Last active
July 8, 2017 16:08
-
-
Save lucaswerkmeister/2c564c13f5dd5aa157370f6c148f6159 to your computer and use it in GitHub Desktop.
Configuration for running dehydrated (ACME client, formerly known as letsencrypt.sh) on Debian Stretch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From 75e82fef397e402bf2c49b8c99e6066f976475b6 Mon Sep 17 00:00:00 2001 | |
| From: Lucas Werkmeister <[email protected]> | |
| Date: Sat, 8 Jul 2017 17:41:48 +0200 | |
| Subject: [PATCH] Add dehydrated config | |
| MIME-Version: 1.0 | |
| Content-Type: text/plain; charset=UTF-8 | |
| Content-Transfer-Encoding: 8bit | |
| dehydrated (formerly known as letsencrypt.sh) is a simple ACME client. | |
| This commit adds the default Debian configuration for it, as well as | |
| some additional configuration to make it work under apache2 and to run | |
| it as a systemd service (with associated timer). | |
| The service runs as the dehydrated user, and stores its persistent data | |
| (accounts, certificates) in /var/lib/dehydrated and its runtime data | |
| (ACME challenges) in /run/dehydrated. With the configuration files added | |
| here, the following commands can be used to set up the system for it: | |
| systemd-sysusers dehydrated.conf | |
| systemd-tmpfiles --create dehydrated.conf | |
| Most of the sandboxing options in dehydrated.service are not necessary | |
| for a non-root service; they are present because I added them before I | |
| changed the config to run dehydrated as non-root, and because they don’t | |
| hurt to have either. | |
| --- | |
| apache2/conf-available/dehydrated.conf | 8 ++++++++ | |
| apache2/conf-enabled/dehydrated.conf | 1 + | |
| dehydrated/conf.d/50-wellknown.sh | 3 +++ | |
| dehydrated/config | 15 +++++++++++++++ | |
| dehydrated/domains.txt | 1 + | |
| systemd/system/dehydrated.service | 27 +++++++++++++++++++++++++++ | |
| systemd/system/dehydrated.timer | 10 ++++++++++ | |
| sysusers.d/dehydrated.conf | 1 + | |
| tmpfiles.d/dehydrated.conf | 1 + | |
| 9 files changed, 67 insertions(+) | |
| create mode 100644 apache2/conf-available/dehydrated.conf | |
| create mode 120000 apache2/conf-enabled/dehydrated.conf | |
| create mode 100644 dehydrated/conf.d/50-wellknown.sh | |
| create mode 100644 dehydrated/config | |
| create mode 100644 dehydrated/domains.txt | |
| create mode 100644 systemd/system/dehydrated.service | |
| create mode 100644 systemd/system/dehydrated.timer | |
| create mode 100644 sysusers.d/dehydrated.conf | |
| create mode 100644 tmpfiles.d/dehydrated.conf | |
| diff --git a/apache2/conf-available/dehydrated.conf b/apache2/conf-available/dehydrated.conf | |
| new file mode 100644 | |
| index 0000000..269f2b2 | |
| --- /dev/null | |
| +++ b/apache2/conf-available/dehydrated.conf | |
| @@ -0,0 +1,8 @@ | |
| +Alias /.well-known/acme-challenge/ /run/dehydrated/ | |
| +<Directory /run/dehydrated> | |
| + Options -Indexes -FollowSymLinks | |
| + AllowOverride None | |
| + Require all granted | |
| +</Directory> | |
| + | |
| +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet | |
| diff --git a/apache2/conf-enabled/dehydrated.conf b/apache2/conf-enabled/dehydrated.conf | |
| new file mode 120000 | |
| index 0000000..4951de9 | |
| --- /dev/null | |
| +++ b/apache2/conf-enabled/dehydrated.conf | |
| @@ -0,0 +1 @@ | |
| +../conf-available/dehydrated.conf | |
| \ No newline at end of file | |
| diff --git a/dehydrated/conf.d/50-wellknown.sh b/dehydrated/conf.d/50-wellknown.sh | |
| new file mode 100644 | |
