Reworking chrony workaround (#1013882) now that we know it's going to be permanent.

Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>

1 files changed, 35 insertions, 0 deletions

diff --git a/dehydrated/share/hooks/deploy_cert.chrony b/dehydrated/share/hooks/deploy_cert.chrony
new file mode 100755
index 0000000..9bccf75
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_cert.chrony
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+if grep -Eqrs '^ *ntsservercert' /etc/chrony
+then
+	# https://bugs.debian.org/1013882
+	echo -n " + Copying certificate for chrony..."
+
+	cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem
+	cp -fL "${KEYFILE}" /etc/chrony/key.pem
+
+	chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem
+
+	echo " done."
+fi