services: certbot: Allow to set a deploy hook.

* doc/guix.texi (Certificate Services): Document it. * gnu/services/certbot.scm (<certificate-configuration>, certbot-command): Add it.
2018-02-11 10:53:10 +01:00 · 2018-02-11 10:53:10 +01:00 · fece75fe35
parent e216c797f7
commit fece75fe35
2 changed files with 27 additions and 5 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -15733,7 +15733,9 @@ signature.
 The certbot service automates this process: the initial key
 generation, the initial certification request to the Let's Encrypt
 service, the web server challenge/response integration, writing the
-certificate to disk, and the automated periodic renewals.
+certificate to disk, the automated periodic renewals, and the deployment
+tasks associated with the renewal (e.g. reloading services, copying keys
+with different permissions).

 Certbot is run twice a day, at a random minute within the hour.  It
 won't do anything until your certificates are due for renewal or
@ -15750,13 +15752,20 @@ A service type for the @code{certbot} Let's Encrypt client.  Its value
 must be a @code{certbot-configuration} record as in this example:

@example
+(define %nginx-deploy-hook
+  (program-file
+   "nginx-deploy-hook"
+   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+       (kill pid SIGHUP))))
+
 (service certbot-service-type
         (certbot-configuration
          (email "foo@@example.net")
          (certificates
           (list
            (certificate-configuration
-             (domains '("example.net" "www.example.net")))
+             (domains '("example.net" "www.example.net"))
+             (deploy-hook %nginx-deploy-hook))
            (certificate-configuration
             (domains '("bar.example.net")))))))
@end example
@ -15826,6 +15835,15 @@ Its default is the first provided domain.
 The first domain provided will be the subject CN of the certificate, and
 all domains will be Subject Alternative Names on the certificate.

+@item @code{deploy-hook} (default: @code{#f})
+Command to be run in a shell once for each successfully issued
+certificate.  For this command, the shell variable
+@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
+example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
+certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
+contain a space-delimited list of renewed certificate domains (for
+example, @samp{"example.com www.example.com"}.
+
@end table
@end deftp

--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@ -48,7 +48,9 @@
  (name                certificate-configuration-name
                       (default #f))
  (domains             certificate-configuration-domains
-                       (default '())))
+                       (default '()))
+  (deploy-hook         certificate-configuration-deploy-hook
+                       (default #f)))

 (define-record-type* <certbot-configuration>
  certbot-configuration make-certbot-configuration
@ -78,7 +80,8 @@
            (commands
             (map
              (match-lambda
-                (($ <certificate-configuration> custom-name domains)
+                (($ <certificate-configuration> custom-name domains
+                                                deploy-hook)
                 (let ((name (or custom-name (car domains))))
                   (append
                    (list name certbot "certonly" "-n" "--agree-tos"
@ -86,7 +89,8 @@
                          "--webroot" "-w" webroot
                          "--cert-name" name
                          "-d" (string-join domains ","))
-                    (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())))))
+                    (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+                    (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
              certificates)))
       (program-file
        "certbot-command"