[bug#30459] [PATCH 11/11] services: certbot: Allow to set a deploy hook.

[Clément Lassieur]

* doc/guix.texi (Certificate Services): Document it.
* gnu/services/certbot.scm (<certificate-configuration>, certbot-command): Add
it.
---
 doc/guix.texi            | 22 ++++++++++++++++++++--
 gnu/services/certbot.scm | 10 +++++++---
 2 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 8500cda6d..2092e1d3b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15668,7 +15668,9 @@ signature.
 The certbot service automates this process: the initial key
 generation, the initial certification request to the Let's Encrypt
 service, the web server challenge/response integration, writing the
-certificate to disk, and the automated periodic renewals.
+certificate to disk, the automated periodic renewals, and the deployment
+tasks associated with the renewal (e.g. reloading services, copying keys
+with different permissions).
 
 Certbot is run twice a day, at a random minute within the hour.  It
 won't do anything until your certificates are due for renewal or
@@ -15681,13 +15683,20 @@ A service type for the @code{certbot} Let's Encrypt 
client.  Its value
 must be a @code{certbot-configuration} record as in this example:
 
 @example
+(define %nginx-deploy-hook
+  (program-file
+   "nginx-deploy-hook"
+   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+       (kill pid SIGHUP))))
+
 (service certbot-service-type
          (certbot-configuration
           (email "foo@@example.net")
           (certificates
            (list
             (certificate-configuration
-             (domains '("example.net" "www.example.net")))
+             (domains '("example.net" "www.example.net"))
+             (deploy-hook %nginx-deploy-hook))
             (certificate-configuration
              (domains '("bar.example.net")))))))
 @end example
@@ -15757,6 +15766,15 @@ Its default is the first provided domain.
 The first domain provided will be the subject CN of the certificate, and
 all domains will be Subject Alternative Names on the certificate.
 
address@hidden @code{deploy-hook} (default: @code{#f})
+Command to be run in a shell once for each successfully issued
+certificate.  For this command, the shell variable
address@hidden will point to the config live subdirectory (for
+example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
+certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
+contain a space-delimited list of renewed certificate domains (for
+example, @samp{"example.com www.example.com"}.
+
 @end table
 @end deftp
 
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index f90e4f04b..066b8241b 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -48,7 +48,9 @@
   (name                certificate-configuration-name
                        (default #f))
   (domains             certificate-configuration-domains
-                       (default '())))
+                       (default '()))
+  (deploy-hook         certificate-configuration-deploy-hook
+                       (default #f)))
 
 (define-record-type* <certbot-configuration>
   certbot-configuration make-certbot-configuration
@@ -78,7 +80,8 @@
             (commands
              (map
               (match-lambda
-                (($ <certificate-configuration> custom-name domains)
+                (($ <certificate-configuration> custom-name domains
+                                                deploy-hook)
                  (let ((name (or custom-name (car domains))))
                    (append
                     (list name certbot "certonly" "-n" "--agree-tos"
@@ -86,7 +89,8 @@
                           "--webroot" "-w" webroot
                           "--cert-name" name
                           "-d" (string-join domains ","))
-                    (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())))))
+                    (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+                    (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
               certificates)))
        (program-file
         "certbot-command"
-- 
2.16.1