2017-04-27 08:09:16 -04:00
|
|
|
|
;;; GNU Guix --- Functional package management for GNU
|
mailmap: Update entries for Nikita.
* .mailmap: change email and name for Nikita.
* Makefile.am, doc/guix.texi, etc/completion/fish/guix.fish,
gnu/packages/accessibility.scm, gnu/packages/admin.scm,
gnu/packages/audio.scm, gnu/packages/autotools.scm, gnu/packages/cdrom.scm,
gnu/packages/check.scm, gnu/packages/cinnamon.scm,
gnu/packages/compression.scm, gnu/packages/crypto.scm,
gnu/packages/databases.scm, gnu/packages/django.scm, gnu/packages/dns.scm,
gnu/packages/elixir.scm, gnu/packages/emacs-xyz.scm, gnu/packages/emacs.scm,
gnu/packages/enlightenment.scm, gnu/packages/erlang.scm,
gnu/packages/fonts.scm, gnu/packages/fontutils.scm, gnu/packages/forth.scm,
gnu/packages/fvwm.scm, gnu/packages/games.scm, gnu/packages/gl.scm,
gnu/packages/gnome.scm, gnu/packages/gnunet.scm, gnu/packages/gnupg.scm,
gnu/packages/gtk.scm, gnu/packages/guile-wm.scm, gnu/packages/guile-xyz.scm,
gnu/packages/haskell-apps.scm, gnu/packages/haskell-check.scm,
gnu/packages/haskell-crypto.scm, gnu/packages/haskell-xyz.scm,
gnu/packages/haskell.scm, gnu/packages/image-viewers.scm,
gnu/packages/image.scm, gnu/packages/irc.scm, gnu/packages/language.scm,
gnu/packages/libcanberra.scm, gnu/packages/linux.scm,
gnu/packages/lisp-xyz.scm, gnu/packages/lisp.scm, gnu/packages/lolcode.scm,
gnu/packages/lxde.scm, gnu/packages/lxqt.scm, gnu/packages/mail.scm,
gnu/packages/markup.scm, gnu/packages/mate.scm, gnu/packages/maths.scm,
gnu/packages/mc.scm, gnu/packages/messaging.scm, gnu/packages/music.scm,
gnu/packages/ncurses.scm, gnu/packages/networking.scm,
gnu/packages/nickle.scm, gnu/packages/openbox.scm, gnu/packages/pdf.scm,
gnu/packages/perl-check.scm, gnu/packages/perl.scm,
gnu/packages/python-compression.scm, gnu/packages/python-crypto.scm,
gnu/packages/python-web.scm, gnu/packages/python-xyz.scm,
gnu/packages/python.scm, gnu/packages/qt.scm, gnu/packages/ruby.scm,
gnu/packages/rust.scm, gnu/packages/scheme.scm,
gnu/packages/serialization.scm, gnu/packages/shells.scm,
gnu/packages/ssh.scm, gnu/packages/suckless.scm, gnu/packages/tbb.scm,
gnu/packages/telephony.scm, gnu/packages/text-editors.scm,
gnu/packages/textutils.scm, gnu/packages/time.scm, gnu/packages/tls.scm,
gnu/packages/tor.scm, gnu/packages/version-control.scm,
gnu/packages/video.scm, gnu/packages/vim.scm, gnu/packages/web.scm,
gnu/packages/wm.scm, gnu/packages/xdisorg.scm, gnu/packages/xfce.scm,
gnu/packages/xml.scm, gnu/packages/xorg.scm, gnu/services/certbot.scm,
gnu/services/desktop.scm, gnu/services/version-control.scm,
gnu/services/web.scm, guix/import/hackage.scm, guix/licenses.scm: Likewise.
