Subject: bug#26685: certbot service
From: Clément Lassieur
Date: Fri, 28 Apr 2017 11:24:47 +0200
Message-ID: <87mvb0ubog.fsf@lassieur.org>
To: Andy Wingo
Cc: 26685@debbugs.gnu.org

Hi Andy,

Thanks for working on this!

> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright © 2016 ng0
> +;;; Copyright © 2016 Sou Bunnbu

Or maybe you didn't work on this?..

> +(define certbot-renewal-jobs
> + (match-lambda
> + (($ package webroot hosts default-location)
> + (match hosts
> + ;; Avoid pinging certbot if we have no hosts.
> + (() '())
> + (_
> + (list
> + ;; Attempt to renew the certificates twice a week.
> + #~(job (lambda (now)
> + (next-day-from (next-hour-from now '(3))
> + '(2 5)))

This is not twice a week, but twice a month at days 2 and 5, because 'next-day-from' will look after the next day (in month) that has number 2 and 5.
'next-hour-from' is not taken into account because next day from any hour still runs at 0 o'clock.

But anyway I think it should be twice a day, and at a random minute within the hour, as advised by certbot:

--8<---------------cut here---------------start------------->8---
from https://certbot.eff.org/all-instructions/

if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
--8<---------------cut here---------------end--------------->8---

What do you think of:

  '(next-minute-from (next-hour '(0 12)) (list (random 60)))

instead?

Schedules can be debugged with the '--schedule=count' option.

Also I think some services have to be reloaded/restarted after their certificates are upgraded. That could be done via a mcron post-hook, but I'm not sure how to pass the list of services that have to be restarted. WDYT?

Clément
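
Review bot: In the quoted 'certbot-renewal-jobs' hunk, the comment ";; Attempt to renew the certificates twice a week." disagrees with the expression under it, which nests (next-hour-from now '(3)) inside 'next-day-from' with '(2 5); as the reply above notes, that selects days of the month. Settle on the intended frequency and change the comment and the schedule expression in the same revision, and state the intended hour in the comment too. The schedule values are also constants, so every machine using this service would attempt renewal at the same instant; taking the minute from (random 60), as the certbot instructions quoted above request, avoids that.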