1 files changed, 89 insertions, 0 deletions

diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..18d6c52
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,89 @@
+Source: lacme
+Section: utils
+Priority: optional
+Maintainer: Guilhem Moulin <guilhem@debian.org>
+Build-Depends: debhelper-compat (= 12), jq, pandoc (>= 2.1~)
+Rules-Requires-Root: no
+Standards-Version: 4.5.0
+Homepage: https://git.guilhem.org/lacme/about/
+Vcs-Git: https://git.guilhem.org/lacme
+Vcs-Browser: https://git.guilhem.org/lacme
+
+Package: lacme
+Architecture: all
+Depends: libconfig-tiny-perl,
+         libjson-perl,
+         libnet-ssleay-perl,
+         libtimedate-perl,
+         libtypes-serialiser-perl,
+         libwww-perl,
+         openssl,
+         ${misc:Depends},
+         ${perl:Depends}
+Recommends: lacme-accountd (= ${binary:Version}), liblwp-protocol-https-perl
+Description: ACME client written with process isolation and minimal privileges in mind
+ lacme is divided into four components, each with its own executable:
+ .
+  * A process to manage the account key and issue SHA-256 signatures needed for
+    each ACME command.  (This process binds to a UNIX-domain socket to reply to
+    signature requests from the ACME client.)  One can use the UNIX-domain
+    socket forwarding facility of OpenSSH 6.7 and later to run this process on
+    a different host.
+ .
+  * A "master" process, which runs as root and is the only component
+    with access to the private key material of the server keys.  It is used to
+    fork the ACME client (and optionally the ACME webserver) after dropping
+    root privileges.  For certificate issuances, it also generates Certificate
+    Signing Requests, then verifies the validity of the issued certificate, and
+    optionally reloads or restarts services.
+ .
+  * An actual ACME client, which builds ACME commands and dialogues with
+    the remote ACME server.  Since ACME commands need to be signed with the
+    account key, the "master" process passes the UNIX-domain socket of the
+    account key manager to the ACME client: data signatures are requested by
+    writing the data to be signed to the socket.
+ .
+  * For certificate issuances, an optional webserver, which is spawned
+    by the "master" process when no service is listening on the HTTP port.
+    (The only challenge type currently supported is "http-01", which requires a
+    webserver to answer challenges.)  That webserver only processes GET and
+    HEAD requests under the "/.well-known/acme-challenge/" URI.  By default
+    some iptables(8) rules are automatically installed to open the HTTP port,
+    and removed afterwards.
+
+Package: lacme-accountd
+Architecture: all
+Depends: libconfig-tiny-perl, libjson-perl, ${misc:Depends}, ${perl:Depends}
+Recommends: libcrypt-openssl-rsa-perl
+Description: lacme account key manager
+ lacme is an ACME client written with process isolation and minimal privileges
+ in mind.  It is divided into four components, each with its own executable:
+ .
+  * A process to manage the account key and issue SHA-256 signatures needed for
+    each ACME command.  (This process binds to a UNIX-domain socket to reply to
+    signature requests from the ACME client.)  One can use the UNIX-domain
+    socket forwarding facility of OpenSSH 6.7 and later to run this process on
+    a different host.
+ .
+  * A "master" process, which runs as root and is the only component
+    with access to the private key material of the server keys.  It is used to
+    fork the ACME client (and optionally the ACME webserver) after dropping
+    root privileges.  For certificate issuances, it also generates Certificate
+    Signing Requests, then verifies the validity of the issued certificate, and
+    optionally reloads or restarts services.
+ .
+  * An actual ACME client, which builds ACME commands and dialogues with
+    the remote ACME server.  Since ACME commands need to be signed with the
+    account key, the "master" process passes the UNIX-domain socket of the
+    account key manager to the ACME client: data signatures are requested by
+    writing the data to be signed to the socket.
+ .
+  * For certificate issuances, an optional webserver, which is spawned
+    by the "master" process when no service is listening on the HTTP port.
+    (The only challenge type currently supported is "http-01", which requires a
+    webserver to answer challenges.)  That webserver only processes GET and
+    HEAD requests under the "/.well-known/acme-challenge/" URI.  iptables(8)
+    rules can optionally be installed to temporarily open the HTTP port.
+ .
+ lacme-accountd is the first (account key manager) component.  It is the only
+ component with access to the account key.