validpgpkeys = A1EB079B8D3EB92B4EBD3139663AF51BD5E4D8D5
+ sha256sums = SKIP
+ sha256sums = ceda6ded73c9273b50a6fa8c1eef1a21ef1fe4565f81ad1ef872cd8ff9d12f6d
+ sha256sums = c7d852229ae8a1b816ec476554c5d703a5513e6578a38672a52f7e7fca653b73
+ sha256sums = 1ab1b79d27f13ac25b680209de200702245957b56d875b7ff5ce3660cd2081a2
+ sha256sums = 40d7cf2596fdc6f2c94998dd93aba76107828e7cf4dbd77b99fd1b4c36712dc4
+
+pkgname = acme-client-portable
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..a91bd3db02cd
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+acme-client-portable/
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..7136c8fd13cb
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,55 @@
+# Maintainer: surefire@cryptomile.net
+pkgname=acme-client-portable
+pkgver=0.2.3
+pkgrel=1
+arch=('x86_64' 'i686' 'armv7h')
+license=('BSD')
+pkgdesc="Yet another ACME client, specifically for Let's Encrypt, but one with a strong focus on security. Written in C."
+url='https://github.com/graywolf/acme-client-portable'
+
+source=(
+ "${pkgname}"::"git+https://github.com/graywolf/acme-client-portable.git#tag=v$pkgver"
+ 'acme-client.conf'
+ 'acme-client@.timer'
+ 'acme-client@.service'
+ 'example.org.hook'
+)
+
+validpgpkeys=('A1EB079B8D3EB92B4EBD3139663AF51BD5E4D8D5')
+
+sha256sums=('SKIP'
+ 'ceda6ded73c9273b50a6fa8c1eef1a21ef1fe4565f81ad1ef872cd8ff9d12f6d'
+ 'c7d852229ae8a1b816ec476554c5d703a5513e6578a38672a52f7e7fca653b73'
+ '1ab1b79d27f13ac25b680209de200702245957b56d875b7ff5ce3660cd2081a2'
+ '40d7cf2596fdc6f2c94998dd93aba76107828e7cf4dbd77b99fd1b4c36712dc4')
+
+depends=(
+ 'curl'
+ 'libbsd'
+ 'openssl'
+)
+makedepends=('git')
+
+conflicts=('acme-client')
+provides=('acme-client')
+
+backup=('etc/acme-client.conf')
+
+build() {
+ cd "${pkgname}"
+ autoreconf -i
+ ./configure --prefix=/usr
+ make
+}
+
+package() {
+ cd "${pkgname}"
+
+ install -Dm755 -t "${pkgdir}/usr/bin" acme-client
+ install -Dm644 -t "${pkgdir}/usr/share/man/man1" acme-client.1
+ install -Dm644 -t "${pkgdir}/usr/share/man/man5" acme-client.conf.5
+
+ install -Dm644 -t "${pkgdir}/etc" ../acme-client.conf
+ install -Dm755 -t "${pkgdir}/etc/acme-client.d" ../example.org.hook
+ install -Dm644 -t "${pkgdir}/usr/lib/systemd/system" ../acme-client@.{timer,service}
+}
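Review bot: The git source on line 79 pins only a tag name and pairs with `'SKIP'` on line 88, and because the URL lacks the `?signed` suffix the `validpgpkeys` entry on line 86 is never consulted, so upstream code is fetched with no integrity check at all even though the PKGBUILD reads as if it were verified. Append the query to the fragment, `"${pkgname}"::"git+https://github.com/graywolf/acme-client-portable.git#tag=v$pkgver?signed"`, so makepkg checks the `v$pkgver` tag against the listed key; if upstream does not sign its tags, drop the `validpgpkeys` line instead of implying verification. The `license=('BSD')` entry normally also wants the license text installed under `/usr/share/licenses/${pkgname}`; if the repository ships one, `install -Dm644 -t "${pkgdir}/usr/share/licenses/${pkgname}" <license file>` belongs in `package()` (file name to be confirmed from the checkout).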
diff --git a/acme-client.conf b/acme-client.conf
new file mode 100644
index 000000000000..2f63130838e7
--- /dev/null
+++ b/acme-client.conf
@@ -0,0 +1,45 @@
+#
+# You need to configure http server
+# so that directory "/run/acme-challenge"
+# was the alias of "/.well-known/acme-challenge"
+#
+# Nginx example:
+# location /.well-known/acme-challenge {
+# alias /run/acme-challenge;
+# }
+#
+# Run:
+# systemctl start acme-client@domain
+#
+# Show status:
+# journalctl -e -u acme-client@domain
+#
+# Enable daily timer check and renew certs:
+# systemctl enable --now acme-client@domain.timer
+#
+# If you need to copy and edit the hook:
+# /etc/acme-client.d/example.org.hook
+
+authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/var/lib/acme-client/accounts/letsencrypt.key"
+}
+
+authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/var/lib/acme-client/accounts/letsencrypt-staging.key"
+}
+
+domain example.org {
+ domain key "/var/lib/acme-client/certs/example.org.key"
+ domain full chain certificate "/var/lib/acme-client/certs/example.org.crt"
+ sign with "letsencrypt"
+ challengedir "/run/acme-challenge"
+}
+
+# domain example.org {
+# domain key "/var/lib/acme-client/certs/example.org.key-staging"
+# domain full chain certificate "/var/lib/acme-client/certs/example.org.crt-staging"
+# sign with "letsencrypt-staging"
+# challengedir "/run/acme-challenge"
+# }
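Review bot: The shipped default leaves a live `domain example.org` block (lines 162-167) signing with the production authority while only the staging variant is commented out, so `systemctl start acme-client@example.org` on a fresh install would immediately request a production certificate for a domain the host presumably does not control, and repeated failed validations may count against Let's Encrypt rate limits. Consider commenting out the production block as well and saying in the usage header that the block must be edited for a real domain and ideally tried with `letsencrypt-staging` first. The header wording on lines 131-133 is also awkward; something like `# Configure your HTTP server so that "/.well-known/acme-challenge" is served from "/run/acme-challenge"` reads more clearly.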
diff --git a/acme-client@.service b/acme-client@.service
new file mode 100644
index 000000000000..f436989543c5
--- /dev/null
+++ b/acme-client@.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Check and renew ACME TLS certificates
+After=network.target
+Requires=network.target
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/bin/acme-client -v %I
+SuccessExitStatus=2
+
+ExecStopPost=/usr/bin/sh -c "[ ! -x '/etc/acme-client.d/%I.hook' ] || exec '/etc/acme-client.d/%I.hook'"
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+
+ReadOnlyPaths=/
+
+StateDirectory=acme-client/accounts
+StateDirectory=acme-client/certs
+RuntimeDirectory=acme-challenge
+RuntimeDirectoryMode=0755
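Review bot: `ExecStopPost=` on line 192 splices `%I` into a `sh -c` command string inside single quotes, so an instance name containing a quote or other shell metacharacter changes the command rather than the path; the instance name is admin-supplied, so this is a robustness rather than an exploitability concern, but passing the path as a positional argument removes it entirely: `ExecStopPost=/usr/bin/sh -c '[ ! -x "$1" ] || exec "$1"' sh /etc/acme-client.d/%I.hook`. `%I` is the unescaped form, so a domain containing `-` has to be started as an escaped instance (`acme-client@my\x2ddomain.org`, via `systemd-escape`) or the hyphen becomes `/` in both the `acme-client -v` argument on line 189 and the hook path; that caveat deserves a line in the usage header of acme-client.conf. Lines 183-184 order the unit after `network.target`, which only means the network stack is configured, not that the host can reach the ACME API; a oneshot that talks to the network straight away should use `After=network-online.target` together with `Wants=network-online.target`.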
diff --git a/acme-client@.timer b/acme-client@.timer
new file mode 100644
index 000000000000..3b954c3ae74e
--- /dev/null
+++ b/acme-client@.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Check and renew ACME TLS certificates
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target
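Review bot: The `[Timer]` section has no `Persistent=true`, so a daily run missed while the machine is powered off is not made up at the next boot, and a host that is routinely down around the scheduled time can skip renewals indefinitely. For a certificate-renewal timer add `Persistent=true` under `[Timer]` next to `OnCalendar=daily` on line 214; the existing `RandomizedDelaySec=1h` still spreads the catch-up run.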
diff --git a/example.org.hook b/example.org.hook
new file mode 100755
index 000000000000..807de8863c69
--- /dev/null
+++ b/example.org.hook
@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#%24EXIT_CODE
+# > $EXIT_STATUS contains the numeric exit code formatted as string if $EXIT_CODE is "exited",
+# > and the signal name in all other cases.
+#
+# $EXIT_STATUS of acme-client
+# 1 on failure
+# 2 if the certificates didn't change (up to date)
+# 0 if certificates were changed (revoked or updated).
+
+if [ 0 = "$EXIT_STATUS" ]; then
+ systemctl reload nginx.service
+fi