Signed-off-by: Efraim Flashner <efraim@flashner.co.il>
2020-05-11 07:05:45 -04:00
|
|
|
|
;;; Copyright © 2016 Nikita <nikita@n0.is>
|
2017-04-27 08:09:16 -04:00
|
|
|
|
;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org>
|
2018-02-08 19:00:33 -05:00
|
|
|
|
;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
|
2019-04-19 16:28:30 -04:00
|
|
|
|
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
|
2020-03-05 15:39:48 -05:00
|
|
|
|
;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
|
|
|
|
|
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
|
2021-06-24 14:14:37 -04:00
|
|
|
|
;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
|
2024-01-31 06:46:22 -05:00
|
|
|
|
;;; Copyright © 2024 Carlo Zancanaro <carlo@zancanaro.id.au>
|
2017-04-27 08:09:16 -04:00
|
|
|
|
;;;
|
|
|
|
|
;;; This file is part of GNU Guix.
|
|
|
|
|
;;;
|
|
|
|
|
;;; GNU Guix is free software; you can redistribute it and/or modify it
|
|
|
|
|
;;; under the terms of the GNU General Public License as published by
|
|
|
|
|
;;; the Free Software Foundation; either version 3 of the License, or (at
|
|
|
|
|
;;; your option) any later version.
|
|
|
|
|
;;;
|
|
|
|
|
;;; GNU Guix is distributed in the hope that it will be useful, but
|
|
|
|
|
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
;;; GNU General Public License for more details.
|
|
|
|
|
;;;
|
|
|
|
|
;;; You should have received a copy of the GNU General Public License
|
|
|
|
|
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
(define-module (gnu services certbot)
|
|
|
|
|
#:use-module (gnu services)
|
|
|
|
|
#:use-module (gnu services base)
|
|
|
|
|
#:use-module (gnu services shepherd)
|
|
|
|
|
#:use-module (gnu services mcron)
|
|
|
|
|
#:use-module (gnu services web)
|
|
|
|
|
#:use-module (gnu system shadow)
|
|
|
|
|
#:use-module (gnu packages tls)
|
2018-03-19 16:10:31 -04:00
|
|
|
|
#:use-module (guix i18n)
|
2017-04-27 08:09:16 -04:00
|
|
|
|
#:use-module (guix records)
|
|
|
|
|
#:use-module (guix gexp)
|
|
|
|
|
#:use-module (srfi srfi-1)
|
2024-01-31 06:46:23 -05:00
|
|
|
|
#:use-module (ice-9 format)
|
2017-04-27 08:09:16 -04:00
|
|
|
|
#:use-module (ice-9 match)
|
|
|
|
|
#:export (certbot-service-type
|
|
|
|
|
certbot-configuration
|
2018-02-10 11:20:22 -05:00
|
|
|
|
certbot-configuration?
|
|
|
|
|
certificate-configuration))
|
2017-04-27 08:09:16 -04:00
|
|
|
|
|
|
|
|
|
;;; Commentary:
|
|
|
|
|
;;;
|
|
|
|
|
;;; Automatically obtaining TLS certificates from Let's Encrypt.
|
|
|
|
|
;;;
|
|
|
|
|
;;; Code:
|
|
|
|
|
|
|
|
|
|
|
2018-02-10 11:20:22 -05:00
|
|
|
|
(define-record-type* <certificate-configuration>
|
|
|
|
|
certificate-configuration make-certificate-configuration
|
|
|
|
|
certificate-configuration?
|
|
|
|
|
(name certificate-configuration-name
|
|
|
|
|
(default #f))
|
|
|
|
|
(domains certificate-configuration-domains
|
2018-02-11 04:53:10 -05:00
|
|
|
|
(default '()))
|
2019-04-19 16:28:30 -04:00
|
|
|
|
(challenge certificate-configuration-challenge
|
|
|
|
|
(default #f))
|
2021-06-24 14:14:37 -04:00
|
|
|
|
(csr certificate-configuration-csr
|
|
|
|
|
(default #f))
|
2019-04-19 16:28:30 -04:00
|
|
|
|
(authentication-hook certificate-authentication-hook
|
|
|
|
|
(default #f))
|
|
|
|
|
(cleanup-hook certificate-cleanup-hook
|
|
|
|
|
(default #f))
|
2018-02-11 04:53:10 -05:00
|
|
|
|
(deploy-hook certificate-configuration-deploy-hook
|
2024-01-31 06:46:23 -05:00
|
|
|
|
(default #f))
|
|
|
|
|
(start-self-signed? certificate-configuration-start-self-signed?
