* [bug#67497] [PATCH 2/4] In certbot documentation, call environment variables by their proper name.
2023-11-27 21:20 ` [bug#67497] [PATCH 1/4] In documentation, rename %certbot-deploy-hook back to %nginx-deploy-hook Felix Lechner via Guix-patches via
@ 2023-11-27 21:20 ` Felix Lechner via Guix-patches via
2023-12-16 20:58 ` Bruno Victal
2023-11-27 21:20 ` [bug#67497] [PATCH 3/4] In certbot service, reduce code duplication Felix Lechner via Guix-patches via
2023-11-27 21:20 ` [bug#67497] [PATCH 4/4] In certbot's client configuration, offer multiple deploy-hooks Felix Lechner via Guix-patches via
From: Felix Lechner via Guix-patches via @ 2023-11-27 21:20 UTC (permalink / raw)
To: 67497; +Cc: Bruno Victal, Felix Lechner
Certbot's hooks can be written in any language. In fact, they can be any kind
of executable. Environment variables are widely used to communicate values
across that type of fork(2) boundary. In the context here, it is more accurate
to talk about environment variables.
Change-Id: If0b476c3367a3108d9365d718a74faa7d9fe7530
---
doc/guix.texi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index b0b1c05c73..440a5f3efa 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32139,24 +32139,24 @@ Certificate Services
@item @code{authentication-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge to be
-answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
+answered. For this command, the environment variable @code{$CERTBOT_DOMAIN}
will contain the domain being authenticated, @code{$CERTBOT_VALIDATION}
contains the validation string and @code{$CERTBOT_TOKEN} contains the
file name of the resource requested when performing an HTTP-01 challenge.
@item @code{cleanup-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge that
-have been answered by the @code{auth-hook}. For this command, the shell
+have been answered by the @code{auth-hook}. For this command, the environment
variables available in the @code{auth-hook} script are still available, and
additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
of the @code{auth-hook} script.
@item @code{deploy-hook} (default: @code{#f})
Command to be run in a shell once for each successfully issued
-certificate. For this command, the shell variable
+certificate. For this command, the environment variable
@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
-certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
+certificates and keys; the environment variable @code{$RENEWED_DOMAINS} will
contain a space-delimited list of renewed certificate domains (for
example, @samp{"example.com www.example.com"}.
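Review bot: the replaced lines keep the `$` inside the name (`@code{$CERTBOT_DOMAIN}`, `@code{$RENEWED_LINEAGE}`, `@code{$RENEWED_DOMAINS}`), which undercuts the point of the change: `$` is shell expansion syntax, and a hook written in Python or Guile reads `CERTBOT_DOMAIN` with no sigil. The Texinfo command for an environment variable is `@env{CERTBOT_DOMAIN}`, and the same applies to `@code{$CERTBOT_VALIDATION}`, `@code{$CERTBOT_TOKEN}` and `@code{$CERTBOT_AUTH_OUTPUT}` in the unchanged context lines. While in this hunk: the `cleanup-hook` paragraph says "challenge that have been answered by the @code{auth-hook}"; that should read "has been answered", and `auth-hook` matches neither the field name (`authentication-hook`) nor the certbot option (`--manual-auth-hook`), so a reader cannot tell which script is meant.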
--
2.41.0
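The commit message above makes the point that certbot talks to its hooks only through the environment of the process it forks. What that looks like from the hook's side, as an added example that is not part of the patch or of certbot: a manual HTTP-01 authentication hook and its cleanup hook, written as shell functions so they can be exercised without certbot. The environment variable names are the ones the Guix manual text documents (CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_TOKEN, CERTBOT_AUTH_OUTPUT); the webroot location (WEBROOT, defaulting to /srv/http) is an assumption. The hook treats CERTBOT_TOKEN as untrusted input, since it arrives from the ACME server and the manual says it is used as a file name: anything that is not a single bare path component is refused rather than written under the webroot.

```shell
#!/bin/sh
# Added example, not code from the Guix patch or from certbot.
# certbot runs "--manual-auth-hook" and "--manual-cleanup-hook" as child
# processes and passes the challenge data only in their environment.

WEBROOT="${WEBROOT:-/srv/http}"   # assumed document root served for the domain

# An ACME token is base64url, so a legitimate CERTBOT_TOKEN is one path
# component made of [A-Za-z0-9_-]. Anything else (empty, containing "/",
# ".", "..") must not reach the file system.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Publish $CERTBOT_VALIDATION at
# $WEBROOT/.well-known/acme-challenge/$CERTBOT_TOKEN, the URL the ACME
# server fetches for an HTTP-01 challenge. Whatever this prints on stdout
# is handed to the cleanup hook as CERTBOT_AUTH_OUTPUT (certbot strips
# surrounding whitespace).
auth_hook() {
    : "${CERTBOT_DOMAIN:?CERTBOT_DOMAIN not set}"
    : "${CERTBOT_VALIDATION:?CERTBOT_VALIDATION not set}"
    : "${CERTBOT_TOKEN:?CERTBOT_TOKEN not set}"
    valid_token "$CERTBOT_TOKEN" || {
        echo "refusing token '$CERTBOT_TOKEN' for $CERTBOT_DOMAIN" >&2
        return 2
    }
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    umask 022                      # world-readable (the server must serve it), not writable
    printf '%s' "$CERTBOT_VALIDATION" > "$dir/$CERTBOT_TOKEN.tmp" &&
        mv "$dir/$CERTBOT_TOKEN.tmp" "$dir/$CERTBOT_TOKEN"
    printf '%s\n' "$dir/$CERTBOT_TOKEN"
}

# Remove the response file. The path is recomputed from CERTBOT_TOKEN and
# only cross-checked against CERTBOT_AUTH_OUTPUT, so a bad value in the
# latter can never make the hook delete something else.
cleanup_hook() {
    : "${CERTBOT_TOKEN:?CERTBOT_TOKEN not set}"
    valid_token "$CERTBOT_TOKEN" || return 2
    expected="$WEBROOT/.well-known/acme-challenge/$CERTBOT_TOKEN"
    if [ -n "${CERTBOT_AUTH_OUTPUT:-}" ] && [ "$CERTBOT_AUTH_OUTPUT" != "$expected" ]; then
        echo "auth output '$CERTBOT_AUTH_OUTPUT' does not match '$expected'" >&2
        return 2
    fi
    rm -f "$expected"
}
```

Installed as a script, the same file can serve both roles by dispatching on its first argument (`auth` or `cleanup`) and be named in `authentication-hook` and `cleanup-hook` of the Guix `certificate-configuration`; the functions above are the part that matters for the fork boundary, since nothing but the environment and stdout crosses it.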
* [bug#67497] [PATCH 2/4] In certbot documentation, call environment variables by their proper name.
2023-11-27 21:20 ` [bug#67497] [PATCH 2/4] In certbot documentation, call environment variables by their proper name Felix Lechner via Guix-patches via
@ 2023-12-16 20:58 ` Bruno Victal
From: Bruno Victal @ 2023-12-16 20:58 UTC (permalink / raw)
To: Felix Lechner; +Cc: 67497
On 2023-11-27 21:20, Felix Lechner wrote:
> Certbot's hooks can be written in any language. in fact, they can be any kind
> of executable. Environment variables are widely used to communicate values
> across that type of fork(2) boundary. In the context here, it is more accurate
> to talk about environment variables.
>
> Change-Id: If0b476c3367a3108d9365d718a74faa7d9fe7530
> ---
> doc/guix.texi | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index b0b1c05c73..440a5f3efa 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -32139,24 +32139,24 @@ Certificate Services
>
> @item @code{authentication-hook} (default: @code{#f})
> Command to be run in a shell once for each certificate challenge to be
> -answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
> +answered. For this command, the environment variable @code{$CERTBOT_DOMAIN}
[…]
> will contain the domain being authenticated, @code{$CERTBOT_VALIDATION}
[…]
> contains the validation string and @code{$CERTBOT_TOKEN} contains the
[…]
> variables available in the @code{auth-hook} script are still available, and
> additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
[…]
> @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
> example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
> -certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
> +certificates and keys; the environment variable @code{$RENEWED_DOMAINS} will
> contain a space-delimited list of renewed certificate domains (for
> example, @samp{"example.com www.example.com"}.
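Review bot: the last quoted line, `example, @samp{"example.com www.example.com"}.`, closes the `@samp` but not the parenthesis opened by `(for example`; it should end `}).`, as the `$RENEWED_LINEAGE` sentence two lines above does.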
The correct Texinfo @-command should be @env{CERTBOT_DOMAIN}, ….
Could you amend and send a v2 that addresses these issues as well?
Other than that, it LGTM.
--
Furthermore, I consider that nonfree software must be eradicated.
Cheers,
Bruno.
* [bug#67497] [PATCH 3/4] In certbot service, reduce code duplication.
2023-11-27 21:20 ` [bug#67497] [PATCH 1/4] In documentation, rename %certbot-deploy-hook back to %nginx-deploy-hook Felix Lechner via Guix-patches via
2023-11-27 21:20 ` [bug#67497] [PATCH 2/4] In certbot documentation, call environment variables by their proper name Felix Lechner via Guix-patches via
@ 2023-11-27 21:20 ` Felix Lechner via Guix-patches via
2023-11-27 21:20 ` [bug#67497] [PATCH 4/4] In certbot's client configuration, offer multiple deploy-hooks Felix Lechner via Guix-patches via
From: Felix Lechner via Guix-patches via @ 2023-11-27 21:20 UTC (permalink / raw)
To: 67497; +Cc: Bruno Victal, Felix Lechner
The certbot command can only be changed with a great deal of attention. The
program branches early and constructs two separate invocations. Changes would
generally have to be made in two places. Otherwise, a new bug might be
introduced.
This commit places the conditional in question inside the list so that future
edits are more fool-proof.
Change-Id: I4a54f8b78ff4722688de7772d3c26a6191d6ff89
---
gnu/services/certbot.scm | 58 +++++++++++++++++++---------------------
1 file changed, 27 insertions(+), 31 deletions(-)
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 0c45471659..8490a69a99 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -100,37 +100,33 @@ (define certbot-command
csr authentication-hook
cleanup-hook deploy-hook)
(let ((name (or custom-name (car domains))))
- (if challenge
- (append
- (list name certbot "certonly" "-n" "--agree-tos"
- "--manual"
- (string-append "--preferred-challenges=" challenge)
- "--cert-name" name
- "--manual-public-ip-logging-ok"
- "-d" (string-join domains ","))
- (if csr `("--csr" ,csr) '())
- (if email
- `("--email" ,email)
- '("--register-unsafely-without-email"))
- (if server `("--server" ,server) '())
- (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
- (if authentication-hook
- `("--manual-auth-hook" ,authentication-hook)
- '())
- (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
- (append
- (list name certbot "certonly" "-n" "--agree-tos"
- "--webroot" "-w" webroot
- "--cert-name" name
- "-d" (string-join domains ","))
- (if csr `("--csr" ,csr) '())
- (if email
- `("--email" ,email)
- '("--register-unsafely-without-email"))
- (if server `("--server" ,server) '())
- (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+ (append
+ (list name
+ certbot
+ "certonly"
+ "-n"
+ "--agree-tos")
+ (if challenge
+ (append
+ (list "--manual"
+ (string-append "--preferred-challenges=" challenge)
+ "--manual-public-ip-logging-ok")
+ (if authentication-hook
+ (list "--manual-auth-hook" authentication-hook)
+ '())
+ (if cleanup-hook
+ (list "--manual-cleanup-hook" cleanup-hook)
+ '()))
+ (list "--webroot" "-w" webroot))
+ (list "--cert-name" name
+ "-d" (string-join domains ","))
+ (if csr (list "--csr" csr) '())
+ (if email
+ (list "--email" email)
+ (list "--register-unsafely-without-email"))
+ (if server (list "--server" server) '())
+ (if rsa-key-size (list "--rsa-key-size" rsa-key-size) '())
+ (if deploy-hook (list "--deploy-hook" deploy-hook) '())))))
certificates)))
(program-file
"certbot-command"
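Review bot: when `challenge` is `#f`, `authentication-hook` and `cleanup-hook` are silently dropped, because they only occur inside the `(if challenge ...)` branch (the `(if authentication-hook` and `(if cleanup-hook` clauses). That matches the `-` lines, so the refactor preserves behaviour, but now that a single `append` builds the whole command it would cost one clause to reject the misconfiguration rather than ignore it, for instance `(when (and (not challenge) (or authentication-hook cleanup-hook)) (raise ...))` or at least a warning; otherwise a user who sets `authentication-hook` without `challenge` gets a `--webroot` run with no hook and no diagnostic. A one-line comment above `(if challenge` saying that the manual hooks only apply to the `--manual` path would also help the "fool-proof" goal of the commit message.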
--
2.41.0
* [bug#67497] [PATCH 4/4] In certbot's client configuration, offer multiple deploy-hooks.
2023-11-27 21:20 ` [bug#67497] [PATCH 1/4] In documentation, rename %certbot-deploy-hook back to %nginx-deploy-hook Felix Lechner via Guix-patches via
2023-11-27 21:20 ` [bug#67497] [PATCH 2/4] In certbot documentation, call environment variables by their proper name Felix Lechner via Guix-patches via
2023-11-27 21:20 ` [bug#67497] [PATCH 3/4] In certbot service, reduce code duplication Felix Lechner via Guix-patches via
@ 2023-11-27 21:20 ` Felix Lechner via Guix-patches via
From: Felix Lechner via Guix-patches via @ 2023-11-27 21:20 UTC (permalink / raw)
To: 67497; +Cc: Bruno Victal, Felix Lechner
The certbot program can accept multiple deploy hooks by repeating the relevant
option on the command line. This commit makes that capability available to
users.
Certificates are often used to secure multiple services. It is helpful to have
separate hooks for each service. It makes those hooks easier to maintain. It's
also easier that way to re-use a hook for another certificate that may not
serve to secure the same combination of services.
Change-Id: I3a293daee47030d9bee7f366605aa63a14e98e38
---
doc/guix.texi | 11 ++++++-----
gnu/services/certbot.scm | 20 +++++++++++++++++---
2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 440a5f3efa..c5cbd0275d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32046,7 +32046,7 @@ Certificate Services
(list
(certificate-configuration
(domains '("example.net" "www.example.net"))
- (deploy-hook %nginx-deploy-hook))
+ (deploy-hooks '(%nginx-deploy-hook)))
(certificate-configuration
(domains '("bar.example.net")))))))
@end lisp
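Review bot: `(deploy-hooks '(%nginx-deploy-hook))` quotes the list, so the field holds the symbol `%nginx-deploy-hook` rather than the value of that variable; the old `(deploy-hook %nginx-deploy-hook)` evaluated it. The example should read `(deploy-hooks (list %nginx-deploy-hook))`, otherwise users copying the manual will pass a symbol where a hook program is expected.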
@@ -32151,14 +32151,15 @@ Certificate Services
additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
of the @code{auth-hook} script.
-@item @code{deploy-hook} (default: @code{#f})
-Command to be run in a shell once for each successfully issued
-certificate. For this command, the environment variable
+@item @code{deploy-hooks} (default: @code{'()})
+Commands to be run in a shell once for each successfully issued
+certificate. For these commands, the environment variable
@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
certificates and keys; the environment variable @code{$RENEWED_DOMAINS} will
contain a space-delimited list of renewed certificate domains (for
-example, @samp{"example.com www.example.com"}.
+example, @samp{"example.com www.example.com"}. Please note that the singular
+field @code{deploy-hook} was replaced by this field in the plural.
@end table
@end deftp
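Review bot: the new `deploy-hooks` paragraph says the singular field "was replaced", but the code in this same patch still honours `deploy-hook` and only emits a deprecation warning; the text should say that it is deprecated and still accepted, so readers know whether an existing configuration breaks. It should also state that the commands are handed to certbot in list order (the `append-map` preserves it). The `$` sigil question from PATCH 2/4 applies to `@code{$RENEWED_LINEAGE}` and `@code{$RENEWED_DOMAINS}` in the context lines here as well: `@env{RENEWED_LINEAGE}`, no sigil.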
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 8490a69a99..9d5305174b 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -30,6 +30,7 @@ (define-module (gnu services certbot)
#:use-module (gnu services web)
#:use-module (gnu system shadow)
#:use-module (gnu packages tls)
+ #:use-module (guix deprecation)
#:use-module (guix i18n)
#:use-module (guix records)
#:use-module (guix gexp)
@@ -62,8 +63,11 @@ (define-record-type* <certificate-configuration>
(default #f))
(cleanup-hook certificate-cleanup-hook
(default #f))
+ ;; TODO: remove singular deploy-hook; is deprecated
(deploy-hook certificate-configuration-deploy-hook
- (default #f)))
+ (default #f))
+ (deploy-hooks certificate-configuration-deploy-hooks
+ (default '())))
(define-record-type* <certbot-configuration>
certbot-configuration make-certbot-configuration
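Review bot: the new `deploy-hooks` field has no `sanitize` clause, so a user who writes `(deploy-hooks "/path/to/hook")` by analogy with the old single-valued field gets an `append-map` failure at build time rather than a clear message; `(sanitize (lambda (value) (unless (list? value) ...) value))` would catch that at configuration time. The `;; TODO: remove singular deploy-hook; is deprecated` comment should also record when removal is planned, since otherwise the deprecated field tends to stay forever.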
@@ -98,7 +102,8 @@ (define certbot-command
(match-lambda
(($ <certificate-configuration> custom-name domains challenge
csr authentication-hook
- cleanup-hook deploy-hook)
+ cleanup-hook
+ deploy-hook deploy-hooks)
(let ((name (or custom-name (car domains))))
(append
(list name
@@ -126,7 +131,16 @@ (define certbot-command
(list "--register-unsafely-without-email"))
(if server (list "--server" server) '())
(if rsa-key-size (list "--rsa-key-size" rsa-key-size) '())
- (if deploy-hook (list "--deploy-hook" deploy-hook) '())))))
+
+ (if deploy-hook
+ (begin
+ (warn-about-deprecation 'deploy-hook #f
+ #:replacement 'deploy-hooks)
+ (list "--deploy-hook" deploy-hook))
+ '())
+ (append-map (lambda (hook)
+ (list "--deploy-hook" hook))
+ deploy-hooks)))))
certificates)))
(program-file
"certbot-command"
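Review bot: the premise that certbot accepts repeated `--deploy-hook` options needs confirming before this lands; nothing in the patch checks it, and if certbot stores the option as a single value (the argparse default, last occurrence wins) then only the final entry of `deploy-hooks` would run and a deprecated `deploy-hook`, emitted first here, would be silently discarded. A comment pointing at where certbot defines the option would settle it. Independently, the two branches both construct `(list "--deploy-hook" ...)`, the duplication PATCH 3/4 set out to remove; `(append-map (lambda (hook) (list "--deploy-hook" hook)) (append (if deploy-hook (list deploy-hook) '()) deploy-hooks))` keeps one code path, with the `warn-about-deprecation` call moved into that `if`. Finally, passing `#f` as the location to `warn-about-deprecation` means the warning cannot point at the user's configuration file, and it fires every time `certbot-command` is evaluated rather than once when the record is built.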
--
2.41.0
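The commit message argues for one deploy hook per service so that a certificate covering several services can be reused. The natural consequence is that each hook has to decide for itself whether a renewal concerns it, which is what the added example below shows; it is not part of the patch or of certbot. The two environment variables are the ones the manual documents, RENEWED_LINEAGE and the space-delimited RENEWED_DOMAINS. The live directory prefix (LIVE_ROOT, defaulting to /etc/letsencrypt/live) and the reload commands are assumptions. Before touching anything, the hook checks that RENEWED_LINEAGE is a plain directory name directly under the live root, because a hook that blindly reads "$RENEWED_LINEAGE/privkey.pem" would follow whatever path it was handed.

```shell
#!/bin/sh
# Added example, not code from the Guix patch or from certbot: a deploy
# hook that acts only when the renewed lineage covers the domain its
# service listens on. With several such hooks in "deploy-hooks", each
# service is reloaded only for the certificates it actually uses.

LIVE_ROOT="${LIVE_ROOT:-/etc/letsencrypt/live}"   # assumed certbot live directory

# 0 if $1 appears as one whole entry of the space-delimited list $2
# ("ww.example.com" must not match "www.example.com").
domain_renewed() {
    needle="$1"
    set -f                 # split on whitespace only, no globbing
    set -- $2
    set +f
    for d in "$@"; do
        [ "$d" = "$needle" ] && return 0
    done
    return 1
}

# RENEWED_LINEAGE must be "$LIVE_ROOT/<name>" where <name> is a single
# path component with no "/" and is not "." or "..".
lineage_ok() {
    lineage="$1"
    case "$lineage" in
        "$LIVE_ROOT"/*) ;;
        *) return 1 ;;
    esac
    name="${lineage#"$LIVE_ROOT"/}"
    case "$name" in
        ''|.|..|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# deploy_hook SERVICE_DOMAIN RELOAD_COMMAND...
# Returns 0 after running RELOAD_COMMAND, 3 if this renewal does not cover
# SERVICE_DOMAIN (nothing to do), 2 if the environment looks wrong.
deploy_hook() {
    service_domain="$1"; shift
    : "${RENEWED_LINEAGE:?RENEWED_LINEAGE not set}"
    : "${RENEWED_DOMAINS:?RENEWED_DOMAINS not set}"
    lineage_ok "$RENEWED_LINEAGE" || {
        echo "refusing suspicious RENEWED_LINEAGE '$RENEWED_LINEAGE'" >&2
        return 2
    }
    domain_renewed "$service_domain" "$RENEWED_DOMAINS" || return 3
    [ -r "$RENEWED_LINEAGE/fullchain.pem" ] && [ -r "$RENEWED_LINEAGE/privkey.pem" ] || {
        echo "lineage $RENEWED_LINEAGE is missing fullchain.pem or privkey.pem" >&2
        return 2
    }
    "$@"
}

# As a certbot hook this script would end with a line such as
#   deploy_hook www.example.com herd restart nginx
# (the domain and the reload command are assumptions for the service at hand).
```

Each service gets its own copy of that last line with its own domain and reload command, and each copy becomes one entry of `deploy-hooks`; a hook for mail.example.com stays quiet when only the web certificate is renewed, which is the maintainability gain the commit message describes.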