Date: Saturday, April 9, 2022 @ 16:14:19 Author: archange Revision: 1183132
Addition of acme-user to [community] Added: acme-user/ acme-user/repos/ acme-user/trunk/ acme-user/trunk/PKGBUILD acme-user/trunk/acme-post.sh acme-user/trunk/acme-renew.sh acme-user/trunk/acme.service acme-user/trunk/acme.sysusers acme-user/trunk/acme.timer acme-user/trunk/acme.tmpfiles ---------------+ PKGBUILD | 30 ++++++++++++++++++++++++++++++ acme-post.sh | 18 ++++++++++++++++++ acme-renew.sh | 8 ++++++++ acme.service | 38 ++++++++++++++++++++++++++++++++++++++ acme.sysusers | 1 + acme.timer | 10 ++++++++++ acme.tmpfiles | 3 +++ 7 files changed, 108 insertions(+)
Added: acme-user/trunk/PKGBUILD
===================================================================
--- acme-user/trunk/PKGBUILD (rev 0)
+++ acme-user/trunk/PKGBUILD 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1,30 @@
+# Maintainer: Bruno Pagani <[email protected]>
+
+pkgname=acme-user
+pkgver=1.0.0
+pkgrel=1
+pkgdesc="acme-tiny systemd files for running as dedicated user instead of root."
+arch=(any)
+url="https://certbot.eff.org"
+license=(GPL)
+depends=(acme-tiny systemd)
+source=(acme.service
+ acme.timer
+ acme.tmpfiles
+ acme.sysusers
+ acme-renew.sh
+ acme-post.sh)
+sha256sums=(799b67ec34b23004002cc90aa40c639979c155b793f3e4cb1012008163332051
+ c8bf2bf90baaf5630d7a0d1761773fd75b153d39f6d34289e287c862eebead2d
+ 34f0023cef60e11d5ac83b91fe36df7a3b7353c6a70dc4f86128e0d4cec4268a
+ 6b0124bad46fb4f1864b791c57b974e76c25c07e2f8476b7de3757cba7cc4c11
+ 2ebe80ce48fecdf30c5f7a3db173541cc61ff70ccb55d7b1ea4fc31d89b6e933
+ db7881b0ceaab0eb555765b378a4437890d70bffe4f38e64541e0a42eb36f993)
+
+package() {
+ install -Dm755 acme-renew.sh "${pkgdir}"/usr/bin/acme-renew
+ install -Dm755 acme-post.sh "${pkgdir}"/usr/bin/acme-post
+ install -Dm644 acme.{service,timer} -t "${pkgdir}"/usr/lib/systemd/system/
+ install -Dm644 acme.tmpfiles "${pkgdir}"/usr/lib/tmpfiles.d/acme.conf
+ install -Dm644 acme.sysusers "${pkgdir}"/usr/lib/sysusers.d/acme.conf
+}
Added: acme-user/trunk/acme-post.sh
===================================================================
--- acme-user/trunk/acme-post.sh (rev 0)
+++ acme-user/trunk/acme-post.sh 2022-04-09 16:14:19 UTC (rev 1183132)
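Review bot: `url="https://certbot.eff.org"` points at Certbot, but this package ships wrappers around acme-tiny (see `depends=(acme-tiny systemd)` and the pkgdesc), so the URL should be the acme-tiny upstream, e.g. `url="https://github.com/diafygi/acme-tiny"`. The two installed scripts also invoke `openssl` and `find`, neither of which is listed; if acme-tiny does not already pull openssl in transitively, `depends=(acme-tiny systemd openssl)` makes the runtime requirement explicit (findutils is presumably covered by the base set). The pkgdesc could also say that the scripts renew, split the chain and prime OCSP responses, since that is what the package actually does beyond the unit files.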
@@ -0,0 +1,18 @@
+#!/usr/bin/sh
+
+# Read through domains
+for domain in $(find /etc/acme -type d -not -path /etc/acme); do
+ if [ -f ${domain}/fullchain_new.pem ]; then # The certificate was renewed
+ echo "Replacing certificate and fixing permissions for ${domain##*/}…"
+ mv ${domain}/fullchain{_new,}.pem
+ chown root:root ${domain}/fullchain.pem
+ chmod 444 ${domain}/fullchain.pem
+ # Splitting for OCSP needs
+ FULLCHAIN=$(<${domain}/fullchain.pem)
+ echo "${FULLCHAIN%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----" > ${domain}/cert.pem
+ echo -e "${FULLCHAIN#*-----END CERTIFICATE-----}" | sed '/./,$!d' > ${domain}/chain.pem
+ fi
+ # Regenerate answers for OCSP stapling (whether or not the certificate has been renewed)
+ echo "Regenerating OCSP priming for ${domain##*/}…"
+ openssl ocsp -noverify -no_nonce -respout ${domain}/ocsp.der -issuer ${domain}/chain.pem -cert ${domain}/cert.pem -url $(openssl x509 -noout -ocsp_uri -in ${domain}/cert.pem)
+done
Property changes on: acme-user/trunk/acme-post.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: acme-user/trunk/acme-renew.sh
===================================================================
--- acme-user/trunk/acme-renew.sh (rev 0)
+++ acme-user/trunk/acme-renew.sh 2022-04-09 16:14:19 UTC (rev 1183132)
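Review bot: acme-post runs with root credentials (the unit's `ExecStartPost=!/usr/bin/acme-post`), yet every path it writes — the `mv`, the `chown`/`chmod`, the `> ${domain}/cert.pem` and `> ${domain}/chain.pem` redirections and `-respout ${domain}/ocsp.der` — lives under /etc/acme, which the tmpfiles entry makes acme-owned, and the per-domain directories must be writable by the acme user for acme-renew to drop fullchain_new.pem there; a compromised acme account can therefore plant symlinks under those names and have root overwrite arbitrary files with certificate data. I would keep /etc/acme root-owned and have acme-renew leave its output in the acme-owned StateDirectory for acme-post to pick up, or at minimum write each output to a root-owned temporary file and rename it into place rather than redirecting straight onto an attacker-controllable path. The script is also not POSIX sh despite `#!/usr/bin/sh`: `$(<file)`, the `fullchain{_new,}.pem` brace expansion and `echo -e` are bash-only, so it presumably works only because /usr/bin/sh is bash on Arch; `#!/usr/bin/bash` states the real requirement. Finally, `for domain in $(find …)` and the unquoted `${domain}` expansions word-split and glob; `find /etc/acme -mindepth 1 -type d -print0 | while IFS= read -r -d '' domain` with every `"${domain}"` quoted is the robust form (the loop is the whole script, nothing is cut by the hunk).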
@@ -0,0 +1,8 @@
+#!/usr/bin/sh
+
+for domain in $(find /etc/acme -type d -not -path /etc/acme); do
+ echo "Checking certificate expiry date for ${domain##*/}…"
+ openssl x509 -noout -checkend 2592000 -in ${domain}/fullchain.pem > /dev/null 2>&1 && echo "Certificate not expiring within 30 days, skipping." && continue
+ echo "Renewing certificate for ${domain##*/}…"
+ /usr/bin/acme-tiny --account-key /etc/acme/accountkey.pem --csr ${domain}/csr.pem --acme-dir /var/lib/acme/ > ${domain}/fullchain_new.pem || exit
+done
Property changes on: acme-user/trunk/acme-renew.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: acme-user/trunk/acme.service
===================================================================
--- acme-user/trunk/acme.service (rev 0)
+++ acme-user/trunk/acme.service 2022-04-09 16:14:19 UTC (rev 1183132)
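Review bot: the redirection `> ${domain}/fullchain_new.pem` truncates the target before acme-tiny runs, so when acme-tiny fails the `|| exit` leaves an empty fullchain_new.pem behind, and acme-post only tests `-f` before moving that file over fullchain.pem; on a later run where this domain is skipped as not expiring (after a manual renewal, say) the stale empty file would replace the good certificate. Write to a scratch name and rename only on success: `/usr/bin/acme-tiny … > "${domain}/fullchain_new.pem.tmp" || { rm -f -- "${domain}/fullchain_new.pem.tmp"; exit 1; }` followed by `mv -- "${domain}/fullchain_new.pem.tmp" "${domain}/fullchain_new.pem"` (the explicit `exit 1` is needed because after `rm -f` succeeds a bare `exit` would return 0). Together with `Restart=on-failure` in acme.service, a persistent ACME failure is retried immediately rather than at the next timer tick, which is worth checking against the CA's rate limits. As in acme-post, `$(find …)` and the unquoted `${domain}` expansions should be quoted or NUL-delimited.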
@@ -0,0 +1,38 @@
+[Unit]
+Description=ACME certificate renewal
+
+[Service]
+Type=oneshot
+User=acme
+Group=acme
+PermissionsStartOnly=True
+ExecStart=/usr/bin/acme-renew
+ExecStartPost=!/usr/bin/acme-post
+Restart=on-failure
+StateDirectory=acme
+ReadWritePaths=/etc/acme/
+AmbientCapabilities=
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=yes
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=yes
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+#SecureBits=noroot-locked
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
Added: acme-user/trunk/acme.sysusers
===================================================================
--- acme-user/trunk/acme.sysusers (rev 0)
+++ acme-user/trunk/acme.sysusers 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1 @@
+u acme - "ACME dedicated user" /var/lib/acme
Added: acme-user/trunk/acme.timer
===================================================================
--- acme-user/trunk/acme.timer (rev 0)
+++ acme-user/trunk/acme.timer 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1,10 @@
+[Unit]
+Description=Renew ACME certificats daily
+
+[Timer]
+OnCalendar=*-*-* 00/12:00:00
+RandomizedDelaySec=12h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
Added: acme-user/trunk/acme.tmpfiles
===================================================================
--- acme-user/trunk/acme.tmpfiles (rev 0)
+++ acme-user/trunk/acme.tmpfiles 2022-04-09 16:14:19 UTC (rev 1183132)
@@ -0,0 +1,3 @@
+d /etc/acme 0750 acme acme
+d /var/lib/acme 0755 acme acme
+d /var/log/acme 0750 acme acme
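Review bot: `PermissionsStartOnly=True` is the deprecated spelling of what the `!` prefix on `ExecStartPost=!/usr/bin/acme-post` already does, so the two overlap; I would drop the line and keep the prefix. More importantly, `!` only lifts User=/Group=/SupplementaryGroups=, so the empty `CapabilityBoundingSet=` still applies to acme-post, which needs CAP_CHOWN and CAP_FOWNER for its `chown root:root`/`chmod 444` on acme-owned files and CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH to enter the 0750 acme-owned /etc/acme; unless this was verified to work under PrivateUsers=true, the post hook probably fails, and the fix is either a bounding set that grants exactly those capabilities or `ExecStartPost=+/usr/bin/acme-post` (which also drops the file-system sandbox for that one command, so the narrower bounding set is preferable). `Restart=on-failure` on a timer-driven oneshot retries a failing renewal immediately; since the timer already provides retries, consider removing it or adding a `RestartSec=`.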
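Review bot: `Description=Renew ACME certificats daily` has a typo and does not match the schedule: `OnCalendar=*-*-* 00/12:00:00` fires at 00:00 and 12:00, i.e. twice a day, so `Description=Renew ACME certificates twice daily` describes what the timer does. With `RandomizedDelaySec=12h` each run may land anywhere in the following 12-hour window, which is fine against a 30-day renewal threshold but deserves a one-line comment so the next maintainer does not tighten it by accident.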
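Review bot: `d /var/log/acme 0750 acme acme` creates a log directory that nothing in this commit uses — neither script writes there, and acme.service declares no `LogsDirectory=` and does not list it under `ReadWritePaths=`, so under `ProtectSystem=strict` the service could not write to it anyway. Either drop the line or wire it up (`LogsDirectory=acme` in the unit plus an actual redirection in the scripts); as it stands it is dead configuration that implies logging which does not happen.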