|
|
|
|
|
(default #t)))
|
2018-02-10 11:20:22 -05:00
|
|
|
|
|
2017-04-27 08:09:16 -04:00
|
|
|
|
(define-record-type* <certbot-configuration>
|
|
|
|
|
certbot-configuration make-certbot-configuration
|
|
|
|
|
certbot-configuration?
|
|
|
|
|
(package certbot-configuration-package
|
|
|
|
|
(default certbot))
|
|
|
|
|
(webroot certbot-configuration-webroot
|
|
|
|
|
(default "/var/www"))
|
2018-02-10 11:20:22 -05:00
|
|
|
|
(certificates certbot-configuration-certificates
|
2017-04-27 08:09:16 -04:00
|
|
|
|
(default '()))
|
2020-09-11 07:55:55 -04:00
|
|
|
|
(email certbot-configuration-email
|
|
|
|
|
(default #f))
|
2020-03-05 15:39:48 -05:00
|
|
|
|
(server certbot-configuration-server
|
|
|
|
|
(default #f))
|
2018-02-10 11:27:19 -05:00
|
|
|
|
(rsa-key-size certbot-configuration-rsa-key-size
|
|
|
|
|
(default #f))
|
2017-04-27 08:09:16 -04:00
|
|
|
|
(default-location certbot-configuration-default-location
|
|
|
|
|
(default
|
|
|
|
|
(nginx-location-configuration
|
|
|
|
|
(uri "/")
|
|
|
|
|
(body
|
|
|
|
|
(list "return 301 https://$host$request_uri;"))))))
|
|
|
|
|
|
2024-01-31 06:46:22 -05:00
|
|
|
|
(define (certbot-deploy-hook name deploy-hook-script)
|
|
|
|
|
"Returns a gexp which creates symlinks for privkey.pem and fullchain.pem
|
|
|
|
|
from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is
|
2024-01-31 06:46:23 -05:00
|
|
|
|
not #f then it is run after the symlinks have been created. This wrapping is
|
|
|
|
|
necessary for certificates with start-self-signed? set to #t, as it will
|
|
|
|
|
overwrite the initial self-signed certificates upon the first successful
|
|
|
|
|
deploy."
|
2024-01-31 06:46:22 -05:00
|
|
|
|
(program-file
|
|
|
|
|
(string-append name "-deploy-hook")
|
2024-01-31 06:46:24 -05:00
|
|
|
|
(with-imported-modules '((gnu services herd)
|
|
|
|
|
(guix build utils))
|
2024-01-31 06:46:22 -05:00
|
|
|
|
#~(begin
|
2024-01-31 06:46:24 -05:00
|
|
|
|
(use-modules (gnu services herd)
|
|
|
|
|
(guix build utils))
|
2024-01-31 06:46:22 -05:00
|
|
|
|
(mkdir-p #$(string-append "/etc/certs/" name))
|
|
|
|
|
(chmod #$(string-append "/etc/certs/" name) #o755)
|
|
|
|
|
|
|
|
|
|
;; Create new symlinks
|
|
|
|
|
(symlink #$(string-append
|
|
|
|
|
"/etc/letsencrypt/live/" name "/privkey.pem")
|
|
|
|
|
#$(string-append "/etc/certs/" name "/privkey.pem.new"))
|
|
|
|
|
(symlink #$(string-append
|
|
|
|
|
"/etc/letsencrypt/live/" name "/fullchain.pem")
|
|
|
|
|
#$(string-append "/etc/certs/" name "/fullchain.pem.new"))
|
|
|
|
|
|
2024-01-31 06:46:23 -05:00
|
|
|
|
;; Rename over the top of the old ones, just in case they were the
|
|
|
|
|
;; original self-signed certificates.
|
2024-01-31 06:46:22 -05:00
|
|
|
|
(rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new")
|
|
|
|
|
#$(string-append "/etc/certs/" name "/privkey.pem"))
|
|
|
|
|
(rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new")
|
|
|
|
|
#$(string-append "/etc/certs/" name "/fullchain.pem"))
|
2024-01-31 06:46:24 -05:00
|
|
|
|
|
|
|
|
|
;; With the new certificates in place, tell nginx to reload them.
