Diffstat (limited to 'configs')
-rw-r--r--configs/nginx/certbot.ctx-server.conf5
-rw-r--r--configs/nginx/nginx.conf11
-rw-r--r--configs/os/services/kvmd-certbot.service8
-rw-r--r--configs/os/services/kvmd-certbot.timer10
-rw-r--r--configs/os/sysusers.conf5
-rw-r--r--configs/os/tmpfiles.conf8
6 files changed, 41 insertions, 6 deletions
diff --git a/configs/nginx/certbot.ctx-server.conf b/configs/nginx/certbot.ctx-server.conf
new file mode 100644
index 00000000..6c8ea525
--- /dev/null
+++ b/configs/nginx/certbot.ctx-server.conf
@@ -0,0 +1,5 @@
+location /.well-known/acme-challenge {
+ root /run/kvmd-certbot/webroot;
+ include /etc/kvmd/nginx/loc-nocache.conf;
+ auth_request off;
+}
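Review bot: `location /.well-known/acme-challenge {` is a bare prefix match combined with `auth_request off`, so any URI that merely begins with that string is also served without authentication, not only files inside the challenge directory. Ending the prefix with a slash, `location /.well-known/acme-challenge/ {`, limits the unauthenticated area to the directory itself. A comment above `auth_request off;`, such as `# ACME HTTP-01 validation must be reachable without login; only the certbot webroot is exposed`, would show that the exemption is deliberate.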
diff --git a/configs/nginx/nginx.conf b/configs/nginx/nginx.conf
index 81b8265d..6b08c68e 100644
--- a/configs/nginx/nginx.conf
+++ b/configs/nginx/nginx.conf
@@ -27,11 +27,11 @@ http {
keepalive_timeout 10;
client_max_body_size 4k;
- client_body_temp_path /tmp/kvmd-nginx.client_body_temp;
- fastcgi_temp_path /tmp/kvmd-nginx.fastcgi_temp;
- proxy_temp_path /tmp/kvmd-nginx.proxy_temp;
- scgi_temp_path /tmp/kvmd-nginx.scgi_temp;
- uwsgi_temp_path /tmp/kvmd-nginx.uwsgi_temp;
+ client_body_temp_path /tmp/kvmd-nginx/client_body_temp;
+ fastcgi_temp_path /tmp/kvmd-nginx/fastcgi_temp;
+ proxy_temp_path /tmp/kvmd-nginx/proxy_temp;
+ scgi_temp_path /tmp/kvmd-nginx/scgi_temp;
+ uwsgi_temp_path /tmp/kvmd-nginx/uwsgi_temp;
include /etc/kvmd/nginx/kvmd.ctx-http.conf;
include /usr/share/kvmd/extras/*/nginx.ctx-http.conf;
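Review bot: The five `*_temp_path` directives now live below `/tmp/kvmd-nginx`, but nothing in this file says where that parent directory comes from; it is provisioned (mode 0700, owner kvmd-nginx) only by the `tmpfiles.conf` entry later in this commit. As far as I know nginx creates just the final component of a temp path at start-up, so if the tmpfiles entry has not been applied the server will probably fail to start. The parent name in a world-writable /tmp would then also not be under the service's control. A comment above the block, e.g. `# parent dir /tmp/kvmd-nginx is provisioned 0700 by configs/os/tmpfiles.conf`, would record the dependency. The `http {` block starts and ends outside the hunk.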
@@ -47,6 +47,7 @@ http {
include /etc/kvmd/nginx/listen-https.conf;
include /etc/kvmd/nginx/ssl.conf;
include /etc/kvmd/nginx/kvmd.ctx-server.conf;
+ include /etc/kvmd/nginx/certbot.ctx-server.conf;
include /usr/share/kvmd/extras/*/nginx.ctx-server.conf;
}
}
diff --git a/configs/os/services/kvmd-certbot.service b/configs/os/services/kvmd-certbot.service
new file mode 100644
index 00000000..bf505aea
--- /dev/null
+++ b/configs/os/services/kvmd-certbot.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=PiKVM - Certbot-Renew for KVMD-Nginx
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/kvmd-certbot renew --quiet
+# Should we?..
+# PrivateTmp=true
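Review bot: The `[Service]` section sets no `User=`/`Group=`, so `kvmd-certbot renew` runs as root even though this commit creates a dedicated `kvmd-certbot` account in sysusers.conf. Unless the wrapper needs root (not visible here), add `User=kvmd-certbot` and `Group=kvmd-certbot`; if it does need root, say why in a comment. The open `# Should we?..` question on `PrivateTmp=true` should be settled before merge, because tmpfiles.conf provisions `/tmp/kvmd-certbot` and a private /tmp would hide that directory from the unit, so the two choices have to agree. `NoNewPrivileges=true` is also worth considering for a oneshot renewal job, provided the wrapper does not rely on setuid helpers.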
diff --git a/configs/os/services/kvmd-certbot.timer b/configs/os/services/kvmd-certbot.timer
new file mode 100644
index 00000000..84fc9fcd
--- /dev/null
+++ b/configs/os/services/kvmd-certbot.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run KVMD-Certbot twice daily
+
+[Timer]
+OnCalendar=*-*-* 00/12:00:00
+RandomizedDelaySec=12h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/configs/os/sysusers.conf b/configs/os/sysusers.conf
index a24fbef9..b25179b8 100644
--- a/configs/os/sysusers.conf
+++ b/configs/os/sysusers.conf
@@ -4,6 +4,7 @@ g kvmd-ipmi - -
g kvmd-vnc - -
g kvmd-nginx - -
g kvmd-janus - -
+g kvmd-certbot - -
u kvmd - "PiKVM - The main daemon" -
u kvmd-pst - "PiKVM - Persistent storage" -
@@ -11,6 +12,7 @@ u kvmd-ipmi - "PiKVM - IPMI to KVMD proxy" -
u kvmd-vnc - "PiKVM - VNC to KVMD/Streamer proxy" -
u kvmd-nginx - "PiKVM - HTTP entrypoint" -
u kvmd-janus - "PiKVM - Janus WebRTC Gateway" -
+u kvmd-certbot - "PiKVM - Certbot-Renew for KVMD-Nginx"
m kvmd video
m kvmd gpio
@@ -26,3 +28,6 @@ m kvmd-janus audio
m kvmd-nginx kvmd
m kvmd-nginx kvmd-janus
+m kvmd-nginx kvmd-certbot
+
+m kvmd-certbot kvmd-pst
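Review bot: The two added `m` lines widen access without saying why. `m kvmd-nginx kvmd-certbot` gives the HTTP entrypoint account group access to everything the kvmd-certbot group owns, and `m kvmd-certbot kvmd-pst` gives the renewal account group access to persistent storage. Presumably the first lets nginx read the issued certificate and key and the second lets certbot keep its state persistently, but neither is visible in this diff. Add a comment before each, e.g. `# nginx reads certs issued by kvmd-certbot` and `# certbot state lives in persistent storage`, and confirm that private key files are group-readable only where nginx needs them.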
diff --git a/configs/os/tmpfiles.conf b/configs/os/tmpfiles.conf
index 8e1734d2..973c5d43 100644
--- a/configs/os/tmpfiles.conf
+++ b/configs/os/tmpfiles.conf
@@ -1 +1,7 @@
-D /run/kvmd 0775 kvmd kvmd -
+D /run/kvmd 0775 kvmd kvmd -
+D /run/kvmd-certbot 0755 root root -
+D /run/kvmd-certbot/webroot 0755 kvmd-certbot kvmd-certbot -
+
+D /tmp/kvmd 0775 kvmd kvmd -
+D /tmp/kvmd-nginx 0700 kvmd-nginx root -
+D /tmp/kvmd-certbot 0755 kvmd-certbot kvmd-certbot -
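Review bot: `D /tmp/kvmd-certbot 0755 kvmd-certbot kvmd-certbot -` makes the certbot scratch directory listable and readable by every local account, while the nginx directory next to it is 0700. If only the renewal job uses it, `0700` (or `0750`) is the safer mode. The same applies to `/run/kvmd-certbot/webroot`, where `0750` should be enough, assuming nginx runs as kvmd-nginx, which sysusers.conf in this commit adds to the kvmd-certbot group. `/tmp/kvmd-nginx` is also the only entry with group `root`; `kvmd-nginx kvmd-nginx` would match the other lines, although with mode 0700 it makes no practical difference.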