From: "Clément Lassieur" <clement@lassieur.org>
To: 30459@debbugs.gnu.org
Subject: [bug#30459] [PATCH 11/11] services: certbot: Allow to set a deploy hook.
Date: Wed, 14 Feb 2018 22:35:04 +0100 [thread overview]
Message-ID: <20180214213504.29984-11-clement@lassieur.org> (raw)
In-Reply-To: <20180214213504.29984-1-clement@lassieur.org>
* doc/guix.texi (Certificate Services): Document it.
* gnu/services/certbot.scm (<certificate-configuration>, certbot-command): Add it.
---
doc/guix.texi | 22 ++++++++++++++++++++--
gnu/services/certbot.scm | 10 +++++++---
2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 8500cda6d..2092e1d3b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15668,7 +15668,9 @@ signature.
The certbot service automates this process: the initial key
generation, the initial certification request to the Let's Encrypt
service, the web server challenge/response integration, writing the
-certificate to disk, and the automated periodic renewals.
+certificate to disk, the automated periodic renewals, and the deployment
+tasks associated with the renewal (e.g. reloading services, copying keys
+with different permissions).
Certbot is run twice a day, at a random minute within the hour. It
won't do anything until your certificates are due for renewal or
@@ -15681,13 +15683,20 @@ A service type for the @code{certbot} Let's Encrypt client. Its value
must be a @code{certbot-configuration} record as in this example:
@example
+(define %nginx-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+ (kill pid SIGHUP))))
+
(service certbot-service-type
(certbot-configuration
(email "foo@@example.net")
(certificates
(list
(certificate-configuration
- (domains '("example.net" "www.example.net")))
+ (domains '("example.net" "www.example.net"))
+ (deploy-hook %nginx-deploy-hook))
(certificate-configuration
(domains '("bar.example.net")))))))
@end example
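Review bot: the `%nginx-deploy-hook` example signals whatever `read` returns from `/var/run/nginx/pid` without checking it. If the file is absent, `call-with-input-file` raises; if it is empty, `read` returns the EOF object and `(kill pid SIGHUP)` fails with a wrong-type error, so the hook aborts and certbot treats the deploy step of an otherwise successful renewal as failed. Consider guarding the call, e.g. `(when (integer? pid) (kill pid SIGHUP))`, or stating in the surrounding text that the example assumes nginx is running and has written its pid file. A sentence explaining that `program-file` turns the G-expression into an executable in the store, which is what certbot receives as its `--deploy-hook`, would also help readers who have not met gexps before.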
@@ -15757,6 +15766,15 @@ Its default is the first provided domain.
The first domain provided will be the subject CN of the certificate, and
all domains will be Subject Alternative Names on the certificate.
+@item @code{deploy-hook} (default: @code{#f})
+Command to be run in a shell once for each successfully issued
+certificate. For this command, the shell variable
+@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
+example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
+certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
+contain a space-delimited list of renewed certificate domains (for
+example, @samp{"example.com www.example.com"}.
+
@end table
@end deftp
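Review bot: a closing parenthesis is missing at the end of the `$RENEWED_DOMAINS` sentence; `@samp{"example.com www.example.com"}.` should read `@samp{"example.com www.example.com"}).`. The item also describes the value as a "Command to be run in a shell", but the example above passes a `program-file` object, so say explicitly that the field accepts either a command string or a file-like object whose store path is handed to certbot's `--deploy-hook`. Finally, "once for each successfully issued certificate" leaves open whether the hook also runs on renewals; the paragraph added earlier in this patch says it covers "deployment tasks associated with the renewal", so "issued or renewed" would be more precise.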
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index f90e4f04b..066b8241b 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -48,7 +48,9 @@
(name certificate-configuration-name
(default #f))
(domains certificate-configuration-domains
- (default '())))
+ (default '()))
+ (deploy-hook certificate-configuration-deploy-hook
+ (default #f)))
(define-record-type* <certbot-configuration>
certbot-configuration make-certbot-configuration
@@ -78,7 +80,8 @@
(commands
(map
(match-lambda
- (($ <certificate-configuration> custom-name domains)
+ (($ <certificate-configuration> custom-name domains
+ deploy-hook)
(let ((name (or custom-name (car domains))))
(append
(list name certbot "certonly" "-n" "--agree-tos"
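Review bot: the positional `($ <certificate-configuration> custom-name domains deploy-hook)` pattern now depends on the record having exactly these fields in this order; every future field added to `<certificate-configuration>` will require this pattern to be updated, and a mismatch only surfaces as a match failure at build time. Binding the fields through their accessors (`certificate-configuration-name`, `certificate-configuration-domains`, `certificate-configuration-deploy-hook`) inside the lambda would keep `certbot-command` independent of field order.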
@@ -86,7 +89,8 @@
"--webroot" "-w" webroot
"--cert-name" name
"-d" (string-join domains ","))
- (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())))))
+ (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
certificates)))
(program-file
"certbot-command"
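Review bot: the `(if deploy-hook `("--deploy-hook" ,deploy-hook) '())` splice accepts any non-`#f` value; nothing checks that it is a string or a file-like object, so a misconfiguration such as `(deploy-hook #t)` only fails when `certbot-command` is built rather than at configuration time. A short type check, or a `sanitize` on the record field, would give a clearer error. It is also worth documenting that a string value is passed as a single argument and executed by certbot through the shell, so a string with spaces is a command line, not a path, which is what the texinfo item should describe.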
--
2.16.1