acme: merge cli into init script
#!/bin/sh /etc/rc.common
# ACME init script: takes a global run lock, loads the UCI "acme" config and
# runs the hook once for every enabled "cert" section.

USE_PROCD=1
run_dir=/var/run/acme
CHALLENGE_DIR=$run_dir/challenge
CERT_DIR=/etc/ssl/acme
export CHALLENGE_DIR CERT_DIR
# Handle of the temporary TCP/80 accept rule used in standalone mode; empty
# until get_cert() inserts the rule, removed again by cleanup().
NFT_HANDLE=
HOOK=/usr/lib/acme/hook
# presumably consumed by the log helper in functions.sh — not used directly here
LOG_TAG=acme

# shellcheck source=net/acme/files/functions.sh
. /usr/lib/acme/functions.sh
13
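#######################################
# Exit-time cleanup, installed with `trap cleanup EXIT` by start_service.
# Removes the run lock file and, when standalone mode inserted one, the
# temporary nft rule that accepted TCP/80 on the fw4 input chain, so the
# port is not left open once the run is over.
# Globals:   run_dir (read), NFT_HANDLE (read)
# Returns:   status of the last command run
#######################################
cleanup() {
	log debug "cleaning up"
	# quoted and with "--" so an unexpected run_dir value cannot be split or
	# parsed as an option (SC2086)
	if [ -e "$run_dir/lock" ]; then
		rm -- "$run_dir/lock"
	fi
	if [ "$NFT_HANDLE" ]; then
		# $NFT_HANDLE holds the string 'handle XX' and must reach nft as two
		# separate arguments, so it is passed unquoted on purpose.
		# shellcheck disable=SC2086
		nft delete rule inet fw4 input $NFT_HANDLE
	fi
}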
24
#######################################
# Reads the per-certificate options of one "cert" section into exported
# variables that the hook picks up from its environment.
# Globals:   CHALLENGE_DIR (read); staging, calias, dalias, domains,
#            main_domain, keylength, dns, acme_server, days, standalone,
#            dns_wait, webroot (written and exported)
# Arguments: $1 - UCI section name
#######################################
load_options() {
	section=$1

	# compatibility for old option name: "use_staging" is honoured when set,
	# otherwise fall back to "staging" (default 0)
	config_get_bool staging "$section" use_staging
	if [ -z "$staging" ]; then
		config_get_bool staging "$section" staging 0
	fi
	export staging
	config_get calias "$section" calias
	export calias
	config_get dalias "$section" dalias
	export dalias
	config_get domains "$section" domains
	export domains
	export main_domain
	# $domains is expanded unquoted on purpose: it is a whitespace-separated
	# list and its first word is the primary domain
	# shellcheck disable=SC2086
	main_domain="$(first_arg $domains)"
	config_get keylength "$section" keylength ec-256
	export keylength
	config_get dns "$section" dns
	export dns
	config_get acme_server "$section" acme_server
	export acme_server
	config_get days "$section" days
	export days
	config_get standalone "$section" standalone 0
	export standalone
	config_get dns_wait "$section" dns_wait
	export dns_wait

	# still exported for the hook, but only to warn: challenges are now served
	# from $CHALLENGE_DIR by the web server
	config_get webroot "$section" webroot
	export webroot
	if [ "$webroot" ]; then
		log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
	fi
}
61
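#######################################
# Prints the first of its arguments; the caller uses it to pick the primary
# domain out of the space-separated "domains" option (expanded unquoted so
# the shell word-splits the list).
# Arguments: $1 - first word of the list (may be empty)
# Outputs:   $1 followed by a newline on stdout
#######################################
first_arg() {
	# printf rather than echo: echo would treat a value such as "-n" as an option
	printf '%s\n' "$1"
}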
65
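#######################################
# config_foreach callback for one "cert" section: loads its options, prepares
# the challenge directory or the temporary firewall rule, exports the
# section's credentials and runs the hook.
# Globals:   CHALLENGE_DIR, HOOK (read); NFT_HANDLE (written in standalone mode)
# Arguments: $1 - UCI section name
# Returns:   non-zero without doing anything when the section is disabled;
#            1 if the nft rule could not be inserted; otherwise the exit
#            status of "$HOOK get"
#######################################
get_cert() {
	section=$1

	config_get_bool enabled "$section" enabled 1
	[ "$enabled" = 1 ] || return

	load_options "$section"
	# http-01 through the local web server: the hook drops challenge files here
	if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
		mkdir -p "$CHALLENGE_DIR"
	fi

	# Standalone mode needs inbound TCP/80 for the duration of the run. The
	# rule is inserted once per run (the handle is shared by all sections) and
	# removed by cleanup(); until then port 80 is accepted from any source.
	if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
		if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
			# previously a silent return; log so a failed run is explainable
			log err "failed to insert nft rule for standalone mode"
			return 1
		fi
		log debug "added nft rule: $NFT_HANDLE"
	fi

	# Each "credentials" list entry is a NAME=value string that is
	# shell-evaluated before being exported. The values come from the
	# root-owned UCI config, but the eval executes any shell syntax in them
	# verbatim — bear that in mind when this config is generated elsewhere.
	load_credentials() {
		eval export "$1"
	}
	config_list_foreach "$section" credentials load_credentials

	"$HOOK" get
}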
91
#######################################
# config_foreach callback for the "acme" section: reads the global options
# (account_email, state_dir, debug) into exported variables and stops the
# iteration after the first section.
# Globals:   CERT_DIR (read); account_email, state_dir, debug (written, exported)
# Arguments: $1 - UCI section name
# Returns:   always 1 so config_foreach stops after the first "acme" section;
#            exits the script with status 1 when account_email is missing
#######################################
load_globals() {
	section=$1

	config_get account_email "$section" account_email
	[ -n "$account_email" ] || {
		log err "account_email option is required"
		exit 1
	}
	export account_email

	config_get state_dir "$section" state_dir
	if [ -z "$state_dir" ]; then
		state_dir=/etc/acme
	else
		log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
		mkdir -p "$state_dir"
	fi
	export state_dir

	config_get debug "$section" debug 0
	export debug

	# a non-zero return makes config_foreach stop: only the first section counts
	return 1
}
117
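#######################################
# procd entry point: takes an exclusive lock so only one ACME run is active,
# installs the cleanup trap, loads the "acme" config and processes every
# "cert" section.
# Globals:   run_dir (read)
# Returns:   exits with 1 when another instance already holds the lock
#######################################
start_service() {
	# quoted so the path is never split or globbed (SC2086)
	mkdir -p "$run_dir"
	# fd 200 stays open for the life of the script; the flock on it is the mutex
	exec 200>"$run_dir/lock"
	if ! flock -n 200; then
		log err "Another ACME instance is already running."
		exit 1
	fi

	# Only the lock holder installs the trap, so an instance that lost the race
	# above does not remove the holder's lock file or nft rule on its way out.
	trap cleanup EXIT

	config_load acme
	config_foreach load_globals acme

	config_foreach get_cert cert
}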
133
#######################################
# procd hook: re-run "start" whenever the acme UCI config changes.
#######################################
service_triggers() {
	procd_add_config_trigger config.change acme /etc/init.d/acme start
}