From fece75fe356ce9f99d1d13baaa5f195c510f187b Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Sun, 11 Feb 2018 10:53:10 +0100 Subject: services: certbot: Allow to set a deploy hook. * doc/guix.texi (Certificate Services): Document it. * gnu/services/certbot.scm (, certbot-command): Add it. --- doc/guix.texi | 22 ++++++++++++++++++++-- gnu/services/certbot.scm | 10 +++++++--- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index e1802978b0..691164502b 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15733,7 +15733,9 @@ signature. The certbot service automates this process: the initial key generation, the initial certification request to the Let's Encrypt service, the web server challenge/response integration, writing the -certificate to disk, and the automated periodic renewals. +certificate to disk, the automated periodic renewals, and the deployment +tasks associated with the renewal (e.g. reloading services, copying keys +with different permissions). Certbot is run twice a day, at a random minute within the hour. It won't do anything until your certificates are due for renewal or @@ -15750,13 +15752,20 @@ A service type for the @code{certbot} Let's Encrypt client. Its value must be a @code{certbot-configuration} record as in this example: @example +(define %nginx-deploy-hook + (program-file + "nginx-deploy-hook" + #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) + (kill pid SIGHUP)))) + (service certbot-service-type (certbot-configuration (email "foo@@example.net") (certificates (list (certificate-configuration - (domains '("example.net" "www.example.net"))) + (domains '("example.net" "www.example.net")) + (deploy-hook %nginx-deploy-hook)) (certificate-configuration (domains '("bar.example.net"))))))) @end example 
@@ -15826,6 +15835,15 @@ Its default is the first provided domain. The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. +@item @code{deploy-hook} (default: @code{#f}) +Command to be run in a shell once for each successfully issued +certificate. For this command, the shell variable +@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for +example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new +certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will +contain a space-delimited list of renewed certificate domains (for +example, @samp{"example.com www.example.com"}. + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index f90e4f04b2..066b8241b2 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -48,7 +48,9 @@ (name certificate-configuration-name (default #f)) (domains certificate-configuration-domains - (default '()))) + (default '())) + (deploy-hook certificate-configuration-deploy-hook + (default #f))) (define-record-type* certbot-configuration make-certbot-configuration @@ -78,7 +80,8 @@ (commands (map (match-lambda - (($ custom-name domains) + (($ custom-name domains + deploy-hook) (let ((name (or custom-name (car domains)))) (append (list name certbot "certonly" "-n" "--agree-tos" @@ -86,7 +89,8 @@ "--webroot" "-w" webroot "--cert-name" name "-d" (string-join domains ",")) - (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()))))) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))) certificates))) (program-file "certbot-command" -- cgit v1.2.3
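Review bot: The `deploy-hook` value spliced in by the last hunk, `(if deploy-hook `("--deploy-hook" ,deploy-hook) '())`, reaches the certbot command line unvalidated, and per the documentation hunk certbot hands that argument to a shell, so a plain string would be parsed for shell syntax rather than executed as a file, while the record field added at @@ -48 gives the reader no hint of the expected type. A comment on the field, `;; File-like object (e.g. a program-file) that certbot runs through a shell after each successful issuance; it inherits certbot's privileges.`, would pin the contract, and a `file-like?` check at the splice point would reject strings at configuration time instead of at renewal time. The `certbot-command` body edited by the two later hunks begins and ends outside them, and the record type name in the `match-lambda` pattern `($ custom-name domains deploy-hook)` appears to have been lost in this rendering.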