# dynTLS configuration example
# Copy this file to 'vars' and adjust as needed.
# Warning: do not edit vars.example directly!

# ------------------------------------------------------------------
# GENERAL
# ------------------------------------------------------------------

# Base directory of the dynTLS configuration (defaults to the script directory)
#set_var DYNTLS "${0%/*}"

# Main ACME client program used for certificate operations.
# This can be any compatible wrapper script or binary.
# https://github.com/bruncsak/ght-acme.sh
#DYNTLS_LE_PROGRAM="contrib/acme/letsencrypt.sh"

# OpenSSL binary (full path if not in $PATH)
#set_var DYNTLS_OPENSSL "openssl"

# Productive mode:
# 0 = staging (test certificates from the Let's Encrypt staging server)
# 1 = production (real certificates)
#set_var DYNTLS_PRODUCTIVE 0

# Server key handling: 0 = one key per domain, 1 = symlink all domains to the base server key
# Sharing one key across all domains means a compromise of that key affects every certificate.
#set_var DYNTLS_PKI_KEY_LNS 0

# ------------------------------------------------------------------
# PKI DIRECTORIES
# ------------------------------------------------------------------

# Root PKI folder (contains the httpd structure: /certs, /private, etc.)
#set_var DYNTLS_PKI "/etc/pki"

# Temporary working directory
#set_var DYNTLS_TMP "$DYNTLS/tmp"

# HTTP service PKI directories
#set_var DYNTLS_PKI_HTTP_DIR "$DYNTLS_PKI/httpd"
#set_var DYNTLS_PKI_HTTP_CERT_DIR "$DYNTLS_PKI_HTTP_DIR/certs"
#set_var DYNTLS_PKI_HTTP_KEY_DIR "$DYNTLS_PKI_HTTP_DIR/private"
#set_var DYNTLS_PKI_HTTP_CERT_BACKUP_DIR "$DYNTLS_PKI_HTTP_CERT_DIR/backup"

# Certificate/key file name suffixes
#set_var DYNTLS_PKI_CERT_SUFFIX "cert.pem"
#set_var DYNTLS_PKI_FULLCHAIN_SUFFIX "fullchain.pem"
#set_var DYNTLS_PKI_KEY_SUFFIX "key.pem"

# Base server key file name and full path
#set_var DYNTLS_PKI_SERVER_BASEKEY_FILE "base.$DYNTLS_PKI_KEY_SUFFIX"
#set_var DYNTLS_PKI_SERVER_BASEKEY "$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_PKI_SERVER_BASEKEY_FILE"

# Key algorithm, size and curve
#set_var DYNTLS_PKI_KEY_ALGO rsa
#set_var DYNTLS_PKI_KEY_SIZE 2048
#set_var DYNTLS_PKI_KEY_CURVE secp384r1

# Certificate expiration threshold: number of days before expiry at which a renewal is triggered
#set_var DYNTLS_PKI_CERT_EXPIRE 30

# Force regenerating keys on renewal (0 = no, 1 = yes)
#set_var DYNTLS_PKI_KEY_FORCE_RENEW 0

# Days to keep backed-up certificates before removal
# Set to 0 to disable automatic deletion of backups
# Note: the same setting appears again in the BACKUP AND EXPIRATION section at the
# end of this file with a different example value; keep only one of them active.
#DYNTLS_BACKUP_EXPIRATION=720

# ------------------------------------------------------------------
# LET'S ENCRYPT / ACME
# ------------------------------------------------------------------

# Account key used to register with Let's Encrypt
# (this is a secret: keep the file readable only by the user running dynTLS)
#set_var DYNTLS_ENCRYPT_ACCOUNTKEY "$DYNTLS/private/letsencrypt_account.key"

