dyntls/vars.example

# dynTLS configuration example
# Copy this file to 'vars' and adjust as needed.
# Warning: do not edit vars.example directly!
# ------------------------------------------------------------------
# GENERAL
# ------------------------------------------------------------------
# Base directory of dynTLS configuration (defaults to script directory)
#set_var DYNTLS "${0%/*}"
# Main ACME client program used for certificate operations.
# You can set this to any compatible wrapper script or binary.
# Note: this example uses a plain shell assignment rather than the
# set_var form used by the other settings in this file.
# https://github.com/bruncsak/ght-acme.sh
#DYNTLS_LE_PROGRAM="contrib/acme/letsencrypt.sh"
# OpenSSL binary (path if not in $PATH)
#set_var DYNTLS_OPENSSL "openssl"
# Production mode:
# 0 = staging (test certs from Let's Encrypt staging server)
# 1 = production (real certs)
#set_var DYNTLS_PRODUCTIVE 0
# Use symlinks for server key: 1 = link all domains to base key
#set_var DYNTLS_PKI_KEY_LNS 0 # 0=per-domain key, 1=symlink all to base server key
# ------------------------------------------------------------------
# PKI DIRECTORIES
# ------------------------------------------------------------------
# Root PKI folder (contains httpd structure /certs /private etc.)
#set_var DYNTLS_PKI "/etc/pki"
# Temporary working directory
#set_var DYNTLS_TMP "$DYNTLS/tmp"
# HTTP service PKI directories
#set_var DYNTLS_PKI_HTTP_DIR "$DYNTLS_PKI/httpd"
#set_var DYNTLS_PKI_HTTP_CERT_DIR "$DYNTLS_PKI_HTTP_DIR/certs"
#set_var DYNTLS_PKI_HTTP_KEY_DIR "$DYNTLS_PKI_HTTP_DIR/private"
#set_var DYNTLS_PKI_HTTP_CERT_BACKUP_DIR "$DYNTLS_PKI_HTTP_CERT_DIR/backup"
# Cert/key naming suffixes
#set_var DYNTLS_PKI_CERT_SUFFIX "cert.pem"
#set_var DYNTLS_PKI_FULLCHAIN_SUFFIX "fullchain.pem"
#set_var DYNTLS_PKI_KEY_SUFFIX "key.pem"
# Base server key file and path
#set_var DYNTLS_PKI_SERVER_BASEKEY_FILE "base.$DYNTLS_PKI_KEY_SUFFIX"
#set_var DYNTLS_PKI_SERVER_BASEKEY "$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_PKI_SERVER_BASEKEY_FILE"
# Key algorithm, key size and EC curve name
#set_var DYNTLS_PKI_KEY_ALGO rsa
#set_var DYNTLS_PKI_KEY_SIZE 2048
#set_var DYNTLS_PKI_KEY_CURVE secp384r1
# Renew a certificate when fewer than this many days remain until it expires
#set_var DYNTLS_PKI_CERT_EXPIRE 30
# Force regenerating keys on renewal (0=no, 1=yes)
#set_var DYNTLS_PKI_KEY_FORCE_RENEW 0
# Days to keep backed-up certificates before removal.
# Set to 0 to disable automatic deletion of backups.
# Note: this setting appears again under BACKUP AND EXPIRATION below, there in
# set_var form and with a different value; keep only one definition.
#DYNTLS_BACKUP_EXPIRATION=720
# ------------------------------------------------------------------
# LET'S ENCRYPT / ACME
# ------------------------------------------------------------------
# Account key used to register with Let's Encrypt (a private key: keep it
# outside the web root and readable only by the user running dynTLS)
#set_var DYNTLS_ENCRYPT_ACCOUNTKEY "$DYNTLS/private/letsencrypt_account.key"
# http-01 challenges: default web root, token directory and owner
#set_var DYNTLS_HTTPD_DEFAULT_DIR "/var/www/public_html/default"
#set_var DYNTLS_ENCRYPT_TOKEN_DIR "$DYNTLS_HTTPD_DEFAULT_DIR/.well-known/acme-challenge"
#set_var DYNTLS_HTTPD_DEFAULT_OWNER "apache."
