<!--
SPDX-FileCopyrightText: 2024 Matthew Fennell <matthew@fennell.dev>
SPDX-License-Identifier: AGPL-3.0-only
-->
# Automatic certificate renewal
This project is a wrapper around [LEGO](https://go-acme.github.io/lego/). Given
a TOML config file describing the domains to manage, it invokes lego to renew
the certificates automatically.
We take care to reuse the account used to generate the request. This means that
TLSA records will remain correct after renewal.
## Config file
Place a `config.toml` file in the current working directory.
This file has a `[config]` section, and a section for each individual domain,
e.g. `[domains.example-org]`. Apart from being under the `domains` table,
domain sections do not have to be named in any particular way.
Imagine you would like to deploy certificates to both a Forgejo and a Prosody
instance on `example.org`. Then, your config might look like this:
```toml
[config]
acme_server = "https://acme-v02.api.letsencrypt.org/directory"
timeout_seconds = 600
[domains.example-org]
acme_email = "user@example.org"
desec_token = "3x4mPl3t0K3n"
renew_days = 60
domains = [
"example.org",
"anon.example.org",
"conference.example.org",
"turn.example.org",
"upload.example.org",
"webchat.example.org",
]
renew_script = "install-for ~/.ssh/id_rsa --prosody admin@chat.example.org --forgejo admin@example.org"
```
This will generate a single certificate for all of the given domains (with the
first in the list being the "main" domain), and then use the provided SSH key
and script to install the certificate for the given services, across the given
hosts.
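As an added example (not part of this project's code), here is a Python loader for a `config.toml` like the one above: it validates each `[domains.*]` table, builds a `lego renew` invocation with the first listed domain as the main name, and keeps `desec_token` off the command line (where it would be visible in process listings) by passing it as the `DESEC_TOKEN` environment variable. The exact lego flags and the splitting of `renew_script` are assumptions, not this project's actual invocation.

```python
from dataclasses import dataclass
import shlex

# Constructed sample mirroring the README's config.toml (token is a dummy value).
SAMPLE_CONFIG = {
    "config": {"acme_server": "https://acme-v02.api.letsencrypt.org/directory",
               "timeout_seconds": 600},
    "domains": {"example-org": {
        "acme_email": "user@example.org", "desec_token": "3x4mPl3t0K3n",
        "renew_days": 60, "domains": ["example.org", "anon.example.org"],
        "renew_script": "install-for ~/.ssh/id_rsa --prosody admin@chat.example.org"}},
}
REQUIRED = ("acme_email", "desec_token", "renew_days", "domains", "renew_script")

@dataclass
class RenewJob:
    name: str
    argv: list[str]        # lego command line; deliberately contains no secrets
    env: dict[str, str]    # the deSEC token travels via the environment, not argv
    post_hook: list[str]   # renew_script pre-split so it can run without a shell

def build_jobs(cfg: dict) -> list[RenewJob]:
    """One lego 'renew' job per [domains.*] table; rejects incomplete tables."""
    server = cfg.get("config", {}).get("acme_server")
    if not server:
        raise ValueError("[config].acme_server is required")
    jobs = []
    for name, table in cfg.get("domains", {}).items():
        missing = [k for k in REQUIRED if k not in table]
        if missing:
            raise ValueError(f"[domains.{name}] is missing {missing}")
        days, hosts = table["renew_days"], table["domains"]
        if not hosts or not (isinstance(days, int) and days > 0):
            raise ValueError(f"[domains.{name}] needs >=1 domain and renew_days > 0")
        # Assumed lego flags: global options first, then the 'renew' subcommand.
        argv = ["lego", "--server", server, "--email", table["acme_email"],
                "--dns", "desec", "--accept-tos"]
        for host in hosts:          # first host becomes the certificate's main name
            argv += ["--domains", host]
        argv += ["renew", "--days", str(days)]
        jobs.append(RenewJob(name, argv, {"DESEC_TOKEN": table["desec_token"]},
                             shlex.split(table["renew_script"])))
    return jobs

def load_jobs(path: str = "config.toml") -> list[RenewJob]:
    import tomllib  # standard library from Python 3.11
    with open(path, "rb") as fh:
        return build_jobs(tomllib.load(fh))
```

Each `RenewJob` can then be handed to `subprocess.run(job.argv, env={**os.environ, **job.env}, ...)`, followed by `job.post_hook`, without ever echoing the token into logs or a shell history.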
## Git hooks
We provide sample git hooks in the `hooks` directory. To use these, ensure the
following packages are installed:
* black
* gitlint
* mypy
* reuse
* shellcheck
```shell
$ git config core.hooksPath hooks
```