diff --git a/.gitignore b/.gitignore
index a82d686..a63dccd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /dehydrated-*.tar.gz
+/dehydrated-*.tar.gz.asc
diff --git a/3C2F2605E078A1E18F4793909C4DBE6CF438F333 b/3C2F2605E078A1E18F4793909C4DBE6CF438F333
new file mode 100644
index 0000000..9737767
--- /dev/null
+++ b/3C2F2605E078A1E18F4793909C4DBE6CF438F333
@@ -0,0 +1,149 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: 3C2F 2605 E078 A1E1 8F47 9390 9C4D BE6C F438 F333 +Comment: Lukas Schauer +Comment: Lukas Schauer +Comment: Lukas Schauer +Comment: Lukas Schauer +Comment: Lukas Schauer +Comment: Lukas Schauer + +xsBNBFFfGhMBCADuxAL1vqC7J1AmxMrFGxobyPaY9tmUEueRF+JuUJlk48qSbcWg +zAMEprSgw3HY/15Galu/7g8KxXnlN4WO2vgA6eu1CYx3CoukJ8dc/m6hEMxqwsIW +H/1sI7P2hLGB/6YC3MqgpyZxrXzS3coe/JLLkeOtcnBgeT1VpGnodSEKsK4unkfV +cmheLuF+zMb0t1DFtd//Ka99XtoF7HXW6p/n8NjiAXKkEkTWf+0qsOIzar3Hl7QE +dnEMK1EjDbrqNufTe+TyvM9hVMyDTptvA0EDOj+5Jmt29pWpriOgUgm2D1JgZi9b +YmGnTo149q5bUzfLvsTDI0IS7ClxXIES/dfXABEBAAHNJkx1a2FzIFNjaGF1ZXIg +PGx1a2FzLnNjaGF1ZXJAaC1icnMuZGU+wsCOBBMBCgA4FiEEPC8mBeB4oeGPR5OQ +nE2+bPQ48zMFAmGLB7ECGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQnE2+ +bPQ48zOiHAf9EaE/FleDKNicSlYc2tazUVx+qXiks6ADi40T8bLycu1rtXQCa5wC +G3Ucnx5sWqOOHRwgruWpr5ksl9rFImozQaP6IvVzmWl7o5+7Bki8Bf8a5OU/D4IP +EUdPO+UEoxr54KrSV9Cuk0K2tiENT8WLy+57rMSx49f4AF1svG/FUbMgkENR90Gi +8YxyEGfm2K8yNoPcg9XukUfcL48cI2OH52GMaRpJVDhRG6bNKCJbUoczY249a8Ar +4wWsZMN/ajeA5hFj3J8Ol2rl6h4x4kBVRrgW3nbx2Pu8SRVKwIW3mnNv1PovqDuP +kxDiBLRHIdojyrn0ZDXLkJAavYReQXo2Kc0qTHVrYXMgU2NoYXVlciA8bHVrYXMu +c2NoYXVlckBpbmYuaC1icnMuZGU+wsCOBBMBCgA4FiEEPC8mBeB4oeGPR5OQnE2+ +bPQ48zMFAlqZuscCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQnE2+bPQ4 +8zMsQAgA5ZbXLDtr4di+spbmykqKKvC+7teyaG/5VOTlwjlWBu9Vq5ijdKskogUu +i49e3xC9Pnu3TTYeIDKQ/8GVBojMhQfEzPEWwAupK07dwL4N/VIEIowaYmTIggZb +C0IkyHBG1esg//tFmyC2WGTdKDaCPB0Y+reB+DVkYCcSycSpjxDS3SpDqmyeEm7+ +BFgCsNIPJaj+YEscvJF7S+Bzga3uPitlNdIp4hBW7SpdNi3sx3PguOyHuSkqJm+t +qblgA7p2RVcc4uHpXS77xUw3lI2KMmWkd+yL7Mrfspc+cDscU4mXEjk8bqM70F4y +C2BnE8hPGURYIsnNbPOCzWXKqNIrRs0mTHVrYXMgU2NoYXVlciA8bHVrYXMyNTEx +QGtvZWxuLmNjYy5kZT7CwI4EEwEKADgWIQQ8LyYF4Hih4Y9Hk5CcTb5s9DjzMwUC +ZHIzXwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCcTb5s9DjzMxOKCADr +S9SUhsh7e+pyQ2+8dof41moWsJOyNygFZLCgJVHqhaSG/k83C0/UIjxsPKzJS/RO +6pBMTns02tGh7UVx+4X/frMOH5LHtUIX91qRRMFyq+ulbNQpGCJ05JGyxwgAZ7N0 
+eWrSTR5CTeCR3imxeN4pqQTMrn+u5Zvwo0BtrUnZuS0m1cBwMuocrdvl3hZFwlL/ +fOYLObqzrVsygRQerZqt7WxFIeJCqslHdrxrI05UNU+rhO5ECHAWWtSp8iC71F7r +QerDeX8Bbw7zVFxxL/+XdkXSrVkA3TcKwyHizlnrBEDaZLbRri5SR6x3wF3L4D35 +QsxEUtDDR4sPIhF1sJDQzR5MdWthcyBTY2hhdWVyIDxsdWthc0Bmc2xhYi5kZT7C +wI4EEwEKADgWIQQ8LyYF4Hih4Y9Hk5CcTb5s9DjzMwUCWsTl3gIbAwULCQgHAwUV +CgkICwUWAgMBAAIeAQIXgAAKCRCcTb5s9DjzM0TrB/0YkMpsYbcyk5Ly+nhFKi3E +U3Q20XBTFTBDG957+djPhjHO6brnKBCXi87F6eGKTmCmAtN9GSciwVQ9J23Qc8dI +b3/gNT4WtqwFqzBoVzeyk/fBoda5kRpdczwu/4fc61U/4UUPmR9JuRoCDgRKjYQ0 +MDAv92tDfIPbK4yVE6PsU0/7aPuaa9u4V+g3J1V5ILazhrsAyGTh3AFDGmGICcAt +rwsPOyYEHC8bzGch4AqOFCLEsPJBOuGZdueryBtIcIpt9dMwz0dNVwuDldoUWzuE +vGGf0N2gRqMnRcXYrkIKOKqoqSQZb/uwTCagk9oRP6LOuVaR7N6Nwaul9NwyOXV0 +zSFMdWthcyBTY2hhdWVyIDxsdWthc0BzY2hhdWVyLmRldj7CwI4EEwEKADgWIQQ8 +LyYF4Hih4Y9Hk5CcTb5s9DjzMwUCYYsIrgIbAwULCQgHAwUVCgkICwUWAgMBAAIe +AQIXgAAKCRCcTb5s9DjzM0xYCACpqhuKTb7Dcy/5SwmWCdFtMMeaORd321+IV0lY +3JG55blOsBgIZujaLWK9sVlE5FS3x6EaQYHEUUu1cEBJlUT9T1Ko5qo/6zz7Y2ic +NK5LPfCPYDirGLYsSK08R/ts2E6IL09u3cFWaiZbvDepjnEakgyNpVcJYlhXayie +DH7t3Om6FPte3ihyT5J5fP6tW1PD0s7HjIFSErmQ1CpgrL5MkGoShcWpYt9IDcmo +7Q8LQE/M/CNCULEnEXXvdtdWL9HsbXlKwIok2ReJ8N4XlcKdaucgP3oTSqtX0/yC +TrytyhTemHgIaXRb3rYcXntQcJHFDlU6K/iWL5ib5bUb53AEwsCOBBMBCgA4FiEE +PC8mBeB4oeGPR5OQnE2+bPQ48zMFAl+9ZiQCGwMFCwkIBwMFFQoJCAsFFgIDAQAC +HgECF4AACgkQnE2+bPQ48zPzJgf/TUZJLdwue6xbI6nz9QynyHn8dM6F5nEz4zEx +Go+lEqR9prXvKVG7xecEMGYuydtS/vzYkLy6pnXDGzkUBgues7CWATz05MezjH+6 +k49EKm0nOubANpCeBVw+hBvtxqBWcdxY2gS7Nl4Qt33hXmAl0A/sn4Yt4bXC3m1e +8nQthj/hMsKiw5gXT3nGZc62fyZPLY6qTDO8L+9j8JhzNoE7dhh5vK5STYpFPY3k +sjUuiAIRqiH+rMshBMaCSWAuTBh0Kv2rzFbtVBhoarSmyaZ+LsFVEV+MXaUN2sv/ +gEta75uKlOYSGwTvecGjm4xtjHjor9DJ16+gJBHwcjnsV6e6+c0gTHVrYXMgU2No +YXVlciA8bHVrYXNAc2NoYXVlci5zbz7CwJMEEwEKACYCGwMHCwkIBwMCAQYVCAIJ +CgsEFgIDAQIeAQIXgAUCVczrqQIZAQAhCRCcTb5s9DjzMxYhBDwvJgXgeKHhj0eT +kJxNvmz0OPMzdycIANghzH+bFgEhJdfIwOX6D4Id3B746XdZmRNbWLToIbJbJflD +TjgZUGNLtmbH8Hv57ss8ssNmkp0nB+c2fb6Ar/Tl3sEheJM49PWbI96ERqSDhr+f 
+mKKhOEjptwQTAy1prBAvTZ1LbyN9ChJwf00nU3tjBfvS19z8ZFGATY6yBGvnbxHn +qz+n06COcBXsz8dsAtDzvxCMMhfSmgL+PAere8pJCLi3WklazbkzjuKqsfd02GJC +CH/OeLmrtyBG8fkQzVpg4zDFgdetiqvc2bJeYYGmvPhBYtqgTWm8iZvfVRIyN2fF +br04b3hx6eXVjRHSp2+d10so2fVD6Cf3gidBX4LCwJAEEwECACMFAlIeIN8CGwMH +CwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAhCRCcTb5s9DjzMxYhBDwvJgXgeKHh +j0eTkJxNvmz0OPMz0cYH/2NaSfR+rgeq5gmt1R6MYby5Fa7lEqSPiVzVIcKVFlCj +RNcpO/I5o0YTDGX+1DGIn8hpLiv9P3BK5La+Y/JKidq+tITp5pAt4xKuR9ISnxs4 +aLHp1L80fXBDWM4J5v+ATVls9SNeo5FkXBBo3gvMtN91N0467XOn9Iy3u0ei86LK +VAlis6fFlFoE4KqQMoyWOiOOGOkKU45kRerdTc9skccX9jQGzkFpEk7nrrIC1WMr +6i2edbt37LgycW0IgZzbdGRmEgwSq7OfUb4NF49XAb9be0q8x7sMoogkLBGizL2A +soJO6kZmQWejygNIBPKGCK+X9dCsdDI6p67PMJqXoIjOwE0EUV8aEwEIAM1d0x6B +/PUlXfUzkTlYtFmfm67OOPW2EImld+53RgVc/HGY9RyYP0YwxNs1mjWalzJYV6/a +Q9xke/Dz0pLYwIl2c1TCzwinqgymkR17krDJ/+hj2GZBsiEHlMDbWskgwIc7Wldh +cmxsOvsvRrHSCcw7ZFD+iA9l6XJoUrtP9QhJLaj6WoX0fU377t3me6hji5387pzY +oDKiq8cfJu4q/K6oB42kmo+LPVub+DvBBZPDakDnE46v0LfbgvPqjaVxM2KHjqll +epk1CIOAbUbtyC9kVuavDgnIOMe1couHsy0+7fXeQE0xMLPjGGZAXt6OVI8o/1Ib +gA2EbiVR225Tu2cAEQEAAcLAdgQYAQIACQUCUV8aEwIbDAAhCRCcTb5s9DjzMxYh +BDwvJgXgeKHhj0eTkJxNvmz0OPMzT1wIAIZ0Q23vWXHnoSPMfpbmj8U5gcdObh7B +x+AZIdaZ1JyryA4jjXiQGQ6D12z0gxC3mGnrSFe15LEbWXSrERdsxftw7kU2eN6v ++KRzA8NLp5nZrkaeL+H9QVGdVhzDZz7tQACCi6zCHCpuRVStEwOh0bYNPTl9Ah2B +9tAtQFbmoVOhL8Jc3O8bjuOoERRL+YUy1mAXb6bJTZu4yUheZqtOLQoRgy3SB4Ze +GlLYM32JCtDNDyCNXP8QGB0dsRk6wdbgkxBrJxi+i48VWoIhxmg3Szxz0CKWoS71 +XxcstYDTNFULwWnqb9mkxfy3aRVB0EowdvU1TPRv64fKcA0JFBQYoiDOwU0EWpna +/QEQAJqV4HrVPY3MiFYjBbxVl9isBIRG73ySOcOFLKILe1PUre2gz5cIvFzoM+jQ +vtZH5lxndUaC6NEAxFLZVICLIkXF0mv0DreLrjbN+bZiqh1FQ6qJvKKvMSwSTZAh +e/2Fe5frKImEEKlpxB/JdMMTbESHeGs1523Yndmcd6DsgpjfTdoX2b9MmwtBZipE +2ybyzoFo7QDjioIsPTerAvZLf/EsfC8X5XG6uGDE7u/k0i/EnefBmqErXeV3hziq ++YLN0Ja7ltGsl6B0ZLb86HMSj2ZpuGkzWrDzX3JyZVGDMrBie/wKXCxWAOaAwOfJ +F3BTp3LA5Bajg6VzJMGxoQUGiXcoJxAixwC9jUlIj48K3nnS9Wz3mAa3N/UXIr81 +wEKhGpSW+/KuQdLjLXW9W1BF+cJWze0yA6eJzLiQYt6R64p9jIKTWUaPnVg6yrB6 
+vbAeecFLZPqjXnzVcb51GvuTWrKK7PyvNIyic59XZaNujC+Cc4L5AS1svA7VcOAW +Hepl3F5JwNhYcKxgpY7J5FCq24B3/xQ4UQb52hh6Rfhv4s9KoeaqDGhObBZ6cBz9 +SVqGGipnyQq6vg7h5Az3hcrC6/blf/IibtkXJzf8Z3N/Jk3zg3AQszy79oqz5K/S +H9Da7Q8drpMWABFldro5eqZ83Agvnje31it/pHJ+ZBYn+dXBABEBAAHCwHYEGAEK +ACAWIQQ8LyYF4Hih4Y9Hk5CcTb5s9DjzMwUCWpna/QIbIAAKCRCcTb5s9DjzM2rH +CADYzgi9AQdCbbjCmrrXqY1dom2zz34tZrIvFnm0IMzmXv8mXxwBnWbVC+K6m/nk +sidv9F9HkErEkc8JVDchnFwVxTEISPQZlg7WHKZri2ILL0NMOzqCpQbJZH1ZkSIh +sizlD/fJ9Dl/nyzJoJN9TUXe10m7zGURaR9+BB/I5UqaeXI1zJDbFg36vDh1NUNJ +YUMl+WFjhbOsMcC9FZbQ3IuBzWrWzljtFNwYj3L5JINu+SiBhknJpRAF4Y2lQYEA +6rQkFR6/k2N9FpetK6hmSo0m/lGC4OvffFEDHKZ8uD5LenRgl8JQSgjHTKViZxCL +pOgUUMWJjqJmuOp9orbdFSXKzsFNBFqZxdUBEAC13KtkbRv6sBOgqFW3RuGRq0MJ +82j3HLbWla8FuvnzEM8ekK7Zb7a3q4aLT/P0hKyIrYunKgpKo4mYR5hX8uMQ84Ux +A/wW9vhM55iDfNxMS7tC3bLICNddz3Xn3do6nwWh3u5hU6ISm3Te/w2ofZtIT2H2 +Y+O9avLfZLQ5SHVL0wwNNXOpJa3VmCn5CeZ7MADnlRMK+vRE20et8mjEkRZMVqwA +jDnQCQi9Qh/EQAl82yI4P6a2HZuDb4iVi/U1rGtZnAS11eIrjp2+WPuECcMkSg3i +fA2gk1Qt1CFQSurTPQfDJEB/nf7atdRajAjF27fgSWAppKbBNn7zjH8HOpxWt0QS +0Lj371eDJmKV0F5r+kZRLaiCT8kksVNR6P5wEQgYvDIUQbWskSbMFzu8oMGt+AKS +fm2341itRNoyjwMGPTTuFkjMRcaLuygheZIbWa3sSny955qNxiujBYdJrYHMn/ja +WYKQA0F6LYyuFgwmUJGc3qdibZ3/Mj8MU/f7uodC23IJTGuFHNJFy9uYzCmTkptG +0yVsSs8fPSjToxdiEb2dgp7XT37qQDrWMIzgFg2WOcyFR6mSwjre2VogPXog2o+i +2l/7ze9Lx+9gF9wZcOvP3pJMS8b9ALIJT48w0mricBcblUWD5IJ4X3NgGn9fJMcH +NtSS4dCyOhAxPYB5wQARAQABwsB2BCgBCgAgFiEEPC8mBeB4oeGPR5OQnE2+bPQ4 +8zMFAlqZ2uACHQMACgkQnE2+bPQ48zPlhQgA4tu4Wey8dT/NTDZZiihT77wxdcXP +w5wO6Bg/lr9BRVJh73kiTIRzQbH3LDnP7y2ZIAH192k6wmM1PFrl9ivaKVocq5Iu +AuJmUQ47vRj0o4zHGss0G6js1K9P2oqt0v2evDK1VRNunOQNA7fubwYL1Mb0J4pl +dfOBKpFzUpo6MKhSKiU4rcNrBYAlbM5m7z6h6PNal/bXWhjJv5HnJD73CqNpinuz +RwefjQqtrjz3kjm8Ss8DhVuVYi3damDiIvQFuOabBWtuGPtnHX0QgH5qS+kIDPYp +zPJTabKAFLuZwZWFRM7WZilELrZfAZrcXFaPdTYCyfPdiLM5BmIHA7r7gcLAdgQY +AQoAIBYhBDwvJgXgeKHhj0eTkJxNvmz0OPMzBQJamcXVAhsgAAoJEJxNvmz0OPMz +T2oIAI56dTjge+TgsloxgGu+Ajlu/eH+oOhyqulqMasWYUemTlQKwGEtrHRNFMB2 
+dWOmSWAcJgQ2w3nLmpugFquusZ1zZO7Dkgzw8Krz8a93OXdR08qew8xDSbHGNT6W +20bnP3fGIKt/FwT3Sus5WfWpAjVxsDF7LPy4p4DYGJchi+VSIjwSKR+4cAVP/xBi +evicQSEdZpc2idCEmJtBTDo75dALiEt5vYzCvteFJagI18PzCCdIT+YhONrf8w8j +4CAlh1ZpYqjCb1Vp774YDPqZxn1MBXa8+tCO5rw8F6P6kOE291mblSMQ/3ED6kx/ +yLl3pAvi+WLjSZiq64goYOxF2PjOwU0EW5UcwgEQAM9Hn/9qevhbi6CRF7DBhqDR +KCG/+vWMsyercQgFqd10n4DmRJy3ZBe2035UrnOANJ/l+y8c/wAAPTeSJHhXHZqh +Kd968H118UMe6o9xb7gjDCUmUoEnDEmvM3sygbd76jBeS/6CWfLviRj4eeHuifUw +y9uljVtcqvo2ZiOxuVPKlh2MZU8CCil3WHU+8ZsypSl/sXgljk+QajTm5lFVOS37 +7s72hkekGs9XE+nZqY72v3PD1oev9f1ARwsStFm4WajJ4eWjlmp5NshGowd5Cb6F +0m7iDanqqNNnsJZS6IMEqw8rFJLihtpqkYHRJ9yYq1nofP2wzJraPYAp2zV6hmw8 +45mfkkGYybfSyUtoV21REq6C/0sV7khAzjIa+a7V/6fks6+xlpR9yck97Hgo+iSU +WchacxjSVlvcibf9CadiYYSaN/8JlxM/QSx39AxTrfBI7NZMnR5wmYKCUhskb+rR +QjKWXmkuyaDuVA4dmahZL3OawqSGbt91mpdZIh3tvEP1vGPKnHqt+9WcTQSuPYDY +bM1nXwN5+ZzYlCg92rk8nzdGjPyBT4BkCeGVsjYoY3OcyY/mfyqkfFoqi+4p8/VJ +Il560v3SJW7ZwMRiAWV4WTwsxk0Z4nnQuNy9zbD7wNWUywK3oOkaTBZS7s/bCKWH +dDs0ED0OcdzThAH1aS3vABEBAAHCwHYEGAEKACAWIQQ8LyYF4Hih4Y9Hk5CcTb5s +9DjzMwUCW5UcwgIbIAAKCRCcTb5s9DjzMxJGB/9vTHH4v1GQho6QDVUrn7qd9DWN +4L+OECYIMc0WS4v1OLiFdJvNXQUuldQUqttF5Fb211RFNnXE8F8GyBWbIkyFV+Kr +Sj7uncbmoijnFEsFUh8NSWF9XGDMlvRxV7njGIBNXu0Zks5rydOT9LStuQO9lYYR +Cvzfyi/ZT/Qu6VKcIcoDazU/PqyAmWbbsncdAibvhjumEHCVw0MNdl6h9XhCI69b +dssYonLOao4NX8Kf1+vu1q39oVI5E2DEAOG6/FOXGa1Y73iBcccd7c26HnCY4CkJ +ekb/rlxYhCOaoqRGiSmODvfl6IkQdGhiEjXrgJmT9SWmA8SFMikCen8Tvfdg +=rFgw +-----END PGP PUBLIC KEY BLOCK----- diff --git a/50-dehydrated.preset b/50-dehydrated.preset new file mode 100644 index 0000000..ea5c6ad --- /dev/null +++ b/50-dehydrated.preset @@ -0,0 +1 @@ +enable dehydrated.timer diff --git a/dehydrated-autowash.patch b/dehydrated-autowash.patch new file mode 100644 index 0000000..22b9e31 --- /dev/null +++ b/dehydrated-autowash.patch 
@@ -0,0 +1,12 @@
+diff -up dehydrated-0.7.0/dehydrated.autowash dehydrated-0.7.0/dehydrated
+--- dehydrated-0.7.0/dehydrated.autowash 2021-01-22 13:11:47.018517599 +0200
++++ dehydrated-0.7.0/dehydrated 2021-01-22 13:12:44.673042823 +0200
+@@ -1734,7 +1734,7 @@ command_sign_domains() {
+
+ [[ -n "${HOOK}" ]] && ("${HOOK}" "exit_hook" || echo 'exit_hook returned with non-zero exit code!' >&2)
+ if [[ "${AUTO_CLEANUP}" == "yes" ]]; then
+- echo "+ Running automatic cleanup"
++ echo " + Running automatic cleanup"
+ command_cleanup noinit
+ fi
+
diff --git a/dehydrated-cron b/dehydrated-cron
new file mode 100644
index 0000000..75c9976
--- /dev/null
+++ b/dehydrated-cron
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Run dehydrated if there is configured domains
+if [ -s /etc/dehydrated/domains.txt ]; then
+ tempfile=$(mktemp -p /run/dehydrated)
+ if [ $? -gt 0 ]; then
+ echo "ERROR, could not create tempfile" >&2
+ exit 1
+ else
+ # clean up tempfile on exit
+ trap "rm -f ${tempfile}" EXIT TERM
+ fi
+ set -o pipefail
+ /usr/bin/dehydrated --cron 2>&1 | tee -a ${tempfile}
+ RC=$?
+ if [ ${RC} -gt 0 ]; then
+ cat ${tempfile} | mailx -S sendwait -s "dehydrated --cron returned error" ${NOTIFY_EMAIL:=root}
+ fi
+ exit ${RC}
+else
+ echo "No domains configured" >&2
+fi
diff --git a/dehydrated-hook.sh-defaults.patch b/dehydrated-hook.sh-defaults.patch
new file mode 100644
index 0000000..495fa3c
--- /dev/null
+++ b/dehydrated-hook.sh-defaults.patch
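Review bot: The `trap "rm -f ${tempfile}" EXIT TERM` line in dehydrated-cron installs a TERM handler that deletes the tempfile but does not exit, so after a SIGTERM the script continues to the `RC` check and can end up piping a file that no longer exists into mailx. Keeping cleanup on EXIT only and turning TERM into an exit leaves a single cleanup path: `trap 'rm -f "${tempfile}"' EXIT` plus `trap 'exit 143' TERM`. The single quotes also defer expansion and keep the path quoted; `${tempfile}` is likewise unquoted on the `tee -a` and `cat` lines. The same `EXIT TERM` pattern is added to `init_system()` by dehydrated-improve-trap-handling.patch, where `remove_lock` would release the lock on TERM while the run itself carries on; that function's body continues outside the inner hunk.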
@@ -0,0 +1,52 @@
+diff -up dehydrated-0.7.1/docs/examples/hook.sh.orig dehydrated-0.7.1/docs/examples/hook.sh
+--- dehydrated-0.7.1/docs/examples/hook.sh.orig 2022-10-31 15:12:38.000000000 +0100
++++ dehydrated-0.7.1/docs/examples/hook.sh 2023-05-31 03:12:35.312025334 +0200
+@@ -21,7 +21,7 @@ deploy_challenge() {
+ # be found in the $TOKEN_FILENAME file.
+
+ # Simple example: Use nsupdate with local named
+- # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
++ # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 30 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /etc/named/session.key
+ }
+
+ clean_challenge() {
+@@ -34,7 +34,7 @@ clean_challenge() {
+ # The parameters are the same as for deploy_challenge.
+
+ # Simple example: Use nsupdate with local named
+- # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
++ # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /etc/named/session.key
+ }
+
+ sync_cert() {
+@@ -86,8 +86,14 @@ deploy_cert() {
+ # Timestamp when the specified certificate was created.
+
+ # Simple example: Copy file to nginx config
+- # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
+- # systemctl reload nginx
++ # umask=$(umask) # save original umask
++ # umask 077 # use secure umask for key file creation
++ # cat "${KEYFILE}" > /etc/pki/tls/private/${DOMAIN}.key
++ # touch --reference="${KEYFILE}" /etc/pki/tls/private/${DOMAIN}.key
++ # umask 022 # wider permission for certificates
++ # cat "${FULLCHAINFILE}" > /etc/pki/tls/certs/${DOMAIN}.crt
++ # umask ${umask} # restore umask
++ # systemctl reload nginx.service
+ }
+
+ deploy_ocsp() {
+@@ -214,6 +220,13 @@ exit_hook() {
+ # Contains error message if dehydrated exits with error
+ }
+
++# Include local overrides for hook.sh functions
++if [ -d /etc/dehydrated/hook.d ]; then
++ for localhook in $(ls -1 /etc/dehydrated/hook.d/*.sh 2>/dev/null); do
++ . "${localhook}"
++ done
++fi
++
+ HANDLER="$1"; shift
+ if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
+ "$HANDLER" "$@"
diff --git a/dehydrated-improve-trap-handling.patch b/dehydrated-improve-trap-handling.patch
new file mode 100644
index 0000000..a4da047
--- /dev/null
+++ b/dehydrated-improve-trap-handling.patch
@@ -0,0 +1,12 @@
+diff -up dehydrated-0.7.0/dehydrated.improve-trap-handling dehydrated-0.7.0/dehydrated
+--- dehydrated-0.7.0/dehydrated.improve-trap-handling 2021-01-23 10:53:56.138791571 +0200
++++ dehydrated-0.7.0/dehydrated 2021-01-23 11:02:55.124007858 +0200
+@@ -528,7 +528,7 @@ init_system() {
+ [[ -w "${LOCKDIR}" ]] || _exiterr "Directory ${LOCKDIR} for LOCKFILE ${LOCKFILE} is not writable, aborting."
+ ( set -C; date > "${LOCKFILE}" ) 2>/dev/null || _exiterr "Lock file '${LOCKFILE}' present, aborting."
+ remove_lock() { rm -f "${LOCKFILE}"; }
+- trap 'remove_lock' EXIT
++ trap 'remove_lock' EXIT TERM
+ fi
+
+ # Get CA URLs
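Review bot: The hook.d loop added near the end of hook.sh (dehydrated-hook.sh-defaults.patch) iterates over `$(ls -1 /etc/dehydrated/hook.d/*.sh 2>/dev/null)`, which word-splits file names before each result is sourced into a script that runs with dehydrated's privileges. A plain glob avoids parsing `ls` output: `for localhook in /etc/dehydrated/hook.d/*.sh; do` with `[ -r "${localhook}" ] && . "${localhook}"` as the body. In the commented deploy_cert example, `umask 077` only applies when the key file is newly created, so an existing `/etc/pki/tls/private/${DOMAIN}.key` keeps whatever mode it already had on renewal; an explicit `chmod 0600` after the write, and quoting `${DOMAIN}` in the target paths, would make the example hold in both cases. The hook.sh functions touched here start and end outside the inner hunks.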
diff --git a/dehydrated.service b/dehydrated.service
new file mode 100644
index 0000000..6a55914
--- /dev/null
+++ b/dehydrated.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=dehydrated client for signing certificates with an ACME server
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/dehydrated-cron
diff --git a/dehydrated.spec b/dehydrated.spec
index c37c733..eaf1da0 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
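Review bot: dehydrated.service offers no way to set `NOTIFY_EMAIL`, although dehydrated-cron reads it through `${NOTIFY_EMAIL:=root}`, so failure mail always goes to root unless the administrator writes a drop-in. An optional environment file in `[Service]` would make the recipient configurable, for example `EnvironmentFile=-/etc/sysconfig/dehydrated` (the path is a suggestion, not a file this package ships). A comment in the unit naming the variable would tell administrators where to set it.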
@@ -1,20 +1,41 @@ -%{!?_rundir:%global _rundir %%{_localstatedir}/run} - -Summary: A client for signing certificates with an ACME server +Summary: Client for signing certificates with an ACME server Name: dehydrated -Version: 0.6.5 -Release: 1%{?dist} +Version: 0.7.1 +Release: 8%{?dist} License: MIT -URL: https://github.com/lukas2511/dehydrated -Source0: https://github.com/lukas2511/dehydrated/releases/download/v%{version}/%{name}-%{version}.tar.gz -Source1: dehydrated.tmpfiles -Requires: openssl -Requires: curl -Requires: sed -%if 0%{?fedora} || 0%{?rhel} >= 7 -BuildRequires: systemd -%endif +URL: https://github.com/dehydrated-io/dehydrated +Source0: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz +Source1: https://github.com/dehydrated-io/dehydrated/releases/download/v%{version}/dehydrated-%{version}.tar.gz.asc +Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/3C2F2605E078A1E18F4793909C4DBE6CF438F333 +Source3: dehydrated.tmpfiles +Source4: dehydrated.timer +Source5: dehydrated.service +Source6: 50-dehydrated.preset +Source7: dehydrated-cron + +Patch0: dehydrated-autowash.patch +Patch1: dehydrated-improve-trap-handling.patch +Patch2: dehydrated-hook.sh-defaults.patch + BuildArch: noarch +BuildRequires: gnupg2 +BuildRequires: systemd-rpm-macros +%{?systemd_requires} +Requires: coreutils +Requires: curl +Requires: diffutils +Requires: gawk +Requires: grep +%if 0%{?fedora} || 0%{?rhel} >= 9 +# Usually provided by s-nail, historically by mailx +Requires: /usr/bin/mailx +%else +# s-nail (EPEL 8) provides /usr/bin/mailx, mailx (RHEL 8) provides /bin/mailx +Requires: (/usr/bin/mailx or /bin/mailx) +%endif +Requires: openssl +Requires: sed +Requires: util-linux %description This is a client for signing certificates with an ACME-server (currently 
@@ -23,45 +44,70 @@ script. Dehydrated supports both ACME v1 and the new ACME v2 including support for wildcard certificates! Current features: -* Signing of a list of domains -* Signing of a CSR -* Renewal if a certificate is about to expire or SAN (subdomains) changed -* Certificate revocation +- Signing of a list of domains (including wildcard domains!) +- Signing of a custom CSR (either standalone or completely automated using + hooks!) +- Renewal if a certificate is about to expire or defined set of domains changed +- Certificate revocation %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %setup -q +%patch -P0 -p1 -b .autowash +%patch -P1 -p1 -b .improve-trap-handling +%patch -P2 -p1 %build : nothing to do %install +mkdir -p %{buildroot}%{_rundir}/dehydrated mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/accounts mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/archive mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/certs mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/conf.d -mkdir -p %{buildroot}%{_rundir}/dehydrated -%if 0%{?fedora} || 0%{?rhel} >= 7 -install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/dehydrated.conf -%endif +mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/domains.txt.d +mkdir -p %{buildroot}%{_sysconfdir}/dehydrated/hook.d +install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/dehydrated.conf +install -D -p -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/dehydrated.timer +install -D -p -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/dehydrated.service +install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_presetdir}/50-dehydrated.preset +install -D -p -m 0755 %{SOURCE7} %{buildroot}%{_libexecdir}/dehydrated-cron sed \ -e 's|^#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_rundir}/dehydrated/lock"|' \ -e 's|^#CONFIG_D=|CONFIG_D="\${BASEDIR}/conf.d"|' \ -e 's|^#HOOK=|HOOK="\${BASEDIR}/hook.sh"|' \ -e 's|^#PRIVATE_KEY_RENEW="yes"|PRIVATE_KEY_RENEW="no"|' \ + -e 's|^#AUTO_CLEANUP="no"|AUTO_CLEANUP="yes"|' \ + -e 
's|^#KEY_ALGO=secp384r1|KEY_ALGO=rsa|' \ docs/examples/config >%{buildroot}%{_sysconfdir}/dehydrated/config -install -p docs/examples/hook.sh %{buildroot}%{_sysconfdir}/dehydrated/ +touch --reference=docs/examples/config \ + %{buildroot}%{_sysconfdir}/dehydrated/config +sed -i.orig -e 's|^\#!/usr/bin/env bash|#!/bin/bash|' \ + docs/examples/hook.sh +touch --reference=docs/examples/hook.sh.orig \ + docs/examples/hook.sh && rm docs/examples/hook.sh.orig +install -p docs/examples/hook.sh %{buildroot}%{_sysconfdir}/dehydrated/hook.sh +sed -i.orig -e 's|^\#!/usr/bin/env bash|#!/bin/bash|' \ + dehydrated +touch --reference=dehydrated.orig dehydrated && \ + rm dehydrated.orig + install -D -p -m 0755 dehydrated %{buildroot}%{_bindir}/dehydrated -install -D -p -m 0644 docs/man/dehydrated.1 %{buildroot}%{_mandir}/man1/dehydrated.1 +install -D -p -m 0644 docs/man/dehydrated.1 \ + %{buildroot}%{_mandir}/man1/dehydrated.1 rm -rf docs/man/ +# remove execute bits from documentation +chmod a-x docs/examples/hook.sh %post -if [ ! -f %{_sysconfdir}/cron.d/dehydrated ]; then - echo "$(($RANDOM % 60)) $(($RANDOM % 6)) * * $(($RANDOM % 7)) root test -s %{_sysconfdir}/dehydrated/domains.txt && %{_bindir}/dehydrated --cron" \ - >%{_sysconfdir}/cron.d/dehydrated +%systemd_post dehydrated.timer dehydrated.service +if [ $1 -eq 1 ]; then + systemctl start dehydrated.timer >/dev/null 2>&1 || : fi umask=$(umask) umask 027 -if [ -z "$(ls %{_sysconfdir}/dehydrated/conf.d/*.sh 2>/dev/null)" ]; then +if [ -z "$(ls -1 %{_sysconfdir}/dehydrated/conf.d/*.sh 2>/dev/null)" ]; then touch %{_sysconfdir}/dehydrated/conf.d/local.sh fi if [ ! -e %{_sysconfdir}/dehydrated/domains.txt ]; then 
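Review bot: The `sed` expressions in `%install` that rewrite docs/examples/config, including the new `s|^#AUTO_CLEANUP="no"|AUTO_CLEANUP="yes"|` and `s|^#KEY_ALGO=secp384r1|KEY_ALGO=rsa|`, match the example file's commented defaults literally and silently do nothing if a later release words those lines differently. A check after the `sed` would turn a missed substitution into a build failure, for example `grep -q '^KEY_ALGO=rsa$' %{buildroot}%{_sysconfdir}/dehydrated/config`, and likewise for the other overrides. A one-line comment above the `sed` saying why the package keeps RSA rather than the commented secp384r1 value would also help; the changelog entry for rhbz#2035549 looks related, but the spec itself does not say.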
@@ -69,10 +115,25 @@ if [ ! -e %{_sysconfdir}/dehydrated/domains.txt ]; then fi umask ${umask} || : +%preun +%systemd_preun dehydrated.timer dehydrated.service + +%postun +%systemd_postun_with_restart dehydrated.timer +%systemd_postun dehydrated.service + +%triggerun -- dehydrated <= 0.7.0-2 +systemctl preset dehydrated.timer dehydrated.service >/dev/null 2>&1 || : +systemctl start dehydrated.timer >/dev/null 2>&1 || : + %files -%doc README.md docs/* +%doc README.md CHANGELOG docs/* %license LICENSE -%attr(0644,root,root) %ghost %{_sysconfdir}/cron.d/dehydrated +%{_presetdir}/50-dehydrated.preset +%{_unitdir}/dehydrated.service +%{_unitdir}/dehydrated.timer +%{_tmpfilesdir}/dehydrated.conf +%{_libexecdir}/dehydrated-cron %attr(0750,root,root) %dir %{_sysconfdir}/dehydrated %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/dehydrated/config %attr(0750,root,root) %config(noreplace) %{_sysconfdir}/dehydrated/hook.sh 
@@ -82,14 +143,73 @@ umask ${umask} || : %attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/conf.d %attr(0640,root,root) %ghost %{_sysconfdir}/dehydrated/conf.d/local.sh %attr(0640,root,root) %ghost %{_sysconfdir}/dehydrated/domains.txt +%attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/domains.txt.d +%attr(0750,root,root) %dir %{_sysconfdir}/dehydrated/hook.d %attr(0750,root,root) %dir %{_rundir}/dehydrated -%if 0%{?fedora} || 0%{?rhel} >= 7 -%{_tmpfilesdir}/dehydrated.conf -%endif %{_bindir}/dehydrated %{_mandir}/man1/dehydrated.1* %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 0.7.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Thu Jan 16 2025 Fedora Release Engineering - 0.7.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Thu Dec 26 2024 Robert Scheck - 0.7.1-6 +- Added missing dehydrated run-time requirements +- Resolved: rhbz#2279854 dehydrated dependency issue on EL8 + +* Wed Jul 17 2024 Fedora Release Engineering - 0.7.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Wed Jan 24 2024 Fedora Release Engineering - 0.7.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 0.7.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Jul 19 2023 Fedora Release Engineering - 0.7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Wed May 31 2023 Robert Scheck - 0.7.1-1 +- Resolved: rhbz#2139056 dehydrated-0.7.1 is available +- Resolved: rhbz#2035549 genkey ecparam - ECDSA key, P-384 (secp384r1) + +* Thu Jan 19 2023 Fedora Release Engineering - 0.7.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Jul 21 2022 Fedora Release Engineering - 0.7.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Fri Feb 04 2022 Carl George - 0.7.0-5 +- Require path instead of package name for mailx 
rhbz#2050852 + +* Thu Jan 20 2022 Fedora Release Engineering - 0.7.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Jul 21 2021 Fedora Release Engineering - 0.7.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jun 01 2021 Paul Wouters - 0.7.0-2 +- Update trigger to proper version + +* Tue Jun 01 2021 Paul Wouters - 0.7.0-1 +- Resolved: rhbz#1872621 [RFE] Ship systemd units for auto-renewal +- Resolved: rhbz#1906674 dehydrated-0.7.0 is available + +* Tue Jan 26 2021 Fedora Release Engineering - 0.6.5-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 0.6.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jan 28 2020 Fedora Release Engineering - 0.6.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jul 24 2019 Fedora Release Engineering - 0.6.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Wed Jun 26 2019 Paul Wouters - 0.6.5-1 - Resolves: rhbz#1723766 Updated to 0.6.5 diff --git a/dehydrated.timer b/dehydrated.timer new file mode 100644 index 0000000..e0024ad --- /dev/null +++ b/dehydrated.timer @@ -0,0 +1,10 @@ +[Unit] +Description=dehydrated client for signing certificates with an ACME server + +[Timer] +OnCalendar=daily +Persistent=true +RandomizedDelaySec=2h + +[Install] +WantedBy=timers.target diff --git a/sources b/sources index 7369fd6..1352885 100644 --- a/sources +++ b/sources 
@@ -1 +1,2 @@
-SHA512 (dehydrated-0.6.5.tar.gz) = da8ff3ecb7ddeb25356469fa272aef4e7c3705049caf88d09656dbc4baf29e0efa135e6f154c78cec82da17a27a78f2145ee3b7bd71521a080e10550d09b8a53
+SHA512 (dehydrated-0.7.1.tar.gz) = b7ac078d6034e784f3f485e8ce56b5fa2f1e2a3b5ef014d260046b5f1d5cbd99727501e95a9530d0d1b2f300003d3fa5bf7e7f532092041597236d92fbeb0f3c
+SHA512 (dehydrated-0.7.1.tar.gz.asc) = f03872b7e087b3f719a76aaebd46f017f47595feb03a29f5fcbe33796655cdcd0a34580ae34a85e3280c8305a2fe2ada47e4436bfbec294b7dbf67768df86394