| author | Guilhem Moulin <guilhem@fripost.org> | 2020-08-04 01:40:31 +0200 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2020-08-04 01:40:31 +0200 | 
| commit | 2671d497d6d287b4729fed39738a9ad86e78c44c (patch) | |
| tree | 34599aa17192d0d7441c799d3c013d2659a1ccda | |
| parent | cfb8e89b5992b51d5d0955509dfedeab228e43eb (diff) | |
| parent | 49c14fb9faf9aedf1f6c22bff9526ba980d0f23b (diff) | |
Merge tag 'upstream/0.6.1' into debian
New release 0.6.1
| -rw-r--r-- | .gitignore | 3 | ||||
| -rw-r--r-- | COPYING | 8 | ||||
| -rw-r--r-- | Changelog | 16 | ||||
| -rw-r--r-- | Makefile | 97 | ||||
| -rwxr-xr-x | client | 2 | ||||
| -rw-r--r-- | config/lacme-certs.conf | 2 | ||||
| -rw-r--r-- | config/lacme.conf | 20 | ||||
| -rwxr-xr-x | lacme | 18 | ||||
| -rwxr-xr-x | lacme-accountd | 4 | ||||
| -rw-r--r-- | lacme-accountd.1.md (renamed from lacme-accountd.md) | 24 | ||||
| -rw-r--r-- | lacme.8.md (renamed from lacme.md) | 39 | ||||
| -rwxr-xr-x | pandoc2man.jq | 28 | ||||
| -rw-r--r-- | snippets/apache2.conf | 5 | ||||
| -rw-r--r-- | snippets/nginx.conf | 2 | ||||
| -rwxr-xr-x | webserver | 2 | 
15 files changed, 156 insertions, 114 deletions
| @@ -1,5 +1,4 @@  # vim swapfiles  .*.sw[po] -# generated man-pages -*.1 +/build/ @@ -1,7 +1,7 @@                      GNU GENERAL PUBLIC LICENSE                         Version 3, 29 June 2007 - Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/> + Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>   Everyone is permitted to copy and distribute verbatim copies   of this license document, but changing it is not allowed. @@ -645,7 +645,7 @@ the "copyright" line and a pointer to where the full notice is found.      GNU General Public License for more details.      You should have received a copy of the GNU General Public License -    along with this program.  If not, see <http://www.gnu.org/licenses/>. +    along with this program.  If not, see <https://www.gnu.org/licenses/>.  Also add information on how to contact you by electronic and paper mail. @@ -664,11 +664,11 @@ might be different; for a GUI interface, you would use an "about box".    You should also get your employer (if you work as a programmer) or school,  if any, to sign a "copyright disclaimer" for the program, if necessary.  For more information on this, and how to apply and follow the GNU GPL, see -<http://www.gnu.org/licenses/>. +<https://www.gnu.org/licenses/>.    The GNU General Public License does not permit incorporating your program  into proprietary programs.  If your program is a subroutine library, you  may consider it more useful to permit linking proprietary applications with  the library.  If this is what you want to do, use the GNU Lesser General  Public License instead of this License.  But first, please read -<http://www.gnu.org/philosophy/why-not-lgpl.html>. +<https://www.gnu.org/philosophy/why-not-lgpl.html>. 
@@ -1,3 +1,17 @@ +lacme (0.6.1) upstream; + + + Adapt Apache2 snippet to Apache2 2.4. + + Ignore [accountd] section from lacme.conf when the --socket option is +   defined.  This allows remotely-controlled lacme processes being +   controlled without modifying an config files. + * Makefile: major refactoring, add install and uninstall targets, honor +   BUILD_DOCDIR and DESTDIR variables. + * Install lacme manual to section 8. + * Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme. + * Makefile: Use variables for target directories etc. + + -- Guilhem Moulin <guilhem@fripost.org>  Tue, 04 Aug 2020 01:39:47 +0200 +  lacme (0.6) upstream;   + client: poll order URL instead of each authz URL successively. @@ -5,7 +19,7 @@ lacme (0.6) upstream;     deactivation, see RFC 8555 sec. 7.3.6.   - lacme, client: new dependency Date::Parse, don't parse RFC 3339     datetime strings from X.509 certs manually. - - lacme: assume that the iptables(1) binaries are under /usr/sbin not + - lacme: assume that the iptables(8) binaries are under /usr/sbin not     /sbin.  As of Buster this is the case, and the maintainer plans to     drop compatibility symlinks once Bullseye is released.   - Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the 
@@ -1,53 +1,56 @@ -MANPAGES = lacme-accountd.1 lacme.1 +DESTDIR ?= /usr/local +BUILDDIR ?= ./build +MANUAL_FILES = $(addprefix $(BUILDDIR)/,$(patsubst ./%.md,%,$(wildcard ./*.[1-9].md))) -all: ${MANPAGES} +all: manual $(addprefix $(BUILDDIR)/,lacme lacme-accountd client webserver $(wildcard config/* snippets/*)) +doc: manual + +manual: $(MANUAL_FILES)  # upper case the headers and remove the links -%.1: %.md -	@pandoc -f markdown -t json "$<" | \ -	jq "                                                                        \ -	    def fixheaders:                                                         \ -	        if .t == \"Header\" then                                            \ -	            .c[2][] |= (if .t == \"Str\" then .c |= ascii_upcase else . end)\ -	        else                                                                \ -	            .                                                               \ -	        end;                                                                \ -	    def fixlinks:                                                           \ -	        if type == \"object\" then                                          \ -	            if .t == \"Link\" then                                          \ -	                if .c[2][0][0:7] == \"mailto:\" then . else .c[1][] end     \ -	            else                                                            \ -	                map_values(fixlinks)                                        \ -	            end                                                             \ -	        else if type == \"array\" then                                      \ -	                map(fixlinks)                                               \ -	            else                                                            \ -	                .                                                           
\ -	            end                                                             \ -	        end;                                                                \ -	    { \"pandoc-api-version\"                                                \ -	    , meta                                                                  \ -	    , blocks: .blocks | map(fixheaders) | map(fixlinks)                     \ -	    }" | \ -	pandoc -s -f json -t man+smart -o "$@" - -install: ${MANPAGES} -	install -d $(DESTDIR)/etc/lacme -	install -d $(DESTDIR)/etc/lacme/lacme-certs.conf.d -	install -m0644 -t $(DESTDIR)/etc/lacme config/*.conf -	install -m0644 -t $(DESTDIR)/etc/lacme snippets/*.conf -	install -d $(DESTDIR)/usr/share/lacme -	install -m0644 -t $(DESTDIR)/usr/share/lacme certs/lets-encrypt-x[1-4]-cross-signed.pem -	install -d $(DESTDIR)/usr/lib/lacme -	install -m0755 -t $(DESTDIR)/usr/lib/lacme client webserver -	install -d $(DESTDIR)/usr/share/man/man1 -	install -m0644 -t $(DESTDIR)/usr/share/man/man1 lacme-accountd.1 lacme.1 -	install -d $(DESTDIR)/usr/bin -	install -m0644 -t $(DESTDIR)/usr/bin lacme-accountd -	install -d $(DESTDIR)/usr/sbin -	install -m0644 -t $(DESTDIR)/usr/bin lacme +$(MANUAL_FILES): $(BUILDDIR)/%: $(BUILDDIR)/%.md +	pandoc -f markdown -t json -- "$<" | ./pandoc2man.jq | pandoc -s -f json -t man -o "$@" + +prefix ?= $(DESTDIR) +exec_prefix ?= $(prefix) +bindir ?= $(exec_prefix)/bin +sbindir ?= $(exec_prefix)/sbin +libexecdir ?= $(exec_prefix)/libexec +datarootdir ?= $(prefix)/share +datadir ?= $(datarootdir) +sysconfdir ?= $(prefix)/etc +localstatedir =? 
$(prefix)/var +runstatedir ?= $(localstatedir)/run +mandir ?= $(datarootdir)/man +man1dir ?= $(mandir)/man1 +man8dir ?= $(mandir)/man8 + +$(BUILDDIR)/%: % +	mkdir -pv -- $(dir $@) +	cp --no-dereference --preserve=mode,links,xattr -vfT -- "$<" "$@" +	sed -i "s#@@bindir@@#$(bindir)#g; \ +	        s#@@sbindir@@#$(sbindir)#g; \ +	        s#@@libexecdir@@#$(libexecdir)#g; \ +	        s#@@datadir@@#$(datadir)#g; \ +	        s#@@runstatedir@@#$(runstatedir)#g; \ +	        s#@@sysconfdir@@#$(sysconfdir)#g;" -- "$@" + +install: all +	install -m0644 -vDt $(sysconfdir)/lacme $(BUILDDIR)/config/*.conf $(BUILDDIR)/snippets/*.conf +	install -vd $(sysconfdir)/lacme/lacme-certs.conf.d +	install -m0644 -vDt $(datadir)/lacme certs/lets-encrypt-x[1-4]-cross-signed.pem +	install -m0755 -vDt $(libexecdir)/lacme $(BUILDDIR)/client $(BUILDDIR)/webserver +	install -m0644 -vDt $(man1dir) $(BUILDDIR)/lacme-accountd.1 +	install -m0644 -vDt $(man8dir) $(BUILDDIR)/lacme.8 +	install -m0644 -vDt $(bindir) $(BUILDDIR)/lacme-accountd +	install -m0644 -vDt $(sbindir) $(BUILDDIR)/lacme + +uninstall: +	rm -vf -- $(bindir)/lacme-accountd $(sbindir)/lacme +	rm -vf -- $(man1dir)/lacme-accountd.1 $(man8dir)/lacme.8 +	rm -rvf -- $(sysconfdir)/lacme $(datadir)/lacme $(libexecdir)/lacme  clean: -	rm -vf ${MANPAGES} +	rm -rvf -- $(BUILDDIR) -.PHONY: all install clean +.PHONY: all doc manual install uninstall clean @@ -15,7 +15,7 @@  # GNU General Public License for more details.  #  # You should have received a copy of the GNU General Public License -# along with this program.  If not, see <http://www.gnu.org/licenses/>. +# along with this program.  If not, see <https://www.gnu.org/licenses/>.  #----------------------------------------------------------------------  use v5.14.2; diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 97d588a..dd02f95 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf 
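Review bot: The two executables are installed without the execute bit: `install -m0644 -vDt $(bindir) $(BUILDDIR)/lacme-accountd` and `install -m0644 -vDt $(sbindir) $(BUILDDIR)/lacme` (both are `-rwxr-xr-x` in the tree per the diffstat, and the `command = @@bindir@@/lacme-accountd` default that lacme spawns needs them runnable), so both should be `-m0755`. A few lines above, `localstatedir =? $(prefix)/var` is a typo for `?=`; as written `localstatedir`, and therefore `runstatedir`, expands to the literal text `? /usr/local/var…`, which the pattern rule's sed then bakes into `listen` in lacme.conf and into both webserver snippets. Also note that `prefix ?= $(DESTDIR)` combined with `install` recipes that use bare `$(bindir)`, `$(sysconfdir)` etc. makes DESTDIR act as the prefix rather than a staging root: `make install DESTDIR=/tmp/pkg prefix=/usr` writes into /usr, and a build with DESTDIR alone embeds the staging path in the `@@…@@` substitutions, whereas the conventional form is `prefix ?= /usr/local` with `install … $(DESTDIR)$(bindir)`. Finally, `uninstall` runs `rm -rvf -- $(sysconfdir)/lacme`, which also deletes the administrator's edited configuration and the `lacme-certs.conf.d` drop-ins rather than only the files this Makefile installed.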
@@ -34,7 +34,7 @@  # and to verify the validity of each issued certificate.  Specifying an  # empty value skip certificate validation.  # -#CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem +#CAfile = @@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem  # Subject field of the Certificate Signing Request.  This option is  # required. diff --git a/config/lacme.conf b/config/lacme.conf index 39c8654..9f4db72 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -8,11 +8,11 @@  # The value of "socket" specifies the path to the lacme-accountd(1)  # UNIX-domain socket to connect to for signature requests from the ACME -# client.  lacme(1) aborts if the socket is readable or writable by +# client.  lacme(8) aborts if the socket is readable or writable by  # other users, or if its parent directory is writable by other users.  # Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment  # variable is set. -# This option is ignored when lacme-accountd(1) is spawned by lacme(1), +# This option is ignored when lacme-accountd(1) is spawned by lacme(8),  # since the two processes communicate through a socket pair.  See the  # "accountd" section below for details.  # @@ -31,7 +31,7 @@  # Path to the ACME client executable.  # -#command = /usr/lib/lacme/client +#command = @@libexecdir@@/lacme/client  # URI of the ACME server's directory.  NOTE: Use the staging server  # <https://acme-staging-v02.api.letsencrypt.org/directory> for testing @@ -62,7 +62,7 @@  # Comma- or space-separated list of addresses to listen on, for instance  # "0.0.0.0:80 [::]:80".  # -#listen = /var/run/lacme-www.socket +#listen = @@runstatedir@@/lacme-www.socket  # Non-existent directory under which an external HTTP daemon is  # configured to serve GET requests for challenge files under 
@@ -84,19 +84,19 @@  # Path to the ACME webserver executable.  # -#command = /usr/lib/lacme/webserver +#command = @@libexecdir@@/lacme/webserver  # Whether to automatically install iptables(8) rules to open the  # ADDRESS[:PORT] specified with listen.  Theses rules are automatically -# removed once lacme(1) exits. +# removed once lacme(8) exits.  #  #iptables = No  [accountd]  # lacme-accound(1) section.  Comment out this section (including its -# header) to make lacme(1) connect to an existing UNIX-domain socket -# bound by a running acme-accountd(1) process. +# header), or use the --socket= CLI option, to make lacme(8) connect to +# an existing lacme-accountd(1) process via a UNIX-domain socket.  # username to drop privileges to (setting both effective and real uid).  # Preserve root privileges if the value is empty. @@ -111,11 +111,11 @@  # Path to the lacme-accountd(1) executable.  # -#command = /usr/bin/lacme-accountd +#command = @@bindir@@/lacme-accountd  # Path to the lacme-accountd(1) configuration file.  # -#config = /etc/lacme/lacme-accountd.conf +#config = @@sysconfdir@@/lacme/lacme-accountd.conf  # The (private) account key to use for signing requests.  See  # lacme-accountd(1) for details. @@ -15,7 +15,7 @@  # GNU General Public License for more details.  #  # You should have received a copy of the GNU General Public License -# along with this program.  If not, see <http://www.gnu.org/licenses/>. +# along with this program.  If not, see <https://www.gnu.org/licenses/>.  #----------------------------------------------------------------------  use v5.14.2; @@ -75,7 +75,7 @@ sub set_FD_CLOEXEC($$);  my $CONFFILENAME = $OPTS{config} // first { -f $_ }     ( "./$NAME.conf"     , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" -   , "/etc/lacme/$NAME.conf" +   , "@@sysconfdir@@/lacme/$NAME.conf"     );  do {      die "Error: Can't find configuration file\n" unless defined $CONFFILENAME; 
@@ -87,30 +87,30 @@ do {      my $h = Config::Tiny::->read_string($conf) or die Config::Tiny::->errstr()."\n";      my $defaults = delete $h->{_} // {}; -    my $accountd = exists $h->{accountd} ? 1 : 0; +    my $accountd = defined $OPTS{socket} ? 0 : exists $h->{accountd} ? 1 : 0;      my %valid = (          client => {              socket  => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef),              user    => 'nobody',              group   => 'nogroup', -            command => '/usr/lib/lacme/client', +            command => '@@libexecdir@@/lacme/client',              # the rest is for the ACME client              map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/          },          webserver => { -            listen                => '/var/run/lacme-www.socket', +            listen                => '@@runstatedir@@/lacme-www.socket',              'challenge-directory' => undef,              user                  => 'www-data',              group                 => 'www-data', -            command               => '/usr/lib/lacme/webserver', +            command               => '@@libexecdir@@/lacme/webserver',              iptables              => 'No'          },          accountd => {              user    => '',              group   => '', -            command => '/usr/bin/lacme-accountd', -            config  => '/etc/lacme/lacme-accountd.conf', +            command => '@@bindir@@/lacme-accountd', +            config  => '@@sysconfdir@@/lacme/lacme-accountd.conf',              privkey => undef,              quiet   => 'Yes',          } 
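Review bot: With `my $accountd = defined $OPTS{socket} ? 0 : exists $h->{accountd} ? 1 : 0;` a configured `[accountd]` section, including its `privkey`, is now discarded silently whenever `--socket` is given, which an administrator who expects the locally configured key to be used can easily miss; consider a notice such as `print STDERR "Warning: ignoring [accountd] section since --socket was given\n" if defined $OPTS{socket} and exists $h->{accountd};`. The nested ternary would also read more plainly as a single boolean, `my $accountd = !defined $OPTS{socket} && exists $h->{accountd};`, provided nothing downstream relies on the value being exactly `0` rather than the empty string (I cannot see every use from here). The enclosing `do { … }` block starts before this hunk.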
@@ -743,7 +743,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {          };          # verify certificate validity against the CA -        $conf->{CAfile} //= '/usr/share/lacme/lets-encrypt-x3-cross-signed.pem'; +        $conf->{CAfile} //= '@@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem';          if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile},                                                                        qw/-purpose sslserver -x509_strict/)) {              print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n"; diff --git a/lacme-accountd b/lacme-accountd index 822894b..af64168 100755 --- a/lacme-accountd +++ b/lacme-accountd @@ -16,7 +16,7 @@  # GNU General Public License for more details.  #  # You should have received a copy of the GNU General Public License -# along with this program.  If not, see <http://www.gnu.org/licenses/>. +# along with this program.  If not, see <https://www.gnu.org/licenses/>.  #----------------------------------------------------------------------  use v5.14.2; @@ -67,7 +67,7 @@ do {      my $conffile = $OPTS{config} // first { -f $_ }          ( "./$NAME.conf"          , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" -        , "/etc/lacme/$NAME.conf" +        , "@@sysconfdir@@/lacme/$NAME.conf"          );      die "Error: Can't find configuration file\n" unless defined $conffile;      print STDERR "Using configuration file: $conffile\n" if $OPTS{debug}; diff --git a/lacme-accountd.md b/lacme-accountd.1.md index 403c68c..6cf9ea8 100644 --- a/lacme-accountd.md +++ b/lacme-accountd.1.md 
@@ -16,9 +16,9 @@ Synopsis  Description  =========== -`lacme-accountd` is the account key manager component of [`lacme`(1)], a +`lacme-accountd` is the account key manager component of [`lacme`(8)], a  small [ACME] client written with process isolation and minimal -privileges in mind.  No other [`lacme`(1)] component needs access to the +privileges in mind.  No other [`lacme`(8)] component needs access to the  account key; in fact the account key could as well be stored on another  host or a smartcard. @@ -26,12 +26,12 @@ host or a smartcard.  `--socket=`), which [ACME] clients can connect to in order to request  data signatures.  As a consequence, `lacme-accountd` needs to be up and running before -using [`lacme`(1)] to issue [ACME] commands.  Also, the process does not +using [`lacme`(8)] to issue [ACME] commands.  Also, the process does not  automatically terminate after the last signature request: instead, one  sends an `INT` or `TERM` [`signal`(7)] to bring the server down.  Furthermore, one can use the UNIX-domain socket forwarding facility of -[OpenSSH] 6.7 and later to run `lacme-accountd` and [`lacme`(1)] on +[OpenSSH] 6.7 and later to run `lacme-accountd` and [`lacme`(8)] on  different hosts.  For instance one could store the account key on a  machine that is not exposed to the internet.  See the  **[examples](#examples)** section below. @@ -85,7 +85,7 @@ If `--config=` is not given, `lacme-accountd` uses the first existing  configuration file among *./lacme-accountd.conf*,  *$XDG_CONFIG_HOME/lacme/lacme-accountd.conf* (or  *~/.config/lacme/lacme-accountd.conf* if the `XDG_CONFIG_HOME` -environment variable is not set), and */etc/lacme/lacme-accountd.conf*. +environment variable is not set), and *@@sysconfdir@@/lacme/lacme-accountd.conf*.  When given on the command line, the `--privkey=`, `--socket=` and  `--quiet` options take precedence over their counterpart (without 
@@ -119,13 +119,13 @@ Run `lacme-accountd` in a first terminal:      ~$ lacme-accountd --privkey=file:/path/to/account.key --socket=$XDG_RUNTIME_DIR/S.lacme -Then, while `lacme-accountd` is running, execute locally [`lacme`(1)] in +Then, while `lacme-accountd` is running, execute locally [`lacme`(8)] in  another terminal:      ~$ sudo lacme --socket=$XDG_RUNTIME_DIR/S.lacme newOrder  Alternatively, use [OpenSSH] 6.7 or later to forward the socket and -execute [`lacme`(1)] remotely: +execute [`lacme`(8)] remotely:      ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme user@example.org \         sudo lacme --socket=/path/to/remote.sock newOrder @@ -133,11 +133,11 @@ execute [`lacme`(1)] remotely:  See also  ======== -[`lacme`(1)], [`ssh`(1)] +[`lacme`(8)], [`ssh`(1)]  [ACME]: https://tools.ietf.org/html/rfc8555 -[`lacme`(1)]: lacme.1.html -[`signal`(7)]: http://linux.die.net/man/7/signal +[`lacme`(8)]: lacme.8.html +[`signal`(7)]: https://linux.die.net/man/7/signal  [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html -[OpenSSH]: http://www.openssh.com/ -[`ssh`(1)]: http://man.openbsd.org/ssh +[OpenSSH]: https://www.openssh.com/ +[`ssh`(1)]: https://man.openbsd.org/ssh @@ -1,4 +1,4 @@ -% lacme(1) +% lacme(8)  % [Guilhem Moulin](mailto:guilhem@fripost.org)  % December 2015 
@@ -108,11 +108,9 @@ Generic options      aborts if `path` is readable or writable by other users, or if its      parent directory is writable by other users.      This command-line option overrides the *socket* option of the -    [`[client]` section](#client-section) of the configuration file. -    Moreover this option is ignored when the configuration file has an -    [`[accountd]` section](#accountd-section); in that case `lacme` -    spawns [`lacme-accountd`(1)], and the two processes communicate -    through a socket pair. +    [`[client]` section](#client-section) of the configuration file; it +    also causes the [`[accountd]` section](#accountd-section) to be +    ignored.  `-h`, `--help` @@ -133,7 +131,7 @@ If `--config=` is not given, `lacme` uses the first existing  configuration file among *./lacme.conf*,  *$XDG_CONFIG_HOME/lacme/lacme.conf* (or *~/.config/lacme/lacme.conf* if  the `XDG_CONFIG_HOME` environment variable is not set), and -*/etc/lacme/lacme.conf*. +*@@sysconfdir@@/lacme/lacme.conf*.  Valid options are:  Default section @@ -185,7 +183,7 @@ of [ACME] commands and dialogues with the remote [ACME] server).  *command*  :   Path to the [ACME] client executable. -    Default: `/usr/lib/lacme/client`. +    Default: `@@libexecdir@@/lacme/client`.  *server* 
@@ -224,13 +222,13 @@ served during certificate issuance.      addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the      `:PORT` suffix is optional and defaults to the HTTP port 80), or an      absolute path of a UNIX-domain socket (created with mode `0666`). -    Default: `/var/run/lacme-www.socket`. +    Default: `@@runstatedir@@/lacme-www.socket`.      **Note**: The default value is only suitable when an external HTTP      daemon is publicly reachable and passes all ACME challenge requests      to the webserver component through the UNIX-domain socket -    `/var/run/lacme-www.socket` (for instance using the provided -    `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration +    `@@runstatedir@@/lacme-www.socket` (for instance using the provided +    `@@sysconfdir@@/lacme/apache2.conf` or `@@sysconfdir@@/lacme/nginx.conf` configuration      snippets for each virtual host requiring authorization).  If there      is no HTTP daemon bound to port 80 one needs to set *listen* to      `[::]` (or `0.0.0.0 [::]` when dual IPv4/IPv6 stack is disabled or @@ -264,7 +262,7 @@ served during certificate issuance.  :   Path to the [ACME] webserver executable.  A separate process is      spawned for each address to *listen* on.  (In particular no      webserver process is forked when the *listen* option is empty.) -    Default: `/usr/lib/lacme/webserver`. +    Default: `@@libexecdir@@/lacme/webserver`.  *iptables* 
@@ -276,10 +274,11 @@ served during certificate issuance.  `[accountd]` section  --------------------- -This section is used for configuring the [`lacme-accountd`(1)] process. -If the section (including its header) is absent or commented out, -`lacme` connects to an existing UNIX-domain socket bound by a running -[`lacme-accountd`(1)] process. +This section is used for configuring the [`lacme-accountd`(1)] child +process.  If the section (including its header) is absent or commented +out, or if the CLI option `--socket` is specified, then `lacme` connects +to an existing [`lacme-accountd`(1)] process via the specified +UNIX-domain socket.  *user* @@ -295,12 +294,12 @@ If the section (including its header) is absent or commented out,  *command*  :   Path to the [`lacme-accountd`(1)] executable. -    Default: `/usr/bin/lacme-accountd`. +    Default: `@@bindir@@/lacme-accountd`.  *config*  :   Path to the [`lacme-accountd`(1)] configuration file. -    Default: `/etc/lacme/lacme-accountd.conf`. +    Default: `@@sysconfdir@@/lacme/lacme-accountd.conf`.  *privkey* @@ -355,7 +354,7 @@ Valid options are:      *certificate-chain* and to verify the validity of each issued      certificate.      Specifying an empty value skip certificate validation. -    Default: `/usr/share/lacme/lets-encrypt-x3-cross-signed.pem`. +    Default: `@@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem`.  *hash* @@ -408,6 +407,6 @@ See also  [ACME]: https://tools.ietf.org/html/rfc8555  [`lacme-accountd`(1)]: lacme-accountd.1.html -[`iptables`(8)]: http://linux.die.net/man/8/iptables +[`iptables`(8)]: https://linux.die.net/man/8/iptables  [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html  [`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html diff --git a/pandoc2man.jq b/pandoc2man.jq new file mode 100755 index 0000000..69802a5 --- /dev/null +++ b/pandoc2man.jq 
@@ -0,0 +1,28 @@ +#!/usr/bin/jq -f + +def fixheaders: +    if .t == "Header" then +        .c[2][] |= (if .t == "Str" then .c |= ascii_upcase else . end) +    else +        . +    end; + +def fixlinks: +    if type == "object" then +        if .t == "Link" then +            if .c[2][0][0:7] == "mailto:" then . else .c[1][] end +        else +            map_values(fixlinks) +        end +    else if type == "array" then +            map(fixlinks) +        else +            . +        end +    end; + +{ +    "pandoc-api-version" +  , meta +  , blocks: .blocks | map(fixheaders | fixlinks) +} diff --git a/snippets/apache2.conf b/snippets/apache2.conf index 20bf2ad..45d7c7f 100644 --- a/snippets/apache2.conf +++ b/snippets/apache2.conf @@ -5,8 +5,7 @@  # non-ssl one) of each virtual host requiring authorization.  <Location /.well-known/acme-challenge/> -  ProxyPass unix:///var/run/lacme-www.socket|http://localhost/.well-known/acme-challenge/ -  Order allow,deny -  Allow from all +  ProxyPass unix://@@runstatedir@@/lacme-www.socket|http://localhost/.well-known/acme-challenge/ +  Require all granted  </Location> diff --git a/snippets/nginx.conf b/snippets/nginx.conf index 981bdc3..6775489 100644 --- a/snippets/nginx.conf +++ b/snippets/nginx.conf @@ -6,7 +6,7 @@  location ^~ /.well-known/acme-challenge/ {      # Pass ACME requests to lacme's webserver component -    proxy_pass http://unix:/var/run/lacme-www.socket; +    proxy_pass http://unix:@@runstatedir@@/lacme-www.socket;      ## Alternatively, you can let nginx serve the requests by      ## setting 'challenge-directory' to '/var/www/acme-challenge' in 
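Review bot: The shebang `#!/usr/bin/jq -f` hard-codes the interpreter path, so `./pandoc2man.jq` in the Makefile recipe fails wherever jq is installed elsewhere (for instance under the /usr/local prefix this very Makefile defaults to); invoking it as `jq -f pandoc2man.jq` from the recipe, or using `#!/usr/bin/env -S jq -f` where `env -S` is available, removes that dependency on the install location. The file also has no comment saying what it is for; a two-line header such as `# Post-process pandoc's JSON AST before man output: upper-case header text` / `# and replace links (except mailto:) with their inline content.` would orient the next reader. The filter logic itself is the one previously inlined in the Makefile, so I am not re-reviewing it here.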
@@ -16,7 +16,7 @@  # GNU General Public License for more details.  #  # You should have received a copy of the GNU General Public License -# along with this program.  If not, see <http://www.gnu.org/licenses/>. +# along with this program.  If not, see <https://www.gnu.org/licenses/>.  #----------------------------------------------------------------------  use v5.14.2; | 
