From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53573)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1d429B-00054P-RM
	for guix-patches@gnu.org; Fri, 28 Apr 2017 05:25:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1d4298-0000Vk-I9
	for guix-patches@gnu.org; Fri, 28 Apr 2017 05:25:05 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:45389)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1d4298-0000VP-Eb
	for guix-patches@gnu.org; Fri, 28 Apr 2017 05:25:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1d4298-0005zw-4I
	for guix-patches@gnu.org; Fri, 28 Apr 2017 05:25:02 -0400
Subject: bug#26685: certbot service
Resent-Message-ID: <handler.26685.B26685.149337149323032@debbugs.gnu.org>
References: <cucmvb1ehiv.fsf@igalia.com>
From: =?UTF-8?Q?Cl=C3=A9ment?= Lassieur <clement@lassieur.org>
In-reply-to: <cucmvb1ehiv.fsf@igalia.com>
Date: Fri, 28 Apr 2017 11:24:47 +0200
Message-ID: <87mvb0ubog.fsf@lassieur.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Andy Wingo <wingo@igalia.com>
Cc: 26685@debbugs.gnu.org

Hi Andy,

Thanks for working on this!

> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
> +;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org>

Or maybe you didn't work on this?..

> +(define certbot-renewal-jobs
> +  (match-lambda
> +    (($ <certbot-configuration> package webroot hosts default-location)
> +     (match hosts
> +       ;; Avoid pinging certbot if we have no hosts.
> +       (() '())
> +       (_
> +        (list
> +         ;; Attempt to renew the certificates twice a week.
> +         #~(job (lambda (now)
> +                  (next-day-from (next-hour-from now '(3))
> +                                 '(2 5)))

This is not twice a week, but twice a month at days 2 and 5, because
'next-day-from' will look after the next day (in month) that has number
2 and 5.  'next-hour-from' is not taken into account because next day
from any hour still runs at 0 o'clock.

But anyway I think it should be twice a day, and at a random minute
within the hour, as advised by certbot:

--8<---------------cut here---------------start------------->8---
from https://certbot.eff.org/all-instructions/

if you're setting up a cron or systemd job, we recommend running it
twice per day (it won't do anything until your certificates are due for
renewal or revoked, but running it regularly would give your site a
chance of staying online in case a Let's Encrypt-initiated revocation
happened for some reason). Please select a random minute within the hour
for your renewal tasks.
--8<---------------cut here---------------end--------------->8---

What do you think of:

    '(next-minute-from (next-hour '(0 12)) (list (random 60)))

instead?  Schedules can be debbuged with '--schedule=count' option.

Also I think some services have to be reloaded/restarted after their
certificates are upgraded.  That could be done via a mcron post-hook,
but I'm not sure how to pass the list of services that have to be
restarted.  WDYT?

Clément