From 736e45a278b44208fa6ded58a71e57081a58b1bf Mon Sep 17 00:00:00 2001 From: Danny Milosavljevic Date: Sat, 17 Feb 2018 17:34:12 +0100 Subject: services: slim: Make the logged-in session show up in "w". * gnu/services/xorg.scm (slim-shepherd-service): Use SESSREG to register X11 session. * doc/guix.texi (slim-configuration): Document new field "sessreg". --- doc/guix.texi | 3 +++ 1 file changed, 3 insertions(+) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 7ed39ff132..ee70994585 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -11263,6 +11263,9 @@ The XAuth package to use. The Shepherd package used when invoking @command{halt} and @command{reboot}. +@item @code{sessreg} (default: @code{sessreg}) +The sessreg package used in order to register the session. + @item @code{slim} (default: @code{slim}) The SLiM package to use. @end table -- cgit 1.4.1 From 267379f852f9d6d00c76120963711d54357ba53d Mon Sep 17 00:00:00 2001 From: David Thompson Date: Thu, 15 Feb 2018 20:54:28 -0500 Subject: environment: Add --manifest option. * guix/scripts/environment.scm (show-help, %options): Add -m/--manifest. (options/resolve-packages): Handle manifests. * tests/guix-envronment.sh: Add a test. * doc/guix.texi (Invoking guix environment): Document it. --- doc/guix.texi | 9 +++++++++ guix/scripts/environment.scm | 22 +++++++++++++++++++++- tests/guix-environment.sh | 9 +++++++++ 3 files changed, 39 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index ee70994585..fb2834942b 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -7231,6 +7231,15 @@ As an example, @var{file} might contain a definition like this @verbatiminclude environment-gdb.scm @end example +@item --manifest=@var{file} +@itemx -m @var{file} +Create an environment for the packages contained in the manifest object +returned by the Scheme code in @var{file}. + +This is similar to the same-named option in @command{guix package} +(@pxref{profile-manifest, @option{--manifest}}) and uses the same +manifest files. + @item --ad-hoc Include all specified packages in the resulting environment, as if an @i{ad hoc} package were defined with them as inputs. This option is diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm index d2568e6a7d..67da6fc3bf 100644 --- a/guix/scripts/environment.scm +++ b/guix/scripts/environment.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2014, 2015 David Thompson +;;; Copyright © 2014, 2015, 2018 David Thompson ;;; Copyright © 2015, 2016, 2017 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. @@ -141,6 +141,8 @@ COMMAND or an interactive shell in that environment.\n")) (display (G_ " -l, --load=FILE create environment for the package that the code within FILE evaluates to")) + (display (G_ " + -m, --manifest=FILE create environment with the manifest from FILE")) (display (G_ " --ad-hoc include all specified packages in the environment instead of only their inputs")) @@ -220,6 +222,11 @@ COMMAND or an interactive shell in that environment.\n")) (alist-cons 'expression (tag-package-arg result arg) result))) + (option '(#\m "manifest") #t #f + (lambda (opt name arg result) + (alist-cons 'manifest + arg + result))) (option '("ad-hoc") #f #f (lambda (opt name arg result) (alist-cons 'ad-hoc? #t result))) 
@@ -286,6 +293,16 @@ packages." (((? package-or-package+output?) ...) ; many packages (map (cut package->output <> mode) packages)))) + (define (manifest->outputs manifest) + (map (lambda (entry) + (cons 'ad-hoc-package ; manifests are implicitly ad-hoc + (if (package? (manifest-entry-item entry)) + (list (manifest-entry-item entry) + (manifest-entry-output entry)) + ;; Direct store paths have no output. + (list (manifest-entry-item entry))))) + (manifest-entries manifest))) + (compact (append-map (match-lambda (('package mode (? string? spec)) @@ -299,6 +316,9 @@ packages." ;; Add all the outputs of the package defined in FILE. (let ((module (make-user-module '()))) (packages->outputs (load* file module) mode))) + (('manifest . file) + (let ((module (make-user-module '()))) + (manifest->outputs (load* file module)))) (_ '(#f))) opts))) diff --git a/tests/guix-environment.sh b/tests/guix-environment.sh index bf5ca17fa5..b44aca099d 100644 --- a/tests/guix-environment.sh +++ b/tests/guix-environment.sh @@ -62,6 +62,15 @@ fi guix environment --bootstrap --ad-hoc guile-bootstrap --pure \ -- "$SHELL" -c 'test -f "$GUIX_ENVIRONMENT/bin/guile"' +# Make sure 'GUIX_ENVIRONMENT' points to the profile when building from a +# manifest. +echo "(use-modules (guix profiles) (gnu packages bootstrap)) + +(packages->manifest (list %bootstrap-guile)) +" > $tmpdir/manifest.scm +guix environment --bootstrap --manifest=$tmpdir/manifest.scm --pure \ + -- "$SHELL" -c 'test -f "$GUIX_ENVIRONMENT/bin/guile"' + # Make sure '-r' works as expected. rm -f "$gcroot" expected="`guix environment --bootstrap --ad-hoc guile-bootstrap \ -- cgit 1.4.1 From 7ab04c17c01a926660cd1c9fa9311a5efc6716da Mon Sep 17 00:00:00 2001 
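Review bot: `manifest->outputs` calls `manifest-entries` on whatever `load*` returned, so a file that evaluates to something other than a manifest (a package, or a plain list of packages) fails with a wrong-type error from inside `(guix profiles)` instead of a message naming the offending file; the new `('manifest . file)` clause should check the value first, e.g. `(let ((manifest (load* file module))) (unless (manifest? manifest) (leave (G_ "~a: not a manifest~%") file)) (manifest->outputs manifest))`, assuming `leave` from (guix ui) is in scope here as `G_` visibly is. The `'ad-hoc-package` tag, justified only by the inline comment "manifests are implicitly ad-hoc", also deserves a sentence in the user-facing doc, since `--manifest` behaves like `--ad-hoc` (the listed packages themselves) rather than like `--load` (their inputs). The enclosing `options/resolve-packages` starts before this hunk.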
From: Clément Lassieur Date: Fri, 9 Feb 2018 01:01:17 +0100 Subject: services: certbot: Run certbot twice a day at a random minute. * doc/guix.texi (Certificate Services): Document it. * gnu/services/certbot.scm (certbot-renewal-jobs): Change job's time specification. --- doc/guix.texi | 8 +++++++- gnu/services/certbot.scm | 8 ++++---- 2 files changed, 11 insertions(+), 5 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index fb2834942b..03cd2d5d71 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -30,7 +30,7 @@ Copyright @copyright{} 2016, 2017 ng0@* Copyright @copyright{} 2016, 2017 Jan Nieuwenhuizen@* Copyright @copyright{} 2016 Julien Lepiller@* Copyright @copyright{} 2016 Alex ter Weele@* -Copyright @copyright{} 2017 Clément Lassieur@* +Copyright @copyright{} 2017, 2018 Clément Lassieur@* Copyright @copyright{} 2017 Mathieu Othacehe@* Copyright @copyright{} 2017 Federico Beffa@* Copyright @copyright{} 2017 Carlo Zancanaro@* @@ -15735,6 +15735,12 @@ generation, the initial certification request to the Let's Encrypt service, the web server challenge/response integration, writing the certificate to disk, and the automated periodic renewals. +Certbot is run twice a day, at a random minute within the hour. It +won't do anything until your certificates are due for renewal or +revoked, but running it regularly would give your service a chance of +staying online in case a Let's Encrypt-initiated revocation happened for +some reason. + @defvr {Scheme Variable} certbot-service-type A service type for the @code{certbot} Let's Encrypt client. @end defvr diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 91249ed3e3..1728d126f4 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -65,10 +65,10 @@ (() '()) (_ (list - ;; Attempt to renew the certificates twice a week. - #~(job (lambda (now) - (next-day-from (next-hour-from now '(3)) - '(2 5))) + ;; Attempt to renew the certificates twice per day, at a random + ;; minute within the hour. See + ;; https://certbot.eff.org/all-instructions/. + #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) (string-append #$package "/bin/certbot renew" (string-concatenate (map (lambda (host) -- cgit 1.4.1 From 966fd7b7e9f321a02e740659ab1c1853e34533b5 Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Sat, 10 Feb 2018 14:56:53 +0100 Subject: services: certbot: Rename 'host' to 'domain'. * doc/guix.texi (Certificate Services): Rename 'host' to 'domain'. * gnu/services/certbot.scm (, certbot-renewal-jobs, certbot-activation, certbot-nginx-server-configurations, certbot-service-type): Rename 'host' to 'domain'. --- doc/guix.texi | 14 +++++++------- gnu/services/certbot.scm | 42 ++++++++++++++++++++++-------------------- 2 files changed, 29 insertions(+), 27 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 03cd2d5d71..ff3fa97d7f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15757,8 +15757,8 @@ The certbot package to use. The directory from which to serve the Let's Encrypt challenge/response files. -@item @code{hosts} (default: @code{()}) -A list of hosts for which to generate certificates and request +@item @code{domains} (default: @code{()}) +A list of domains for which to generate certificates and request signatures. @item @code{default-location} (default: @i{see below}) 
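Review bot: `(random 60)` in the new quoted time spec is evaluated by mcron without an explicit random state, and Guile's default `*random-state*` starts from the same fixed seed every time Guile starts, so unless mcron reseeds it every machine running this service will compute the same "random" minute after each start — which defeats the load-spreading the linked certbot instructions ask for. Seeding from the clock when the spec is evaluated avoids that: `#~(job '(next-minute-from (next-hour '(0 12)) (list (random 60 (seed->random-state (current-time)))))`. The rest of the job (the `certbot renew` command string) continues outside the hunk.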
@@ -15766,7 +15766,7 @@ The default @code{nginx-location-configuration}. Because @code{certbot} needs to be able to serve challenges and responses, it needs to be able to run a web server. It does so by extending the @code{nginx} web service with an @code{nginx-server-configuration} listening on the -@var{hosts} on port 80, and which has a +@var{domains} on port 80, and which has a @code{nginx-location-configuration} for the @code{/.well-known/} URI path subspace used by Let's Encrypt. @xref{Web Services}, for more on these nginx configuration data types. @@ -15776,7 +15776,7 @@ Requests to other URL paths will be matched by the @code{nginx-server-configuration}s. By default, the @code{default-location} will issue a redirect from -@code{http://@var{host}/...} to @code{https://@var{host}/...}, leaving +@code{http://@var{domain}/...} to @code{https://@var{domain}/...}, leaving you to define what to serve on your site via @code{https}. Pass @code{#f} to not issue a default location. @@ -15784,9 +15784,9 @@ Pass @code{#f} to not issue a default location. @end deftp The public key and its signatures will be written to -@code{/etc/letsencrypt/live/@var{host}/fullchain.pem}, for each -@var{host} in the configuration. The private key is written to -@code{/etc/letsencrypt/live/@var{host}/privkey.pem}. +@code{/etc/letsencrypt/live/@var{domain}/fullchain.pem}, for each +@var{domain} in the configuration. The private key is written to +@code{/etc/letsencrypt/live/@var{domain}/privkey.pem}. @node DNS Services diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 8ca64d9986..0b425bab90 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -48,7 +48,7 @@ (default certbot)) (webroot certbot-configuration-webroot (default "/var/www")) - (hosts certbot-configuration-hosts + (domains certbot-configuration-domains (default '())) (default-location certbot-configuration-default-location (default 
@@ -59,9 +59,9 @@ (define certbot-renewal-jobs (match-lambda - (($ package webroot hosts default-location) - (match hosts - ;; Avoid pinging certbot if we have no hosts. + (($ package webroot domains default-location) + (match domains + ;; Avoid pinging certbot if we have no domains. (() '()) (_ (list @@ -71,37 +71,38 @@ #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) (string-append #$package "/bin/certbot renew" (string-concatenate - (map (lambda (host) - (string-append " -d " host)) - '#$hosts)))))))))) + (map (lambda (domain) + (string-append " -d " domain)) + '#$domains)))))))))) (define certbot-activation (match-lambda - (($ package webroot hosts default-location) + (($ package webroot domains default-location) (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (mkdir-p #$webroot) (for-each - (lambda (host) - (unless (file-exists? (in-vicinity "/etc/letsencrypt/live" host)) + (lambda (domain) + (unless (file-exists? + (in-vicinity "/etc/letsencrypt/live" domain)) (unless (zero? (system* (string-append #$certbot "/bin/certbot") "certonly" "--webroot" "-w" #$webroot - "-d" host)) - (error "failed to acquire cert for host" host)))) - '#$hosts)))))) + "-d" domain)) + (error "failed to acquire cert for domain" domain)))) + '#$domains)))))) (define certbot-nginx-server-configurations (match-lambda - (($ package webroot hosts default-location) + (($ package webroot domains default-location) (map - (lambda (host) + (lambda (domain) (nginx-server-configuration (listen '("80" "[::]:80")) (ssl-certificate #f) (ssl-certificate-key #f) - (server-name (list host)) + (server-name (list domain)) (locations (filter identity (list @@ -109,7 +110,7 @@ (uri "/.well-known") (body (list (list "root " webroot ";")))) default-location))))) - hosts)))) + domains)))) (define certbot-service-type (service-type (name 'certbot) 
@@ -121,11 +122,12 @@ (service-extension mcron-service-type certbot-renewal-jobs))) (compose concatenate) - (extend (lambda (config additional-hosts) + (extend (lambda (config additional-domains) (certbot-configuration (inherit config) - (hosts (append (certbot-configuration-hosts config) - additional-hosts))))) + (domains (append + (certbot-configuration-domains config) + additional-domains))))) (default-value (certbot-configuration)) (description "Automatically renew @url{https://letsencrypt.org, Let's -- cgit 1.4.1 From 65fc1d890d2e33e62a7c9d9fe31184c48d848e0c Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Sat, 10 Feb 2018 16:32:26 +0100 Subject: services: certbot: Get certbot to run non-interactively. * doc/guix.texi (Certificate Services): Add email field and link to the ACME Subscriber Agreement. * gnu/services/certbot.scm (, certbot-command, certbot-activation, certbot-nginx-server-configurations): Add email field. (certbot-command): Add '-n' and '--agree-tos' options. (certbot-service-type): Remove default-value. --- doc/guix.texi | 8 ++++++++ gnu/services/certbot.scm | 14 +++++++++----- 2 files changed, 17 insertions(+), 5 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index ff3fa97d7f..241d41bfd3 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15741,6 +15741,10 @@ revoked, but running it regularly would give your service a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason. +By using this service, you agree to the ACME Subscriber Agreement, which +can be found there: +@url{https://acme-v01.api.letsencrypt.org/directory}. + @defvr {Scheme Variable} certbot-service-type A service type for the @code{certbot} Let's Encrypt client. @end defvr 
@@ -15761,6 +15765,10 @@ files. A list of domains for which to generate certificates and request signatures. +@item @code{email} +Mandatory email used for registration, recovery contact, and important +account notifications. + @item @code{default-location} (default: @i{see below}) The default @code{nginx-location-configuration}. Because @code{certbot} needs to be able to serve challenges and responses, it needs to be able diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 661e174980..379c211430 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -50,6 +50,7 @@ (default "/var/www")) (domains certbot-configuration-domains (default '())) + (email certbot-configuration-email) (default-location certbot-configuration-default-location (default (nginx-location-configuration @@ -59,12 +60,14 @@ (define certbot-command (match-lambda - (($ package webroot domains default-location) + (($ package webroot domains email + default-location) (let* ((certbot (file-append package "/bin/certbot")) (commands (map (lambda (domain) - (list certbot "certonly" + (list certbot "certonly" "-n" "--agree-tos" + "-m" email "--webroot" "-w" webroot "-d" domain)) domains))) @@ -85,7 +88,8 @@ (define (certbot-activation config) (match config - (($ package webroot domains default-location) + (($ package webroot domains email + default-location) (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) @@ -94,7 +98,8 @@ (define certbot-nginx-server-configurations (match-lambda - (($ package webroot domains default-location) + (($ package webroot domains email + default-location) (map (lambda (domain) (nginx-server-configuration @@ -127,7 +132,6 @@ (domains (append (certbot-configuration-domains config) additional-domains))))) - (default-value (certbot-configuration)) (description "Automatically renew @url{https://letsencrypt.org, Let's Encrypt} HTTPS certificates by adjusting the nginx web server configuration -- cgit 1.4.1 
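Review bot: The new `certonly -n --agree-tos -m email` invocation leaves the EFF mailing-list question to certbot's non-interactive default; certbot releases of this era appear to decline it when no flag is given, but that is tool behaviour rather than something this service controls, so passing it explicitly keeps account registration deterministic across certbot versions: `(list certbot "certonly" "-n" "--agree-tos" "--no-eff-email" "-m" email`. Since `--agree-tos` now accepts the subscriber agreement on the operator's behalf at every activation, a one-line comment above these arguments pointing at the new "ACME Subscriber Agreement" paragraph in the manual would help the next reader understand why it is unconditional. `certbot-command`'s body, including how `commands` are executed, continues outside the hunk.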
From c3215d2f9d8fa4b890e3a41ceb4404b76a7c5c49 Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Sat, 10 Feb 2018 17:20:22 +0100 Subject: services: certbot: Associate one certificate with several domains. * doc/guix.texi (Certificate Services): Document , the change from domains to certificates and the fact that their path is now derived from their name. * gnu/services/certbot.scm (): Add and export it. (certbot-configuration, certbot-command, certbot-activation, certbot-nginx-server-configurations, certbot-service-type): Replace 'domains' with 'certificates'. (certbot-nginx-server-configurations): Use only one nginx-server-configuration and use all certificate domains as the server-name. --- doc/guix.texi | 48 ++++++++++++++++++++++++++------ gnu/services/certbot.scm | 71 ++++++++++++++++++++++++++++-------------------- 2 files changed, 81 insertions(+), 38 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 241d41bfd3..6db58c77b7 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15746,7 +15746,22 @@ can be found there: @url{https://acme-v01.api.letsencrypt.org/directory}. @defvr {Scheme Variable} certbot-service-type -A service type for the @code{certbot} Let's Encrypt client. +A service type for the @code{certbot} Let's Encrypt client. Its value +must be a @code{certbot-configuration} record as in this example: + +@example +(service certbot-service-type + (certbot-configuration + (email "foo@@example.net") + (certificates + (list + (certificate-configuration + (domains '("example.net" "www.example.net"))) + (certificate-configuration + (domains '("bar.example.net"))))))) +@end example + +See below for details about @code{certbot-configuration}. @end defvr @deftp {Data Type} certbot-configuration 
@@ -15761,9 +15776,10 @@ The certbot package to use. The directory from which to serve the Let's Encrypt challenge/response files. -@item @code{domains} (default: @code{()}) -A list of domains for which to generate certificates and request -signatures. +@item @code{certificates} (default: @code{()}) +A list of @code{certificates-configuration}s for which to generate +certificates and request signatures. Each certificate has a @code{name} +and several @code{domains}. @item @code{email} Mandatory email used for registration, recovery contact, and important @@ -15791,12 +15807,28 @@ Pass @code{#f} to not issue a default location. @end table @end deftp -The public key and its signatures will be written to -@code{/etc/letsencrypt/live/@var{domain}/fullchain.pem}, for each -@var{domain} in the configuration. The private key is written to -@code{/etc/letsencrypt/live/@var{domain}/privkey.pem}. +@deftp {Data Type} certificate-configuration +Data type representing the configuration of a certificate. +This type has the following parameters: + +@table @asis +@item @code{name} (default: @i{see below}) +This name is used by Certbot for housekeeping and in file paths; it +doesn't affect the content of the certificate itself. To see +certificate names, run @code{certbot certificates}. + +Its default is the first provided domain. +@item @code{domains} (default: @code{()}) +The first domain provided will be the subject CN of the certificate, and +all domains will be Subject Alternative Names on the certificate. + +@end table +@end deftp +For each @code{certificate-configuration}, the certificate is saved to +@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is +saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}. @node DNS Services @subsubsection DNS Services @cindex DNS (domain name system) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 379c211430..a70a36591d 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -32,7 +32,8 @@ #:use-module (ice-9 match) #:export (certbot-service-type certbot-configuration - certbot-configuration?)) + certbot-configuration? + certificate-configuration)) ;;; Commentary: ;;; @@ -41,6 +42,14 @@ ;;; Code: +(define-record-type* + certificate-configuration make-certificate-configuration + certificate-configuration? + (name certificate-configuration-name + (default #f)) + (domains certificate-configuration-domains + (default '()))) + (define-record-type* certbot-configuration make-certbot-configuration certbot-configuration? @@ -48,7 +57,7 @@ (default certbot)) (webroot certbot-configuration-webroot (default "/var/www")) - (domains certbot-configuration-domains + (certificates certbot-configuration-certificates (default '())) (email certbot-configuration-email) (default-location certbot-configuration-default-location @@ -60,17 +69,19 @@ (define certbot-command (match-lambda - (($ package webroot domains email + (($ package webroot certificates email default-location) (let* ((certbot (file-append package "/bin/certbot")) (commands (map - (lambda (domain) - (list certbot "certonly" "-n" "--agree-tos" - "-m" email - "--webroot" "-w" webroot - "-d" domain)) - domains))) + (match-lambda + (($ name domains) + (list certbot "certonly" "-n" "--agree-tos" + "-m" email + "--webroot" "-w" webroot + "--cert-name" (or name (car domains)) + "-d" (string-join domains ",")))) + certificates))) (program-file "certbot-command" #~(let ((code 0)) @@ -88,7 +99,7 @@ (define (certbot-activation config) (match config - (($ package webroot domains email + (($ package webroot certificates email default-location) (with-imported-modules '((guix build utils)) #~(begin 
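Review bot: `(or name (car domains))` in the new `certbot-command` raises a wrong-type error on `car` for a `certificate-configuration` built with the field default `(domains '())`, and `(string-join domains ",")` would otherwise pass an empty `-d` to certbot; nothing checks that each certificate has at least one domain. The simplest fix is in the new record definition from this same commit: drop `(default '())` from the `domains` field so an omitted list fails at configuration time the way a missing `email` already does, or validate it here with `(when (null? domains) (error "certificate-configuration needs at least one domain"))` before building the command list. The rest of `certbot-command` (the `program-file` that runs `commands`) continues outside the hunk.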
@@ -98,23 +109,22 @@ (define certbot-nginx-server-configurations (match-lambda - (($ package webroot domains email + (($ package webroot certificates email default-location) - (map - (lambda (domain) - (nginx-server-configuration - (listen '("80" "[::]:80")) - (ssl-certificate #f) - (ssl-certificate-key #f) - (server-name (list domain)) - (locations - (filter identity - (list - (nginx-location-configuration - (uri "/.well-known") - (body (list (list "root " webroot ";")))) - default-location))))) - domains)))) + (list + (nginx-server-configuration + (listen '("80" "[::]:80")) + (ssl-certificate #f) + (ssl-certificate-key #f) + (server-name + (apply append (map certificate-configuration-domains certificates))) + (locations + (filter identity + (list + (nginx-location-configuration + (uri "/.well-known") + (body (list (list "root " webroot ";")))) + default-location)))))))) (define certbot-service-type (service-type (name 'certbot) @@ -126,12 +136,13 @@ (service-extension mcron-service-type certbot-renewal-jobs))) (compose concatenate) - (extend (lambda (config additional-domains) + (extend (lambda (config additional-certificates) (certbot-configuration (inherit config) - (domains (append - (certbot-configuration-domains config) - additional-domains))))) + (certificates + (append + (certbot-configuration-certificates config) + additional-certificates))))) (description "Automatically renew @url{https://letsencrypt.org, Let's Encrypt} HTTPS certificates by adjusting the nginx web server configuration -- cgit 1.4.1 From 0420a293cc25ccf4c0958fd68e6e3ccb9394cb21 Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Sun, 11 Feb 2018 23:11:35 +0100 Subject: doc: Fix typo in certbot-configuration description. * doc/guix.texi (Certificate Services): Fix typo. --- doc/guix.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 6db58c77b7..9e51ff3e86 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -15765,7 +15765,7 @@ See below for details about @code{certbot-configuration}. @end defvr @deftp {Data Type} certbot-configuration -Data type representing the configuration of the @code{certbot} serice. +Data type representing the configuration of the @code{certbot} service. This type has the following parameters: @table @asis -- cgit 1.4.1 From a2cb2bbc0ba984398dd79ff7bd37af8960f67ced Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Sat, 10 Feb 2018 17:27:19 +0100 Subject: services: certbot: Allow to set RSA key size. * doc/guix.texi (Certificate Services): Document it. * gnu/services/certbot.scm (, certbot-command, certbot-activation, certbot-nginx-server-configurations): Add it. --- doc/guix.texi | 3 +++ gnu/services/certbot.scm | 21 +++++++++++++-------- 2 files changed, 16 insertions(+), 8 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 9e51ff3e86..e1802978b0 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15785,6 +15785,9 @@ and several @code{domains}. Mandatory email used for registration, recovery contact, and important account notifications. +@item @code{rsa-key-size} (default: @code{2048}) +Size of the RSA key. + @item @code{default-location} (default: @i{see below}) The default @code{nginx-location-configuration}. Because @code{certbot} needs to be able to serve challenges and responses, it needs to be able diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index a70a36591d..51f5d719aa 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -60,6 +60,8 @@ (certificates certbot-configuration-certificates (default '())) (email certbot-configuration-email) + (rsa-key-size certbot-configuration-rsa-key-size + (default #f)) (default-location certbot-configuration-default-location (default (nginx-location-configuration 
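Review bot: The new `rsa-key-size` field defaults to `#f`, which (per the command built in the next hunk) omits the flag and lets certbot's own built-in default apply, yet the doc hunk in this commit advertises `(default: @code{2048})`; the two will drift apart silently whenever the certbot package changes its default, and a key size is exactly the kind of security parameter that should be pinned rather than inherited. Either give the field `(default 2048)` so the documented value is what is actually requested, or reword the manual to say the default leaves the choice to certbot (2048 at the time of writing). The `certbot-configuration` record definition starts before this hunk.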
@@ -70,17 +72,20 @@ (define certbot-command (match-lambda (($ package webroot certificates email - default-location) + rsa-key-size default-location) (let* ((certbot (file-append package "/bin/certbot")) + (rsa-key-size (and rsa-key-size (number->string rsa-key-size))) (commands (map (match-lambda (($ name domains) - (list certbot "certonly" "-n" "--agree-tos" - "-m" email - "--webroot" "-w" webroot - "--cert-name" (or name (car domains)) - "-d" (string-join domains ",")))) + (append + (list certbot "certonly" "-n" "--agree-tos" + "-m" email + "--webroot" "-w" webroot + "--cert-name" (or name (car domains)) + "-d" (string-join domains ",")) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())))) certificates))) (program-file "certbot-command" @@ -100,7 +105,7 @@ (define (certbot-activation config) (match config (($ package webroot certificates email - default-location) + rsa-key-size default-location) (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) @@ -110,7 +115,7 @@ (define certbot-nginx-server-configurations (match-lambda (($ package webroot certificates email - default-location) + rsa-key-size default-location) (list (nginx-server-configuration (listen '("80" "[::]:80")) -- cgit 1.4.1 From fece75fe356ce9f99d1d13baaa5f195c510f187b Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Sun, 11 Feb 2018 10:53:10 +0100 Subject: services: certbot: Allow to set a deploy hook. * doc/guix.texi (Certificate Services): Document it. * gnu/services/certbot.scm (, certbot-command): Add it. --- doc/guix.texi | 22 ++++++++++++++++++++-- gnu/services/certbot.scm | 10 +++++++--- 2 files changed, 27 insertions(+), 5 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index e1802978b0..691164502b 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -15733,7 +15733,9 @@ signature. The certbot service automates this process: the initial key generation, the initial certification request to the Let's Encrypt service, the web server challenge/response integration, writing the -certificate to disk, and the automated periodic renewals. +certificate to disk, the automated periodic renewals, and the deployment +tasks associated with the renewal (e.g. reloading services, copying keys +with different permissions). Certbot is run twice a day, at a random minute within the hour. It won't do anything until your certificates are due for renewal or @@ -15750,13 +15752,20 @@ A service type for the @code{certbot} Let's Encrypt client. Its value must be a @code{certbot-configuration} record as in this example: @example +(define %nginx-deploy-hook + (program-file + "nginx-deploy-hook" + #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) + (kill pid SIGHUP)))) + (service certbot-service-type (certbot-configuration (email "foo@@example.net") (certificates (list (certificate-configuration - (domains '("example.net" "www.example.net"))) + (domains '("example.net" "www.example.net")) + (deploy-hook %nginx-deploy-hook)) (certificate-configuration (domains '("bar.example.net"))))))) @end example @@ -15826,6 +15835,15 @@ Its default is the first provided domain. The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. +@item @code{deploy-hook} (default: @code{#f}) +Command to be run in a shell once for each successfully issued +certificate. For this command, the shell variable +@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for +example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new +certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will +contain a space-delimited list of renewed certificate domains (for +example, @samp{"example.com www.example.com"}. + @end table @end deftp 
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index f90e4f04b2..066b8241b2 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -48,7 +48,9 @@ (name certificate-configuration-name (default #f)) (domains certificate-configuration-domains - (default '()))) + (default '())) + (deploy-hook certificate-configuration-deploy-hook + (default #f))) (define-record-type* certbot-configuration make-certbot-configuration @@ -78,7 +80,8 @@ (commands (map (match-lambda - (($ custom-name domains) + (($ custom-name domains + deploy-hook) (let ((name (or custom-name (car domains)))) (append (list name certbot "certonly" "-n" "--agree-tos" @@ -86,7 +89,8 @@ "--webroot" "-w" webroot "--cert-name" name "-d" (string-join domains ",")) - (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()))))) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))) certificates))) (program-file "certbot-command" -- cgit 1.4.1
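Review bot: The new `--deploy-hook` argument is only added to the `certonly` command assembled here, while the mcron `certbot renew` job defined elsewhere in this file runs without it; as far as I know certbot stores the hook in the lineage's renewal config at issuance, so first issuance is covered, but a later change to `deploy-hook` in the Guix configuration is presumably not picked up by renewals if `certbot-command` skips lineages that already exist — worth confirming, and if so the hook should be passed to the `renew` invocation too. Because a hook is arbitrary code run with certbot's privileges (presumably root, since it writes under `/etc/letsencrypt`), the field's documentation should say so explicitly; a comment such as `;; Runs with certbot's privileges on every successful issuance/renewal.` next to the new record field would help. `certbot-command`'s body continues outside the hunk.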