author: Clément Lassieur <clement@lassieur.org> 2018-02-11 10:53:10 +0100
committer: Clément Lassieur <clement@lassieur.org> 2018-02-22 21:43:54 +0100
commit: fece75fe356ce9f99d1d13baaa5f195c510f187b (patch)
tree: 175aa8d3787d7338b4747f12f6f0ba8edab02e35 /doc/guix.texi
parent: e216c797f7432cbf21f991b1eff97821ace17140 (diff)
services: certbot: Allow to set a deploy hook.
* doc/guix.texi (Certificate Services): Document it.
* gnu/services/certbot.scm (<certificate-configuration>, certbot-command): Add
it.
Diffstat (limited to 'doc/guix.texi')
-rw-r--r-- doc/guix.texi | 22
1 files changed, 20 insertions, 2 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index e1802978b0..691164502b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15733,7 +15733,9 @@ signature.
 The certbot service automates this process: the initial key
 generation, the initial certification request to the Let's Encrypt
 service, the web server challenge/response integration, writing the
-certificate to disk, and the automated periodic renewals.
+certificate to disk, the automated periodic renewals, and the deployment
+tasks associated with the renewal (e.g. reloading services, copying keys
+with different permissions).
 
 Certbot is run twice a day, at a random minute within the hour.  It
 won't do anything until your certificates are due for renewal or
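Review bot: in the added parenthetical, "e.g. reloading services" leaves a period followed by a space mid-sentence, which Texinfo treats as a sentence end for spacing purposes; the Texinfo convention is to write the abbreviation as `e.g.@: reloading services, copying keys`. Minor, but it keeps the printed manual consistent.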
@@ -15750,13 +15752,20 @@ A service type for the @code{certbot} Let's Encrypt client.  Its value
 must be a @code{certbot-configuration} record as in this example:
 
 @example
+(define %nginx-deploy-hook
+  (program-file
+   "nginx-deploy-hook"
+   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+       (kill pid SIGHUP))))
+
 (service certbot-service-type
          (certbot-configuration
           (email "foo@@example.net")
           (certificates
            (list
             (certificate-configuration
-             (domains '("example.net" "www.example.net")))
+             (domains '("example.net" "www.example.net"))
+             (deploy-hook %nginx-deploy-hook))
             (certificate-configuration
              (domains '("bar.example.net")))))))
 @end example
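Review bot: the `%nginx-deploy-hook` example has no guard for a missing or empty `/var/run/nginx/pid`: in that case `read` returns the end-of-file object and `(kill pid SIGHUP)` raises a wrong-type error, so the certificate is issued but the deploy step fails. Since this snippet is what users will copy, consider `(when (integer? pid) (kill pid SIGHUP))`, and note in the surrounding text that `#~` and `program-file` need `(guix gexp)` in the configuration's `use-modules`. It is also worth one sentence saying that the hook runs with certbot's own privileges, so whatever the hook does (here, signalling whichever pid the file names) is done as root.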
@@ -15826,6 +15835,15 @@ Its default is the first provided domain.
 The first domain provided will be the subject CN of the certificate, and
 all domains will be Subject Alternative Names on the certificate.
 
+@item @code{deploy-hook} (default: @code{#f})
+Command to be run in a shell once for each successfully issued
+certificate.  For this command, the shell variable
+@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
+example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
+certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
+contain a space-delimited list of renewed certificate domains (for
+example, @samp{"example.com www.example.com"}.
+
 @end table
 @end deftp
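Review bot: the new `deploy-hook` entry is missing the closing parenthesis after `@samp{"example.com www.example.com"}` on its last line, so the sentence ends with a dangling "(for example, ...". The entry also describes the value as a command "run in a shell", whereas the example earlier in this patch passes a `program-file` object; a sentence stating that the field takes a file-like object that certbot executes, with `RENEWED_LINEAGE` and `RENEWED_DOMAINS` set in its environment (so a Guile hook reads them with `getenv`), would match the code. Finally, a path such as `/etc/letsencrypt/live/example.com` is conventionally marked up with `@file{}` rather than `@samp{"..."}`, which renders the quotation marks literally.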