#
# spec file for package dehydrated
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


# See also http://en.opensuse.org/openSUSE:Specfile_guidelines

%if 0%{?suse_version}
%define _apache apache2
%else
%define _apache httpd
%endif
%define _challengedir /var/lib/acme-challenge
%define _user         dehydrated
%define _home         /etc/dehydrated

%if 0%{?suse_version} > 1230
%bcond_without systemd
%define  _lock_dir /run/dehydrated
%else
%bcond_with    systemd
%define  _lock_dir /var/run/dehydrated
%endif

%if (0%{?suse_version} < 1200 && !0%{?is_opensuse}) || 0%{?centos_version} || 0%{?rhel_version}
%bcond_with nginx
%bcond_with lighttpd
%else
%bcond_without nginx
%bcond_without lighttpd
%endif

%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d }

Name:           dehydrated
Version:        0.4.0
Release:        0
Summary:        A client for signing certificates with an ACME server
License:        MIT
Group:          Productivity/Networking/Security
Url:            https://github.com/lukas2511/dehydrated
Source0:        %{name}-%{version}.tar.gz
Source1:        acme-challenge.conf.apache.in
Source2:        acme-challenge.conf.nginx.in
Source3:        acme-challenge.conf.lighttpd.in
Source4:        dehydrated.cron.in
Source5:        dehydrated.tmpfiles.d
BuildRequires:  %{_apache}
%if %{with lighttpd}
BuildRequires:  lighttpd
%endif
%if %{with nginx}
BuildRequires:  nginx
%endif
%if 0%{?fedora_version}
BuildRequires:  generic-logos
BuildRequires:  generic-logos-httpd
%endif
Requires:       coreutils
Requires:       curl
Requires:       openssl
%if 0%{?suse_version}
Requires:       cron
%endif
Requires(pre):  /usr/sbin/useradd
Requires(pre):  /usr/sbin/groupadd
Requires(pre):  /usr/bin/getent
# openSUSE >= 12.3 has shadow, pwdutils is provided but obsoleted.
%if 0%{?suse_version} >= 1230
BuildRequires:  shadow
%endif
%if %{with systemd}
BuildRequires:  pkgconfig(systemd)
%{?systemd_requires}
%endif
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildArch:      noarch

Obsoletes:      letsencrypt.sh < %{version}
Provides:       letsencrypt.sh = %{version}

%description
This is a client for signing certificates with an ACME server
(currently only provided by letsencrypt) implemented as a relatively
simple bash-script.

It uses the openssl utility for everything related to actually
handling keys and certificates, so you need to have that installed.

Other dependencies are: curl, sed, grep, mktemp (all found on almost
any system, curl being the only exception)

Current features:

* Signing of a list of domains
* Signing of a CSR
* Renewal if a certificate is about to expire or SAN (subdomains) changed
* Certificate revocation

%package %{_apache}
Requires:       %{_apache}
Requires:       %{name}
%if ! 0%{?suse_version}
Requires:       mod_ssl
%endif
Obsoletes:      letsencrypt.sh-%{_apache} < %{version}
Provides:       letsencrypt.sh-%{_apache} = %{version}
Summary:        Apache Integration for dehydrated
Group:          Productivity/Networking/Security

%description %{_apache}
This adds a configuration file for dehydrated's acme-challenge to Apache.

%if %{with nginx}
%package nginx
Requires:       %{name}
Requires:       nginx
Obsoletes:      letsencrypt.sh-nginx < %{version}
Provides:       letsencrypt.sh-nginx = %{version}
Summary:        Nginx Integration for dehydrated
Group:          Productivity/Networking/Security

%description nginx
This adds a configuration file for dehydrated's acme-challenge to nginx.
%endif #with nginx

%if %{with lighttpd}
%package lighttpd
Requires:       %{name}
Requires:       lighttpd
Summary:        Lighttpd Integration for dehydrated
Group:          Productivity/Networking/Security

%description lighttpd
This adds a configuration file for dehydrated's acme-challenge to lighttpd.
%endif #with lighttpd 

%pre
getent group %{_user} >/dev/null || /usr/sbin/groupadd -r %{_user}
getent passwd %{_user} >/dev/null || /usr/sbin/useradd -g %{_user} \
	-s /bin/false -r -c "%{_user}" -d %{_home} %{_user}
if [ -d /etc/letsencrypt.sh ]; then mv /etc/letsencrypt.sh /etc/dehydrated; chown -R %{_user} /etc/dehydrated; fi
if [ -e /etc/dehydrated/config.sh ]; then mv /etc/dehydrated/config.sh /etc/dehydrated/config; fi

%if %{with systemd}
%post
systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
%endif

%prep
%setup -q

%build

%install
# sensitive keys
mkdir -p %{buildroot}%{_home}/{accounts,certs}

sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
install -m 0644 docs/examples/* %{buildroot}%{_home}
install -m 0755 -d %{buildroot}/usr/bin
install -m 0755 dehydrated %{buildroot}/usr/bin
install -m 0755 -d %{buildroot}%{_challengedir}

install -m 0755 -d %{buildroot}/etc/%{_apache}/conf.d
sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE1} > acme-challenge.conf
install -m 0644 acme-challenge.conf %{buildroot}/etc/%{_apache}/conf.d

%if %{with nginx}
install -m 0755 -d %{buildroot}/etc/nginx
sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE2} > acme-challenge
install -m 0644 acme-challenge %{buildroot}/etc/nginx
%endif #with nginx

%if %{with lighttpd}
install -m 0755 -d %{buildroot}/etc/lighttpd/conf.d
sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE3} > acme-challenge
install -m 0644 acme-challenge %{buildroot}/etc/lighttpd/conf.d
%endif #with lighttpd

install -m 0755 -d %{buildroot}/etc/cron.d
sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron
install -m 0644 dehydrated.cron %{buildroot}/etc/cron.d/dehydrated
%if %{with systemd}
install -D    -m 0644 %{S:5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
%else
install -D -d -m 0750 %{buildroot}%{_lock_dir}
%endif
perl -p -i -e 's|#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
diff -urN docs/examples/config %{buildroot}%{_home}/config ||:

%files
%defattr(-,root,root)
%attr(750,root,%{_user}) %dir %{_sysconfdir}/dehydrated
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt
%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh
%config %{_sysconfdir}/cron.d/dehydrated
%{_bindir}/dehydrated
%attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
%doc LICENSE README.md docs/*.md docs/*.jpg
%if %{with systemd}
%{_tmpfilesdir}/%{name}.conf
%ghost %attr(700,%{_user},%{_user}) %dir %{_lock_dir}
%else
%attr(700,%{_user},%{_user}) %dir %{_lock_dir}
%endif

%files %{_apache}
%defattr(-,root,root,-)
%config %{_sysconfdir}/%{_apache}/conf.d/acme-challenge.conf

%if %{with nginx}
%files nginx
%defattr(-,root,root,-)
%config %attr(640,root,nginx) %{_sysconfdir}/nginx/acme-challenge
%endif #with nginx

%if %{with lighttpd}
%files lighttpd
%defattr(-,root,root,-)
%config %attr(640,root,lighttpd) %{_sysconfdir}/lighttpd/conf.d/acme-challenge
%endif #with lighttpd

%changelog