From 85347041a04d17f6803100dd2cec9b489c9db47d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 12 Oct 2022 01:43:23 +0200 Subject: Port baseline to Debian 11 (codename Bullseye). --- roles/lacme/files/etc/lacme/lacme.conf | 80 +++++++++++++++++++++++----------- 1 file changed, 54 insertions(+), 26 deletions(-) (limited to 'roles/lacme/files/etc/lacme/lacme.conf') diff --git a/roles/lacme/files/etc/lacme/lacme.conf b/roles/lacme/files/etc/lacme/lacme.conf index 3dc06d1..28633b6 100644 --- a/roles/lacme/files/etc/lacme/lacme.conf +++ b/roles/lacme/files/etc/lacme/lacme.conf @@ -8,30 +8,28 @@ # The value of "socket" specifies the path to the lacme-accountd(1) # UNIX-domain socket to connect to for signature requests from the ACME -# client. lacme(1) aborts if the socket is readable or writable by +# client. lacme(8) aborts if the socket is readable or writable by # other users, or if its parent directory is writable by other users. -# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment -# variable is set. -# This option is ignored when lacme-accountd(1) is spawned by lacme(1), +# This setting is ignored when lacme-accountd(1) is spawned by lacme(8), # since the two processes communicate through a socket pair. See the # "accountd" section below for details. # -#socket = +#socket = %t/S.lacme # username to drop privileges to (setting both effective and real uid). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -user = _lacme-client +#user = _lacme-client # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -group = nogroup +#group = nogroup -# Path to the ACME client executable. +# ACME client command. # -#command = /usr/lib/lacme/client +#command = /usr/libexec/lacme/client # URI of the ACME server's directory. NOTE: Use the staging server # for testing @@ -42,19 +40,19 @@ group = nogroup # Timeout in seconds after which the client stops polling the ACME # server and considers the request failed. # -#timeout = 10 +#timeout = 30 # Whether to verify the server certificate chain. # -SSL_verify = yes +#SSL_verify = yes # Specify the version of the SSL protocol used to transmit data. # -SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2 +#SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2 # Specify the cipher list for the connection. # -SSL_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL +#SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL [webserver] @@ -64,32 +62,62 @@ SSL_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL # #listen = /run/lacme-www.socket -# Non-existent directory under which an external HTTP daemon is -# configured to serve GET requests for challenge files under -# "/.well-known/acme-challenge/" (for each virtual host requiring -# authorization) as static files. +# Directory under which an external HTTP daemon is configured to serve +# GET requests for challenge files under "/.well-known/acme-challenge/" +# (for each virtual host requiring authorization) as static files. +# NOTE: the directory must exist and be writable by the lacme client +# user. # #challenge-directory = # username to drop privileges to (setting both effective and real uid). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -user = www-data +#user = _lacme-www # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -group = www-data +#group = nogroup -# Path to the ACME webserver executable. +# ACME webserver command. # -#command = /usr/lib/lacme/webserver +#command = /usr/libexec/lacme/webserver # Whether to automatically install iptables(8) rules to open the # ADDRESS[:PORT] specified with listen. Theses rules are automatically -# removed once lacme(1) exits. +# removed once lacme(8) exits. # #iptables = No + +[accountd] +# lacme-accound(1) section. Comment out this section (including its +# header), or use the --socket= CLI option, to make lacme(8) connect to +# an existing lacme-accountd(1) process via a UNIX-domain socket. + +# username to drop privileges to (setting both effective and real uid). +# Skip privilege drop if the value is empty. +# +#user = + +# groupname to drop privileges to (setting both effective and real gid, +# and also setting the list of supplementary gids to that single group). +# Skip privilege drop if the value is empty. +# +#group = + +# lacme-accountd(1) command. +# +#command = /usr/bin/lacme-accountd + +# Path to the lacme-accountd(1) configuration file. +# +#config = + +# Be quiet. +# +#quiet = Yes + ; vim:ft=dosini -- cgit v1.2.3