A sr.ht/sr.ht-uacme/APKBUILD => sr.ht/sr.ht-uacme/APKBUILD +50 -0
@@ 0,0 1,50 @@
+# Maintainer: Drew DeVault <sir@cmpwn.com>
+pkgname=sr.ht-uacme
+pkgver=1.0
+pkgrel=0
+pkgdesc="sr.ht acme configuration & utilities"
+url="https://sr.ht/~sircmpwn/sr.ht"
+arch="noarch"
+license="MIT"
+depends="uacme openssl moreutils doas"
+pkgusers="uacme"
+pkggroups="uacme"
+install="$pkgname.pre-install"
+source="
+ acme-update-certs
+ crontab
+ uacme.conf
+ doas.conf
+"
+options="$options !check"
+
+build() {
+ true # no-op
+}
+
+package() {
+ mkdir -p "$pkgdir"/usr/bin
+ install -Dm755 acme-update-certs "$pkgdir"/usr/bin/acme-update-certs
+
+ mkdir -p "$pkgdir"/etc
+ install -Dm644 uacme.conf "$pkgdir"/etc/uacme.conf
+
+ mkdir -p "$pkgdir"/etc/doas.d
+ install -Dm644 doas.conf "$pkgdir"/etc/doas.d/10-uacme.conf
+
+ mkdir -p "$pkgdir"/etc/crontabs
+ install -Dm600 -ouacme -guacme crontab "$pkgdir"/etc/crontabs/acme
+
+ mkdir -p "$pkgdir"/var/log
+ install -Dm644 -ouacme -guacme /dev/null "$pkgdir"/var/log/acme.log
+
+ install -dm774 -ouacme -guacme "$pkgdir"/etc/ssl/uacme/private
+ install -dm755 -ouacme -guacme "$pkgdir"/var/www/.well-known/acme-challenge
+}
+
+sha512sums="
+032482a8f76164aa00a71ec31a34d679c5b3403b9b1b150f954ba5808cb6bb524f77a9d11d673d07e1aa3d9108b0af21247888429533cd580d90df80bc465ea7 acme-update-certs
+ebd161435985ffbd36de6f16a6daa82702ef32e23841eb8257c2cda5a546462a213da913f8bc7979b84a22667b5def4973e899ac7236d63737c2a9d969bf832d crontab
+51e397f4a6ce4b66135560d9f82baa31097285ebf71e045c3c89ac9dee895fc0c05ad130c45ea85634b7a49b29bcbecc5d2cd6912f44a88196694686dc1d6220 uacme.conf
+bba47979d11da452a31c21312a688d4648fa8773fbde02a1af00c17a484e81736066b76247720cba6f6e686dbc83c0c35ca9885f4f67fb16822817dfc07694f8 doas.conf
+"
A sr.ht/sr.ht-uacme/acme-update-certs => sr.ht/sr.ht-uacme/acme-update-certs +27 -0
@@ 0,0 1,27 @@
+#!/bin/sh -eu
+exec >>/var/log/acme.log 2>&1
+date
+
+stats() {
+ cert="/etc/ssl/uacme/$1/cert.pem"
+ if ! [ -e "$cert" ]
+ then
+ return
+ fi
+ expiration=$(date -d"$(openssl x509 -enddate -noout -in "$cert" \
+ | cut -d= -f2)" -D'%b %d %H:%M:%S %Y GMT' +'%s')
+ printf '# TYPE certificate_expiration gauge\n'
+ printf '# HELP certificate_expiration Timestamp when SSL certificate will expire\n'
+ printf 'certificate_expiration{instance="%s"} %s\n' "$1" "$expiration"
+}
+
+acme() {
+ site=$1
+ shift
+ /usr/bin/uacme -v -h /usr/share/uacme/uacme.sh issue $site $* || true
+ stats $site | curl --data-binary @- https://push.metrics.sr.ht/metrics/job/$site
+}
+
+source /etc/uacme.conf
+chmod -R g+rX /etc/ssl/uacme /etc/ssl/uacme/private
+doas nginx -s reload
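Review bot: Renewal failures are never reported: `|| true` on L75 discards uacme's exit status and the `exec` on L56 sends all output to the log, so the script always exits 0 with empty stdout and `chronic` with `MAILTO=root` in the crontab (L85) never sends mail; an error is visible only in /var/log/acme.log. If uacme follows its documented convention of exit status 1 for "not yet due for renewal" and 2 or higher for real errors (please confirm against uacme(1)), recording `rc > 1` in a flag and exiting non-zero at the end keeps the cron mail useful. L75–76 also pass `$site $*` unquoted; `"$site" "$@"` is the safe form, and the curl call should carry `--max-time` so a hung push endpoint cannot wedge the daily job. The `chmod -R g+rX` on L80 makes every private key group-readable, presumably so nginx can read them; a comment saying so would help, and the second path argument is redundant under `-R`. `source` on L79 is a bashism under `#!/bin/sh`; `.` is the portable spelling.
```shell
failed=0

acme() {
  site=$1
  shift
  rc=0
  /usr/bin/uacme -v -h /usr/share/uacme/uacme.sh issue "$site" "$@" || rc=$?
  # uacme reports 1 when the certificate is not yet due; only 2+ is an error — TODO confirm against uacme(1)
  [ "$rc" -le 1 ] || failed=1
  stats "$site" | curl -sS --max-time 30 --data-binary @- "https://push.metrics.sr.ht/metrics/job/$site" \
    || true # metrics push is best-effort; renewal status is tracked in $failed
}

# … unchanged: . /etc/uacme.conf, chmod, nginx reload …
exit "$failed"
```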
A sr.ht/sr.ht-uacme/crontab => sr.ht/sr.ht-uacme/crontab +2 -0
@@ 0,0 1,2 @@
+MAILTO=root
+0 0 * * * chronic /usr/bin/acme-update-certs
A sr.ht/sr.ht-uacme/doas.conf => sr.ht/sr.ht-uacme/doas.conf +1 -0
@@ 0,0 1,1 @@
+permit nopass acme cmd nginx args -s reload
A sr.ht/sr.ht-uacme/sr.ht-uacme.pre-install => sr.ht/sr.ht-uacme/sr.ht-uacme.pre-install +5 -0
@@ 0,0 1,5 @@
+#!/bin/sh
+addgroup -S acme || true
+adduser -SD -h /var/empty -s /sbin/nologin -G uacme -g uacme uacme || true
+echo "Run the following command to finish configuring uacme:"
+echo "doas -u acme uacme new <email address>"
A sr.ht/sr.ht-uacme/uacme.conf => sr.ht/sr.ht-uacme/uacme.conf +4 -0
@@ 0,0 1,4 @@
+# Add domains here in the following format:
+# acme <domain> <subdomains...>
+# e.g.
+# acme example.org foo.example.org bar.example.org
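Review bot: The header describes a line format but not that this file is executed: acme-update-certs reads it with `source`, so every line runs as shell code under the user running the cron job and each `acme` line is a call to that script's acme() function. Stating this keeps administrators from treating it as a plain data file, e.g. `# This file is sourced as shell by /usr/bin/acme-update-certs; each "acme" line calls its acme() function, so shell quoting rules apply.`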