diff --git a/Makefile b/Makefile
index 80ab01b..8898179 100644
--- a/Makefile
+++ b/Makefile
@@ -40,7 +40,8 @@ install:
 install -D --mode=0644 $(TARGET_DIR)/man/acmed.8.gz $(DESTDIR)$(DATADIR)/man/man8/acmed.8.gz
 install -D --mode=0644 $(TARGET_DIR)/man/acmed.toml.5.gz $(DESTDIR)$(DATADIR)/man/man5/acmed.toml.5.gz
 install -D --mode=0644 $(TARGET_DIR)/man/tacd.8.gz $(DESTDIR)$(DATADIR)/man/man8/tacd.8.gz
- install -D --mode=0644 acmed/acmed_example.toml $(DESTDIR)$(SYSCONFDIR)/acmed/acmed.toml
+ install -D --mode=0644 acmed/config/acmed.toml $(DESTDIR)$(SYSCONFDIR)/acmed/acmed.toml
+ install -D --mode=0644 acmed/config/default_hooks.toml $(DESTDIR)$(SYSCONFDIR)/acmed/default_hooks.toml
 install -d --mode=0700 $(DESTDIR)$(SYSCONFDIR)/acmed/accounts
 install -d --mode=0755 $(DESTDIR)$(SYSCONFDIR)/acmed/certs
diff --git a/acmed/acmed_example.toml b/acmed/acmed_example.toml
deleted file mode 100644
index abb2204..0000000
--- a/acmed/acmed_example.toml
+++ /dev/null
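Review bot: The new `install -D --mode=0644 acmed/config/acmed.toml $(DESTDIR)$(SYSCONFDIR)/acmed/acmed.toml` line unconditionally overwrites an existing acmed.toml, which, now that the shipped file holds only the include and the endpoints, is presumably where administrators add their own `[[account]]` and `[[certificate]]` entries, so a re-run of `make install` discards that configuration. Overwriting default_hooks.toml is consistent with that file's own header comment, but acmed.toml deserves a guard such as `test -e $(DESTDIR)$(SYSCONFDIR)/acmed/acmed.toml || install -D --mode=0644 acmed/config/acmed.toml $(DESTDIR)$(SYSCONFDIR)/acmed/acmed.toml`. The install target continues outside the hunk.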
@@ -1,64 +0,0 @@
-[global]
-accounts_directory = "/etc/acmed/accounts"
-certificates_directory = "/etc/acmed/certs"
-
-[[endpoint]]
-name = "letsencrypt v2 prod"
-url = "https://acme-v02.api.letsencrypt.org/directory"
-tos_agreed = false
-
-[[endpoint]]
-name = "letsencrypt v2 staging"
-url = "https://acme-staging-v02.api.letsencrypt.org/directory"
-tos_agreed = false
-
-[[hook]]
-name = "http-echo-create"
-type = ["challenge-http-01"]
-cmd = "echo"
-args = ["{{proof}}"]
-stdout = "/srv/http/{{domain}}/.well-known/acme-challenge/{{file_name}}"
-
-[[hook]]
-name = "http-echo-clean"
-type = ["challenge-http-01-clean"]
-cmd = "rm"
-args = [
- "-f",
- "/srv/http/{{domain}}/.well-known/acme-challenge/{{file_name}}"
-]
-
-[[group]]
-name = "http-echo"
-hooks = ["http-echo-create", "http-echo-clean"]
-
-[[hook]]
-name = "email-report"
-type = ["post-operation"]
-cmd = "sendmail"
-args = [
- "-f", "noreply@example.org",
- "john.doe@example.org"
-]
-stdin = """Subject: Certificate renewal alert for {{domains.[0]}}
-
-The following certificate is being renewed.
-domains: {{#each domains}}{{#if @index}}, {{/if}}{{this}}{{/each}}
-algorithm: {{algorithm}}
-status: {{status}}"""
-
-[[account]]
-name = "test_account"
-email = "certs@example.org"
-
-[[certificate]]
-account = "test_account"
-endpoint = "letsencrypt v2 staging"
-domains = [
- { dns = "example.org", challenge = "http-01"},
- { dns = "sub-1.example.org", challenge = "http-01" },
- { dns = "sub-2.example.org", challenge = "http-01" }
-]
-algorithm = "ecdsa_p384"
-kp_reuse = false
-hooks = ["http-echo", "email-report"]
diff --git a/acmed/config/acmed.toml b/acmed/config/acmed.toml
new file mode 100644
index 0000000..ccfda5e
--- /dev/null
+++ b/acmed/config/acmed.toml
@@ -0,0 +1,17 @@
+include = [
+ "default_hooks.toml"
+]
+
+[global]
+accounts_directory = "/etc/acmed/accounts"
+certificates_directory = "/etc/acmed/certs"
+
+[[endpoint]]
+name = "letsencrypt v2 prod"
+url = "https://acme-v02.api.letsencrypt.org/directory"
+tos_agreed = false
+
+[[endpoint]]
+name = "letsencrypt v2 staging"
+url = "https://acme-staging-v02.api.letsencrypt.org/directory"
+tos_agreed = false
diff --git a/acmed/config/default_hooks.toml b/acmed/config/default_hooks.toml
new file mode 100644
index 0000000..0b93fc8
--- /dev/null
+++ b/acmed/config/default_hooks.toml
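Review bot: `include = ["default_hooks.toml"]` is a bare relative path and nothing in the file says what it is resolved against; if the loader resolves it against the process working directory rather than this file's directory, the daemon would read a different `default_hooks.toml` depending on where it was started from. The loader behaviour is not visible in this diff, so a comment stating the rule, e.g. `# Relative include paths are resolved against this file's directory — TODO confirm against the config loader`, would settle it for administrators. With the `[[account]]` and `[[certificate]]` examples gone from the shipped file, a pointer such as `# See acmed.toml(5) for the account and certificate sections` would keep this starting point self-explanatory.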
@@ -0,0 +1,150 @@
+# Copyright (c) 2019 Rodolphe Bréard
+#
+# Copying and distribution of this file, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved. This file is offered as-is,
+# without any warranty.
+
+# ------------------------------------------------------------------------
+# Default hooks for ACMEd
+# You should not edit this file since it may be overridden by a newer one.
+# ------------------------------------------------------------------------
+
+
+#
+# http-01 challenge in "/var/www/{{domain}}/"
+#
+
+[[hook]]
+name = "http-01-echo-mkdir"
+type = ["challenge-http-01"]
+cmd = "mkdir"
+args = [
+ "-m", "0755",
+ "-p", "/var/www/{{domain}}/.well-known/acme-challenge"
+]
+
+[[hook]]
+name = "http-01-echo-echo"
+type = ["challenge-http-01"]
+cmd = "echo"
+args = ["{{proof}}"]
+stdout = "/var/www/{{domain}}/.well-known/acme-challenge/{{file_name}}"
+
+[[hook]]
+name = "http-01-echo-chmod"
+type = ["challenge-http-01-clean"]
+cmd = "chmod"
+args = [
+ "a+r",
+ "/var/www/{{domain}}/.well-known/acme-challenge/{{file_name}}"
+]
+
+[[hook]]
+name = "http-01-echo-clean"
+type = ["challenge-http-01-clean"]
+cmd = "rm"
+args = [
+ "-f",
+ "/var/www/{{domain}}/.well-known/acme-challenge/{{file_name}}"
+]
+
+[[group]]
+name = "http-01-echo-var-www"
+hooks = [
+ "http-01-echo-mkdir",
+ "http-01-echo-echo",
+ "http-01-echo-chmod",
+ "http-01-echo-clean"
+]
+
+
+#
+# tls-alpn-01 challenge with tacd
+#
+
+[[hook]]
+name = "tls-alpn-01-tacd-start-tcp"
+type = ["challenge-tls-alpn-01"]
+cmd = "tacd"
+args = [
+ "--pid-file", "/tmp/tacd_{{domain}}.pid",
+ "--domain", "{{domain}}",
+ "--acme-ext", "{{proof}}",
+ "--listen", "{{domain}}:5001"
+]
+
+[[hook]]
+name = "tls-alpn-01-tacd-start-unix"
+type = ["challenge-tls-alpn-01"]
+cmd = "tacd"
+args = [
+ "--pid-file", "/tmp/tacd_{{domain}}.pid",
+ "--domain", "{{domain}}",
+ "--acme-ext", "{{proof}}",
+ "--listen", "unix:/tmp/tacd_{{domain}}.sock"
+]
+
+[[hook]]
+name = "tls-alpn-01-tacd-kill"
+type = ["challenge-tls-alpn-01-clean"]
+cmd = "pkill"
+args = [
+ "-F", "/tmp/tacd_{{domain}}.pid"
+]
+
+[[hook]]
+name = "tls-alpn-01-tacd-rm"
+type = ["challenge-tls-alpn-01-clean"]
+cmd = "rm"
+args = [
+ "-f", "/tmp/tacd_{{domain}}.pid"
+]
+
+[[group]]
+name = "tls-alpn-01-tacd-tcp"
+hooks = ["tls-alpn-01-tacd-start-tcp", "tls-alpn-01-tacd-kill", "tls-alpn-01-tacd-rm"]
+
+[[group]]
+name = "tls-alpn-01-tacd-tcp-unix"
+hooks = ["tls-alpn-01-tacd-start-unix", "tls-alpn-01-tacd-kill", "tls-alpn-01-tacd-rm"]
+
+
+#
+# Git storage hook
+#
+
+[[hook]]
+name = "git-init"
+type = ["file-pre-create", "file-pre-edit"]
+cmd = "git"
+args = [
+ "init",
+ "{{file_directory}}"
+]
+
+[[hook]]
+name = "git-add"
+type = ["file-post-create", "file-post-edit"]
+cmd = "git"
+args = [
+ "-C", "{{file_directory}}",
+ "add", "{{file_name}}"
+]
+
+[[hook]]
+name = "git-commit"
+type = ["file-post-create", "file-post-edit"]
+cmd = "git"
+args = [
+ "-C", "{{file_directory}}",
+ "-c", "user.name=ACMEd",
+ "-c", "user.email=acmed@localhost",
+ "commit",
+ "-m", "{{file_name}}",
+ "--only", "{{file_name}}"
+]
+
+[[group]]
+name = "git"
+hooks = ["git-init", "git-add", "git-commit"]
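Review bot: `http-01-echo-chmod` is typed `challenge-http-01-clean`, so within `http-01-echo-var-www` it runs in the cleanup phase immediately before `http-01-echo-clean` deletes the file, and the proof written by `http-01-echo-echo` is left with whatever mode the daemon's umask produced for the whole time the challenge is actually validated; the line should read `type = ["challenge-http-01"]`. The tacd hooks place the pid file and socket in `/tmp` under a name derived only from the domain; since `/tmp` is writable by every local user, acmed cannot assume `/tmp/tacd_{{domain}}.pid` is its own, and `pkill -F` signals whatever PID that file holds. A directory writable only by the daemon (e.g. `<runtime-dir>/tacd_{{domain}}.pid`, placeholder) is the safer default, and the same path appears in `tls-alpn-01-tacd-start-tcp`, `tls-alpn-01-tacd-start-unix`, `tls-alpn-01-tacd-kill` and `tls-alpn-01-tacd-rm`. In `http-01-echo-mkdir`, `-m 0755` applies only to the final `acme-challenge` directory while `-p` creates the parents with the umask default, which deserves a comment above the hook if that is intended.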