Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

acme: merge cli into init script

Browse source 
Signed-off-by: Glen Huang <i@glenhuang.com>
This commit is contained in:
Glen Huang 2023-02-28 19:19:19 +08:00 committed by Toke Høiland-Jørgensen
parent e93a9d0063
commit c6960a2bdc
5 changed files with 137 additions and 171 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
net/acme-common/Makefile
View file

@ -38,8 +38,6 @@ define Package/acme-common/install
$(INSTALL_DIR) $(1)/etc/ssl/acme $(INSTALL_DIR) $(1)/etc/ssl/acme
$(INSTALL_DIR) $(1)/etc/config $(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme $(INSTALL_CONF) ./files/acme.config $(1)/etc/config/acme
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) ./files/acme.sh $(1)/usr/bin/acme
$(INSTALL_DIR) $(1)/usr/lib/acme $(INSTALL_DIR) $(1)/usr/lib/acme
$(INSTALL_DATA) ./files/functions.sh $(1)/usr/lib/acme $(INSTALL_DATA) ./files/functions.sh $(1)/usr/lib/acme
$(INSTALL_BIN) ./files/acme-notify.sh $(1)/usr/lib/acme/notify $(INSTALL_BIN) ./files/acme-notify.sh $(1)/usr/lib/acme/notify
@ -50,15 +48,15 @@ define Package/acme-common/install
$(INSTALL_DIR) $(1)/etc/hotplug.d/acme $(INSTALL_DIR) $(1)/etc/hotplug.d/acme
endef endef
define Package/acme/postinst define Package/acme-common/postinst
#!/bin/sh #!/bin/sh
grep -q '/usr/bin/acme' /etc/crontabs/root 2>/dev/null && exit 0 grep -q '/etc/init.d/acme' /etc/crontabs/root 2>/dev/null && exit 0
echo "0 0 * * * /usr/bin/acme get" >> /etc/crontabs/root echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root
endef endef
define Package/acme-common/prerm define Package/acme-common/prerm
#!/bin/sh #!/bin/sh
sed -i '\|/usr/bin/acme|d' /etc/crontabs/root sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root
endef endef
define Build/Configure define Build/Configure

132
net/acme-common/files/acme.init
View file

@ -1,9 +1,137 @@
#!/bin/sh /etc/rc.common #!/bin/sh /etc/rc.common
START=80
USE_PROCD=1 USE_PROCD=1
run_dir=/var/run/acme
export CHALLENGE_DIR=$run_dir/challenge
export CERT_DIR=/etc/ssl/acme
NFT_HANDLE=
HOOK=/usr/lib/acme/hook
LOG_TAG=acme
# shellcheck source=net/acme/files/functions.sh
. /usr/lib/acme/functions.sh
cleanup() {
log debug "cleaning up"
if [ -e $run_dir/lock ]; then
rm $run_dir/lock
fi
if [ "$NFT_HANDLE" ]; then
# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
nft delete rule inet fw4 input $NFT_HANDLE
fi
}
load_options() {
section=$1
# compatibility for old option name
config_get_bool staging "$section" use_staging
if [ -z "$staging" ]; then
config_get_bool staging "$section" staging 0
fi
export staging
config_get calias "$section" calias
export calias
config_get dalias "$section" dalias
export dalias
config_get domains "$section" domains
export domains
export main_domain
main_domain="$(first_arg $domains)"
config_get keylength "$section" keylength ec-256
export keylength
config_get dns "$section" dns
export dns
config_get acme_server "$section" acme_server
export acme_server
config_get days "$section" days
export days
config_get standalone "$section" standalone 0
export standalone
config_get dns_wait "$section" dns_wait
export dns_wait
config_get webroot "$section" webroot
export webroot
if [ "$webroot" ]; then
log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
fi
}
first_arg() {
echo "$1"
}
get_cert() {
section=$1
config_get_bool enabled "$section" enabled 1
[ "$enabled" = 1 ] || return
load_options "$section"
if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
mkdir -p "$CHALLENGE_DIR"
fi
if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
return 1
fi
log debug "added nft rule: $NFT_HANDLE"
fi
load_credentials() {
eval export "$1"
}
config_list_foreach "$section" credentials load_credentials
"$HOOK" get
}
load_globals() {
section=$1
config_get account_email "$section" account_email
if [ -z "$account_email" ]; then
log err "account_email option is required"
exit 1
fi
export account_email
config_get state_dir "$section" state_dir
if [ "$state_dir" ]; then
log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
mkdir -p "$state_dir"
else
state_dir=/etc/acme
fi
export state_dir
config_get debug "$section" debug 0
export debug
# only look for the first acme section
return 1
}
start_service() {
mkdir -p $run_dir
exec 200>$run_dir/lock
if ! flock -n 200; then
log err "Another ACME instance is already running."
exit 1
fi
trap cleanup EXIT
config_load acme
config_foreach load_globals acme
config_foreach get_cert cert
}
service_triggers() { service_triggers() {
procd_add_config_trigger config.change acme \ procd_add_config_trigger config.change acme \
/usr/bin/acme get /etc/init.d/acme start
} }