|
|
|
|
|
(with-shepherd-action 'nginx ('reload) result result)
|
|
|
|
|
|
2024-01-31 06:46:22 -05:00
|
|
|
|
#$@(if deploy-hook-script
|
|
|
|
|
(list #~(invoke #$deploy-hook-script))
|
|
|
|
|
'())))))
|
|
|
|
|
|
2018-02-10 10:06:12 -05:00
|
|
|
|
(define certbot-command
|
2017-04-27 08:09:16 -04:00
|
|
|
|
(match-lambda
|
2018-02-10 11:20:22 -05:00
|
|
|
|
(($ <certbot-configuration> package webroot certificates email
|
2020-03-05 15:39:48 -05:00
|
|
|
|
server rsa-key-size default-location)
|
2018-02-10 10:06:12 -05:00
|
|
|
|
(let* ((certbot (file-append package "/bin/certbot"))
|
2018-02-10 11:27:19 -05:00
|
|
|
|
(rsa-key-size (and rsa-key-size (number->string rsa-key-size)))
|
2018-02-10 10:06:12 -05:00
|
|
|
|
(commands
|
|
|
|
|
(map
|
2018-02-10 11:20:22 -05:00
|
|
|
|
(match-lambda
|
2019-04-19 16:28:30 -04:00
|
|
|
|
(($ <certificate-configuration> custom-name domains challenge
|
2021-06-24 14:14:37 -04:00
|
|
|
|
csr authentication-hook
|
|
|
|
|
cleanup-hook deploy-hook)
|
2018-02-10 19:19:56 -05:00
|
|
|
|
(let ((name (or custom-name (car domains))))
|
2019-04-19 16:28:30 -04:00
|
|
|
|
(if challenge
|
|
|
|
|
(append
|
|
|
|
|
(list name certbot "certonly" "-n" "--agree-tos"
|
|
|
|
|
"--manual"
|
|
|
|
|
(string-append "--preferred-challenges=" challenge)
|
|
|
|
|
"--cert-name" name
|
2019-08-10 08:52:50 -04:00
|
|
|
|
"--manual-public-ip-logging-ok"
|
2019-04-19 16:28:30 -04:00
|
|
|
|
"-d" (string-join domains ","))
|
2021-06-24 14:14:37 -04:00
|
|
|
|
(if csr `("--csr" ,csr) '())
|
2020-09-11 07:55:55 -04:00
|
|
|
|
(if email
|
|
|
|
|
`("--email" ,email)
|
|
|
|
|
'("--register-unsafely-without-email"))
|
2020-03-05 15:39:48 -05:00
|
|
|
|
(if server `("--server" ,server) '())
|
2019-04-19 16:28:30 -04:00
|
|
|
|
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
|
|
|
|
|
(if authentication-hook
|
|
|
|
|
`("--manual-auth-hook" ,authentication-hook)
|
|
|
|
|
'())
|
|
|
|
|
(if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
|
2024-01-31 06:46:22 -05:00
|
|
|
|
(list "--deploy-hook"
|
|
|
|
|
(certbot-deploy-hook name deploy-hook)))
|
2019-04-19 16:28:30 -04:00
|
|
|
|
(append
|
|
|
|
|
(list name certbot "certonly" "-n" "--agree-tos"
|
|
|
|
|
"--webroot" "-w" webroot
|
|
|
|
|
"--cert-name" name
|
|
|
|
|
"-d" (string-join domains ","))
|
2021-06-24 14:14:37 -04:00
|
|
|
|
(if csr `("--csr" ,csr) '())
|
2020-09-11 07:55:55 -04:00
|
|
|
|
(if email
|
|
|
|
|
`("--email" ,email)
|
|
|
|
|
'("--register-unsafely-without-email"))
|
2020-03-05 15:39:48 -05:00
|
|
|
|
(if server `("--server" ,server) '())
|
2019-04-19 16:28:30 -04:00
|
|
|
|
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
|
2024-01-31 06:46:22 -05:00
|
|
|
|
(list "--deploy-hook"
|
|
|
|
|
(certbot-deploy-hook name deploy-hook)))))))
|
2018-02-10 11:20:22 -05:00
|
|
|
|
certificates)))
|
2018-02-10 10:06:12 -05:00
|
|
|
|
(program-file
|
|
|
|
|
"certbot-command"
|
2018-02-10 19:19:56 -05:00
|
|
|
|
#~(begin
|
2024-01-31 06:46:25 -05:00
|
|
|
|
(use-modules (ice-9 match)
|
|
|
|
|
(ice-9 textual-ports))
|
|
|
|
|
|
|
|
|
|
(define (log format-string . args)
|
|
|
|
|
(apply format #t format-string args)
|
|
|
|
|
(force-output))
|
|
|
|
|
|
|
|
|
|
(define (file-contains? file string)
|
|
|
|
|
(string-contains (call-with-input-file file
|
|
|
|
|
get-string-all)
|
|
|
|
|
string))
|
|
|
|
|
|
|
|
|
|
(define (connection-error?)
