author | Julien Lepiller <julien@lepiller.eu> | 2019-04-19 22:28:30 +0200 |
---|---|---|
committer | Julien Lepiller <julien@lepiller.eu> | 2019-04-25 19:46:18 +0200 |
commit | b68aff1f05864a589b62afa44665a99e5cf43718 (patch) | |
tree | 70bca19ca5fe12b6a9cf889c8a18fb002cbc7b45 | |
parent | c3634df2a48a5b981a97c85f425784cee9f94bc7 (diff) | |
gnu: certbot: Add support for manual plugin.
* gnu/services/certbot.scm (certificate-configuration): Add challenge, auth-hook and cleanup-hook fields. (certbot-command): Use them. * doc/guix.texi (Certificate Services): Document them.
-rw-r--r-- | doc/guix.texi | 20 | ||||
-rw-r--r-- | gnu/services/certbot.scm | 40 |
2 files changed, 51 insertions, 9 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 879cb562e9..dbbb811a60 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -19425,6 +19425,26 @@ Its default is the first provided domain. The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. +@item @code{challenge} (default: @code{#f}) +The challenge type that has to be run by certbot. If @code{#f} is specified, +default to the HTTP challenge. If a value is specified, defaults to the +manual plugin (see @code{authentication-hook}, @code{cleanup-hook} and +the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}). + +@item @code{authentication-hook} (default: @code{#f}) +Command to be run in a shell once for each certificate challenge to be +answered. For this command, the shell variable @code{$CERTBOT_DOMAIN} +will contain the domain being authenticated, @code{$CERTBOT_VALIDATION} +contains the validation string and @code{$CERTBOT_TOKEN} contains the +file name of the resource requested when performing an HTTP-01 challenge. + +@item @code{cleanup-hook} (default: @code{#f}) +Command to be run in a shell once for each certificate challenge that +have been answered by the @code{auth-hook}. For this command, the shell +variables available in the @code{auth-hook} script are still available, and +additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output +of the @code{auth-hook} script. + @item @code{deploy-hook} (default: @code{#f}) Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 7565bc97ca..ae34ad17bb 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -2,6 +2,7 @@
 ;;; Copyright © 2016 ng0 <ng0@n0.is>
 ;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org>
 ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
+;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -50,6 +51,12 @@
 (default #f))
 (domains certificate-configuration-domains
 (default '()))
+ (challenge certificate-configuration-challenge
+ (default #f))
+ (authentication-hook certificate-authentication-hook
+ (default #f))
+ (cleanup-hook certificate-cleanup-hook
+ (default #f))
 (deploy-hook certificate-configuration-deploy-hook
 (default #f)))
 
@@ -81,17 +88,32 @@
 (commands
 (map
 (match-lambda
- (($ <certificate-configuration> custom-name domains
+ (($ <certificate-configuration> custom-name domains challenge
+ authentication-hook cleanup-hook
 deploy-hook)
 (let ((name (or custom-name (car domains))))
- (append
- (list name certbot "certonly" "-n" "--agree-tos"
- "-m" email
- "--webroot" "-w" webroot
- "--cert-name" name
- "-d" (string-join domains ","))
- (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
+ (if challenge
+ (append
+ (list name certbot "certonly" "-n" "--agree-tos"
+ "-m" email
+ "--manual"
+ (string-append "--preferred-challenges=" challenge)
+ "--cert-name" name
+ "-d" (string-join domains ","))
+ (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if authentication-hook
+ `("--manual-auth-hook" ,authentication-hook)
+ '())
+ (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+ (append
+ (list name certbot "certonly" "-n" "--agree-tos"
+ "-m" email
+ "--webroot" "-w" webroot
+ "--cert-name" name
+ "-d" (string-join domains ","))
+ (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
 certificates)))
 (program-file
 "certbot-command" |
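Review bot: The accessors introduced in the record hunk, `certificate-authentication-hook` and `certificate-cleanup-hook`, do not follow the `certificate-configuration-` prefix that every other accessor of this record uses, including `certificate-configuration-challenge` added in the same hunk. Renaming them to `certificate-configuration-authentication-hook` and `certificate-configuration-cleanup-hook` now avoids a compatibility break later if they end up exported. The enclosing record definition starts before this hunk.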