Re: [systemd-devel] Conditionally reload a service from another service

2023-08-05 Thread Barry



> On 31 Jul 2023, at 21:23, Ian Pilcher  wrote:
> 
> I have created service (along with an associated timer) that checks the
> remaining life of a TLS certificate and retrieves an updated certificate
> from Let's Encrypt if the remaining life is too short.

Certbot already knows how to do this.
It has a service and timer that renews all the certs and restarts httpd.
You could see how certbot solves the problem or just use certbot if it is suitable.

Barry





Re: [systemd-devel] Conditionally reload a service from another service

2023-07-31 Thread Ian Pilcher

On 7/31/23 17:18, Nils Kattenbeck wrote:
> Huh, I am actually surprised to discover that httpd does not watch these
> files itself.

To be honest, I never even considered the possibility that it might do
that.  Unfortunately, testing reveals that it doesn't do so.

> Regardless, I think the systemd way to achieve this would be to use path
> units, though I gotta admit that I have not played with them myself yet:
> https://www.freedesktop.org/software/systemd/man/systemd.path.html

I had honestly forgotten that those exist.  Looks very promising.

> Alternatively you could likely write custom polkit policies which would
> allow your script to reload https without elevated privileges. Not sure
> if there is an easier way to do this.

That sounds painful!  A path unit definitely sounds like the way to go
anyway, because I'd prefer not to give that level of permission to an
unprivileged service.

Thanks!

--

Google  Where SkyNet meets Idiocracy




Re: [systemd-devel] Conditionally reload a service from another service

2023-07-31 Thread Peter Hoeg
1. decide on a global path like `/run/http/restart'
2. give your LE script access to write there
3. use a `.path' unit to trigger on the file above being created, triggering
a one-liner that, running as root, restarts apache and deletes the file again

This way your “run as root” is limited to that one, tiny script


Re: [systemd-devel] Conditionally reload a service from another service

2023-07-31 Thread Kevin P. Fleming
That's how I do it. Path units are a good solution here as they maintain loose 
coupling between the cert management and consumption.

On Mon, Jul 31, 2023, at 16:56, Max Gautier wrote:
> On Mon, Jul 31, 2023 at 03:23:26PM -0500, Ian Pilcher wrote:
>> I have created service (along with an associated timer) that checks the
>> remaining life of a TLS certificate and retrieves an updated certificate
>> from Let's Encrypt if the remaining life is too short.
>
> Is the updated certificate placed in the same file? If so, maybe you
> could use a path unit with PathChanged=/path/to/your/cert?
>
> -- 
> Max Gautier


Re: [systemd-devel] Conditionally reload a service from another service

2023-07-31 Thread Max Gautier
On Mon, Jul 31, 2023 at 03:23:26PM -0500, Ian Pilcher wrote:
> I have created service (along with an associated timer) that checks the
> remaining life of a TLS certificate and retrieves an updated certificate
> from Let's Encrypt if the remaining life is too short.

Is the updated certificate placed in the same file? If so, maybe you
could use a path unit with PathChanged=/path/to/your/cert?

-- 
Max Gautier
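As an added example (not code from this thread or from the systemd project), here are unit files for the flag-file scheme Peter describes, with Max's PathChanged= variant as a commented-out alternative; the unit names, the certrenew user, the /run/certrenew/reload-httpd flag path and the script path are assumptions.

```ini
# /etc/systemd/system/httpd-reload.path
# Watches for the flag file. The unprivileged renewal job only needs write
# access to /run/certrenew; it never talks to systemd and never runs as root.
[Unit]
Description=Reload httpd when the certificate renewal job asks for it

[Path]
# Alternative (Max's suggestion): watch the certificate file itself instead.
# PathChanged=/etc/pki/tls/certs/EXAMPLE.crt   (placeholder path)
PathExists=/run/certrenew/reload-httpd
Unit=httpd-reload.service

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/httpd-reload.service
# The only part that runs as root. The flag is removed first so a failing
# reload cannot retrigger in a loop, and its contents are never read, so the
# less-privileged writer cannot influence what this unit does.
[Unit]
Description=Reload httpd after a certificate renewal
After=httpd.service

[Service]
Type=oneshot
ExecStartPre=/usr/bin/rm -f /run/certrenew/reload-httpd
ExecStart=/usr/bin/systemctl reload httpd.service

# /etc/systemd/system/certrenew.service ([Service] fragment of the renewal job
# from the original question). RuntimeDirectory= gives the certrenew user a
# directory under /run to drop the flag in; RuntimeDirectoryPreserve= keeps
# the directory, and the flag, after this oneshot unit exits.
[Service]
Type=oneshot
User=certrenew
RuntimeDirectory=certrenew
RuntimeDirectoryPreserve=yes
ExecStart=/usr/local/bin/renew-cert.sh
# renew-cert.sh touches /run/certrenew/reload-httpd only when it actually
# installed a new certificate.
```

Enable with `systemctl enable --now httpd-reload.path`; the flag-file form also covers the case where the renewal script writes the new certificate to a different file than the one httpd currently loads.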