services: certbot: Allow to set a deploy hook.
* doc/guix.texi (Certificate Services): Document it. * gnu/services/certbot.scm (<certificate-configuration>, certbot-command): Add it.
This commit is contained in:
parent
e216c797f7
commit
fece75fe35
2 changed files with 27 additions and 5 deletions
@ -15733,7 +15733,9 @@ signature.
The certbot service automates this process: the initial key
generation, the initial certification request to the Let's Encrypt
service, the web server challenge/response integration, writing the
certificate to disk, and the automated periodic renewals.
certificate to disk, the automated periodic renewals, and the deployment
tasks associated with the renewal (e.g. reloading services, copying keys
with different permissions).
|
Certbot is run twice a day, at a random minute within the hour. It
won't do anything until your certificates are due for renewal or
@ -15750,13 +15752,20 @@ A service type for the @code{certbot} Let's Encrypt client. Its value
must be a @code{certbot-configuration} record as in this example:
|
@example
(define %nginx-deploy-hook
(program-file
"nginx-deploy-hook"
#~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
(kill pid SIGHUP))))
|
(service certbot-service-type
(certbot-configuration
(email "foo@@example.net")
(certificates
(list
(certificate-configuration
(domains '("example.net" "www.example.net")))
(domains '("example.net" "www.example.net"))
(deploy-hook %nginx-deploy-hook))
(certificate-configuration
(domains '("bar.example.net")))))))
@end example
@ -15826,6 +15835,15 @@ Its default is the first provided domain.
The first domain provided will be the subject CN of the certificate, and
all domains will be Subject Alternative Names on the certificate.
|
@item @code{deploy-hook} (default: @code{#f})
Command to be run in a shell once for each successfully issued
certificate. For this command, the shell variable
@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
contain a space-delimited list of renewed certificate domains (for
example, @samp{"example.com www.example.com"}.
|
@end table
@end deftp
|
@ -48,7 +48,9 @@ (define-record-type* <certificate-configuration>
(name certificate-configuration-name
(default #f))
(domains certificate-configuration-domains
(default '())))
(default '()))
(deploy-hook certificate-configuration-deploy-hook
(default #f)))
|
(define-record-type* <certbot-configuration>
certbot-configuration make-certbot-configuration
@ -78,7 +80,8 @@ (define certbot-command
(commands
(map
(match-lambda
(($ <certificate-configuration> custom-name domains)
(($ <certificate-configuration> custom-name domains
deploy-hook)
(let ((name (or custom-name (car domains))))
(append
(list name certbot "certonly" "-n" "--agree-tos"
@ -86,7 +89,8 @@ (define certbot-command
"--webroot" "-w" webroot
"--cert-name" name
"-d" (string-join domains ","))
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())))))
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
(if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
certificates)))
(program-file
"certbot-command"
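Review bot: The value spliced in on the new `(if deploy-hook `("--deploy-hook" ,deploy-hook) '())` line is executed by certbot once per successfully issued certificate with certbot's own privileges (presumably root, since the service starts the command), yet neither the new `deploy-hook` field of `<certificate-configuration>` nor this call site says so or states that the value must be a trusted file-like object or command string. A comment on the record field such as `;; File-like object or command string passed to certbot as --deploy-hook; it runs with certbot's privileges after each successful issuance, so only fixed, trusted content belongs here.` would make that contract visible where the field is defined. The `match-lambda` pattern in the preceding hunk, `($ <certificate-configuration> custom-name domains deploy-hook)`, binds fields positionally, so `deploy-hook` must stay the last field of the record or the pattern silently binds the wrong value; a one-line comment on that pattern noting the ordering dependency would help. The enclosing `certbot-command` definition starts before and ends after this hunk.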