Subject: bug#26685: certbot service
From: Andy Wingo
To: Clément Lassieur
Cc: 26685@debbugs.gnu.org
Date: Fri, 28 Apr 2017 14:47:41 +0200
In-Reply-To: <87mvb0ubog.fsf@lassieur.org> (Clément Lassieur's message of "Fri, 28 Apr 2017 11:24:47 +0200")

On Fri 28 Apr 2017 11:24, Clément Lassieur writes:

> Hi Andy,
>
> Thanks for working on this!

Thanks for the review :-)

>> +;;; GNU Guix --- Functional package management for GNU
>> +;;; Copyright © 2016 ng0
>> +;;; Copyright © 2016 Sou Bunnbu
>
> Or maybe you didn't work on this?..

I did but also parts of it came from:
https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/bayfront.scm

I should fix the attribution I guess!
>> +(define certbot-renewal-jobs
>> +  (match-lambda
>> +    (($ package webroot hosts default-location)
>> +     (match hosts
>> +       ;; Avoid pinging certbot if we have no hosts.
>> +       (() '())
>> +       (_
>> +        (list
>> +         ;; Attempt to renew the certificates twice a week.
>> +         #~(job (lambda (now)
>> +                  (next-day-from (next-hour-from now '(3))
>> +                                 '(2 5)))
>
> This is not twice a week, but twice a month at days 2 and 5, because
> 'next-day-from' will look after the next day (in month) that has number
> 2 and 5. 'next-hour-from' is not taken into account because next day
> from any hour still runs at 0 o'clock.
>
> But anyway I think it should be twice a day, and at a random minute
> within the hour, as advised by certbot:
>
> from https://certbot.eff.org/all-instructions/
>
>     if you're setting up a cron or systemd job, we recommend running it
>     twice per day (it won't do anything until your certificates are due for
>     renewal or revoked, but running it regularly would give your site a
>     chance of staying online in case a Let's Encrypt-initiated revocation
>     happened for some reason). Please select a random minute within the hour
>     for your renewal tasks.
>
> What do you think of:
>
>     '(next-minute-from (next-hour '(0 12)) (list (random 60)))
>
> instead? Schedules can be debugged with '--schedule=count' option.

Sounds fine to me!

> Also I think some services have to be reloaded/restarted after their
> certificates are upgraded. That could be done via a mcron post-hook,
> but I'm not sure how to pass the list of services that have to be
> restarted. WDYT?

Good question. I don't even know how to know when running certbot
results in a rotation and when it leaves things as-is. It's a great
question though!

BTW if you are interested in using/hacking on this, I think we could
just get it into master and patch it from there. WDYT?

Andy
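The open question in the message above, how to tell whether a certbot run actually rotated a certificate before restarting the services that depend on it, can be answered by fingerprinting the live certificate files around the run. This is an added example, not code from the patch or from Guix; the certificate directory, the service list and the use of `herd` as the service manager are assumptions.

```shell
#!/bin/sh
# Added example, not part of the patch: decide whether `certbot renew`
# actually rotated anything by fingerprinting the live fullchain files
# before and after the run, and only then restart dependent services.
# CERT_DIR, SERVICES and the use of `herd` are assumptions for this example.
set -eu

CERT_DIR=${CERT_DIR:-/etc/letsencrypt/live}
SERVICES=${SERVICES:-nginx}

# Emit "<sha256>  <path>" for every fullchain.pem below $1, in a stable order,
# so two snapshots can be compared as plain strings.
fingerprint_certs() {
    find "$1" -name fullchain.pem 2>/dev/null | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done
}

# True (exit 0) when two snapshots taken with fingerprint_certs differ.
certs_changed() {
    [ "$1" != "$2" ]
}

# Run the renewal and restart the listed services only on a real rotation;
# certbot's exit status alone does not say whether anything was renewed.
renew_and_reload() {
    before=$(fingerprint_certs "$CERT_DIR")
    certbot renew --quiet
    after=$(fingerprint_certs "$CERT_DIR")
    if certs_changed "$before" "$after"; then
        for svc in $SERVICES; do
            herd restart "$svc"
        done
        return 0
    fi
    echo "no certificate changed; services left alone"
}
```

Running `renew_and_reload` from the twice-daily mcron job keeps the restart tied to an actual key or certificate change rather than to every scheduled run.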