|
|
|
|
|
;; Certbot errors are always exit code 1, so we need to look at
|
|
|
|
|
;; the log file to see if there was a connection error.
|
|
|
|
|
(file-contains? "/var/log/letsencrypt/letsencrypt.log"
|
|
|
|
|
"Failed to establish a new connection"))
|
|
|
|
|
|
|
|
|
|
(let ((script-code 0))
|
2018-02-10 19:19:56 -05:00
|
|
|
|
(for-each
|
|
|
|
|
(match-lambda
|
|
|
|
|
((name . command)
|
2024-01-31 06:46:25 -05:00
|
|
|
|
(log "Acquiring or renewing certificate: ~a~%" name)
|
|
|
|
|
(cond
|
|
|
|
|
((zero? (status:exit-val (apply system* command)))
|
|
|
|
|
(log "Certificate successfully acquired: ~a~%" name))
|
|
|
|
|
((connection-error?)
|
|
|
|
|
;; If we have a connection error, then bail early with
|
|
|
|
|
;; exit code 2. We don't expect this to resolve within the
|
|
|
|
|
;; timespan of this script.
|
|
|
|
|
(log "Connection error - bailing out~%")
|
|
|
|
|
(exit 2))
|
|
|
|
|
(else
|
|
|
|
|
;; If we have any other type of error, then continue but
|
|
|
|
|
;; exit with a failing status code in the end.
|
|
|
|
|
(log "Error: ~a - continuing with other domains~%" name)
|
|
|
|
|
(set! script-code 1)))))
|
|
|
|
|
'#$commands)
|
|
|
|
|
(exit script-code))))))))
|
2017-04-27 08:09:16 -04:00
|
|
|
|
|
2018-02-10 10:06:12 -05:00
|
|
|
|
(define (certbot-renewal-jobs config)
|
|
|
|
|
(list
|
|
|
|
|
;; Attempt to renew the certificates twice per day, at a random minute
|
2022-12-25 16:03:17 -05:00
|
|
|
|
;; within the hour. See https://eff-certbot.readthedocs.io/.
|
2018-02-10 10:06:12 -05:00
|
|
|
|
#~(job '(next-minute-from (next-hour '(0 12)) (list (random 60)))
|
|
|
|
|
#$(certbot-command config))))
|
|
|
|
|
|
2024-01-31 06:46:25 -05:00
|
|
|
|
(define (certbot-renewal-one-shot config)
|
|
|
|
|
(list
|
|
|
|
|
;; Renew certificates when the system first starts. This is a one-shot
|
|
|
|
|
;; service, because the mcron configuration will take care of running this
|
|
|
|
|
;; periodically. This is most useful the very first time the system starts,
|
|
|
|
|
;; to overwrite our self-signed certificates as soon as possible without
|
|
|
|
|
;; user intervention.
|
|
|
|
|
(shepherd-service
|
|
|
|
|
(provision '(renew-certbot-certificates))
|
|
|
|
|
(requirement '(nginx))
|
|
|
|
|
(one-shot? #t)
|
|
|
|
|
(start #~(lambda _
|
|
|
|
|
;; This needs the network, but there's no reliable way to know
|
|
|
|
|
;; if the network is up other than trying. If we fail due to a
|
|
|
|
|
;; connection error we retry a number of times in the hope that
|
|
|
|
|
;; the network comes up soon.
