summaryrefslogtreecommitdiffstats
path: root/dehydrated/share
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xdehydrated/share/cron/dehydrated3
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.chrony35
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.extra49
-rwxr-xr-xdehydrated/share/hooks/deploy_ocsp.extra37
-rwxr-xr-xdehydrated/share/hooks/exit_hook.extra-cleanup77
-rwxr-xr-xdehydrated/share/hooks/exit_hook.fix-permissions40
-rwxr-xr-xdehydrated/share/hooks/exit_hook.service-reload112
-rw-r--r--dehydrated/share/logrotate/dehydrated13
-rw-r--r--dehydrated/share/man/Makefile59
-rw-r--r--dehydrated/share/man/dehydrated-cron.1.rst95
-rw-r--r--dehydrated/share/man/dehydrated-hook.1.rst108
-rw-r--r--dehydrated/share/man/dehydrated-nsupdate.1.rst170
-rw-r--r--dehydrated/share/man/man.in19
13 files changed, 817 insertions, 0 deletions
diff --git a/dehydrated/share/cron/dehydrated b/dehydrated/share/cron/dehydrated
new file mode 100755
index 0000000..bece74f
--- /dev/null
+++ b/dehydrated/share/cron/dehydrated
@@ -0,0 +1,3 @@
+# /etc/cron.d/dehydrated
+
+@reboot root /usr/bin/dehydrated-cron
diff --git a/dehydrated/share/hooks/deploy_cert.chrony b/dehydrated/share/hooks/deploy_cert.chrony
new file mode 100755
index 0000000..b6744ff
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_cert.chrony
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+if grep -Eqrs '^ *ntsservercert' /etc/chrony
+then
+ echo -n " + Copying certificate for chrony..."
+
+ # https://bugs.debian.org/1013882
+ cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem
+ cp -fL "${KEYFILE}" /etc/chrony/key.pem
+
+ chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem
+
+ echo " done."
+fi
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra
new file mode 100755
index 0000000..56ca2f4
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_cert.extra
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo -n " + Creating extra certificate files..."
+
+DIRECTORY="$(dirname "${CERTFILE}")"
+
+# root and intermediate CA
+TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
+grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
+
+mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
+ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+
+# extra certificate permutations:
+# * privkey_fullchain.pem: postfix
+for EXTRA in fullchain_privkey privkey_fullchain
+do
+ EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')"
+ EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')"
+
+ cat "${DIRECTORY}/${EXTRA1}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}_${EXTRA2}-${TIMESTAMP}.pem"
+ ln -sf "${EXTRA1}_${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem"
+done
+
+echo " done."
diff --git a/dehydrated/share/hooks/deploy_ocsp.extra b/dehydrated/share/hooks/deploy_ocsp.extra
new file mode 100755
index 0000000..35a13f6
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_ocsp.extra
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo " + Creating extra ocsp links..."
+
+DIRECTORY="$(dirname "${OCSPFILE}")"
+OCSP="$(readlink "${OCSPFILE}")"
+
+for EXTRA in fullchain_privkey privkey_fullchain
+do
+ EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')"
+ EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')"
+
+ ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem.ocsp"
+done
+
+echo " done."
diff --git a/dehydrated/share/hooks/exit_hook.extra-cleanup b/dehydrated/share/hooks/exit_hook.extra-cleanup
new file mode 100755
index 0000000..59e203e
--- /dev/null
+++ b/dehydrated/share/hooks/exit_hook.extra-cleanup
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo -n " + Cleanup extra certificate files..."
+
+for EXTRA in root intermediate fullchain_privkey privkey_fullchain
+do
+ for CERTIFICATE in "${CERTDIR}"/*/
+ do
+ if ! ls "${CERTIFICATE}"/${EXTRA}*.pem > /dev/null 2>&1
+ then
+ continue
+ fi
+
+ SYMLINK="${CERTIFICATE}/${EXTRA}.pem"
+ ORIGINAL="$(readlink -f "${SYMLINK}")"
+
+ if [ -e "${SYMLINK}" ] && [ ! -e "${ORIGINAL}" ]
+ then
+ # remove dangling symlink
+ rm -f "${SYMLINK}"
+ fi
+
+ if [ -e "${SYMLINK}.ocsp" ] && [ ! -e "${ORIGINAL}.ocsp" ]
+ then
+ # remove dangling symlink
+ rm -f "${SYMLINK}.ocsp"
+ fi
+
+ if [ -e "${SYMLINK}" ]
+ then
+ for FILE in "${CERTIFICATE}/${EXTRA}"-[0-9]*.pem
+ do
+ case "$(basename "${FILE}")" in
+ "$(basename "${ORIGINAL}")")
+ continue
+ ;;
+
+ *)
+ # archive unused files
+ ARCHIVE="${BASEDIR}/archive/$(basename "${CERTIFICATE}")"
+ mkdir -p "${ARCHIVE}"
+
+ mv "${FILE}" "${ARCHIVE}"
+
+ if [ -e "${FILE}.ocsp" ]
+ then
+ mv "${FILE}.ocsp" "${ARCHIVE}"
+ fi
+ ;;
+ esac
+ done
+ fi
+ done
+done
+
+echo " done."
diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions
new file mode 100755
index 0000000..aa15553
--- /dev/null
+++ b/dehydrated/share/hooks/exit_hook.fix-permissions
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+if [ ! -e "${CERTDIR}" ]
+then
+ exit 0
+fi
+
+if getent group ssl-cert > /dev/null 2>&1
+then
+ echo -n " + Fixing file owner and permissions..."
+
+ # https://bugs.debian.org/854431
+ chown -R root:ssl-cert "${CERTDIR}"
+
+ find "${CERTDIR}" -type d -exec chmod 0750 {} \;
+ find "${CERTDIR}" -type f -exec chmod 0640 {} \;
+
+ echo " done."
+fi
diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload
new file mode 100755
index 0000000..c62c133
--- /dev/null
+++ b/dehydrated/share/hooks/exit_hook.service-reload
@@ -0,0 +1,112 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+Run_apache2 ()
+{
+ if grep -Eqrs '^ *SSLCertificateFile' /etc/apache2/sites-enabled
+ then
+ service apache2 stop
+ service apache2 start
+ fi
+}
+
+Run_chrony ()
+{
+ if grep -Eqrs '^ *ntsservercert' /etc/chrony/chrony.conf /etc/chrony/conf.d/*
+ then
+ service chrony restart
+ fi
+}
+
+Run_haproxy ()
+{
+ if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#'
+ then
+ service haproxy reload
+ fi
+}
+
+Run_knot_resolver ()
+{
+ if grep -Eqrs '^ *net.tls' /etc/knot-resolver/*
+ then
+ INSTANCES="$(systemctl | grep -c 'kresd@*.service')"
+
+ if [ "${INSTANCES}" -gt 0 ]
+ then
+ for INSTANCE in $(seq 1 "${INSTANCES}")
+ do
+ service kresd@"${INSTANCE}" restart
+ done
+ fi
+ fi
+}
+
+Run_postfix ()
+{
+ if grep -Eqrs '^ *smtpd_tls' /etc/postfix/main.cf
+ then
+ service postfix restart
+ fi
+}
+
+Run_postgresql ()
+{
+ if grep -Eqrs '^ *ssl_cert_file' /etc/postgresql/*
+ then
+ service postgresql reload
+ fi
+}
+
+Run_redis_sentinel ()
+{
+ if grep -Eqrs '^ *tls-cert-file' /etc/redis/sentinel.conf
+ then
+ service redis-sentinel restart
+ fi
+}
+
+Run_redis_server ()
+{
+ if grep -Eqrs '^ *tls-cert-file' /etc/redis/redis.conf
+ then
+ service redis-server restart
+ fi
+}
+
+echo " + Reloading services:"
+
+SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server"
+
+for SERVICE in ${SERVICES}
+do
+ if service "${SERVICE}" status > /dev/null 2>&1
+ then
+ echo -n " + ${SERVICE}:"
+
+ RELOAD="Run_$(echo "${SERVICE}" | sed -e 's|-|_|g')"
+ ${RELOAD}
+
+ echo " done."
+ fi
+done
diff --git a/dehydrated/share/logrotate/dehydrated b/dehydrated/share/logrotate/dehydrated
new file mode 100644
index 0000000..385a4aa
--- /dev/null
+++ b/dehydrated/share/logrotate/dehydrated
@@ -0,0 +1,13 @@
+# /etc/logrotate.d/dehydrated
+
+/var/log/dehydrated/dehydrated.log {
+ compress
+ create 0640 root adm
+ dateext
+ dateformat -%Y%m
+ dateyesterday
+ missingok
+ monthly
+ notifempty
+ rotate 12
+}
diff --git a/dehydrated/share/man/Makefile b/dehydrated/share/man/Makefile
new file mode 100644
index 0000000..a6d6bf2
--- /dev/null
+++ b/dehydrated/share/man/Makefile
@@ -0,0 +1,59 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+# Depends: python3-docutils
+
+RST2MAN = rst2man \
+ --no-datestamp \
+ --no-generator \
+ --strict \
+ --strip-comments \
+ --tab-width=4 \
+ --verbose
+
+VERSION := $(shell cat ../../../VERSION.txt)
+
+SHELL := sh -e
+
+all: build
+
+build: man
+
+man: man.in *.rst
+ @echo -n "Creating manpages... "
+
+ @for FILE in *.rst; \
+ do \
+ cp man.in $$(basename $${FILE} .rst); \
+ $(RST2MAN) $${FILE} | \
+ sed -e '/^.\\" Man page generated/d' \
+ -e '/^.\\" Generated by/d' \
+ -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} service-tools |" \
+ >> $$(basename $${FILE} .rst); \
+ echo -n "."; \
+ done
+
+ @echo " done."
