Subject: [bug#30459] [PATCH 11/11] services: certbot: Allow to set a deploy hook.
From: Clément Lassieur
Date: Wed, 14 Feb 2018 22:35:04 +0100
Message-Id: <20180214213504.29984-11-clement@lassieur.org>
In-Reply-To: <20180214213504.29984-1-clement@lassieur.org>
References: <20180214213504.29984-1-clement@lassieur.org>
To: 30459@debbugs.gnu.org

* doc/guix.texi (Certificate Services): Document it.
* gnu/services/certbot.scm (, certbot-command): Add it.
---
 doc/guix.texi            | 22 ++++++++++++++++++++--
 gnu/services/certbot.scm | 10 +++++++---
 2 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 8500cda6d..2092e1d3b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15668,7 +15668,9 @@ signature. The certbot service automates this process: the initial key generation, the initial certification request to the Let's Encrypt service, the web server challenge/response integration, writing the -certificate to disk, and the automated periodic renewals. +certificate to disk, the automated periodic renewals, and the deployment +tasks associated with the renewal (e.g. reloading services, copying keys +with different permissions). Certbot is run twice a day, at a random minute within the hour. It won't do anything until your certificates are due for renewal or @@ -15681,13 +15683,20 @@ A service type for the @code{certbot} Let's Encrypt client. Its value must be a @code{certbot-configuration} record as in this example: @example +(define %nginx-deploy-hook + (program-file + "nginx-deploy-hook" + #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) + (kill pid SIGHUP)))) + (service certbot-service-type (certbot-configuration (email "foo@@example.net") (certificates (list (certificate-configuration - (domains '("example.net" "www.example.net"))) + (domains '("example.net" "www.example.net")) + (deploy-hook %nginx-deploy-hook)) (certificate-configuration (domains '("bar.example.net"))))))) @end example @@ -15757,6 +15766,15 @@ Its default is the first provided domain. The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. +@item @code{deploy-hook} (default: @code{#f}) +Command to be run in a shell once for each successfully issued +certificate. For this command, the shell variable +@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for +example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new +certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will +contain a space-delimited list of renewed certificate domains (for +example, @samp{"example.com www.example.com"}. + @end table @end deftp 
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index f90e4f04b..066b8241b 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -48,7 +48,9 @@ (name certificate-configuration-name (default #f)) (domains certificate-configuration-domains - (default '()))) + (default '())) + (deploy-hook certificate-configuration-deploy-hook + (default #f))) (define-record-type* certbot-configuration make-certbot-configuration @@ -78,7 +80,8 @@ (commands (map (match-lambda - (($ custom-name domains) + (($ custom-name domains + deploy-hook) (let ((name (or custom-name (car domains)))) (append (list name certbot "certonly" "-n" "--agree-tos" @@ -86,7 +89,8 @@ "--webroot" "-w" webroot "--cert-name" name "-d" (string-join domains ",")) - (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()))))) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))) certificates))) (program-file "certbot-command" -- 2.16.1
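Review bot: in the doc/guix.texi example hunk (`@@ -15681`), `%nginx-deploy-hook` calls `(kill pid SIGHUP)` on whatever `read` returns from `/var/run/nginx/pid` without checking it. If the file is empty, `read` returns the EOF object and `kill` fails with a type error; if the file is missing, `call-with-input-file` throws and certbot reports a failed hook; and since the hook runs with certbot's own privileges, a zero or negative value would signal far more than the nginx master. Suggest guarding the call, e.g. `(when (and (integer? pid) (> pid 0)) (kill pid SIGHUP))`, so the example readers will copy is safe by default.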
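Review bot: the `@code{deploy-hook}` entry added at `@@ -15757` has an unbalanced parenthesis in its last sentence: `(for example, @samp{"example.com www.example.com"}.` needs a closing `)` before the full stop. The entry also says the command "will be run in a shell" but not by whom; since the example above passes a `program-file`, it would help to state that the value should be a file-like object (or the path of an executable), that certbot itself executes it, and that it therefore inherits certbot's privileges.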
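Review bot: in the gnu/services/certbot.scm hunk at `@@ -86`, `(if deploy-hook `("--deploy-hook" ,deploy-hook) '())` splices the field value into certbot's argument list with no validation, and the documentation hunk states that certbot runs this value in a shell. A `program-file` as in the example lowers to a store path and is harmless, but a plain string containing spaces or shell metacharacters would be interpreted by that shell rather than treated as one executable. Consider validating the field (accepting only file-like objects, or a string the service can check), or at least documenting that constraint beside the new `(default #f)` in the record definition at `@@ -48`.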