|
|
|
|
|
(let loop ((attempt 0))
|
|
|
|
|
(let ((code (status:exit-val
|
|
|
|
|
(system* #$(certbot-command config)))))
|
|
|
|
|
(cond
|
|
|
|
|
((and (= code 2) ; Exit code 2 means connection error
|
|
|
|
|
(< attempt 12)) ; Arbitrarily chosen max attempts
|
|
|
|
|
(sleep 10) ; Arbitrarily chosen retry delay
|
|
|
|
|
(loop (1+ attempt)))
|
|
|
|
|
((zero? code)
|
|
|
|
|
;; Success!
|
|
|
|
|
#t)
|
|
|
|
|
(else
|
|
|
|
|
;; Failure.
|
|
|
|
|
#f))))))
|
|
|
|
|
(auto-start? #t)
|
|
|
|
|
(documentation "Call certbot to renew certificates.")
|
|
|
|
|
(actions (list (shepherd-configuration-action (certbot-command config)))))))
|
|
|
|
|
|
2024-01-31 06:46:23 -05:00
|
|
|
|
(define (generate-certificate-gexp certbot-cert-directory rsa-key-size)
|
|
|
|
|
(match-lambda
|
|
|
|
|
(($ <certificate-configuration> name (primary-domain other-domains ...)
|
|
|
|
|
challenge
|
|
|
|
|
csr authentication-hook
|
|
|
|
|
cleanup-hook deploy-hook)
|
|
|
|
|
(let (;; Arbitrary default subject, with just the
|
|
|
|
|
;; right domain filled in. These values don't
|
|
|
|
|
;; have any real significance.
|
|
|
|
|
(subject (string-append
|
|
|
|
|
"/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN="
|
|
|
|
|
primary-domain))
|
|
|
|
|
(alt-names (if (null? other-domains)
|
|
|
|
|
#f
|
|
|
|
|
(format #f "subjectAltName=~{DNS:~a~^,~}"
|
|
|
|
|
other-domains)))
|
|
|
|
|
(directory (string-append "/etc/certs/" (or name primary-domain))))
|
|
|
|
|
#~(when (not (file-exists? #$directory))
|
|
|
|
|
;; We generate self-signed certificates in /etc/certs/{domain},
|
|
|
|
|
;; because certbot is very sensitive to its directory
|
|
|
|
|
;; structure. It refuses to write over the top of existing files,
|
|
|
|
|
;; so we need to use a directory outside of its control.
|
|
|
|
|
;;
|
|
|
|
|
;; These certificates are overwritten by the certbot deploy hook
|
|
|
|
|
;; the first time it successfully obtains a letsencrypt-signed
|
|
|
|
|
;; certificate.
|
|
|
|
|
(mkdir-p #$directory)
|
|
|
|
|
(chmod #$directory #o755)
|
|
|
|
|
(invoke #$(file-append openssl "/bin/openssl")
|
|
|
|
|
"req" "-x509"
|
|
|
|
|
"-newkey" #$(string-append "rsa:" (or rsa-key-size "4096"))
|
|
|
|
|
"-keyout" #$(string-append directory "/privkey.pem")
|
|
|
|
|
"-out" #$(string-append directory "/fullchain.pem")
|
|
|
|
|
"-sha256"
|
|
|
|
|
"-days" "1" ; Only one day, because we expect certbot to run
|
|
|
|
|
"-nodes"
|
|
|
|
|
"-subj" #$subject
|
|
|
|
|
#$@(if alt-names
|
|
|
|
|
(list "-addext" alt-names)
|
|
|
|
|
(list))))))))
|
|
|
|
|
|
2018-02-10 10:06:12 -05:00
|
|
|
|
(define (certbot-activation config)
|
2018-03-19 16:10:31 -04:00
|
|
|
|
(let* ((certbot-directory "/var/lib/certbot")
|
2024-01-31 06:46:25 -05:00
|
|
|
|
(certbot-cert-directory "/etc/letsencrypt/live"))
|
2018-03-19 16:10:31 -04:00
|
|
|
|
(match config
|
|
|
|
|
(($ <certbot-configuration> package webroot certificates email
|
2020-03-05 15:39:48 -05:00
|
|
|
|
server rsa-key-size default-location)
|
2018-03-19 16:10:31 -04:00
|
|
|
|
(with-imported-modules '((guix build utils))
|
|
|
|
|
#~(begin
|
|
|
|
|
(use-modules (guix build utils))
|
|
|
|
|
(mkdir-p #$webroot)
|
|
|
|
|
(mkdir-p #$certbot-directory)
|
2022-09-23 06:27:03 -04:00
|
|
|
|
(mkdir-p #$certbot-cert-directory)
|
2024-01-31 06:46:23 -05:00
|
|
|
|
|
|
|
|
|
#$@(let ((rsa-key-size (and rsa-key-size
|
|
|
|
|
(number->string rsa-key-size))))
|
|
|
|
|
(map (generate-certificate-gexp certbot-cert-directory
|
|
|
|
|
rsa-key-size)
|
|
|
|
|
(filter certificate-configuration-start-self-signed?
