authorGuilhem Moulin <guilhem@fripost.org>2020-05-17 18:40:22 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-17 18:40:24 +0200
commit2f3e75fe26fb123b365cba6aba94b096a12a51bf (patch)
tree459c972caa6aabee4788ea9840e86cde9a898dad
parent407acdd1a00d1dc2242362f2b569bd261fb1d2e5 (diff)
lacme: Port to Debian 10.
We also rename the ‘lacme’ system user to ‘_lacme’ per Debian Policy §9.2.1: https://www.debian.org/doc/debian-policy/ch-opersys.html#introduction.
-rw-r--r--roles/lacme/files/etc/lacme/lacme.conf57
-rw-r--r--roles/lacme/tasks/main.yml4
2 files changed, 35 insertions, 26 deletions
diff --git a/roles/lacme/files/etc/lacme/lacme.conf b/roles/lacme/files/etc/lacme/lacme.conf
index 5aa1252..6f1ee4b 100644
--- a/roles/lacme/files/etc/lacme/lacme.conf
+++ b/roles/lacme/files/etc/lacme/lacme.conf
@@ -1,23 +1,27 @@
-# For certificate issuance (new-cert command), specify the certificate
-# configuration file to use
+# For certificate issuance (newOrder command), specify a space-separated
+# certificate configuration files or directories to use
#
-#config-certs = config/lacme-certs.conf
+#config-certs = lacme-certs.conf lacme-certs.conf.d/
+
[client]
-# The value of "socket" specifies the lacme-accountd(1) UNIX-domain
-# socket to connect to for signature requests from the ACME client.
-# lacme(1) aborts if the socket is readable or writable by other users,
-# or if its parent directory is writable by other users.
+
+# The value of "socket" specifies the path to the lacme-accountd(1)
+# UNIX-domain socket to connect to for signature requests from the ACME
+# client. lacme(1) aborts if the socket is readable or writable by
+# other users, or if its parent directory is writable by other users.
# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
# variable is set.
+# This option is ignored when lacme-accountd(1) is spawned by lacme(1),
+# since the two processes communicate through a socket pair. See the
+# "accountd" section below for details.
#
-#socket = /run/user/1000/S.lacme
+#socket =
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty (not recommended).
-# Default: "nobody".
#
-user = lacme
+user = _lacme
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
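Review bot: The `# Default: "nobody".` line under `user` is removed, which leaves `user` as the one key in this section whose default is no longer stated, while the value `user = _lacme` is set explicitly; a reader cannot tell whether `_lacme` is now the upstream default or a site-specific override. If the upstream default changed, say so in the comment block, e.g. `# Default: "_lacme".`; otherwise restore the removed line. Separately, the new `config-certs` comment reads "specify a space-separated certificate configuration files or directories" — "specify a space-separated list of certificate configuration files or directories" is presumably what is meant. The `[client]` section continues past this hunk.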
@@ -26,13 +30,14 @@ user = lacme
group = nogroup
# Path to the ACME client executable.
+#
#command = /usr/lib/lacme/client
-# Root URI of the ACME server. NOTE: Use the staging server for testing
-# as it has relaxed ratelimit.
+# URI of the ACME server's directory. NOTE: Use the staging server
+# <https://acme-staging-v02.api.letsencrypt.org/directory> for testing
+# as it has relaxed rate-limiting.
#
-#server = https://acme-v01.api.letsencrypt.org/
-#server = https://acme-staging.api.letsencrypt.org/
+#server = https://acme-v02.api.letsencrypt.org/directory
# Timeout in seconds after which the client stops polling the ACME
# server and considers the request failed.
@@ -40,28 +45,31 @@ group = nogroup
#timeout = 10
# Whether to verify the server certificate chain.
+#
SSL_verify = yes
# Specify the version of the SSL protocol used to transmit data.
+#
SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
# Specify the cipher list for the connection.
+#
SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
[webserver]
-# Specify the local address to listen on, in the form ADDRESS[:PORT].
+# Comma- or space-separated list of addresses to listen on, for instance
+# "0.0.0.0:80 [::]:80".
#
-#listen = 0.0.0.0:80
-listen = [::]:80
+#listen = /run/lacme-www.socket
-# If a webserver is already running, specify a non-existent directory
-# under which the webserver is configured to serve GET requests for
-# challenge files under "/.well-known/acme-challenge/" (for each virtual
-# hosts requiring authorization) as static files.
+# Non-existent directory under which an external HTTP daemon is
+# configured to serve GET requests for challenge files under
+# "/.well-known/acme-challenge/" (for each virtual host requiring
+# authorization) as static files.
#
-challenge-directory = /var/www/acme-challenge
+#challenge-directory =
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty (not recommended).
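Review bot: Both `listen` and `challenge-directory` go from active settings (`listen = [::]:80`, `challenge-directory = /var/www/acme-challenge`) to commented-out lines, so the deployed `[webserver]` section now depends entirely on the binary's built-in defaults, and the default shown, `#listen = /run/lacme-www.socket`, is a UNIX socket path rather than a TCP port. Unless something else in the role exposes that socket on port 80 (an external HTTP daemon or systemd socket activation), HTTP-01 challenges would no longer be reachable from the ACME server; this cannot be confirmed from the hunk alone. Either keep one of the two settings explicit, or record the intended deployment above the key, e.g. `# Challenges are served through the default UNIX socket; port 80 is published by <unit-or-daemon, to be filled in>.` The `[webserver]` section continues past this hunk.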
@@ -72,15 +80,16 @@ user = www-data
# and also setting the list of supplementary gids to that single group).
# Preserve root privileges if the value is empty (not recommended).
#
-user = www-data
+group = www-data
# Path to the ACME webserver executable.
+#
#command = /usr/lib/lacme/webserver
# Whether to automatically install iptables(8) rules to open the
# ADDRESS[:PORT] specified with listen. Theses rules are automatically
# removed once lacme(1) exits.
#
-#iptables = Yes
+#iptables = No
; vim:ft=dosini
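Review bot: The `iptables` comment above the changed default still says the rules open "the ADDRESS[:PORT] specified with listen", but `listen` is now documented earlier in the file as also accepting a UNIX socket path (`/run/lacme-www.socket`), for which an address-based firewall rule presumably does not apply, and the same sentence carries a typo ("Theses rules"). Suggest `# ADDRESS[:PORT] specified with listen (not applicable when listen is a UNIX socket path). These rules are automatically`. The fix of the duplicate `user = www-data` into `group = www-data` is welcome; a duplicated key like that is silently shadowed by most INI readers, so running the rendered file through a strict INI check in the role's tests would catch a recurrence.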
diff --git a/roles/lacme/tasks/main.yml b/roles/lacme/tasks/main.yml
index 9ff88c2..5ae2597 100644
--- a/roles/lacme/tasks/main.yml
+++ b/roles/lacme/tasks/main.yml
@@ -5,8 +5,8 @@
- liblwp-protocol-https-perl
- lacme
-- name: Create a user 'lacme'
- user: name=lacme system=yes
+- name: Create '_lacme' user
+ user: name=_lacme system=yes
group=nogroup
createhome=no
home=/nonexistent
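Review bot: The task now creates `_lacme`, but nothing in this hunk removes the old `lacme` account or re-owns anything it created, so hosts provisioned before this change end up with both system users, and any existing state owned by `lacme` may no longer be readable once lacme.conf drops privileges to `_lacme` (see the `user = _lacme` change in the first hunk). If no other task in the role handles this, add a migration step ahead of this one — a `user: name=lacme state=absent` task guarded by a check that the account exists, together with a step that transfers ownership of the old account's files to `_lacme` — or state in the role README that the rename is only supported on freshly provisioned hosts.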