+
+clean:
+ rm -f *.[0-9]
+
+distclean: clean
+
+rebuild: clean build
diff --git a/dehydrated/share/man/dehydrated-cron.1.rst b/dehydrated/share/man/dehydrated-cron.1.rst
new file mode 100644
index 0000000..cd93a30
--- /dev/null
+++ b/dehydrated/share/man/dehydrated-cron.1.rst
@@ -0,0 +1,95 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===============
+dehydrated-cron
+===============
+
+----------------------------------------------------
+dehydrated cronjob for automatic certificate renewal
+----------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **dehydrated-cron**
+
+Description
+===========
+
+**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority.
+
+The **dehydrated-cron** script runs dehydrated once per day and on system reboot for an automatic certificate renewal.
+
+It uses the dehydrated '--keep-going' option to keep going after encountering an error while creating/renewing multiple certificates. Afterwards it also removes all unused certificates by using the dehydrated '--cleanup-delete' option.
+
+Usage
+=====
+
+Installation
+------------
+
+| sudo ln -s /usr/bin/dehydrated-cron /etc/cron.d/dehydrated
+
+Removal
+-------
+
+| sudo rm -f /etc/cron.d/dehydrated
+
+
+Files
+=====
+
+The following files are used:
+
+/etc/cron.d/dehydrated:
+ cronjob file.
+
+/usr/bin/dehydrated-cron:
+ script that gets executed by cron.
+
+/var/log/dehydrated/dehydrated.log
+ logfile for dehydrated-cron.
+
+See also
+========
+
+| dehydrated(1),
+| dehydrated-hook(1),
+| dehydrated-nsupdate(1).
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/dehydrated-hook.1.rst b/dehydrated/share/man/dehydrated-hook.1.rst
new file mode 100644
index 0000000..de63127
--- /dev/null
+++ b/dehydrated/share/man/dehydrated-hook.1.rst
@@ -0,0 +1,108 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===============
+dehydrated-hook
+===============
+
+-------------------------
+dehydrated run-parts hook
+-------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **dehydrated-hook** 'HANDLER'
+
+Description
+===========
+
+**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority.
+
+The **dehydrated-hook** makes it possible to run multiple scripts in every stage within the process of creating, signing and deploying a certificate.
+
+Scripts need to be placed in /etc/dehydrated/hook.d and need to be prefixed with the name of the handler, e.g. exit_hook.example1 or exit_hook.example2.sh
+
+Handlers
+========
+
+The following **dehydrated** handlers are available:
+
+|
+| deploy_challenge
+| clean_challenge
+| sync_cert
+| deploy_cert
+| deploy_ocsp
+| unchanged_cert
+| invalid_challenge
+| request_failure
+| generate_csr
+| startup_hook
+| exit_hook
+
+Usage
+=====
+
+Installation
+------------
+
+| sudo echo HOOK="/usr/bin/dehydrated-hook" > /etc/dehydrated/conf.d/zz-hook.sh
+| sudo mkdir -p /etc/dehydrated/hook.d
+
+Removal
+-------
+
+| sudo rm -f /etc/dehydrated/conf.d/zz-hook.sh
+| sudo rmdir /etc/dehydrated/hook.d
+
+Files
+=====
+
+The following files are used:
+
+/etc/dehydrated/hook.d:
+ directory to place individual hooks.
+
+See also
+========
+
+| dehydrated(1),
+| dehydrated-cron(1),
+| dehydrated-nsupdate(1).
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst
new file mode 100644
index 0000000..d4b097b
--- /dev/null
+++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst
@@ -0,0 +1,170 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===================
+dehydrated-nsupdate
+===================
+
+---------------------------------------
+dehydrated hook for dns-01 verification
+---------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **dehydrated-nsupdate**
+
+Description
+===========
+
+**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority.
+
+The **dehydrated-nsupdate** hook implements the dns-01 verification. It is typically run together with **dehydrated-hook** as:
+
+|
+| /etc/dehydrated/hook.d/deploy_challenge.nsupdate
+| /etc/dehydrated/hook.d/clean_challenge.nsupdate
+
+Features
+========
+
+**dehydrated-nsupdate** has the following features:
+
+Automatic nameserver detection (IPv4 and IPv6)
+----------------------------------------------
+
+dehydrated-nsupdate automatically finds and updates all authoritative nameservers for a given record by looking up the records in the DNS by itself, supporting IPv6-only, IPv4-only, and dual-stacked environments.