# CA chain files used to build the fullchain certificates
#set_var DYNTLS_PKI_LECA_CHAIN_FILE "LE_CA.chain.pem"
#set_var DYNTLS_PKI_LECA_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_CHAIN_FILE"
#set_var DYNTLS_PKI_LECA_R12_CHAIN_FILE "LE_CA-R12.chain.pem"
#set_var DYNTLS_PKI_LECA_R12_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R12_CHAIN_FILE"
#set_var DYNTLS_PKI_LECA_R13_CHAIN_FILE "LE_CA-R13.chain.pem"
#set_var DYNTLS_PKI_LECA_R13_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R13_CHAIN_FILE"
# DNS validation (dns-01 challenge): server address, TSIG key file name and zone.
# The TSIG key file holds a shared secret; protect it like a private key.
#set_var DYNTLS_DNS_SERVER "root-dns.example365.tld"
#set_var DYNTLS_DNS_TSIG "tsig.key"
#set_var DYNTLS_DNS_ZONE ""
# ------------------------------------------------------------------
# LOGGING
# ------------------------------------------------------------------
#set_var DYNTLS_LOG_DIR "/var/log/dyntls"
#set_var DYNTLS_LOG_FILE "$DYNTLS_LOG_DIR/dyntls.log"
# Log level controls verbosity of logging output:
# 0 = off : Disable all logging output.
# 1 = debug : Detailed diagnostic information for troubleshooting and development.
# Includes variable values, function calls, and detailed execution flow, so the
# log may contain configuration values; not intended for routine use.
# 2 = info : Informational messages about normal operations and milestones.
# Useful for understanding general system behavior without noise.
# 3 = warn : Warnings about potential problems or unusual situations that are not critical.
# Indicates areas that may require attention to prevent errors.
# 4 = error : Errors indicating failures that impact functionality and require investigation.
# 5 = critical : Severe, critical failures that cause system malfunction and need immediate action.
#set_var DYNTLS_LOG_LEVEL "3"
# ------------------------------------------------------------------
# DOMAIN LISTS (CN + SANs)
# Each set_list line defines one certificate (CN + optional SANs separated by ':')
# ------------------------------------------------------------------
# Example multi-domain certificate (CN + SANs separated by :)
#set_list DYNTLS_DOMAIN_LIST "example365.tld:sub1.example365.tld:sub2.example365.tld"
# ------------------------------------------------------------------
# SERVICE LISTS (map CN to a service)
# Format: CN:pki_dir:user.group:chmod:service:owner:restartflag:restart|reload:displayname
#
# pki_dir behavior:
# - If pki_dir does NOT contain a '/' character, it is treated as a
# relative service name and will be created below DYNTLS_PKI.
# Example: pki_dir='postfix' with DYNTLS_PKI='/etc/pki'
# → effective PKI path: /etc/pki/postfix
#
# - If pki_dir contains at least one '/' character, it is treated as
# an absolute path and used as-is without prefixing DYNTLS_PKI.
# Example: pki_dir='/var/opt/container/mosquitto'
# → effective PKI path: /var/opt/container/mosquitto
# ------------------------------------------------------------------
# Example service mapping (format: CN:pki_dir:user.group:chmod:service:owner:restartflag:restart|reload:displayname)
#set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:444:postfix:root:1:restart:Postfix"
# ------------------------------------------------------------------
# OPTIONAL COMMAND HOOKS
# ------------------------------------------------------------------
# Commands to run before issuing/renewing a cert
#set_list DYNTLS_CMD_PRE_LIST ""
# Commands to run after successfully issuing/renewing a cert
#set_list DYNTLS_CMD_POST_LIST ""
# ------------------------------------------------------------------
# BACKUP AND EXPIRATION
# ------------------------------------------------------------------
# Days to keep backed-up certificates before removal.
# Set to 0 to disable automatic deletion of backups.
# Note: the same setting also appears above under PKI DIRECTORIES as a plain
# shell assignment with a different value; keep only one definition.
#set_var DYNTLS_BACKUP_EXPIRATION 360