| index 0000000..e5f7da4 | |
| --- /dev/null | |
| +++ b/dehydrated/conf.d/50-wellknown.sh | |
| @@ -0,0 +1,3 @@ | |
| +WELLKNOWN=/run/dehydrated | |
| +# directory created by systemd through RuntimeDirectory in dehydrated.service | |
| +# and made available by apache2 through Alias in dehydrated.conf | |
| diff --git a/dehydrated/config b/dehydrated/config | |
| new file mode 100644 | |
| index 0000000..1fe71d4 | |
| --- /dev/null | |
| +++ b/dehydrated/config | |
| @@ -0,0 +1,15 @@ | |
| +############################################################# | |
| +# This is the main config file for dehydrated # | |
| +# # | |
| +# This is the default configuration for the Debian package. # | |
| +# To see a more comprehensive example, see # | |
| +# /usr/share/doc/dehydrated/examples/config # | |
| +# # | |
| +# For details please read: # | |
| +# /usr/share/doc/dehydrated/README.Debian # | |
| +############################################################# | |
| + | |
| +CONFIG_D=/etc/dehydrated/conf.d | |
| +BASEDIR=/var/lib/dehydrated | |
| +WELLKNOWN="${BASEDIR}/acme-challenges" | |
| +DOMAINS_TXT="/etc/dehydrated/domains.txt" | |
| diff --git a/dehydrated/domains.txt b/dehydrated/domains.txt | |
| new file mode 100644 | |
| index 0000000..9e03445 | |
| --- /dev/null | |
| +++ b/dehydrated/domains.txt | |
| @@ -0,0 +1 @@ | |
| +example.com | |
| diff --git a/systemd/system/dehydrated.service b/systemd/system/dehydrated.service | |
| new file mode 100644 | |
| index 0000000..108d14e | |
| --- /dev/null | |
| +++ b/systemd/system/dehydrated.service | |
| @@ -0,0 +1,27 @@ | |
| +[Unit] | |
| +Description=Check and renew ACME TLS certificates | |
| +Documentation=man:dehydrated(1) | |
| + | |
| +[Service] | |
| +Type=oneshot | |
| +ExecStart=/usr/bin/dehydrated --cron | |
| +User=dehydrated | |
| +RuntimeDirectory=dehydrated | |
| + | |
| +CapabilityBoundingSet= | |
| +PrivateTmp=yes | |
| +PrivateDevices=yes | |
| +PrivateUsers=yes | |
| +ProtectSystem=strict | |
| +ReadWritePaths=/var/lib/dehydrated /run/dehydrated | |
| +ProtectHome=yes | |
| +ProtectKernelTunables=yes | |
| +ProtectControlGroups=yes | |
| +MountFlags=slave | |
| +NoNewPrivileges=yes | |
| +SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @privileged @raw-io @resources | |
| +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX | |
| +RestrictNamespaces=yes | |
| +ProtectKernelModules=yes | |
| +MemoryDenyWriteExecute=yes | |
| +RestrictRealtime=yes | |
| diff --git a/systemd/system/dehydrated.timer b/systemd/system/dehydrated.timer | |
| new file mode 100644 | |
| index 0000000..afb35af | |
| --- /dev/null | |
| +++ b/systemd/system/dehydrated.timer | |
| @@ -0,0 +1,10 @@ | |
| +[Unit] | |
| +Description=Weekly check and renew ACME TLS certificates | |
| + | |
| +[Timer] | |
| +OnCalendar=weekly | |
| +AccuracySec=1day | |
| +Persistent=true | |
| + | |
| +[Install] | |
| +WantedBy=timers.target | |
| diff --git a/sysusers.d/dehydrated.conf b/sysusers.d/dehydrated.conf | |
| new file mode 100644 | |
| index 0000000..933d1e9 | |
| --- /dev/null | |
| +++ b/sysusers.d/dehydrated.conf | |
| @@ -0,0 +1 @@ | |
| +u dehydrated - "ACME client user" | |
| diff --git a/tmpfiles.d/dehydrated.conf b/tmpfiles.d/dehydrated.conf | |
| new file mode 100644 | |
| index 0000000..b6d719c | |
| --- /dev/null | |
| +++ b/tmpfiles.d/dehydrated.conf | |
| @@ -0,0 +1 @@ | |
| +d /var/lib/dehydrated - dehydrated dehydrated - | |
| -- | |
| 2.11.0 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment