path: root/lacme.8.md
Diffstat (limited to 'lacme.8.md')
-rw-r--r-- lacme.8.md 90
1 files changed, 68 insertions, 22 deletions
diff --git a/lacme.8.md b/lacme.8.md
index 4dfc67e..aab448f 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -100,16 +100,22 @@ Generic settings
`--config=`*filename*
-: Use *filename* as configuration file. See the **[configuration
- file](#configuration-file)** section below for the configuration
- options.
+: Use *filename* as configuration file instead of
+ `%E/lacme/lacme.conf`. The value is subject to [%-specifier
+ expansion](#percent-specifiers).
+
+ See the **[configuration file](#configuration-file)** section below
+ for the configuration options.
`--socket=`*path*
: Use *path* as the [`lacme-accountd`(1)] UNIX-domain socket to
- connect to for signature requests from the [ACME] client. `lacme`
- aborts if `path` is readable or writable by other users, or if its
- parent directory is writable by other users.
+ connect to for signature requests from the [ACME] client. The value
+ is subject to [%-specifier expansion](#percent-specifiers).
+ `lacme` aborts if *path* exists or if its parent directory is
+ writable by other users.
+ Default: `%t/S.lacme`.
+
This command-line option overrides the *socket* setting of the
[`[client]` section](#client-section) of the configuration file; it
also causes the [`[accountd]` section](#accountd-section) to be
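Review bot: in the `--socket=` entry, "aborts if *path* exists or if its parent directory is writable by other users" can be read with "by other users" applying to both conditions. The old text checked the socket's own permissions and the new text refuses any existing path, so say that outright, for example "aborts if *path* already exists, or if its parent directory is writable by other users". Since `--config=` and `--socket=` are now both %-expanded, a value containing a literal `%` changes meaning; one sentence pointing at `%%` would help people with existing invocations.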
@@ -130,10 +136,6 @@ Generic settings
Configuration file
==================
-If `--config=` is not given, `lacme` uses the first existing
-configuration file among *$XDG_CONFIG_HOME/lacme/lacme.conf* (or
-*~/.config/lacme/lacme.conf* if the `XDG_CONFIG_HOME` environment
-variable is not set), and *@@sysconfdir@@/lacme/lacme.conf*.
Valid settings are:
Default section
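Review bot: with the lookup paragraph removed, the "Configuration file" section no longer says where the file is found, and the fallback to *@@sysconfdir@@/lacme/lacme.conf* for non-root users disappears from the documentation, because `%E/lacme/lacme.conf` names a single path. If the fallback is gone in the code as well, state it as a behaviour change; either way, add a one-line pointer to `--config=` here for the default location.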
@@ -145,13 +147,15 @@ Default section
space-separated list of certificate configuration files or
directories to use (see the **[certificate configuration
file](#certificate-configuration-file)** section below for the
- configuration options).
+ configuration options). Each item in that list is independently
+ subject to [%-specifier expansion](#percent-specifiers).
- Paths not starting with `/` are relative to the directory name of
- the **[configuration filename](#configuration-file)**. The list of
- files and directories is processed in order, with the later items
- taking precedence. Files in a directory are processed in
- lexicographic order, only considering the ones with suffix `.conf`.
+ Paths not starting with `/` (after %-expansion) are relative to the
+ parent directory of the **[configuration filename](#configuration-file)**.
+ The list of files and directories is processed in the specified
+ order, with the later items taking precedence. Files in a directory
+ are processed in lexicographic order, only considering the ones with
+ suffix `.conf`.
Default: `lacme-certs.conf lacme-certs.conf.d/`.
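Review bot: "Each item in that list is independently subject to %-specifier expansion" leaves the order of splitting and expansion implicit. State that the value is split on whitespace first and each item is expanded afterwards, so that an expansion containing a space (from `%h`, for example) stays a single item. It would also help to say what happens when the expanded value is still relative, since "(after %-expansion)" only covers the leading `/` test.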
@@ -164,8 +168,6 @@ of [ACME] commands and dialogues with the remote [ACME] server).
*socket*
: See `--socket=`.
- Default: *$XDG_RUNTIME_DIR/S.lacme* if the `XDG_RUNTIME_DIR`
- environment variable is set.
*user*
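Review bot: dropping the "Default:" line from the *socket* setting removes the only statement of what happens when `XDG_RUNTIME_DIR` is not set. The default is now `%t/S.lacme`, and `%t` is unavailable to non-root users without that variable, so this entry or `--socket=` should say whether `lacme` aborts in that case. It is also worth repeating here that the value is %-expanded, since "See `--socket=`" is easy to skip.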
@@ -247,7 +249,9 @@ served during certificate issuance.
lacme client user (by default `@@lacme_client_user@@`) needs to be
able to create files under it.
- This setting is required when *listen* is empty.
+ This setting is required when *listen* is empty. Moreover its value
+ is subject to [%-specifier expansion](#percent-specifiers) _before_
+ privilege drop.
*user*
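Review bot: "subject to %-specifier expansion _before_ privilege drop" needs its consequence spelled out: `%u`, `%U`, `%g`, `%G`, `%h` and the directory specifiers resolve for the invoking user (typically root), not for the lacme client user that, per the context lines above, has to create files under this directory. A reader who writes `%h` or `%t` expecting the client user's directory gets a path that user may not be able to write to. Suggest moving the sentence into its own paragraph without "Moreover" and adding that clarification.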
@@ -308,13 +312,18 @@ UNIX-domain socket.
the first item being the command to execute, the second its first
argument etc. (Note that `lacme` appends more arguments when
executing the command internally.)
+ Each item in that list is independently subject to [%-specifier
+ expansion](#percent-specifiers) _after_ privilege drop.
+ Default: `@@bindir@@/lacme-accountd`.
+
Use for instance `ssh -T lacme@account.example.net lacme-accountd`
- in order to spawn a remote [`lacme-accountd`(1)] server. Default:
- `@@bindir@@/lacme-accountd`.
+ in order to spawn a remote [`lacme-accountd`(1)] server.
*config*
-: Path to the [`lacme-accountd`(1)] configuration file.
+: Path to the [`lacme-accountd`(1)] configuration file. The value is
+ subject to [%-specifier expansion](#percent-specifiers) _after_
+ privilege drop.
*quiet*
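Review bot: for *command* and *config*, "_after_ privilege drop" does not say which environment the expansion reads. `%C`, `%E`, `%t` and `%T` depend on `XDG_*`, `HOME` and `TMPDIR`, so document whether those variables are reset for the accountd user or inherited from the caller; if inherited, the expanded paths can point into the invoking user's directories. For the `ssh -T lacme@account.example.net lacme-accountd` example, add that expansion happens locally before the command is run, so specifiers do not refer to the remote account.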
@@ -428,6 +437,43 @@ Valid settings are:
after successful installation of the *certificate* and/or
*certificate-chain*.
+%-specifiers {#percent-specifiers}
+============
+
+Some CLI options and configuration settings are subject to %-expansion
+for the following specifiers. Check the documentation of each setting
+to see which ones are affected.
+
+---- ------------------------------------------------------------------
+`%C` `@@localstatedir@@/cache` for the root user, and `$XDG_CACHE_HOME`
+ for other users (or `$HOME/.cache` if the `XDG_CACHE_HOME`
+ environment variable is unset or empty).
+
+`%E` `@@sysconfdir@@` for the root user, and `$XDG_CONFIG_HOME` for
+ other users (or `$HOME/.config` if the `XDG_CONFIG_HOME`
+ environment variable is unset or empty).
+
+`%g` Current group name.
+
+`%G` Current group ID.
+
+`%h` Home directory of the current user.
+
+`%t` `@@runstatedir@@` for the root user, and `$XDG_RUNTIME_DIR` for
+ other users. Non-root users may only use `%t` when the
+ `XDG_RUNTIME_DIR` environment variable is set to a non-empty
+ value.
+
+`%T` `$TMPDIR`, or `/tmp` if the `TMPDIR` environment variable is unset
+ or empty.
+
+`%u` Current user name.
+
+`%U` Current user ID.
+
+`%%` A literal `%`.
+---- ------------------------------------------------------------------
+
Examples
========
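Review bot: the specifier table does not define what happens for an unknown specifier (such as `%x`) or a trailing `%`; say whether that is an error or is left as is, so that typos do not silently produce unexpected paths. `%h` should state where the home directory comes from (`$HOME` or the password database), given that `%C` and `%E` fall back to `$HOME/...`. For `%t`, replace "may only use" with the actual outcome when `XDG_RUNTIME_DIR` is unset. A short note that `%T` is usually unsuitable for `--socket=` would also help, since `lacme` aborts when the socket's parent directory is writable by other users.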