Hi all, Friendly ping on this series :-). Thanks, Pierre Pierre Langlois writes:
> * gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
> (certbot-command): Use it to pass --dry-run to certbot.
> * doc/guix.texi (Certificate Services): Document dry-run? option.
> ---
> doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
> gnu/services/certbot.scm | 10 +++++++---
> 2 files changed, 42 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index ec449b1772..322c717941 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
> contain a space-delimited list of renewed certificate domains (for
> example, @samp{"example.com www.example.com"}.
>
> +@item @code{dry-run?} (default: @code{#f})
> +Communitcate with the ACME server but do not update certificates nor note-to-self, typo here: Communicate
> +trigger @code{deploy-hook}. This is useful as a temporary setting to
> +test the challenge procedure, especially the @code{authentication-hook}
> +and @code{cleanup-hook} while working on them. It's also a good idea to
> +use Let's Encrypt's staging server at
> +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
> +testing, which allows for higher rate limits, but with which
> +@code{certbot} will helpfully refuse to update certificates and
> +recommend the @code{dry-run?} option. For example:
> +
> +@lisp
> +(define %authentication-hook
> + (program-file "authentication-hook"
> + #~(let ((domain (getenv "CERTBOT_DOMAIN"))
> + (token (getenv "CERTBOT_TOKEN")))
> + (format #t "Hey, can you authenticate ~a with ~a for me?"
> + domain token))))
> +
> +(define %cleanup-hook
> + (program-file "authentication-hook"
> + #~(display "Bye")
> +
> +(service certbot-service-type
> + (certbot-configuration
> + (server "https://acme-staging-v02.api.letsencrypt.org/directory")
> + (certificates
> + (list
> + (certificate-configuration
> + (dry-run? #t)
> + (authentication-hook %authentication-hook)
> + (cleanup-hook %cleanup-hook)
> + (domains '("example.net" "www.example.net")))))))
> +@end lisp
> +
> @end table
> @end deftp
>
> diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
> index 1cea68fc2a..15274cf0ed 100644
> --- a/gnu/services/certbot.scm
> +++ b/gnu/services/certbot.scm
> @@ -61,6 +61,8 @@
> (cleanup-hook certificate-cleanup-hook
> (default #f))
> (deploy-hook certificate-configuration-deploy-hook
> + (default #f))
> + (dry-run? certbot-configuration-dry-run?
> (default #f)))
>
> (define-record-type*
> @@ -96,7 +98,7 @@
> (match-lambda
> (($ custom-name domains challenge
> authentication-hook cleanup-hook
> - deploy-hook)
> + deploy-hook dry-run?)
> (let ((name (or custom-name (car domains))))
> (if challenge
> (append
> @@ -114,7 +116,8 @@
> `("--manual-auth-hook" ,authentication-hook)
> '())
> (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
> - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
> + (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> + (if dry-run? '("--dry-run")))
> (append
> (list name certbot "certonly" "-n" "--agree-tos"
> "--webroot" "-w" webroot
> @@ -125,7 +128,8 @@
> '("--register-unsafely-without-email"))
> (if server `("--server" ,server) '())
> (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
> - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
> + (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> + (if dry-run? '("--dry-run") '()))))))
> certificates)))
> (program-file
> "certbot-command"
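Review bot: The new accessor on the added field line is named `certbot-configuration-dry-run?`, although the record it is added to appears to be `certificate-configuration` (the commit message says so, and the sibling accessor just above is `certificate-configuration-deploy-hook`). As written the name reads as an accessor of the service-level `certbot-configuration` record and would collide with it if that record ever gained its own `dry-run?` field. Rename it to follow the siblings: `(dry-run? certificate-configuration-dry-run?`. The `define-record-type*` form this field belongs to starts before the hunk, so the record name itself is not visible here.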
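Review bot: In the manual-challenge branch the added `(if dry-run? '("--dry-run")))` has no alternate, so with the default `dry-run?` of `#f` the `if` yields an unspecified value; because it is the last argument of the enclosing `append`, the command list ends in that value instead of being left unchanged, i.e. the default, non-dry-run configuration is the one that produces a malformed argument list. What consumes that list is outside the hunk, but an improper list is not something `program-file` or `apply` can be expected to accept. The webroot branch in the following hunk gets this right; make this one match it: `(if dry-run? '("--dry-run") '()))`. The `append` form whose last argument this is starts before the hunk.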
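Review bot: The webroot branch's `(if dry-run? '("--dry-run") '())` is correct, but nothing in the code warns that `dry-run?` is a per-certificate setting baked into the generated command and therefore applied on every scheduled run: if it is left enabled in a deployed configuration, each run talks to the ACME server but (per the option's own documentation) never updates certificates or triggers `deploy-hook`, so the real certificate quietly expires. A comment at that line such as `;; Persisted in the system configuration: leave enabled only while testing; no certificate is issued or deployed while set.` would make that footgun visible to the next reader. The `append` form containing this line starts before the hunk.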