From 5fe792ad41fb7f4c30cc03aebcff301f69885700 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Thu, 7 Jul 2022 12:20:07 +0200
Subject: Reworking chrony workaround (#1013882) now that we know it's going to be permanent.
Signed-off-by: Daniel Baumann
---
 dehydrated/share/hooks/deploy_cert.chrony | 35 +++++++++++++++++++++
 dehydrated/share/hooks/exit_hook.service-reload | 2 +-
 dehydrated/share/hooks/exit_hook.zz-chrony | 42 -------------------------
 3 files changed, 36 insertions(+), 43 deletions(-)
 create mode 100755 dehydrated/share/hooks/deploy_cert.chrony
 delete mode 100755 dehydrated/share/hooks/exit_hook.zz-chrony
diff --git a/dehydrated/share/hooks/deploy_cert.chrony b/dehydrated/share/hooks/deploy_cert.chrony
new file mode 100755
index 0000000..9bccf75
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_cert.chrony
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+set -e
+
+if grep -Eqrs '^ *ntsservercert' /etc/chrony
+then
+ # https://bugs.debian.org/1013882
+ echo -n " + Copying certificate for chrony..."
+
+ cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem
+ cp -fL "${KEYFILE}" /etc/chrony/key.pem
+
+ chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem
+
+ echo " done."
+fi
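Review bot: The private key copy at `cp -fL "${KEYFILE}" /etc/chrony/key.pem` never sets a mode on the destination, so a newly created file takes the source mode filtered by the umask and an already existing key.pem keeps whatever mode it had. Adding `chmod 0600 /etc/chrony/key.pem` after the `chown` line (or creating the file under `umask 077`) would make the permissions explicit instead of inherited. Separately, the removed exit hook copied the certificate of the name in /etc/hostname, whereas this hook copies whatever `${FULLCHAINFILE}` and `${KEYFILE}` point to; if dehydrated deploys more than one certificate on the host, each run would presumably overwrite chrony's pair with the latest one, so a guard on the certificate's domain looks worth adding. A short comment saying why the files are copied rather than referenced in place would also help, since only the bug URL explains it.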
diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload
index 486c62f..02dd6c5 100755
--- a/dehydrated/share/hooks/exit_hook.service-reload
+++ b/dehydrated/share/hooks/exit_hook.service-reload
@@ -21,7 +21,7 @@
 set -e
-SERVICES="apache2 haproxy knot postgresql redis-server"
+SERVICES="apache2 chrony haproxy knot postgresql redis-server"
 echo " + Reloading services..."
diff --git a/dehydrated/share/hooks/exit_hook.zz-chrony b/dehydrated/share/hooks/exit_hook.zz-chrony
deleted file mode 100755
index 13a7e9a..0000000
--- a/dehydrated/share/hooks/exit_hook.zz-chrony
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-
-# Open Infrastructure: service-tools
-
-# Copyright (C) 2014-2022 Daniel Baumann
-#
-# SPDX-License-Identifier: GPL-3.0+
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-set -e
-
-if grep -r -qs -E '^ntsserver(cert|key)' /etc/chrony
-then
- echo -n " + chrony (workaround):"
-
- # https://bugs.debian.org/1013882
- HOST="$(cat /etc/hostname)"
-
- cp -L "/var/lib/dehydrated/certs/${HOST}/fullchain.pem" /etc/chrony/cert.pem
- cp -L "/var/lib/dehydrated/certs/${HOST}/privkey.pem" /etc/chrony/key.pem
-
- chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem
-
- if service chrony status > /dev/null 2>&1
- then
- service chrony restart
- fi
-
- echo " done."
-fi
-- cgit v1.2.3
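Review bot: In exit_hook.service-reload, adding `chrony` to `SERVICES` swaps the removed hook's `service chrony restart` (guarded by a `service chrony status` check) for whatever the reload loop does, and that loop lies outside the hunk. It is worth confirming that the loop's action makes chronyd re-read /etc/chrony/cert.pem and key.pem, and that it skips hosts where chrony is not installed or not running, as the old guard did. A comment next to `SERVICES` such as `# chrony: picks up the NTS pair copied by deploy_cert.chrony` would record the dependency between the two hooks.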