unofficial mirror of guix-patches@gnu.org 
From: "Clément Lassieur" <clement@lassieur.org>
To: Andy Wingo <wingo@igalia.com>
Cc: 26685@debbugs.gnu.org
Subject: bug#26685: certbot service
Date: Fri, 28 Apr 2017 11:24:47 +0200
Message-ID: <87mvb0ubog.fsf@lassieur.org>
In-Reply-To: <cucmvb1ehiv.fsf@igalia.com>

Hi Andy,

Thanks for working on this!

> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
> +;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org>
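Review bot: the copyright header credits only ng0 and Sou Bunnbu, both for 2016, while this is submitted as a 2017 patch; if the file is new or substantially reworked, the header should name the actual author(s) and year of the changes so the provenance of the service code is accurate.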

Or maybe you didn't work on this?

> +(define certbot-renewal-jobs
> +  (match-lambda
> +    (($ <certbot-configuration> package webroot hosts default-location)
> +     (match hosts
> +       ;; Avoid pinging certbot if we have no hosts.
> +       (() '())
> +       (_
> +        (list
> +         ;; Attempt to renew the certificates twice a week.
> +         #~(job (lambda (now)
> +                  (next-day-from (next-hour-from now '(3))
> +                                 '(2 5)))
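Review bot: the comment "Attempt to renew the certificates twice a week" contradicts the expression beneath it: `(next-day-from ... '(2 5))` selects days 2 and 5 of the month, and since next-day-from zeroes the time of day the inner `(next-hour-from now '(3))` has no effect, so the job fires at 00:00 on the 2nd and the 5th. Either correct the comment or replace the schedule with one that runs more often; the renewal check does nothing until a certificate is actually due, so frequent runs cost little.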

This is not twice a week, but twice a month, on days 2 and 5, because
'next-day-from' will look for the next day (of the month) whose number
is 2 or 5.  'next-hour-from' is not taken into account because the next
day from any hour still runs at 0 o'clock.

But anyway I think it should be twice a day, and at a random minute
within the hour, as advised by certbot:

--8<---------------cut here---------------start------------->8---
from https://certbot.eff.org/all-instructions/

if you're setting up a cron or systemd job, we recommend running it
twice per day (it won't do anything until your certificates are due for
renewal or revoked, but running it regularly would give your site a
chance of staying online in case a Let's Encrypt-initiated revocation
happened for some reason). Please select a random minute within the hour
for your renewal tasks.
--8<---------------cut here---------------end--------------->8---

What do you think of:

    '(next-minute-from (next-hour '(0 12)) (list (random 60)))

instead?  Schedules can be debugged with the '--schedule=count' option.

Also I think some services have to be reloaded/restarted after their
certificates are upgraded.  That could be done via a mcron post-hook,
but I'm not sure how to pass the list of services that have to be
restarted.  WDYT?

Clément
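An added check, not part of this bug report or of Guix or mcron: a small Python model of mcron's next-*-from helpers under the assumed rule that each helper picks the smallest listed value strictly later than the current one, zeroes every lower field, and wraps to the next higher unit when nothing later is listed. It runs the schedule from the patch and the proposed replacement forward from the date of this message, and also exercises the case where (random 60) returns 0 (the fixed `minute` argument stands in for the random call).

```python
# Added example: a model of mcron-style next-*-from helpers (assumption: strictly
# later listed value, lower fields zeroed, wrap to the next higher unit).
from datetime import datetime, timedelta

def _bump(current, values):
    """Smallest listed value strictly later than `current`; wrap if none."""
    later = [v for v in values if v > current]
    return (min(later), False) if later else (min(values), True)

def next_minute_from(now, minutes):
    now = now.replace(second=0, microsecond=0)
    m, wrapped = _bump(now.minute, minutes)
    base = now.replace(minute=0) + timedelta(hours=int(wrapped))
    return base.replace(minute=m)

def next_hour_from(now, hours):
    now = now.replace(minute=0, second=0, microsecond=0)
    h, wrapped = _bump(now.hour, hours)
    base = now.replace(hour=0) + timedelta(days=int(wrapped))
    return base.replace(hour=h)

def next_day_from(now, days):
    now = now.replace(hour=0, minute=0, second=0, microsecond=0)
    d, wrapped = _bump(now.day, days)
    first = now.replace(day=1)
    if wrapped:                        # roll over to the 1st of next month
        first = (first + timedelta(days=32)).replace(day=1)
    return first + timedelta(days=d - 1)   # mktime-style normalisation

def patch_schedule(now):
    """(next-day-from (next-hour-from now '(3)) '(2 5)), as in the patch."""
    return next_day_from(next_hour_from(now, [3]), [2, 5])

def proposed_schedule(now, minute):
    """(next-minute-from (next-hour '(0 12)) (list minute)); `minute` stands
    in for (random 60) so the result is reproducible."""
    return next_minute_from(next_hour_from(now, [0, 12]), [minute])

def firings(schedule, start, count):
    """Chain `schedule` `count` times from ISO timestamp `start`, the way
    mcron feeds each run time back in to compute the next one."""
    t, out = datetime.fromisoformat(start), []
    for _ in range(count):
        t = schedule(t)
        out.append(t.strftime("%Y-%m-%d %H:%M"))
    return out

if __name__ == "__main__":
    print(firings(patch_schedule, "2017-04-28T11:24", 3))
    print(firings(lambda t: proposed_schedule(t, 17), "2017-04-28T11:24", 3))
    print(firings(lambda t: proposed_schedule(t, 0), "2017-04-28T11:24", 2))
```

Under this model the patch's schedule fires at midnight on the 2nd and 5th only, the proposal fires twice daily, and a minute of 0 wraps to the following hour (13:00 and 01:00 rather than 12:00 and 00:00), so a real deployment should confirm the spec with mcron's --schedule output.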


Thread overview: 26+ messages
2017-04-27 20:12 bug#26685: certbot service Andy Wingo
2017-04-28  9:24 ` Clément Lassieur [this message]
2017-04-28 12:47   ` Andy Wingo
2017-04-29  9:14     ` Clément Lassieur
2017-05-02  7:31       ` Andy Wingo
2017-05-02 19:40         ` Clément Lassieur
2017-04-29  9:25     ` Clément Lassieur
2017-04-28 19:33   ` Leo Famulari
2017-04-29  9:44     ` Clément Lassieur
     [not found] ` <87tw56dhlp.fsf@dustycloud.org>
2017-07-26  8:59   ` [bug#26685] certbot service experience Ludovic Courtès
2017-07-27 13:24     ` Christopher Allan Webber
2017-07-30  9:17       ` ng0
2017-07-30  9:22         ` ng0
2017-07-30  9:56           ` Julien Lepiller
2017-07-27 17:30     ` Tobias Geerinckx-Rice
2017-08-22 13:19       ` Ludovic Courtès
2017-08-23 14:57         ` Christopher Allan Webber
2017-10-24 14:26           ` Christopher Allan Webber
2017-10-24 15:27             ` Leo Famulari
2017-10-24 16:27             ` Ludovic Courtès
2017-11-28 22:41               ` bug#26685: " Ludovic Courtès
2017-11-29  5:45                 ` [bug#26685] " Christopher Allan Webber
2017-11-29 16:55                   ` Ludovic Courtès
2017-11-29 19:08                     ` Christopher Allan Webber
2017-10-24 14:53       ` Leo Famulari
2017-10-24 15:25         ` Christopher Allan Webber