+
+Proper CNAME support
+--------------------
+
+dehydrated-nsupdate follows CNAMEs delegating the TXT record update to another zone.
+
+Handling nameserver subzone shortcuts
+-------------------------------------
+
+dehydrated-nsupdate correctly handles authoritative nameserver answers that (wrongly) give shortcut answers for their own zones when using multiple authoritative subzones on the same nameservers.
+
+TSIG support
+------------
+
+dehydrated-nsupdate uses TSIG, if provided, to authenticate itself to the nameserver. Additionally to a global TSIG to be used for all record updates, separate TSIGs can individually be specified per record, per zone, and per nameserver.
+
+Proper removal of TXT records
+-----------------------------
+
+dehydrated-nsupdate removes records after succesfull verification.
+
+bind9-dnsutils and knot-dnsutils support
+----------------------------------------
+
+dehydrated-nsupdate works with both nsupdate (bind9) and knsupdate (knot).
+
+IDN handling
+------------
+
+dehydrated-nsupdate works with IDN domains by not expanding the punycode to update the correct records.
+
+Usage
+=====
+
+dehydrated-hook(1) is a prerequisite for dehydrated-nsupdate.
+
+Installation
+------------
+
+| sudo echo CHALLENGETYPE="dns-01" > /etc/dehydrated/conf.d/zz-challengetype.sh
+| sudo ln -s /usr/bin/dehydrated-nsupdate /etc/dehydrated/hook.d/deploy_challenge.nsupdate
+| sudo ln -s /usr/bin/dehydrated-nsupdate /etc/dehydrated/hook.d/clean_challenge.nsupdate
+
+Removal
+-------
+
+| sudo rm -f /etc/dehydrated/conf.d/zz-challengetype.sh
+| sudo rm -f /etc/dehydrated/hook.d/deploy_challenge.nsupdate
+| sudo rm -f /etc/dehydrated/hook.d/clean_challenge.nsupdate
+
+Configuration
+=============
+
+Depending on the nameserver requirements, dehydrated-nsupdate can send record updates either unauthenticated or using a TSIG (recommended).
+
+A TSIG file consists of one single line containing the key (nsupdate/knsupdate do not allow comments), e.g.:
+
+|
+| hmac-sha512:example:/LXPy6U8HAWA+QmvulZWm0owsQgNf8qJ5MNLTvirzvVtDb+PzLKoBmVHjnL6TUffkvRYa7Do448dSIrAuJ1G/A==
+
+Instead of using a global TSIG for all record update, specific TSIGs can be used individually per record, zone, and nameserver.
+
+The lookup hierarchy is the following (first match wins):
+
+|
+| /etc/dehydrated/tsig/${record}.key
+| /etc/dehydrated/tsig/${zone}.key
+| /etc/dehydrated/tsig/${nameserver}.key
+| /etc/dehydrated/tsig.key
+|
+| TSIG_KEYFILE variable in /etc/default/dehydrated-nsupdate/*
+| TSIG_KEYFILE variable in /etc/default/dehydrated-nsupdate
+
+In order to explicitly not use a TSIG for a specific record, zone, or nameserver, an empty keyfile or a keyfile with only comments can be used, e.g.:
+
+|
+| echo "# disabled" > /etc/dehydrated/tsig/ns1.example.org.key
+
+Files
+=====
+
+The following files are used:
+
+/etc/dehydrated/tsig.key:
+ default location for global TSIG key to be used.
+
+/etc/dehydrated/tsig/${record}.key, /etc/dehydrated/tsig/${zone}.key, /etc/dehydrated/tsig/${nameserver}.key:
+ default locations for specific TSIG keys to be used individually per record, zone, or nameserver.
+
+/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/\*:
+ configuration file, currently only used for TSIG_KEYFILE variable pointing to the location of the global TSIG key to be used (default: /etc/dehydrated/tsig.key).
+
+See also
+========
+
+| dehydrated(1),
+| dehydrated-cron(1),
+| dehydrated-hook(1).
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/man.in b/dehydrated/share/man/man.in
new file mode 100644
index 0000000..f95ca67
--- /dev/null
+++ b/dehydrated/share/man/man.in
@@ -0,0 +1,19 @@
+.\" Open Infrastructure: service-tools
+.\"
+.\" Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+.\"
+.\" SPDX-License-Identifier: GPL-3.0+
+.\"
+.\" This program is free software: you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <https://www.gnu.org/licenses/>.
+.\"