Raghav Gururajan writes: > Hi Pierre! > >> --8<---------------cut here---------------start------------->8--- >> (define certbot-authentication-hook >> (program-file "certbot-authentication-hook" >> (with-imported-modules '((guix build utils)) >> #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")) >> (validation (getenv "CERTBOT_VALIDATION"))) >> (use-modules ((guix build utils))) >> (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml") >> (invoke gandi "dns" "create" "example.com" "_acme-challenge" > "TXT" validation))))) >> (define certbot-cleanup-hook >> (program-file "certbot-cleanup-hook" >> (with-imported-modules '((guix build utils)) >> #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))) >> (use-modules ((guix build utils))) >> (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml") >> (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge" "TXT"))))) >> (...) >> (service certbot-service-type >> (certbot-configuration >> (email "me@example.com") >> (certificates >> (list >> (certificate-configuration >> (domains '("*.example.com")) >> (challenge "dns") >> (authentication-hook certbot-authentication-hook) >> (cleanup-hook certbot-cleanup-hook)))))) >> --8<---------------cut here---------------end--------------->8--- > > Thank you so much! I appreciate it. > > I am using deSEC (https://desec.io) and have their hook.sh > (https://github.com/desec-io/desec-certbot-hook) stored as > "/etc/desec/hook.sh" on my system. > > So, in your snippet, I should replace certbot-*-hook with "/etc/desec/hook.sh", > right? Is the "hook.sh" script copied directly from the desec-certbot-hook package? In which case, I think you'll want to use `file-append` to directly refer to the package's script, something like this? --8<---------------cut here---------------start------------->8--- (authentication-hook (file-append desec-certbot-hook "/etc/hook.sh") (cleanup-hook (file-append desec-certbot-hook "/etc/hook.sh") --8<---------------cut here---------------end--------------->8--- If you look at the Gexp part of the manual, there's more info on what's available to build those procedures: https://guix.gnu.org/manual/en/guix.html#G_002dExpressions That's off the top of my head! > > Also, does using "*.example.com" means that the generated cert can be used both > for apex/naked domain and any of the subdomains? I /believe/ so yeah, it's a wildcard certificate (https://en.wikipedia.org/wiki/Wildcard_certificate) so that should work. That's what I use personally so that I can use a certificate for subdomains that only exist in the local network, that way the subdomain names don't "leak" publicly. The drawback being I only get a single certificate for multiple things. I suppose if you're setting up public facing services with subdomains, you're probably better off with different certificates for each. My knownledge of DNS stuff is pretty limited though. Hope that's useful! Pierre