
Accepting request 527349 from home:dmolkentin:branches:security:dehydrated

- Swap statements in post: installing services requires tmp.d 

- (Weak) dependency on dehydrated-acmeresponder.

- systemd update service: ConditionPathExists goes into [Unit] section 

- Use timer instead of cron for systemd-enabled distros

OBS-URL: https://build.opensuse.org/request/show/527349
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=10
Marcus Rückert 2017-09-19 15:42:45 +00:00 committed by Git OBS Bridge
parent b03ec4a263
commit 19ef4a12d8
4 changed files with 80 additions and 9 deletions


@ -0,0 +1,12 @@
[Unit]
Description=Certificate Update Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/config
After=network-online.target
Wants=acmeresponder.socket
[Service]
Type=oneshot
ExecStart=/usr/bin/dehydrated --cron
User=@USER@
Group=@USER@
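Review bot: The new `[Service]` section drops privileges with `User=`/`Group=` but adds no sandboxing, although this job handles the ACME account key and the certificate private keys and runs `hook.sh`. I would add `PrivateTmp=yes`, `ProtectHome=yes` and `PrivateDevices=yes`. `ProtectSystem=` would need a matching `ReadWritePaths=` for the accounts and certs directories, which the spec appears to place under the configuration directory, and hooks that reload a web server should be tested before anything stricter such as `NoNewPrivileges=yes` is added. Separately, `After=network-online.target` only orders the unit; without `Wants=network-online.target` a timer-started run may not wait for the network to come up.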

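--- a/dehydrated-update.timer
+++ b/dehydrated-update.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run Certificate Update Runner for Dehydrated
+[Timer]
+OnCalendar=daily
+# Two hour window
+RandomizedDelaySec=7200
+[Install]
+WantedBy=timers.target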
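Review bot: The `[Timer]` section has no `Persistent=true`, so a host that is powered off or suspended across the daily trigger skips that renewal run, and a machine that is only up intermittently can miss runs repeatedly. For a certificate renewal job I would add `Persistent=true` below `OnCalendar=daily` so a missed run is caught up at the next boot; `RandomizedDelaySec=7200` still applies to that run. The comment `# Two hour window` could also state the reason for the delay, for example `# Spread runs over two hours so hosts do not all contact the CA at once`, if that is the intent.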


@ -1,3 +1,23 @@
-------------------------------------------------------------------
Tue Sep 19 15:40:46 UTC 2017 - daniel.molkentin@suse.com
- Swap statements in post: installing services requires tmp.d
-------------------------------------------------------------------
Tue Sep 19 14:52:25 UTC 2017 - daniel.molkentin@suse.com
- (Weak) dependency on dehydrated-acmeresponder.
-------------------------------------------------------------------
Thu Sep 14 13:47:06 UTC 2017 - daniel.molkentin@suse.com
- systemd update service: ConditionPathExists goes into [Unit] section
-------------------------------------------------------------------
Wed Sep 13 15:27:08 UTC 2017 - daniel.molkentin@suse.com
- Use timer instead of cron for systemd-enabled distros
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 21 13:12:19 UTC 2017 - daniel.molkentin@suse.com Tue Feb 21 13:12:19 UTC 2017 - daniel.molkentin@suse.com


@ -58,6 +58,8 @@ Source2: acme-challenge.conf.nginx.in
Source3: acme-challenge.conf.lighttpd.in Source3: acme-challenge.conf.lighttpd.in
Source4: dehydrated.cron.in Source4: dehydrated.cron.in
Source5: dehydrated.tmpfiles.d Source5: dehydrated.tmpfiles.d
Source6: dehydrated-update.service.in
Source7: dehydrated-update.timer
BuildRequires: %{_apache} BuildRequires: %{_apache}
%if %{with lighttpd} %if %{with lighttpd}
BuildRequires: lighttpd BuildRequires: lighttpd
@ -72,9 +74,6 @@ BuildRequires: generic-logos-httpd
Requires: coreutils Requires: coreutils
Requires: curl Requires: curl
Requires: openssl Requires: openssl
%if 0%{?suse_version}
Requires: cron
%endif
Requires(pre): /usr/sbin/useradd Requires(pre): /usr/sbin/useradd
Requires(pre): /usr/sbin/groupadd Requires(pre): /usr/sbin/groupadd
Requires(pre): /usr/bin/getent Requires(pre): /usr/bin/getent
@ -85,6 +84,15 @@ BuildRequires: shadow
%if %{with systemd} %if %{with systemd}
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
%{?systemd_requires} %{?systemd_requires}
%else #with_systemd
%if 0%{?suse_version}
Requires: cron
%endif
%endif #with_systemd
%if 0%{?suse_version}
Recommends: dehydrated-acmeresponder
%else
Requires: dehydrated-acmeresponder
%endif %endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch BuildArch: noarch
@ -156,8 +164,17 @@ if [ -d /etc/letsencrypt.sh ]; then mv /etc/letsencrypt.sh /etc/dehydrated; chow
if [ -e /etc/dehydrated/config.sh ]; then mv /etc/dehydrated/config.sh /etc/dehydrated/config; fi if [ -e /etc/dehydrated/config.sh ]; then mv /etc/dehydrated/config.sh /etc/dehydrated/config; fi
%if %{with systemd} %if %{with systemd}
%service_add_pre dehydrated-update.service dehydrated-update.timer
%post %post
systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||: systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
%service_add_post dehydrated-update.service dehydrated-update.timer
%preun
%service_del_preun dehydrated-update.service dehydrated-update.timer
%postun
%service_del_postun dehydrated-update.service dehydrated-update.timer
%endif %endif
%prep %prep
@ -168,6 +185,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
%install %install
# sensitive keys # sensitive keys
mkdir -p %{buildroot}%{_home}/{accounts,certs} mkdir -p %{buildroot}%{_home}/{accounts,certs}
mkdir -p %{buildroot}%{_sbindir}
sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
install -m 0644 docs/examples/* %{buildroot}%{_home} install -m 0644 docs/examples/* %{buildroot}%{_home}
@ -191,14 +209,22 @@ sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE3} > acme-challenge
install -m 0644 acme-challenge %{buildroot}/etc/lighttpd/conf.d install -m 0644 acme-challenge %{buildroot}/etc/lighttpd/conf.d
%endif #with lighttpd %endif #with lighttpd
%if %{with systemd}
install -D -m 0644 %{S:5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
sed "s,@USER@,%{_user},g" %{S:6} > dehydrated-update.service
# Use timer
install -D -m 644 dehydrated-update.service %{buildroot}%{_unitdir}/dehydrated-update.service
install -D -m 644 %{S:7} %{buildroot}%{_unitdir}/dehydrated-update.timer
%if 0%{?suse_version}
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcdehydrated-update
%endif
%else #with systemd
install -D -d -m 0750 %{buildroot}%{_lock_dir}
# Use cron
install -m 0755 -d %{buildroot}/etc/cron.d install -m 0755 -d %{buildroot}/etc/cron.d
sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron
install -m 0644 dehydrated.cron %{buildroot}/etc/cron.d/dehydrated install -m 0644 dehydrated.cron %{buildroot}/etc/cron.d/dehydrated
%if %{with systemd} %endif #with systemd
install -D -m 0644 %{S:5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
%else
install -D -d -m 0750 %{buildroot}%{_lock_dir}
%endif
perl -p -i -e 's|#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config perl -p -i -e 's|#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
diff -urN docs/examples/config %{buildroot}%{_home}/config ||: diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
@ -210,14 +236,17 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt
%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh %config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh
%config %{_sysconfdir}/cron.d/dehydrated
%{_bindir}/dehydrated %{_bindir}/dehydrated
%attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge %attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
%doc LICENSE README.md docs/*.md docs/*.jpg %doc LICENSE README.md docs/*.md docs/*.jpg
%if %{with systemd} %if %{with systemd}
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%{_unitdir}/dehydrated-update.service
%{_unitdir}/dehydrated-update.timer
%{_sbindir}/rcdehydrated-update
%ghost %attr(700,%{_user},%{_user}) %dir %{_lock_dir} %ghost %attr(700,%{_user},%{_user}) %dir %{_lock_dir}
%else %else
%config %{_sysconfdir}/cron.d/dehydrated
%attr(700,%{_user},%{_user}) %dir %{_lock_dir} %attr(700,%{_user},%{_user}) %dir %{_lock_dir}
%endif %endif
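Review bot: On systemd builds the `cron.d` file is no longer packaged and the timer only gets `%service_add_post`, so unless a distribution preset enables `dehydrated-update.timer`, an upgrade from the cron-based package would leave no scheduled renewal and certificates would expire without any error. No preset is visible on this page; if none exists, the changes entry should say that `systemctl enable --now dehydrated-update.timer` is needed after the update. Separately, `%{_sbindir}/rcdehydrated-update` is listed in `%files` for every systemd build, but the symlink is created only inside `%if 0%{?suse_version}` in `%install`, so a non-SUSE systemd build would fail on the missing file. Wrap that `%files` line in the same conditional.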