From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id aPD+OR37uGU/OAEA62LTzQ:P1 (envelope-from ) for ; Tue, 30 Jan 2024 14:35:26 +0100 Received: from aspmx1.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1.migadu.com with LMTPS id aPD+OR37uGU/OAEA62LTzQ (envelope-from ) for ; Tue, 30 Jan 2024 14:35:26 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=zancanaro.id.au header.s=k1 header.b=RsDEZiyJ; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=zancanaro.id.au ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1706621725; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=pIScMdXFckbnj/r3VrdTLXwNutinaJONMT2IVnzA2ug=; b=UJL4dW/ydeoAviBB7BF/2us2N1eV8VXXB9KjEAu/X/lPKClIOF26AQBIt7tDKDLX1miuKC upwbBXSvpia1liY0weoWBdTI7O8o8VOdAQAtzc6Sh2YBVUyRYholh8aLhl/y4Wc4QcY/DB npOQLDLXFoz7iinmLudOvuSimkc6c5qMQ92qgzXKDp+Zi4YGlk8+tqK6k+T+BzzZV36Gdn 2sg/oVjEzc2/fqdxKzMLehxL0RMqsnf93h00GpJXv2ZdaJcGiFRYA9Auy1IQ9cKB3t+uRy 9rmvySh2lO5JUUKTJnxsUxc1xciz39biRu7EOW8p9pLy23StifurqqmgdBOn9A== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=zancanaro.id.au header.s=k1 header.b=RsDEZiyJ; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=zancanaro.id.au ARC-Seal: i=1; s=key1; d=yhetil.org; t=1706621725; a=rsa-sha256; cv=none; b=EYcfx54XybfAJGiQ4oOwxHo7iFL67y6688pTX/dCUZYanMZvW4GQBFuFGa+XbdVYrr+iBy 7Q8AerDmCfF1/XRE4KuTizvmAjWLPSlEWcGBL4ch5jrYl8x08pwX1xYXEGylz4zbpX/+mS 3OEhNB058Der39mYWWAJPOVYXWi5R5Ce5ECM5Ze4gOM92iU0U3KP89p9k138QPmQxXWLJP +mFvqdIgYZsexuieI9KxwYO8tBSHttZ2KVOppLYl73w0LojXa5oYjPebWyIDCXy2IzzpWv 7W7tZBPw3sF6qkF2VBbNmnjhNdAUtdVnHBD8osdeTR1eWSDbBJDprNVXBos7yw== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 978D23E13A for ; Tue, 30 Jan 2024 14:35:25 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rUoFQ-0007PO-9W; Tue, 30 Jan 2024 08:33:56 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rUoFJ-0007O9-FJ for guix-devel@gnu.org; Tue, 30 Jan 2024 08:33:49 -0500 Received: from voltorb.zancanaro.id.au ([45.77.50.64]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rUoFG-0006BO-Iv for guix-devel@gnu.org; Tue, 30 Jan 2024 08:33:49 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; bh=pIScMdXFckbnj/r 3VrdTLXwNutinaJONMT2IVnzA2ug=; h=references:in-reply-to:date:subject: cc:to:from; d=zancanaro.id.au; b=RsDEZiyJkE/FhkWp5zWQ4AEIi32exaZed1oRK A0ESiVOxaYC9DnS3D00lzj/vp0Y8eOxTjtjfiSvPHXdO5ypRGbMu5tc8+xiGj/j9DchurO 7ATionsBVe6aS/HjEwghixFlkjQwyxc+kK5WlYmi+JSCwR5wCwwHwrASAlFd6T7s= Received: by voltorb.zancanaro.id.au (OpenSMTPD) with ESMTPSA id 64110594 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Tue, 30 Jan 2024 13:33:27 +0000 (UTC) From: Carlo Zancanaro To: 46961@debbugs.gnu.org Cc: clement@lassieur.org, brice@waegenei.re, guix-devel@gnu.org Subject: [PATCH v2 1/4] services: certbot: Symlink certificates to /etc/certs. Date: Tue, 30 Jan 2024 13:26:37 +0000 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=45.77.50.64; envelope-from=carlo@zancanaro.id.au; helo=voltorb.zancanaro.id.au X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: -9.16 X-Migadu-Queue-Id: 978D23E13A X-Spam-Score: -9.16 X-Migadu-Scanner: mx11.migadu.com X-TUID: YHRBLYDzPxN2 * gnu/services/certbot.scm (certbot-deploy-hook): New procedure. (certbot-command): Pass new deploy hook to certbot. * doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout. Change-Id: I2ba5e4903d1e293e566b732a84b07d5a134b697d --- doc/guix.texi | 26 +++++++++++++------------- gnu/services/certbot.scm | 36 ++++++++++++++++++++++++++++++++++-- 2 files changed, 47 insertions(+), 15 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index bb0af26d93..b134d45a16 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -43,7 +43,7 @@ Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@* Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@* Copyright @copyright{} 2017 Federico Beffa@* -Copyright @copyright{} 2017, 2018 Carlo Zancanaro@* +Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@* Copyright @copyright{} 2017 Thomas Danckaert@* Copyright @copyright{} 2017 humanitiesNerd@* Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@* @@ -28135,7 +28135,7 @@ Messaging Services them. See @url{https://prosody.im/doc/letsencrypt}. @example -prosodyctl --root cert import /etc/letsencrypt/live +prosodyctl --root cert import /etc/certs @end example The available configuration parameters follow. Each parameter @@ -28846,8 +28846,8 @@ Telephony Services (welcome-text "Welcome to this Mumble server running on Guix!") (cert-required? #t) ;disallow text password logins - (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem") - (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem"))) + (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem") + (ssl-key "/etc/certs/mumble.example.com/privkey.pem"))) @end lisp After reconfiguring your system, you can manually set the mumble-server @@ -28965,12 +28965,12 @@ Telephony Services File name of the SSL/TLS certificate used for encrypted connections. @lisp -(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem") +(ssl-cert "/etc/certs/example.com/fullchain.pem") @end lisp @item @code{ssl-key} (default: @code{#f}) Filepath to the ssl private key used for encrypted connections. @lisp -(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem") +(ssl-key "/etc/certs/example.com/privkey.pem") @end lisp @item @code{ssl-dh-params} (default: @code{#f}) @@ -32685,7 +32685,7 @@ Certificate Services Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for -example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new +example, @samp{"/etc/certs/example.com"}) containing the new certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. @@ -32694,8 +32694,8 @@ Certificate Services @end deftp For each @code{certificate-configuration}, the certificate is saved to -@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is -saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}. +@code{/etc/certs/@var{name}/fullchain.pem} and the key is +saved to @code{/etc/certs/@var{name}/privkey.pem}. @node DNS Services @subsection DNS Services @cindex DNS (domain name system) @@ -37381,9 +37381,9 @@ Version Control Services (listen '("443 ssl")) (server-name "git.my-host.org") (ssl-certificate - "/etc/letsencrypt/live/git.my-host.org/fullchain.pem") + "/etc/certs/git.my-host.org/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/git.my-host.org/privkey.pem") + "/etc/certs/git.my-host.org/privkey.pem") (locations (list (git-http-nginx-location-configuration @@ -38508,9 +38508,9 @@ Version Control Services (nginx-server-block (nginx-server-configuration (ssl-certificate - "/etc/letsencrypt/live/myweb.site/fullchain.pem") + "/etc/certs/myweb.site/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/myweb.site/privkey.pem") + "/etc/certs/myweb.site/privkey.pem") (listen '("443 ssl http2" "[::]:443 ssl http2")) (locations (list diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 0c45471659..3926d0551a 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jack Hill ;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; Copyright © 2021 Raghav Gururajan +;;; Copyright © 2024 Carlo Zancanaro ;;; ;;; This file is part of GNU Guix. ;;; @@ -87,6 +88,35 @@ (define-record-type* (body (list "return 301 https://$host$request_uri;")))))) +(define (certbot-deploy-hook name deploy-hook-script) + "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem +from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is +not #f then it is run after the symlinks have been created." + (program-file + (string-append name "-deploy-hook") + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p #$(string-append "/etc/certs/" name)) + (chmod #$(string-append "/etc/certs/" name) #o755) + + ;; Create new symlinks + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/privkey.pem") + #$(string-append "/etc/certs/" name "/privkey.pem.new")) + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/fullchain.pem") + #$(string-append "/etc/certs/" name "/fullchain.pem.new")) + + ;; Rename over the top of the old ones, if there are any. + (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") + #$(string-append "/etc/certs/" name "/privkey.pem")) + (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") + #$(string-append "/etc/certs/" name "/fullchain.pem")) + #$@(if deploy-hook-script + (list #~(invoke #$deploy-hook-script)) + '()))))) + (define certbot-command (match-lambda (($ package webroot certificates email @@ -118,7 +148,8 @@ (define certbot-command `("--manual-auth-hook" ,authentication-hook) '()) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))) (append (list name certbot "certonly" "-n" "--agree-tos" "--webroot" "-w" webroot @@ -130,7 +161,8 @@ (define certbot-command '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))))))) certificates))) (program-file "certbot-command" -- 2.41.0