|
2024-01-31 06:46:25 -05:00
|
|
|
|
certificates)))))))))
|
2017-04-27 08:09:16 -04:00
|
|
|
|
|
|
|
|
|
(define certbot-nginx-server-configurations
|
|
|
|
|
(match-lambda
|
2018-02-10 11:20:22 -05:00
|
|
|
|
(($ <certbot-configuration> package webroot certificates email
|
2020-03-05 15:39:48 -05:00
|
|
|
|
server rsa-key-size default-location)
|
2023-04-04 16:43:46 -04:00
|
|
|
|
(define (certificate->nginx-server certificate-configuration)
|
|
|
|
|
(match-record certificate-configuration <certificate-configuration>
|
|
|
|
|
(domains challenge)
|
|
|
|
|
(nginx-server-configuration
|
|
|
|
|
(listen '("80" "[::]:80"))
|
|
|
|
|
(ssl-certificate #f)
|
|
|
|
|
(ssl-certificate-key #f)
|
|
|
|
|
(server-name domains)
|
|
|
|
|
(locations
|
|
|
|
|
(filter identity
|
|
|
|
|
(append
|
|
|
|
|
(if challenge
|
|
|
|
|
'()
|
|
|
|
|
(list (nginx-location-configuration
|
|
|
|
|
(uri "/.well-known")
|
|
|
|
|
(body (list (list "root " webroot ";"))))))
|
|
|
|
|
(list default-location)))))))
|
|
|
|
|
(map certificate->nginx-server certificates))))
|
2017-04-27 08:09:16 -04:00
|
|
|
|
|
|
|
|
|
(define certbot-service-type
|
|
|
|
|
(service-type (name 'certbot)
|
|
|
|
|
(extensions
|
|
|
|
|
(list (service-extension nginx-service-type
|
|
|
|
|
certbot-nginx-server-configurations)
|
|
|
|
|
(service-extension activation-service-type
|
|
|
|
|
certbot-activation)
|
|
|
|
|
(service-extension mcron-service-type
|
2024-01-31 06:46:25 -05:00
|
|
|
|
certbot-renewal-jobs)
|
|
|
|
|
(service-extension shepherd-root-service-type
|
|
|
|
|
certbot-renewal-one-shot)))
|
2017-04-27 08:09:16 -04:00
|
|
|
|
(compose concatenate)
|
2018-02-10 11:20:22 -05:00
|
|
|
|
(extend (lambda (config additional-certificates)
|
2017-04-27 08:09:16 -04:00
|
|
|
|
(certbot-configuration
|
|
|
|
|
(inherit config)
|
2018-02-10 11:20:22 -05:00
|
|
|
|
(certificates
|
|
|
|
|
(append
|
|
|
|
|
(certbot-configuration-certificates config)
|
|
|
|
|
additional-certificates)))))
|
2017-11-28 17:31:48 -05:00
|
|
|
|
(description
|
|
|
|
|
"Automatically renew @url{https://letsencrypt.org, Let's
|
|
|
|
|
Encrypt} HTTPS certificates by adjusting the nginx web server configuration
|
|
|
|
|
and periodically invoking @command{certbot}.")))
|