
11/11: services: certbot: Allow to set a deploy hook.


From: Clément Lassieur
Subject: 11/11: services: certbot: Allow to set a deploy hook.
Date: Thu, 22 Feb 2018 15:44:42 -0500 (EST)

snape pushed a commit to branch master
in repository guix.

commit fece75fe356ce9f99d1d13baaa5f195c510f187b
Author: Clément Lassieur <address@hidden>
Date:   Sun Feb 11 10:53:10 2018 +0100

    services: certbot: Allow to set a deploy hook.
    
    * doc/guix.texi (Certificate Services): Document it.
    * gnu/services/certbot.scm (<certificate-configuration>, certbot-command): Add
    it.
---
 doc/guix.texi            | 22 ++++++++++++++++++++--
 gnu/services/certbot.scm | 10 +++++++---
 2 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index e180297..6911645 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15733,7 +15733,9 @@ signature.
 The certbot service automates this process: the initial key
 generation, the initial certification request to the Let's Encrypt
 service, the web server challenge/response integration, writing the
-certificate to disk, and the automated periodic renewals.
+certificate to disk, the automated periodic renewals, and the deployment
+tasks associated with the renewal (e.g. reloading services, copying keys
+with different permissions).
 
 Certbot is run twice a day, at a random minute within the hour.  It
 won't do anything until your certificates are due for renewal or
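Review bot: style point on the new parenthetical in `+tasks associated with the renewal (e.g. reloading services, copying keys`: in Texinfo a period followed by whitespace in mid-sentence (`e.g. reloading`) is typeset as a sentence end, so write `e.g.@:` (or `@i{e.g.}`) per the usual Texinfo convention. It would also help the reader to tie this sentence to the new field, for instance "the deployment tasks run by the deploy hook after each renewal", since the field itself is only introduced further down in the `@deftp` table.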
@@ -15750,13 +15752,20 @@ A service type for the @code{certbot} Let's Encrypt 
client.  Its value
 must be a @code{certbot-configuration} record as in this example:
 
 @example
+(define %nginx-deploy-hook
+  (program-file
+   "nginx-deploy-hook"
+   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+       (kill pid SIGHUP))))
+
 (service certbot-service-type
          (certbot-configuration
           (email "foo@@example.net")
           (certificates
            (list
             (certificate-configuration
-             (domains '("example.net" "www.example.net")))
+             (domains '("example.net" "www.example.net"))
+             (deploy-hook %nginx-deploy-hook))
             (certificate-configuration
              (domains '("bar.example.net")))))))
 @end example
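Review bot: the example hook has no failure handling. If `/var/run/nginx/pid` is absent (nginx stopped), `call-with-input-file` raises; if the file exists but is empty, `read` returns the end-of-file object and `(kill pid SIGHUP)` fails with a wrong-type error. Either way the hook exits non-zero after the certificate has already been issued, so certbot reports a hook failure on every renewal until nginx is back. Suggest guarding the read (e.g. `false-if-exception` around the file access and an `(integer? pid)` check before `kill`), or at minimum a comment stating the example assumes a running nginx. Since this is the model users will copy, one sentence noting that the hook runs with whatever privileges the certbot command has, which is why it is a store-backed `program-file` rather than a path into a writable directory, would also be worth adding here.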
@@ -15826,6 +15835,15 @@ Its default is the first provided domain.
 The first domain provided will be the subject CN of the certificate, and
 all domains will be Subject Alternative Names on the certificate.
 
address@hidden @code{deploy-hook} (default: @code{#f})
+Command to be run in a shell once for each successfully issued
+certificate.  For this command, the shell variable
address@hidden will point to the config live subdirectory (for
+example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
+certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
+contain a space-delimited list of renewed certificate domains (for
+example, @samp{"example.com www.example.com"}.
+
 @end table
 @end deftp
 
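Review bot: unbalanced parenthesis in the `$RENEWED_DOMAINS` sentence: `(for example, @samp{"example.com www.example.com"}.` never closes and should read `... @samp{"example.com www.example.com"}).` Second, "Command to be run in a shell" does not match the example above, which sets `deploy-hook` to a `program-file` object; state what the field accepts (a file-like object such as a `program-file`, or a command string) so readers know both forms work. Finally, the archived copy shows `address@hidden` where the `@item` line and the shell variable name ("the shell variable ... will point to the config live subdirectory") should be; please check that the committed texinfo renders the `@item @code{deploy-hook}` entry and the variable name correctly, as the archive has mangled them as e-mail addresses.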
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index f90e4f0..066b824 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -48,7 +48,9 @@
   (name                certificate-configuration-name
                        (default #f))
   (domains             certificate-configuration-domains
-                       (default '())))
+                       (default '()))
+  (deploy-hook         certificate-configuration-deploy-hook
+                       (default #f)))
 
 (define-record-type* <certbot-configuration>
   certbot-configuration make-certbot-configuration
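Review bot: the new `deploy-hook` field is appended after `domains` with `(default #f)` and nothing constrains its type; `certbot-command` later relies on this exact position in its `match-lambda` pattern. A short comment on the field saying what it holds (a file-like object or a command string, `#f` for none) would keep the record definition and the manual entry in agreement and flag to the next contributor that the field order matters.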
@@ -78,7 +80,8 @@
             (commands
              (map
               (match-lambda
-                (($ <certificate-configuration> custom-name domains)
+                (($ <certificate-configuration> custom-name domains
+                                                deploy-hook)
                  (let ((name (or custom-name (car domains))))
                    (append
                     (list name certbot "certonly" "-n" "--agree-tos"
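Review bot: the pattern `($ <certificate-configuration> custom-name domains deploy-hook)` binds fields by position, so it silently depends on `deploy-hook` being the third declared field; any future field inserted before it would rebind `deploy-hook` to the wrong value with no compile-time error. Using the accessor `certificate-configuration-deploy-hook` on the matched record (or at least a comment next to the pattern noting that the order must track the record definition) removes that coupling.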
@@ -86,7 +89,8 @@
                           "--webroot" "-w" webroot
                           "--cert-name" name
                           "-d" (string-join domains ","))
-                    (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())))))
+                    (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+                    (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
               certificates)))
        (program-file
         "certbot-command"
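Review bot: `(if deploy-hook `("--deploy-hook" ,deploy-hook) '())` mirrors the `--rsa-key-size` handling, so `#f` drops the flag cleanly. Two things to confirm: (1) `deploy-hook` is spliced in as a single argument, so a `program-file` value must be lowered to its store path when this list is embedded in `program-file "certbot-command"`, the same way `certbot` and `webroot` are; otherwise the file-like object itself would end up on the command line. (2) Since certbot runs the hook with the privileges of the `certbot-command` itself, the value should always be a store-backed file or a fixed command, never a path under a directory other users can write to; a sentence to that effect in the manual entry would close the loop for users writing their own hooks.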
