Store certificates in /var/lib/tlstunnel by default

2024-05-12 06:26:23 +02:00 · 2020-09-10 23:33:09 +02:00 · 2020-09-10 23:33:09 +02:00 · fd46214036
parent cef64c51d6
commit fd46214036
3 changed files with 16 additions and 7 deletions
--- a/4
+++ b/4
@ -9,9 +9,11 @@ PREFIX = /usr/local
 BINDIR = $(PREFIX)/bin
 MANDIR = $(PREFIX)/share/man
 SYSCONFDIR = /etc
+SHAREDSTATEDIR = /var/lib

 goflags = $(GOFLAGS) \
-	-ldflags="-X 'main.configPath=$(SYSCONFDIR)/tlstunnel/config'"
+	-ldflags="-X main.configPath='$(SYSCONFDIR)/tlstunnel/config' \
+		-X main.certDataPath='$(SHAREDSTATEDIR)/tlstunnel'"

 all: tlstunnel tlstunnel.1

--- a/cmd/tlstunnel/main.go
+++ b/cmd/tlstunnel/main.go
@ -5,9 +5,13 @@ import (
 	"log"

 	"git.sr.ht/~emersion/tlstunnel"
+	"github.com/caddyserver/certmagic"
 )

-var configPath = "config"
+var (
+	configPath = "config"
+	certDataPath = ""
+)

 func main() {
 	flag.StringVar(&configPath, "config", configPath, "path to configuration file")
@ -20,6 +24,10 @@ func main() {

 	srv := tlstunnel.NewServer()

+	if certDataPath != "" {
+		srv.ACMEConfig.Storage = &certmagic.FileStorage{Path: certDataPath}
+	}
+
 	if err := srv.Load(cfg); err != nil {
 		log.Fatal(err)
 	}
--- a/server.go
+++ b/server.go
@ -17,8 +17,7 @@ type Server struct {
 	Frontends    []*Frontend
 	ManagedNames []string
 	ACMEManager  *certmagic.ACMEManager
-
-	certmagic *certmagic.Config
+	ACMEConfig   *certmagic.Config
 }

 func NewServer() *Server {
@ -34,7 +33,7 @@ func NewServer() *Server {
 	return &Server{
 		Listeners:   make(map[string]*Listener),
 		ACMEManager: mgr,
-		certmagic:   cfg,
+		ACMEConfig:  cfg,
 	}
 }

@ -53,7 +52,7 @@ func (srv *Server) RegisterListener(addr string) *Listener {
 }

 func (srv *Server) Start() error {
-	if err := srv.certmagic.ManageAsync(context.Background(), srv.ManagedNames); err != nil {
+	if err := srv.ACMEConfig.ManageAsync(context.Background(), srv.ManagedNames); err != nil {
 		return fmt.Errorf("failed to manage TLS certificates: %v", err)
 	}

@ -122,7 +121,7 @@ func (ln *Listener) handle(conn net.Conn) error {
 	defer conn.Close()

 	// TODO: setup timeouts
-	tlsConn := tls.Server(conn, ln.Server.certmagic.TLSConfig())
+	tlsConn := tls.Server(conn, ln.Server.ACMEConfig.TLSConfig())
 	if err := tlsConn.Handshake(); err != nil {
 		return err
 	}