From f18885a0ec90cd7cc5ffc41b515bc8ac6ad33b82 Mon Sep 17 00:00:00 2001
From: Lexi Winter
Date: Tue, 3 Jun 2025 10:10:34 +0100
Subject: domains.conf: support default options
---
 domains.conf.5 | 17 ++++++++++++++++-
 lfacme-renew.sh | 16 ++++++++++++++--
 2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/domains.conf.5 b/domains.conf.5
index c737d49..0f937a6 100644
--- a/domains.conf.5
+++ b/domains.conf.5
@@ -23,6 +23,14 @@ names or options for the certificate.
 If no subject alt names are provided, then the certificate name is used as the common name and subject alt name.
 .Pp
+If the certificate name is
+.Dq * ,
+then this line will not cause a certificate to be issued;
+instead, any options set on this line will apply to all following lines,
+or until another line with the certificate name
+.Dq * ,
+which will replace the previously set options.
+.Pp
 The following options may be set:
 .Bl -tag -width indent
 .It Sy type Ns Li = Ns Ar keytype
@@ -67,11 +75,18 @@ This is not necessarily the certificate's common name.
 .It Sy LFACME_CERTFILE
 The path of a file which contains the public certificate and any issuer certificates, in PEM format.
-.It Sy lFACME_KEYFILE
+.It Sy LFACME_KEYFILE
 The path of a file which contains the private key file in PEM format.
 .El
 .El
 .Sh EXAMPLES
+Set the key type to
+.Dq rsa
+for all certificates.
+.Bd -literal -offset indent
+* type=rsa
+.Ed
+.Pp
 Issue a certificate for
 .Dq example.org
 using the default options.
diff --git a/lfacme-renew.sh b/lfacme-renew.sh
index ce7c7f2..0a487d8 100644
--- a/lfacme-renew.sh
+++ b/lfacme-renew.sh
@@ -109,7 +109,7 @@ _docert() {
 local certfile="${dir}/${identifier}-cert.pem"
 # these can be overridden by args
- local keytype="ec"
+ local keytype=""
 local altnames=""
 local hooks=""
 local domain=""
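Review bot: The comment `# these can be overridden by args` directly above `local keytype=""` no longer tells the reader where the key type's default comes from, because this hunk empties the initialiser and the fallback to `ec` is applied later in `_docert`, after argument parsing (second hunk of this file). Suggest extending it to `# these can be overridden by args; keytype falls back to "ec" below if nothing sets it` so the empty initialiser is not mistaken for a bug. `_docert` continues outside the hunk on both sides.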
@@ -144,6 +144,11 @@ _docert() {
 domain="$identifier"
 fi
+ # Default key type is ec.
+ if [ -z "$keytype" ]; then
+ keytype="ec"
+ fi
+
 # make sure all the hook scripts are valid. if the hook name
 # begins with a '/' it's a full path, otherwise it's related to
 # ACME_HOOKDIR.
@@ -222,11 +227,18 @@ _docert() {
 }
 _exit=0
+_default_args=""
 cat "$_DOMAINS" \
 | egrep -v '^(#|[[:space:]]*$)' \
 | while read identifier args; do
- if ! _docert "$identifier" $args; then
+
+ if [ "$identifier" = "*" ]; then
+ _default_args="$args"
+ continue
+ fi
+
+ if ! _docert "$identifier" $_default_args $args; then
 _exit=1
 fi
 done
--
cgit v1.2.3
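Review bot: The four-line `if [ -z "$keytype" ]; then keytype="ec"; fi` block is the textbook case for the POSIX default-assignment idiom `: "${keytype:=ec}"` (or `keytype="${keytype:-ec}"`), which works on a `local` variable and reads as the default it is. Whichever form is kept, the comment `# Default key type is ec.` should also say why the default is applied here rather than in the declaration, presumably so that a `type=` supplied through the new `*` default line or per-line options can take effect first: `# Default key type is ec; applied after option parsing so type= from the config can override it.` `_docert` starts and ends outside the hunk.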
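Review bot: `_exit=1` in the rewritten `if ! _docert "$identifier" $_default_args $args; then` branch is assigned inside the last stage of the `cat | egrep | while` pipeline, which a POSIX shell runs in a subshell, so the failure is lost when the loop ends and `_exit` (consumed after the hunk) stays 0; this predates the commit, but since the line is being rewritten it is a good moment to feed the loop with a redirection or here-document instead of a pipe (bash's `shopt -s lastpipe` would also do if the script is bash-only — the shebang is outside the hunk). `_default_args` itself is unaffected, as it is set and consumed inside the same subshell. Passing `$_default_args` before `$args` deserves a comment such as `# defaults first so per-line options can override them`, assuming `_docert` lets later arguments win, which is not visible here. Keeping `_default_args` as one string and re-splitting it unquoted matches the existing handling of `$args`, and both share its limitation that option values containing whitespace or glob characters are not supported; domains.conf.5 should state that.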