acme-common: use validation_method option instead of guessing
1 #!/bin/sh /etc/rc.common
2
USE_PROCD=1
run_dir=/var/run/acme
# Directory the web server is expected to serve ACME challenge files from
# (see the "webroot" deprecation warning in load_options).
CHALLENGE_DIR="$run_dir/challenge"
CERT_DIR=/etc/ssl/acme
export CHALLENGE_DIR CERT_DIR
# Set by get_cert() when a temporary nft rule is inserted; cleared on exit.
NFT_HANDLE=
HOOK=/usr/lib/acme/hook
LOG_TAG=acme
10
11 # shellcheck source=net/acme/files/functions.sh
12 . "$IPKG_INSTROOT/usr/lib/acme/functions.sh"
13
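# EXIT trap installed by start_service(): remove the temporary nft rule
# inserted for standalone validation.
# Globals: NFT_HANDLE (read)
cleanup() {
	log debug "cleaning up"
	# The lock file under $run_dir is deliberately left in place. start_service()
	# holds an flock on it; unlinking a locked file lets another instance that
	# opens the path afterwards get a fresh inode and take its own lock, so the
	# mutual exclusion would be lost. The lock itself is released when fd 200
	# closes at exit.
	if [ -n "$NFT_HANDLE" ]; then
		# $NFT_HANDLE contains the string 'handle NN' and must reach nft as two
		# words, so it is intentionally unquoted.
		# shellcheck disable=SC2086
		nft delete rule inet fw4 input $NFT_HANDLE
	fi
}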
24
# Read the options of UCI cert section $1 into exported variables for $HOOK.
# Deprecated option names are mapped onto their replacements with a warning.
# Arguments: $1 - UCI section name
# Globals:   CHALLENGE_DIR (overridden by the deprecated "webroot" option)
load_options() {
	section=$1

	# "use_staging" is the old name of "staging"; it wins when present.
	config_get_bool staging "$section" use_staging
	[ -n "$staging" ] || config_get_bool staging "$section" staging 0

	config_get calias "$section" calias
	config_get dalias "$section" dalias
	config_get domains "$section" domains
	# "domains" is a whitespace-separated list; the unquoted expansion is
	# intentional so that first_arg receives the entries as separate words.
	# shellcheck disable=SC2086
	main_domain="$(first_arg $domains)"
	export staging calias dalias domains main_domain

	config_get keylength "$section" keylength
	if [ -n "$keylength" ]; then
		log warn "Option \"keylength\" is deprecated, please use key_type (e.g., ec256, rsa2048) instead."
		# map the old spelling: "ec-256" -> "ec256", "2048" -> "rsa2048"
		case $keylength in
		ec-*) key_type="ec${keylength#ec-}" ;;
		*) key_type="rsa$keylength" ;;
		esac
	else
		config_get key_type "$section" key_type ec256
	fi
	export key_type

	config_get dns "$section" dns
	config_get acme_server "$section" acme_server
	config_get days "$section" days
	config_get dns_wait "$section" dns_wait
	export dns acme_server days dns_wait

	config_get standalone "$section" standalone
	[ -n "$standalone" ] && log warn "Option \"standalone\" is deprecated."

	config_get webroot "$section" webroot
	if [ -n "$webroot" ]; then
		# the warning must mention the default before CHALLENGE_DIR is overridden
		log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
		CHALLENGE_DIR=$webroot
	fi

	config_get validation_method "$section" validation_method
	if [ -z "$validation_method" ]; then
		# not configured: derive it from the legacy options and ask the user
		# to make the choice explicit
		if [ -n "$dns" ]; then
			validation_method=dns
		elif [ "$standalone" = 1 ]; then
			validation_method=standalone
		else
			validation_method=webroot
		fi
		log warn "Please set \"option validation_method $validation_method\"."
	fi
	export validation_method
}
83
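# Print the first of its arguments. Callers pass an unquoted, whitespace-
# separated list so that the shell splits it into separate arguments.
# Arguments: $1... - the list entries
# Outputs:   the first entry followed by a newline (empty line if none)
first_arg() {
	# printf, not echo: echo would swallow a first entry such as "-n" or
	# interpret backslashes in it.
	printf '%s\n' "$1"
}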
87
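# config_list_foreach callback: export one "NAME=value" entry of a cert
# section's "credentials" list into the environment of "$HOOK".
# Arguments: $1 - one list entry
load_credentials() {
	# NOTE(review): the entry is passed through eval, so it is interpreted as
	# shell code, not as plain data; a list entry with shell metacharacters
	# after the value is executed with the privileges of this init script.
	# Kept as-is because existing configs may rely on shell quoting inside
	# the value; treat the credentials list as trusted, root-owned input.
	eval export "$1"
}

# config_foreach callback: process UCI cert section $1 by running "$HOOK get"
# with the section's options and credentials exported.
# Arguments: $1 - UCI section name
# Globals:   NFT_HANDLE (written when the rule for standalone validation is
#            inserted; cleanup() deletes the rule on exit), CHALLENGE_DIR (read)
# Returns:   0 when the section is disabled; 1 when the nft rule could not be
#            inserted; otherwise the exit status of "$HOOK get"
get_cert() {
	section=$1

	config_get_bool enabled "$section" enabled 1
	# A disabled section is not an error: return 0 explicitly instead of the
	# failed test's status, so the caller cannot mistake it for a failure.
	[ "$enabled" = 1 ] || return 0

	load_options "$section"
	if [ "$validation_method" = webroot ]; then
		mkdir -p "$CHALLENGE_DIR"
	fi

	# standalone validation: accept TCP port 80 on the fw4 input chain for the
	# duration of this run. The rule is inserted once per run and removed by
	# cleanup(); its handle is needed for the delete.
	if [ "$validation_method" = standalone ] && [ -z "$NFT_HANDLE" ]; then
		if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
			log err "failed to insert nft rule for standalone validation"
			return 1
		fi
		log debug "added nft rule: $NFT_HANDLE"
	fi

	config_list_foreach "$section" credentials load_credentials

	"$HOOK" get
}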
113
# config_foreach callback: read the global "acme" section $1 into exported
# variables. Exits the script when the mandatory account_email is missing.
# Arguments: $1 - UCI section name
# Returns:   1 always, to signal that only the first acme section is wanted
load_globals() {
	section=$1

	config_get account_email "$section" account_email
	if [ -z "$account_email" ]; then
		log err "account_email option is required"
		exit 1
	fi

	config_get state_dir "$section" state_dir
	case "$state_dir" in
	"")
		state_dir=/etc/acme
		;;
	*)
		log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
		mkdir -p "$state_dir"
		;;
	esac

	config_get debug "$section" debug 0
	export account_email state_dir debug

	# Only the first acme section is considered; the non-zero status is
	# intended to end the config_foreach loop.
	# NOTE(review): confirm that config_foreach actually stops on a non-zero
	# callback status; if not, a later section silently overrides this one.
	return 1
}
139
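# procd entry point: take the single-instance lock, load the acme UCI config
# and process every cert section.
# Globals: run_dir (read); installs cleanup() as the EXIT trap
# Returns: 1 when the run directory cannot be created; exits 1 when another
#          instance holds the lock
start_service() {
	if ! mkdir -p "$run_dir"; then
		log err "cannot create $run_dir"
		return 1
	fi
	# fd 200 stays open for the lifetime of the script, so the flock is held
	# until exit.
	exec 200>"$run_dir/lock"
	if ! flock -n 200; then
		log err "Another ACME instance is already running."
		exit 1
	fi

	# Installed only once the lock is held, so an instance that loses the
	# race never runs cleanup() against the winner's state.
	trap cleanup EXIT

	config_load acme
	config_foreach load_globals acme

	config_foreach get_cert cert
}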
155
# procd: re-run the service whenever the acme UCI config changes.
service_triggers() {
	procd_add_config_trigger config.change acme /etc/init.d/acme start
}