letsencrypt: Copy certs to host-specific directory

This should make using host-specific certificates easier: with a single shared directory, every container that mounts it has access to all certificates and private keys.
Alex Palaistras 2024-01-03 19:42:42 +00:00
parent 2649741f3c
commit f0fd067dca
4 changed files with 6 additions and 8 deletions


@ -2,8 +2,7 @@
set -eu set -eu
# Copy certificates to dedicated directories. # Copy certificates to dedicated directory.
for dir in "/var/lib/letsencrypt-certificates" "/var/lib/letsencrypt-certificate-$CERT_DOMAIN"; do install --owner letsencrypt --group letsencrypt --mode 0755 -d "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN"
install --owner letsencrypt --group letsencrypt --mode 0644 "$LEGO_CERT_PATH" "$dir" install --owner letsencrypt --group letsencrypt --mode 0644 "$LEGO_CERT_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/cert.pem"
install --owner letsencrypt --group letsencrypt --mode 0640 "$LEGO_CERT_KEY_PATH" "$dir" install --owner letsencrypt --group letsencrypt --mode 0640 "$LEGO_CERT_KEY_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/cert.key"
done
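Review bot: The hook no longer writes to the flat `/var/lib/letsencrypt-certificates` directory that the removed loop populated, but it does not delete the copies already there, so a host upgraded in place presumably keeps every domain's certificate and private key at the top of the volume — the exposure the commit description sets out to close. Removing the old names before the per-domain install would make the migration complete, e.g. `rm -f -- "/var/lib/letsencrypt-certificates/${LEGO_CERT_PATH##*/}" "/var/lib/letsencrypt-certificates/${LEGO_CERT_KEY_PATH##*/}"`. The destination is also spelled out three times, and `set -u` rejects only an unset `LEGO_CERT_DOMAIN`, not an empty one, which would silently recreate the flat layout; a single `cert_dir="/var/lib/letsencrypt-certificates/${LEGO_CERT_DOMAIN:?}"` line used by all three `install` calls would close both gaps. The hunk starts at line 2, so the shebang and anything before `set -eu` are outside it.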


@ -2,7 +2,8 @@
set -eu set -eu
# Correct permissions where needed. # Create directories and correct permissions where needed.
install --owner letsencrypt --group letsencrypt --mode 0755 -d /var/lib/letsencrypt-certificates
chown -R letsencrypt:letsencrypt /var/lib/letsencrypt chown -R letsencrypt:letsencrypt /var/lib/letsencrypt
# Run ACME verification with parameters given. # Run ACME verification with parameters given.
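Review bot: The new `install -d` sets 0755 on the certificates root, so every uid in the container — and presumably any container that mounts the volume — can traverse and list the per-domain directories, leaving confidentiality of `cert.key` to rest on its 0640 mode and the letsencrypt group alone, which nothing in the script states. If consumers run as the letsencrypt user or group, `--mode 0750` on the root would drop the world-readable listing; if they do not, a comment such as `# Root stays world-traversable so consumers can reach their own <domain>/ subdirectory; keys remain 0640 letsencrypt:letsencrypt.` would record the intended trust model. Note also that the `chown -R` on the following line covers `/var/lib/letsencrypt` only, so ownership of anything already under `/var/lib/letsencrypt-certificates` from the previous layout is not corrected here. The hunk starts at line 2, so the shebang lies outside it.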


@ -12,7 +12,6 @@ ExecStart=/bin/podman run --replace --rm --name letsencrypt-register-%i \
--env-file %E/coreos-home-server/letsencrypt/letsencrypt.env \ --env-file %E/coreos-home-server/letsencrypt/letsencrypt.env \
--volume letsencrypt:/var/lib/letsencrypt:z \ --volume letsencrypt:/var/lib/letsencrypt:z \
--volume letsencrypt-certificates:/var/lib/letsencrypt-certificates:z \ --volume letsencrypt-certificates:/var/lib/letsencrypt-certificates:z \
--volume "letsencrypt-certificate-%i:/var/lib/letsencrypt-certificate-%i:z" \
localhost/letsencrypt:latest \ localhost/letsencrypt:latest \
--accept-tos --pem --path /var/lib/letsencrypt --domains "%i" \ --accept-tos --pem --path /var/lib/letsencrypt --domains "%i" \
--server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} run \ --server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} run \


@ -11,7 +11,6 @@ ExecStart=/bin/podman run --replace --rm --name letsencrypt-renew-%i \
--env-file %E/coreos-home-server/letsencrypt/letsencrypt.env \ --env-file %E/coreos-home-server/letsencrypt/letsencrypt.env \
--volume letsencrypt:/var/lib/letsencrypt:z \ --volume letsencrypt:/var/lib/letsencrypt:z \
--volume letsencrypt-certificates:/var/lib/letsencrypt-certificates:z \ --volume letsencrypt-certificates:/var/lib/letsencrypt-certificates:z \
--volume "letsencrypt-certificate-%i:/var/lib/letsencrypt-certificate-%i:z" \
localhost/letsencrypt:latest \ localhost/letsencrypt:latest \
--pem --path /var/lib/letsencrypt --domains "%i" \ --pem --path /var/lib/letsencrypt --domains "%i" \
--server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} renew \ --server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} renew \