From 755de4c9500fa9fdafc5ac82ee16dd7a19013b9f Mon Sep 17 00:00:00 2001
From: Curtis McEnroe
Date: Sun, 27 Oct 2019 00:44:14 -0400
Subject: Reload certificate on SIGUSR1

---
 bounce.c | 8 +++++++-
 listen.c | 8 ++++----
 pounce.1 | 15 +++++++++++++--
 3 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/bounce.c b/bounce.c
index b96326b..1015625 100644
--- a/bounce.c
+++ b/bounce.c
@@ -159,14 +159,20 @@ int main(int argc, char *argv[]) {
 signal(SIGINT, signalHandler);
 signal(SIGTERM, signalHandler);
+ signal(SIGUSR1, signalHandler);
 size_t clients = 0;
 for (;;) {
 int nfds = poll(event.fds, event.len, -1);
 if (nfds < 0 && errno != EINTR) err(EX_IOERR, "poll");
+ if (signals[SIGINT] || signals[SIGTERM]) break;
- if (nfds < 0) continue;
+ if (signals[SIGUSR1]) {
+ listenConfig(certPath, privPath);
+ signals[SIGUSR1] = 0;
+ }
+ if (nfds < 0) continue;
 for (size_t i = 0; i < event.len; ++i) {
 short revents = event.fds[i].revents;
 if (!revents) continue;
diff --git a/listen.c b/listen.c
index d6e561f..952d798 100644
--- a/listen.c
+++ b/listen.c
@@ -27,8 +27,11 @@ static struct tls *server;
-// TODO: Make this callable more than once to reload certificates?
 void listenConfig(const char *cert, const char *priv) {
+ tls_free(server);
+ server = tls_server();
+ if (!server) errx(EX_SOFTWARE, "tls_server");
+ struct tls_config *config = tls_config_new();
 if (!config) errx(EX_SOFTWARE, "tls_config_new");
@@ -40,9 +43,6 @@ void listenConfig(const char *cert, const char *priv) {
 );
 }
- server = tls_server();
- if (!server) errx(EX_SOFTWARE, "tls_server");
- error = tls_configure(server, config);
 if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(server));
 tls_config_free(config);
diff --git a/pounce.1 b/pounce.1
index b76d819..34f10d2 100644
--- a/pounce.1
+++ b/pounce.1
@@ -1,4 +1,4 @@
-.Dd October 26, 2019
+.Dd October 27, 2019
 .Dt POUNCE 1
 .Os
 .
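Review bot: In the new SIGUSR1 branch the flag is cleared only after `listenConfig` returns, so a second SIGUSR1 delivered while the reload is running is wiped out by `signals[SIGUSR1] = 0;` and never acted on; clearing first — `signals[SIGUSR1] = 0;` then `listenConfig(certPath, privPath);` — turns a signal that races the reload into one more pass instead of a lost request. Separately, every failure path of `listenConfig` visible on this page is `errx(EX_SOFTWARE, ...)`, so with this hook an unreadable or half-written certificate file at reload time (certbot rewriting the files at that moment, for instance) terminates the bouncer and every client session with it; a reload that fails should warn and keep the previous context rather than exit, which is a change on the listen.c side. The check also runs only after poll() returns, so a signal arriving just before poll() blocks waits for the next event — the same pre-existing limitation the SIGINT/SIGTERM checks have (ppoll or a self-pipe would remove it). `main` continues past the end of the hunk.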
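Review bot: `tls_free(server)` runs before the replacement is known to be good, and the three failure checks of this function that are visible here (`tls_server`, `tls_config_new`, `tls_configure`) all `errx`, so on the reload path a bad or temporarily unreadable key pair now kills a running bouncer instead of leaving it on its old certificate; the key-pair loading lines between the two hunks are not shown, but the `);` `}` at the top of the second hunk suggest they exit the same way. Since this commit makes the function callable on SIGUSR1, it should build the new context into a local, swap it into `server` only once `tls_configure` has succeeded, and report failure to the caller so that startup can still exit while a reload merely warns and keeps serving — something along the lines below, with bounce.c checking the return at startup and ignoring it (the warning has already gone to stderr) in the SIGUSR1 branch. The `tls_free(server)` on the very first call relies on libtls treating a NULL context as a no-op, which LibreSSL's implementation does, but a one-line comment saying so would save the next reader a lookup. If pounce drops privileges or changes directory after the initial load (not visible here), the reload re-reads the key under that reduced identity and the failure mode above becomes the common case, which deserves a sentence in the manual page.
```c
int listenConfig(const char *cert, const char *priv) {
	struct tls_config *config = tls_config_new();
	if (!config) {
		warnx("tls_config_new");
		return -1;
	}
	// … unchanged: key pair loading into config, but warnx + tls_config_free +
	// return -1 in place of errx …
	struct tls *fresh = tls_server();
	if (!fresh) {
		warnx("tls_server");
		tls_config_free(config);
		return -1;
	}
	if (tls_configure(fresh, config) != 0) {
		warnx("tls_configure: %s", tls_error(fresh));
		tls_free(fresh);
		tls_config_free(config);
		return -1;
	}
	tls_config_free(config);
	// Only now is the old context discarded: a failed reload leaves the
	// previously loaded certificate in service.
	tls_free(server);
	server = fresh;
	return 0;
}
```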
@@ -152,9 +152,20 @@ to the first line read from
 When using
 .Xr certbot 8
 to obtain TLS certificates,
-is it sufficient to specify the domain with
+it is sufficient to specify the domain with
 .Fl H .
 .
+.Pp
+Upon receiving the
+.Dv SIGUSR1
+signal,
+the certificate and private key
+will be reloaded from the paths
+specified by
+.Fl C
+and
+.Fl K .
+.
 .Sh ENVIRONMENT
 .Bl -tag -width Ds
 .It Ev USER
-- 
cgit 1.4.1