# Token directory for http-01 challenges
#set_var DYNTLS_HTTPD_DEFAULT_DIR "/var/www/public_html/default"
#set_var DYNTLS_ENCRYPT_TOKEN_DIR "$DYNTLS_HTTPD_DEFAULT_DIR/.well-known/acme-challenge"
#set_var DYNTLS_HTTPD_DEFAULT_OWNER "apache."
# Chain CA files used to build fullchains
#set_var DYNTLS_PKI_LECA_CHAIN_FILE "LE_CA.chain.pem"
#set_var DYNTLS_PKI_LECA_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_CHAIN_FILE"
#set_var DYNTLS_PKI_LECA_R12_CHAIN_FILE "LE_CA-R12.chain.pem"
#set_var DYNTLS_PKI_LECA_R12_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R12_CHAIN_FILE"
#set_var DYNTLS_PKI_LECA_R13_CHAIN_FILE "LE_CA-R13.chain.pem"
#set_var DYNTLS_PKI_LECA_R13_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R13_CHAIN_FILE"

# DNS validation (dns-01 challenge): DNS server address, TSIG key file name and zone
# (a TSIG key is a shared secret for authenticated DNS updates: protect the file like a private key)
#set_var DYNTLS_DNS_SERVER "root-dns.example365.tld"
#set_var DYNTLS_DNS_TSIG "tsig.key"
#set_var DYNTLS_DNS_ZONE ""

# ------------------------------------------------------------------
# LOGGING
# ------------------------------------------------------------------
#set_var DYNTLS_LOG_DIR "/var/log/dyntls"
#set_var DYNTLS_LOG_FILE "$DYNTLS_LOG_DIR/dyntls.log"

# Log level controls the verbosity of logging output:
# 0 = off      : Disable all logging output.
# 1 = debug    : Detailed diagnostic information for troubleshooting and development.
#                Includes variable values, function calls and detailed execution flow
#                (variable values may include sensitive data, so do not leave this level enabled permanently).
# 2 = info     : Informational messages about normal operations and milestones.
#                Useful for understanding general system behavior without noise.
# 3 = warn     : Warnings about potential problems or unusual situations that are not critical.
#                Indicates areas that may need attention to prevent errors.
# 4 = error    : Errors indicating failures that impact functionality and require investigation.
# 5 = critical : Severe failures that cause system malfunction and need immediate action.
#set_var DYNTLS_LOG_LEVEL "3"

# ------------------------------------------------------------------
# DOMAIN LISTS (CN + SANs)
# Each set_list line defines one certificate (CN plus optional SANs, separated by ':')
# ------------------------------------------------------------------

# Example multi-domain certificate (CN + SANs separated by ':')
#set_list DYNTLS_DOMAIN_LIST "example365.tld:sub1.example365.tld:sub2.example365.tld"

# ------------------------------------------------------------------
# SERVICE LISTS (map a CN to a service)
# Format: CN:pki_dir:user.group:chmod:service:owner:restartflag:restart|reload:displayname
#
# pki_dir behavior:
# - If pki_dir does NOT contain a '/' character, it is treated as a
#   relative service name and is created below DYNTLS_PKI.
#   Example: pki_dir='postfix' with DYNTLS_PKI='/etc/pki'
#   → effective PKI path: /etc/pki/postfix
#
# - If pki_dir contains at least one '/' character, it is treated as
#   an absolute path and used as-is, without prefixing DYNTLS_PKI.
#   Example: pki_dir='/var/opt/container/mosquitto'
#   → effective PKI path: /var/opt/container/mosquitto
#
# The chmod field is the mode applied to what dynTLS installs in pki_dir (check the
# script for which files this covers); if a private key is among them, do not use a
# world-readable mode such as 444.
# ------------------------------------------------------------------

# Example service mapping (format: CN:pki_dir:user.group:chmod:service:owner:restartflag:restart|reload:displayname)
#set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:444:postfix:root:1:restart:Postfix"

# ------------------------------------------------------------------
# OPTIONAL COMMAND HOOKS
# ------------------------------------------------------------------
# Hook commands are executed by dynTLS with its own privileges, so only trusted
# users should be able to edit these lists (and this file).

# Commands to run before issuing/renewing a certificate
#set_list DYNTLS_CMD_PRE_LIST ""

# Commands to run after successfully issuing/renewing a certificate
#set_list DYNTLS_CMD_POST_LIST ""

# ------------------------------------------------------------------
# BACKUP AND EXPIRATION
# ------------------------------------------------------------------

# Days to keep backed-up certificates before removal
# Set to 0 to disable automatic deletion of backups
#set_var DYNTLS_BACKUP_EXPIRATION 360