- run always via sudo as root:dehydrated to allow dehydrated group

[packages/dehydrated.git] / pld.patch

diff -ur dehydrated-0.6.2.orig/dehydrated dehydrated-0.6.2/dehydrated
--- dehydrated-0.6.2.orig/dehydrated    2018-04-25 21:22:40.000000000 +0000
+++ dehydrated-0.6.2/dehydrated 2018-12-19 22:44:07.875403000 +0000
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 
 # dehydrated by lukas2511
 # Source: https://dehydrated.io
@@ -11,7 +11,7 @@
 [[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO && set -o NULL_GLOB && set -o noglob
 [[ -z "${ZSH_VERSION:-}" ]] && shopt -s nullglob && set -f
 
-umask 077 # paranoid umask, we're creating private keys
+umask 027 # allow root and dehydrated group only to protect private keys
 
 # Close weird external file descriptors
 exec 3>&-
@@ -112,7 +112,7 @@
 load_config() {
   # Check for config in various locations
   if [[ -z "${CONFIG:-}" ]]; then
-    for check_config in "/etc/dehydrated" "/usr/local/etc/dehydrated" "${PWD}" "${SCRIPTDIR}"; do
+    for check_config in "/etc/dehydrated" "/etc/webapps/dehydrated" "/usr/local/etc/dehydrated" "/etc/webapps/letsencrypt.sh" "${PWD}" "${SCRIPTDIR}"; do
       if [[ -f "${check_config}/config" ]]; then
         BASEDIR="${check_config}"
         CONFIG="${check_config}/config"
@@ -148,8 +148,8 @@
   IP_VERSION=
   CHAINCACHE=
   AUTO_CLEANUP="no"
-  DEHYDRATED_USER=
-  DEHYDRATED_GROUP=
+  DEHYDRATED_USER="root"
+  DEHYDRATED_GROUP="dehydrated"
   API="auto"
 
   if [[ -z "${CONFIG:-}" ]]; then
@@ -228,7 +228,7 @@
 
   # Create new account directory or symlink to account directory from old CA
   CAHASH="$(echo "${CA}" | urlbase64)"
-  [[ -z "${ACCOUNTDIR}" ]] && ACCOUNTDIR="${BASEDIR}/accounts"
+  [[ -z "${ACCOUNTDIR}" ]] && ACCOUNTDIR="/var/lib/dehydrated//accounts"
   if [[ ! -e "${ACCOUNTDIR}/${CAHASH}" ]]; then
     OLDCAHASH="$(echo "${OLDCA}" | urlbase64)"
     mkdir -p "${ACCOUNTDIR}"
@@ -253,10 +253,10 @@
     mv "${BASEDIR}/private_key.json" "${ACCOUNT_KEY_JSON}"
   fi
 
-  [[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs"
+  [[ -z "${CERTDIR}" ]] && CERTDIR="/var/lib/dehydrated//certs"
   [[ -z "${CHAINCACHE}" ]] && CHAINCACHE="${BASEDIR}/chains"
   [[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt"
-  [[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/dehydrated"
+  [[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/lib/dehydrated/acme-challenge"
   [[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
   [[ -z "${OPENSSL_CNF}" ]] && OPENSSL_CNF="$("${OPENSSL}" version -d | cut -d\" -f2)/openssl.cnf"
   [[ -n "${PARAM_LOCKFILE_SUFFIX:-}" ]] && LOCKFILE="${LOCKFILE}-${PARAM_LOCKFILE_SUFFIX}"
diff -ur dehydrated-0.6.2.orig/docs/examples/config dehydrated-0.6.2/docs/examples/config
--- dehydrated-0.6.2.orig/docs/examples/config  2018-04-25 21:22:40.000000000 +0000
+++ dehydrated-0.6.2/docs/examples/config       2018-12-19 22:42:55.015403000 +0000
@@ -47,13 +47,13 @@
 #DOMAINS_TXT="${BASEDIR}/domains.txt"
 
 # Output directory for generated certificates
-#CERTDIR="${BASEDIR}/certs"
+#CERTDIR="/var/lib/dehydrated/certs"
 
 # Directory for account keys and registration information
 #ACCOUNTDIR="${BASEDIR}/accounts"
 
 # Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
-#WELLKNOWN="/var/www/dehydrated"
+#WELLKNOWN="/var/lib/dehydrated/acme-challenge"
 
 # Default keysize for private keys (default: 4096)
 #KEYSIZE="4096"
@@ -77,7 +77,7 @@
 #
 # BASEDIR and WELLKNOWN variables are exported and can be used in an external program
 # default: <unset>
-#HOOK=
+HOOK=/etc/webapps/dehydrated/hook.sh
 
 # Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
 #HOOK_CHAIN="no"