
LFS compliance adaptions

Makefile: /var/run is deprecated -> using /run
Makefile: add missing include for "letsencrypt.toml"

acmed.service: sandbox hardened systemd unit
  * RuntimeDirectory (systemd handled access to pid-file)
acmed.conf: systemd handled tempfile configuration
  * preset runtime environment, needed
    if daemon is started without systemd unit
  * ensure writable LFS compliant directories,
  * assigning an `acmed` system user
    create the user with your OS tools (e.g. useradd)
letsencrypt.toml: update strings

Signed-off-by: Ralf Zerres <ralf.zerres@networkx.de>
pull/46/head
Ralf Zerres 5 years ago
parent
commit
afb6d9b820
No known key found for this signature in database GPG Key ID: D17312FD44A71C23
  1. 3
      Makefile
  2. 8
      acmed/config/letsencrypt.toml
  3. 39
      contrib/acmed.service
  4. 29
      contrib/acmed.service.example
  5. 13
      contrib/tmpfiles.d/acmed.conf

3
Makefile

@ -7,7 +7,7 @@ MAN5DIR = $(DATADIR)/man/man5
MAN8DIR = $(DATADIR)/man/man8 MAN8DIR = $(DATADIR)/man/man8
SYSCONFDIR = /etc SYSCONFDIR = /etc
VARLIBDIR = /var/lib VARLIBDIR = /var/lib
RUNSTATEDIR = /var/run
RUNSTATEDIR = /run
TARGET_DIR = ./target/$(TARGET)/release TARGET_DIR = ./target/$(TARGET)/release
MAN_SRC_DIR = ./man/en MAN_SRC_DIR = ./man/en
MAN_DST_DIR = $(TARGET_DIR)/man MAN_DST_DIR = $(TARGET_DIR)/man
@ -54,6 +54,7 @@ install:
install -m 0644 $(TARGET_DIR)/man/acmed.toml.5.gz $(DESTDIR)$(MAN5DIR)/acmed.toml.5.gz; \ install -m 0644 $(TARGET_DIR)/man/acmed.toml.5.gz $(DESTDIR)$(MAN5DIR)/acmed.toml.5.gz; \
install -m 0644 acmed/config/acmed.toml $(DESTDIR)$(SYSCONFDIR)/acmed/acmed.toml; \ install -m 0644 acmed/config/acmed.toml $(DESTDIR)$(SYSCONFDIR)/acmed/acmed.toml; \
install -m 0644 acmed/config/default_hooks.toml $(DESTDIR)$(SYSCONFDIR)/acmed/default_hooks.toml; \ install -m 0644 acmed/config/default_hooks.toml $(DESTDIR)$(SYSCONFDIR)/acmed/default_hooks.toml; \
install -m 0644 acmed/config/letsencrypt.toml $(DESTDIR)$(SYSCONFDIR)/acmed/letsencrypt.toml; \
fi fi
if test -f "$(TARGET_DIR)/tacd"; then \ if test -f "$(TARGET_DIR)/tacd"; then \
install -m 0755 $(TARGET_DIR)/tacd $(DESTDIR)$(BINDIR)/tacd; \ install -m 0755 $(TARGET_DIR)/tacd $(DESTDIR)$(BINDIR)/tacd; \
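Review bot: The added `install -m 0644 acmed/config/letsencrypt.toml ...` line in the second hunk overwrites whatever already exists at `$(DESTDIR)$(SYSCONFDIR)/acmed/letsencrypt.toml`, so re-running install on a live host would reset an administrator's edits, including `tos_agreed`, to the shipped `false`. The neighbouring acmed.toml and default_hooks.toml lines behave the same way, so this is best handled for all three. A guard such as `test -f "$(DESTDIR)$(SYSCONFDIR)/acmed/letsencrypt.toml" || install -m 0644 acmed/config/letsencrypt.toml $(DESTDIR)$(SYSCONFDIR)/acmed/letsencrypt.toml; \` leaves staged package builds unchanged. The install recipe starts and ends outside the hunk, so the rest of the target could not be checked from here.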

8
acmed/config/letsencrypt.toml

@ -1,16 +1,16 @@
[[rate-limit]] [[rate-limit]]
name = "LE min"
name = "Let's Encrypt rate-limit"
number = 20 number = 20
period = "1s" period = "1s"
[[endpoint]] [[endpoint]]
name = "letsencrypt v2 prod"
name = "Let's Encrypt v2 production"
url = "https://acme-v02.api.letsencrypt.org/directory" url = "https://acme-v02.api.letsencrypt.org/directory"
rate_limits = ["LE min"]
rate_limits = ["Let's Encrypt rate-limit"]
tos_agreed = false tos_agreed = false
[[endpoint]] [[endpoint]]
name = "letsencrypt v2 staging" name = "letsencrypt v2 staging"
url = "https://acme-staging-v02.api.letsencrypt.org/directory" url = "https://acme-staging-v02.api.letsencrypt.org/directory"
rate_limits = ["LE min"]
rate_limits = ["Let's Encrypt rate-limit"]
tos_agreed = false tos_agreed = false
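Review bot: The production endpoint is renamed to "Let's Encrypt v2 production" while the staging endpoint keeps the old-style `letsencrypt v2 staging`, so the two entries no longer follow one naming scheme. If endpoint names are referenced from other configuration files, the way `rate_limits` references the rate-limit name here, existing files that still say `letsencrypt v2 prod` would stop resolving after an upgrade. That is an inference, since no referencing file is part of this commit. Either rename staging to match, e.g. `name = "Let's Encrypt v2 staging"`, or record the rename in the release notes so administrators can update their references.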

39
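--- a/contrib/acmed.service
+++ b/contrib/acmed.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=ACME client daemon
+After=network.target
+[Service]
+User=acmed
+Group=acmed
+# Working directory equals to User-Home
+#WorkingDirectory=/var/lib/acmed
+WorkingDirectory=/etc/acmed
+RuntimeDirectory=acmed
+# daemon handling: start, stop, timeouts
+#ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level debug --log-stderr
+ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level warn
+TimeoutStartSec=3
+TimeoutStopSec=5
+Restart=on-failure
+KillSignal=SIGINT
+# Sandboxing: reduce privileges on filesystem and kernel-space
+# restrict write access to acmed's directories with variable data
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+ReadWritePaths=/etc/acmed /var/lib/acmed
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
+[Install]
+WantedBy=multi-user.target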
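Review bot: `ReadWritePaths=/etc/acmed /var/lib/acmed` together with `WorkingDirectory=/etc/acmed` leaves the configuration directory writable by the sandboxed service, so a compromised daemon could rewrite its own configuration, including the default_hooks.toml that the Makefile installs there, and have the change take effect at the next start. The pid file now lives under `RuntimeDirectory=acmed` and this commit's tmpfiles.d file creates the state directories under /var/lib/acmed, so it looks possible to narrow this to `ReadWritePaths=/var/lib/acmed` (or `StateDirectory=acmed`). That only works if the daemon's account and certificate paths really point there, which depends on build defaults not visible on this page. `ProtectHome=yes`, `ProtectKernelModules=yes` and `ProtectControlGroups=yes` would round out the directives already listed. A short comment above `NoNewPrivileges=yes` and `PrivateUsers=yes` should say that anything the daemon spawns inherits these limits and cannot regain privileges.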

29
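--- a/contrib/acmed.service.example
+++ b/contrib/acmed.service.example
@@ -1,29 +0,0 @@
-# systemd example unit file. Please adjust.
-[Unit]
-Description=ACME client daemon
-After=network.target
-[Service]
-User=acmed
-Group=acmed
-# Working directory
-WorkingDirectory=/etc/acmed
-# Starting, stopping, timeouts
-ExecStart=/usr/local/bin/acmed --foreground --pid-file /etc/acmed/acmed.pid --log-level debug --log-stderr
-TimeoutStartSec=3
-TimeoutStopSec=5
-Restart=on-failure
-KillSignal=SIGINT
-# Sandboxing, reduce privileges, only allow write access to working directory
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateUsers=yes
-ProtectSystem=strict
-ReadWritePaths=/etc/acmed/
-[Install]
-WantedBy=multi-user.target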

13
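--- a/contrib/tmpfiles.d/acmed.conf
+++ b/contrib/tmpfiles.d/acmed.conf
@@ -0,0 +1,13 @@
+###
+# acmed:
+# running as sandboxed deamon (UID/GID) needs Read/Write access
+# preset runtime environment, if not restricted via systemd unit
+###
+#Type Path Mode User Group Age Argument
+d /run/acmed 0755 acmed acmed - -
+f /run/acmed/acmed.pid 0644 acmed acmed - -
+d /var/lib/acmed 0755 acmed acmed - -
+d /var/lib/acmed/accounts 0700 acmed acmed - -
+d /var/lib/acmed/certs 0755 acmed acmed - -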
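Review bot: `d /var/lib/acmed/certs 0755` makes the certificate directory listable and traversable by every local user, while the accounts directory beside it is `0700`. If private keys are written alongside the certificates, their confidentiality then rests entirely on the per-file mode the daemon applies. If other services must read the certificates, a dedicated group with `d /var/lib/acmed/certs 0750 acmed acmed - -` would be tighter; otherwise a comment such as `# certs is world-readable on purpose; key files must stay 0600` should record the decision. Separately, the `f /run/acmed/acmed.pid` line pre-creates an empty pid file, which is worth checking against how the daemon treats an existing pid file at start-up.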