-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | PKGBUILD | 4 | ||||
-rw-r--r-- | acme@.service | 11 | ||||
-rw-r--r-- | example.conf | 3 |
4 files changed, 15 insertions, 7 deletions
@@ -21,8 +21,8 @@ pkgbase = acme-client-git sha256sums = SKIP sha256sums = 5f87d778e5d62822d60e38fa9621c1c5648fc559d198ba314bd9d89cbf67d9e3 sha256sums = c7d852229ae8a1b816ec476554c5d703a5513e6578a38672a52f7e7fca653b73 - sha256sums = 2fbe99262986b4e4d84e659bc868e1e616c3b150190d50994f4184b1d606dc60 - sha256sums = b441b83feda96286a932add31237abfccb9f7bed7d13a3c6d85886e6a62fcc8f + sha256sums = 10594d585c80630c4a6c36614249e4c9e6b59070caa18e1d6015bff61204b8cb + sha256sums = 297cf2592b1baed8da591136334ab7fc1f4f64a6a093a1ac657ceaae45aa8583 pkgname = acme-client-git @@ -20,8 +20,8 @@ source=(${pkgname}::'git+https://github.com/kristapsdz/acme-client-portable.git' sha256sums=('SKIP' '5f87d778e5d62822d60e38fa9621c1c5648fc559d198ba314bd9d89cbf67d9e3' 'c7d852229ae8a1b816ec476554c5d703a5513e6578a38672a52f7e7fca653b73' - '2fbe99262986b4e4d84e659bc868e1e616c3b150190d50994f4184b1d606dc60' - 'b441b83feda96286a932add31237abfccb9f7bed7d13a3c6d85886e6a62fcc8f') + '10594d585c80630c4a6c36614249e4c9e6b59070caa18e1d6015bff61204b8cb' + '297cf2592b1baed8da591136334ab7fc1f4f64a6a093a1ac657ceaae45aa8583') depends=('libbsd') makedepends=('git') diff --git a/acme@.service b/acme@.service index b2f16e6ddbc9..cccfed95d390 100644 --- a/acme@.service +++ b/acme@.service @@ -26,3 +26,14 @@ EnvironmentFile=/etc/acme/%I.conf ExecStartPre=/usr/bin/install -dm0700 "${ACME_DIR}/certs/%I" ExecStart=/usr/bin/acme-client $ACME_ARGS -f "${ACME_DIR}/accounts/${ACME_ACCOUNT}.pem" -c "${ACME_DIR}/certs/%I" -k "${ACME_DIR}/certs/%I/privkey.pem" -C /run/acme-challenge $ACME_DOMAINS + +CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID +NoNewPrivileges=true + +PrivateTmp=true +PrivateDevices=true +ProtectHome=true + +ReadOnlyPaths=/ +ReadWritePaths=/var/lib/acme +ReadWritePaths=/run/acme-challenge diff --git a/example.conf b/example.conf index 9ea17221ba09..19a70d125539 100644 --- a/example.conf +++ b/example.conf 
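Review bot: `ReadWritePaths=/var/lib/acme` in the acme@.service hunk is a fixed path, but the ExecStartPre and ExecStart lines in the same hunk still build their paths from `${ACME_DIR}`, so an existing `/etc/acme/%I.conf` that sets ACME_DIR elsewhere will now fail on a read-only filesystem under `ReadOnlyPaths=/`. systemd does not expand EnvironmentFile variables in ReadWritePaths=, and the example.conf hunk removes only the documented knob, not the variable itself. Either replace `${ACME_DIR}` with the literal `/var/lib/acme` in both Exec lines, or add a comment such as `# ACME_DIR must stay /var/lib/acme; add ReadWritePaths= in a drop-in to relocate it`. Separately, the bounding set omits CAP_DAC_OVERRIDE, so root inside the unit can presumably write to `/run/acme-challenge` only if that directory is root-owned; its ownership is set outside this hunk and is worth confirming. The start of the unit file is also outside the hunk.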
@@ -18,9 +18,6 @@ # List domain names included in certificate separated by space. All domains should work and refer to this server. ACME_DOMAINS="example.com www.example.com" -# Directory for acme accounts and certificates -#ACME_DIR="/var/lib/acme" - #ACME_ACCOUNT="letsencrypt" #ACME_ARGS="-vbnN" |