160
net/acme-common/files/acme.sh
View file

@ -1,160 +0,0 @@
#!/bin/sh
# Wrapper for acme.sh to work on openwrt.
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 3 of the License, or (at your option) any later
# version.
#
# Authors: Toke Høiland-Jørgensen <toke@toke.dk>
run_dir=/var/run/acme
export CHALLENGE_DIR=$run_dir/challenge
export CERT_DIR=/etc/ssl/acme
NFT_HANDLE=
HOOK=/usr/lib/acme/hook
LOG_TAG=acme
# shellcheck source=/dev/null
. /lib/functions.sh
# shellcheck source=net/acme/files/functions.sh
. /usr/lib/acme/functions.sh
cleanup() {
log debug "cleaning up"
if [ -e $run_dir/lock ]; then
rm $run_dir/lock
fi
if [ "$NFT_HANDLE" ]; then
# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
nft delete rule inet fw4 input $NFT_HANDLE
fi
}
load_options() {
section=$1
# compatibility for old option name
config_get_bool staging "$section" use_staging
if [ -z "$staging" ]; then
config_get_bool staging "$section" staging 0
fi
export staging
config_get calias "$section" calias
export calias
config_get dalias "$section" dalias
export dalias
config_get domains "$section" domains
export domains
export main_domain
main_domain="$(first_arg $domains)"
config_get keylength "$section" keylength ec-256
export keylength
config_get dns "$section" dns
export dns
config_get acme_server "$section" acme_server
export acme_server
config_get days "$section" days
export days
config_get standalone "$section" standalone 0
export standalone
config_get dns_wait "$section" dns_wait
export dns_wait
config_get webroot "$section" webroot
export webroot
if [ "$webroot" ]; then
log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
fi
}
first_arg() {
echo "$1"
}
get_cert() {
section=$1
config_get_bool enabled "$section" enabled 1
[ "$enabled" = 1 ] || return
load_options "$section"
if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
mkdir -p "$CHALLENGE_DIR"
fi
if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
return 1
fi
log debug "added nft rule: $NFT_HANDLE"
fi
load_credentials() {
eval export "$1"
}
config_list_foreach "$section" credentials load_credentials
"$HOOK" get
}
load_globals() {
section=$1
config_get account_email "$section" account_email
if [ -z "$account_email" ]; then
log err "account_email option is required"
exit 1
fi
export account_email
config_get state_dir "$section" state_dir
if [ "$state_dir" ]; then
log warn "Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
mkdir -p "$state_dir"
else
state_dir=/etc/acme
fi
export state_dir
config_get debug "$section" debug 0
export debug
# only look for the first acme section
return 1
}
usage() {
cat <<EOF
Usage: acme <command> [arguments]
Commands:
get issue or renew certificates
EOF
exit 1
}
if [ ! -x "$HOOK" ]; then
log err "An ACME client like acme-acmesh or acme-uacme is required, which is not installed."
exit 1
fi
case $1 in
get)
mkdir -p $run_dir
exec 200>$run_dir/lock
if ! flock -n 200; then
log err "Another ACME instance is already running."
exit 1
fi
trap cleanup EXIT
config_load acme
config_foreach load_globals acme
config_foreach get_cert cert
;;
*)
usage
;;
esac

4
net/acme-common/files/acme.uci-defaults
View file

@ -1,4 +1,4 @@
#!/bin/sh #!/bin/sh
grep -q '/usr/bin/acme' /etc/crontabs/root 2>/dev/null && exit 0 grep -q '/etc/init.d/acme' /etc/crontabs/root 2>/dev/null && exit 0
echo "0 0 * * * /usr/bin/acme get" >> /etc/crontabs/root echo "0 0 * * * /etc/init.d/acme start" >>/etc/crontabs/root

2
net/acme-common/files/functions.sh
View file

@ -1,7 +1,7 @@
log() { log() {
prio="$1" prio="$1"
shift shift
if [ "$prio" != debug ] || [ "$debug" = 0 ]; then if [ "$prio" != debug ] || [ "$debug" = 1 ]; then
logger -t "$LOG_TAG" -s -p "daemon.$prio" -- "$@" logger -t "$LOG_TAG" -s -p "daemon.$prio" -- "$@"
fi fi
} }