commit 83802480024ccb77c40871c32dfa0884c6697e08
Author: Gibheer
Date: Mon Sep 18 15:57:22 2023 +0200

initial commit for certmgmt

diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 0000000..a2cf1c8
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,31 @@
+pkgname='certmgmt'
+pkgver=0.1
+pkgrel=6
+pkgdesc='certmgmt is a collection of infrastructure to manage acme-tiny'
+arch=('x86_64')
+depends=('acme-tiny' 'systemd')
+
+source=(
+ 'certmgmt'
+ 'certmgmt.conf'
+ 'certmgmt.sysusers'
+ 'certmgmt.tmpfiles'
+ 'certmgmt@.service'
+ 'certmgmt@.timer'
+)
+backup=('etc/certmgmt.conf')
+sha256sums=('d2bc6e60e802161a7c202605eadaba476f03ab307f95b08c57bae2e9208cea71'
+ '6a72a9d006f8af929385770acac85168d276ba3aa092e829f25c4b573406085a'
+ '526673acbfe4f8e1e5d5f9dee56d87196c1d8019dfb7e1a13941bb03bb4a56af'
+ '898396693c9f10fc094f571f81045f634a9ec72bd0ae16959b3774a931c512dc'
+ '897d2655224debfad543547e9920a08fe965ffb08354d1ff477be2c0d115d4a0'
+ '51f0f939b753fd142ef6a3659066446933ec8700dddc33f227ef3ecc5653ce8e')
+
+package() {
+ install -Dm 0644 "${srcdir}/certmgmt.conf" "${pkgdir}/etc/certmgmt.conf"
+ install -Dm 0644 "${srcdir}/certmgmt.sysusers" "${pkgdir}/usr/lib/sysusers.d/certmgmt.conf"
+ install -Dm 0644 "${srcdir}/certmgmt.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/certmgmt.conf"
+ install -Dm 0755 "${srcdir}/certmgmt" "${pkgdir}/opt/certmgmt/bin/certmgmt"
+ install -Dm 0644 "${srcdir}/certmgmt@.service" "${pkgdir}/usr/lib/systemd/system/certmgmt@.service"
+ install -Dm 0644 "${srcdir}/certmgmt@.timer" "${pkgdir}/usr/lib/systemd/system/certmgmt@.timer"
+}
diff --git a/certmgmt b/certmgmt
new file mode 100644
index 0000000..2427da5
--- /dev/null
+++ b/certmgmt
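Review bot: `depends=('acme-tiny' 'systemd')` leaves out nginx, yet the packaged certmgmt@.service declares `Requires=nginx.service` and its ExecStartPost runs `/usr/bin/systemctl reload nginx`, so on a host without nginx the unit cannot start at all. Either add nginx to `depends`, or list it as `optdepends=('nginx: reload the web server after a renewal')` and loosen the unit's coupling to `Wants=nginx.service`. The `source` array also shows that the account key referenced by /etc/certmgmt.conf is not shipped; a `# the ACME account key at ACCOUNT_FILE must be created by the admin and be readable by the certmgmt user` comment above `backup=` would spare the first run a confusing "account file was not found".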
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+if [ ! -f "/etc/certmgmt.conf" ]; then
+ echo "config file '/etc/certmgmt/certmgmt.conf' not found"
+ exit 1
+fi
+. /etc/certmgmt.conf
+
+if [ -z "${ACCOUNT_FILE}" ]; then
+ echo "ACCOUNT_FILE was not found in config file"
+ exit 1
+fi
+if [ ! -f "${ACCOUNT_FILE}" ]; then
+ echo "account file was not found"
+ exit 1
+fi
+
+if [ -z "$1" ]; then
+ echo "no domain given to check"
+ exit 1
+fi
+
+if [ ! -f "/opt/certmgmt/certs/${1}/csr" ]; then
+ echo "certificate request is missing"
+ exit 1
+fi
+
+age="$(find "/opt/certmgmt/certs/${1}/crt" -mtime -60 | wc -l)"
+if [ "${age}" -gt "0" ]; then
+ echo "certificate exists and is not old enough for renewal"
+ exit 0
+fi
+
+acme-tiny \
+ --account-key "${ACCOUNT_FILE}" \
+ --csr "/opt/certmgmt/certs/${1}/csr" \
+ --acme-dir '/opt/certmgmt/challenges' \
+ > "/opt/certmgmt/certs/${1}/crt"
+ #--directory-url https://acme-staging-v02.api.letsencrypt.org/directory \
+if [ "$?" -gt "0" ]; then
+ rm "/opt/certmgmt/certs/${1}/crt"
+ exit 1
+fi
diff --git a/certmgmt.conf b/certmgmt.conf
new file mode 100644
index 0000000..117e306
--- /dev/null
+++ b/certmgmt.conf
@@ -0,0 +1,2 @@
+# set the path to the account file
+ACCOUNT_FILE="/etc/certmgmt.account"
diff --git a/certmgmt.sysusers b/certmgmt.sysusers
new file mode 100644
index 0000000..89d3a12
--- /dev/null
+++ b/certmgmt.sysusers
@@ -0,0 +1 @@
+u certmgmt - "acme-tiny cert manager" / /sbin/nologin
diff --git a/certmgmt.tmpfiles b/certmgmt.tmpfiles
new file mode 100644
index 0000000..2cf00d5
--- /dev/null
+++ b/certmgmt.tmpfiles
@@ -0,0 +1 @@
+d /opt/certmgmt 0750 certmgmt certmgmt -
diff --git a/certmgmt@.service b/certmgmt@.service
new file mode 100644
index 0000000..678cc09
--- /dev/null
+++ b/certmgmt@.service
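Review bot: The redirect `> "/opt/certmgmt/certs/${1}/crt"` truncates the current certificate before acme-tiny has produced anything, and the failure branch then `rm`s it, so a transient ACME or network error leaves the domain with no certificate even though the old one was still valid (the age check only triggers renewal at 60 days). Write to a temporary path and rename it over the old file only on success; doing that inside an `if acme-tiny ...; then` also removes the dependence on `$?` surviving the commented-out `--directory-url` line that currently sits between the command and the check. Two smaller points: the first error message names '/etc/certmgmt/certmgmt.conf' while the test is for /etc/certmgmt.conf, and `$1` is spliced into paths unvalidated, so a guard such as `case "$1" in ''|*[!A-Za-z0-9.-]*) echo "invalid domain"; exit 1;; esac` keeps a malformed instance name from resolving outside /opt/certmgmt/certs. The script runs as the unit's certmgmt user, so the temporary file inherits that ownership.
```sh
# … unchanged: config, account-file, argument and csr checks; age test …
crt="/opt/certmgmt/certs/${1}/crt"
if acme-tiny \
    --account-key "${ACCOUNT_FILE}" \
    --csr "/opt/certmgmt/certs/${1}/csr" \
    --acme-dir '/opt/certmgmt/challenges' \
    > "${crt}.new"; then
  mv "${crt}.new" "${crt}"
else
  rm -f "${crt}.new"
  exit 1
fi
```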
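Review bot: The comment `# set the path to the account file` omits the one property an admin is likely to get wrong: the service runs as `User=certmgmt`, so the key at `ACCOUNT_FILE` must be readable by that user, and as an ACME account private key it should be readable by nobody else. Suggest `# path to the ACME account private key; not created by the package, must be owned by certmgmt with mode 0600`. Since the script sources this file with `.`, the comment could also say that only variable assignments belong here.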
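Review bot: The single `d /opt/certmgmt 0750 certmgmt certmgmt -` entry creates neither `/opt/certmgmt/certs` nor `/opt/certmgmt/challenges`, both of which the shipped script uses, so a fresh install stops at "certificate request is missing" until the admin creates them by hand. Two more lines cover it: `d /opt/certmgmt/certs 0750 certmgmt certmgmt -` and `d /opt/certmgmt/challenges 0755 certmgmt certmgmt -`. Note that 0750 on the parent also prevents the web server's unprivileged worker processes from reading anything under `challenges/` unless they run in the certmgmt group; if that directory is meant to be served directly for the ACME HTTP challenge, the parent likely needs 0755 while `certs/` can stay 0750.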
@@ -0,0 +1,14 @@
+[Unit]
+Description=refresh certificate %i
+After=network.target network-online.target nginx.service
+Requires=nginx.service
+
+[Service]
+User=certmgmt
+Group=certmgmt
+Type=oneshot
+ExecStart=/opt/certmgmt/bin/certmgmt %i
+ExecStartPost=+/usr/bin/systemctl reload nginx
+
+[Install]
+WantedBy=multi-user.target
diff --git a/certmgmt@.timer b/certmgmt@.timer
new file mode 100644
index 0000000..446d78d
--- /dev/null
+++ b/certmgmt@.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=refresh certificate %i
+After=network.target network-online.target nginx.service
+Requires=nginx.service
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=300
+
+[Install]
+WantedBy=timers.target
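Review bot: `ExecStartPost=+/usr/bin/systemctl reload nginx` runs as root after every successful ExecStart, and the script also exits 0 on its "not old enough for renewal" path, so nginx is reloaded once per instance every day whether or not a certificate changed. Gating the reload on a freshly written file keeps the root-privileged step to the cases that need it, e.g. `ExecStartPost=+/bin/sh -c 'find /opt/certmgmt/certs/%i/crt -mmin -5 | grep -q . && systemctl reload nginx || true'`. Since ExecStart runs as an unprivileged user with one known write location, the standard sandboxing is cheap to add under `[Service]`: `ProtectSystem=strict`, `ReadWritePaths=/opt/certmgmt`, `PrivateTmp=true`, `ProtectHome=true`, `NoNewPrivileges=true`; the `+`-prefixed post command is exempt from these restrictions, which is one more reason to keep it minimal.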
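Review bot: `Requires=nginx.service` on the timer itself means the renewal timer is stopped whenever nginx is explicitly stopped (Requires= propagates stops), so a web-server maintenance window silently disables renewals until someone restarts the timer. The service unit already carries the same `Requires=`/`After=` pair, so the timer's `[Unit]` section can be reduced to `Description=refresh certificate %i` with no loss of ordering when the service actually fires.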