snape pushed a commit to branch master
in repository guix.
commit fece75fe356ce9f99d1d13baaa5f195c510f187b
Author: Clément Lassieur <clem...@lassieur.org>
Date: Sun Feb 11 10:53:10 2018 +0100
services: certbot: Allow to set a deploy hook.
* doc/guix.texi (Certificate Services): Document it.
* gnu/services/certbot.scm (<certificate-configuration>, certbot-command):
Add
it.
---
doc/guix.texi | 22 ++++++++++++++++++++--
gnu/services/certbot.scm | 10 +++++++---
2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index e180297..6911645 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15733,7 +15733,9 @@ signature.
The certbot service automates this process: the initial key
generation, the initial certification request to the Let's Encrypt
service, the web server challenge/response integration, writing the
-certificate to disk, and the automated periodic renewals.
+certificate to disk, the automated periodic renewals, and the deployment
+tasks associated with the renewal (e.g. reloading services, copying keys
+with different permissions).
Certbot is run twice a day, at a random minute within the hour. It
won't do anything until your certificates are due for renewal or
@@ -15750,13 +15752,20 @@ A service type for the @code{certbot} Let's Encrypt
client. Its value
must be a @code{certbot-configuration} record as in this example:
@example
+(define %nginx-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+ (kill pid SIGHUP))))
+
(service certbot-service-type
(certbot-configuration
(email "foo@@example.net")
(certificates
(list
(certificate-configuration
- (domains '("example.net" "www.example.net")))
+ (domains '("example.net" "www.example.net"))
+ (deploy-hook %nginx-deploy-hook))
(certificate-configuration
(domains '("bar.example.net")))))))
@end example
@@ -15826,6 +15835,15 @@ Its default is the first provided domain.
The first domain provided will be the subject CN of the certificate, and
all domains will be Subject Alternative Names on the certificate.
+@item @code{deploy-hook} (default: @code{#f})
+Command to be run in a shell once for each successfully issued
+certificate. For this command, the shell variable
+@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
+example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
+certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
+contain a space-delimited list of renewed certificate domains (for
+example, @samp{"example.com www.example.com"}.
+
@end table
@end deftp
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index f90e4f0..066b824 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -48,7 +48,9 @@
(name certificate-configuration-name
(default #f))
(domains certificate-configuration-domains
- (default '())))
+ (default '()))
+ (deploy-hook certificate-configuration-deploy-hook
+ (default #f)))
(define-record-type* <certbot-configuration>
certbot-configuration make-certbot-configuration
@@ -78,7 +80,8 @@
(commands
(map
(match-lambda
- (($ <certificate-configuration> custom-name domains)
+ (($ <certificate-configuration> custom-name domains
+ deploy-hook)
(let ((name (or custom-name (car domains))))
(append
(list name certbot "certonly" "-n" "--agree-tos"
@@ -86,7 +89,8 @@
"--webroot" "-w" webroot
"--cert-name" name
"-d" (string-join domains ","))
- (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())))))
+ (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
certificates)))
(program-file
"certbot-command"
