[bug#30459] [PATCH 11/11] services: certbot: Allow to set a deploy hook.
From: Clément Lassieur
Subject: [bug#30459] [PATCH 11/11] services: certbot: Allow to set a deploy hook.
Date: Wed, 14 Feb 2018 22:35:04 +0100
* doc/guix.texi (Certificate Services): Document it.
* gnu/services/certbot.scm (<certificate-configuration>, certbot-command): Add
it.
---
doc/guix.texi | 22 ++++++++++++++++++++--
gnu/services/certbot.scm | 10 +++++++---
2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 8500cda6d..2092e1d3b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15668,7 +15668,9 @@ signature.
The certbot service automates this process: the initial key
generation, the initial certification request to the Let's Encrypt
service, the web server challenge/response integration, writing the
-certificate to disk, and the automated periodic renewals.
+certificate to disk, the automated periodic renewals, and the deployment
+tasks associated with the renewal (e.g. reloading services, copying keys
+with different permissions).
Certbot is run twice a day, at a random minute within the hour. It
won't do anything until your certificates are due for renewal or
@@ -15681,13 +15683,20 @@ A service type for the @code{certbot} Let's Encrypt
client. Its value
must be a @code{certbot-configuration} record as in this example:
@example
+(define %nginx-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+ (kill pid SIGHUP))))
+
(service certbot-service-type
(certbot-configuration
(email "foo@@example.net")
(certificates
(list
(certificate-configuration
- (domains '("example.net" "www.example.net")))
+ (domains '("example.net" "www.example.net"))
+ (deploy-hook %nginx-deploy-hook))
(certificate-configuration
(domains '("bar.example.net")))))))
@end example
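Review bot: the `%nginx-deploy-hook` example in this hunk has no guard for nginx not running. `(call-with-input-file "/var/run/nginx/pid" read)` raises a system error when the pid file does not exist and yields the EOF object when the file is empty, so `(kill pid SIGHUP)` then fails with a wrong-type error; in both cases certbot reports a failed deploy hook even though the certificate itself was issued. Consider checking `(number? pid)` (or wrapping the body in a handler) before signalling, so the documented example fails gracefully.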
@@ -15757,6 +15766,15 @@ Its default is the first provided domain.
The first domain provided will be the subject CN of the certificate, and
all domains will be Subject Alternative Names on the certificate.
address@hidden @code{deploy-hook} (default: @code{#f})
+Command to be run in a shell once for each successfully issued
+certificate. For this command, the shell variable
address@hidden will point to the config live subdirectory (for
+example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
+certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
+contain a space-delimited list of renewed certificate domains (for
+example, @samp{"example.com www.example.com"}.
+
@end table
@end deftp
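Review bot: the last sentence of the new `deploy-hook` description is missing its closing parenthesis: `(for example, @samp{"example.com www.example.com"}.` should end with `"}).`. Note also that the list archive has mangled two tokens in this hunk to `address@hidden`, the `@item` line and the name of the variable that "will point to the config live subdirectory" (presumably the certbot variable `$RENEWED_LINEAGE`, matching `$RENEWED_DOMAINS` below); worth confirming the original texinfo before applying. Since the field lives on `certificate-configuration`, the text could also say that the hook runs only for that certificate, not for every certificate in the list.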
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index f90e4f04b..066b8241b 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -48,7 +48,9 @@
(name certificate-configuration-name
(default #f))
(domains certificate-configuration-domains
- (default '())))
+ (default '()))
+ (deploy-hook certificate-configuration-deploy-hook
+ (default #f)))
(define-record-type* <certbot-configuration>
certbot-configuration make-certbot-configuration
@@ -78,7 +80,8 @@
(commands
(map
(match-lambda
- (($ <certificate-configuration> custom-name domains)
+ (($ <certificate-configuration> custom-name domains
+ deploy-hook)
(let ((name (or custom-name (car domains))))
(append
(list name certbot "certonly" "-n" "--agree-tos"
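Review bot: the `($ <certificate-configuration> custom-name domains deploy-hook)` pattern binds fields positionally, so it depends on `deploy-hook` being the last field in the record definition (which the previous hunk does ensure). Any future field must be appended after it or this match will silently bind the wrong value; a short comment next to the pattern, or matching on named accessors, would make that dependency explicit.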
@@ -86,7 +89,8 @@
"--webroot" "-w" webroot
"--cert-name" name
"-d" (string-join domains ","))
- (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())))))
+ (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
certificates)))
(program-file
"certbot-command"
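Review bot: `,deploy-hook` is spliced into the command line unchanged, but the documentation in this patch describes the field as a "Command to be run in a shell" while the example passes a `program-file`. The field description should state which value types are accepted (a file-like object as in the example, a plain string command, or both), since a string with arguments and a file-like object are lowered differently when this list is embedded in the `certbot-command` gexp.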
--
2.16.1