author | Wojtek Kosior <koszko@koszko.org> | 2024-03-18 22:26:41 +0100 |
committer | W. Kosior <koszko@koszko.org> | 2025-05-26 14:07:22 +0200 |
commit | efdd284c3b864bebb33a5fa7b0252010eba5d273 (patch) | |
tree | aa57adc07ce5b820bd40ced2c533c127f57ad6b2 | |
parent | bcd9c49e153fda43595e3ba23a7735619ca4d093 (diff) | |
download | guix-efdd284c3b864bebb33a5fa7b0252010eba5d273.tar.gz guix-efdd284c3b864bebb33a5fa7b0252010eba5d273.zip |
services: certbot: Allow it to be used without Nginx.
* gnu/services/certbot.scm (define-module)[#:export]: Add
`certbot-sans-nginx-service-type'.
(certbot-configuration)[service-reload]: Add field.
(certbot-configuration)[service-requirement]: Add field.
(certbot-deploy-hook): Reload requested services rather than hardcoded Nginx.
(certbot-command): Pass services to reload to `certbot-deploy-hook'.
(certbot-configuration-service-requirement*): New variable.
(certbot-renewal-shepherd-services): Pass the configured service requirements
to Shepherd instead of a hard-coded Nginx.
(certbot-sans-nginx-service-type): New variable.
(certbot-service-type): Avoid code duplication by inheriting from the above
service type.
Change-Id: Ic833f24989bbcdcbbc273f9c8eae4c56992aafa0
-rw-r--r-- | gnu/services/certbot.scm | 54 |
1 files changed, 39 insertions, 15 deletions
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index d6c7d175ff..5e603dd225 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -36,7 +36,8 @@
 #:use-module (srfi srfi-1)
 #:use-module (ice-9 format)
 #:use-module (ice-9 match)
-#:export (certbot-service-type
+#:export (certbot-sans-nginx-service-type
+certbot-service-type
 certbot-configuration
 certbot-configuration?
 certificate-configuration))
@@ -88,9 +89,13 @@
 (nginx-location-configuration
 (uri "/")
 (body
-(list "return 301 https://$host$request_uri;"))))))
+(list "return 301 https://$host$request_uri;")))))
+(service-reload certbot-configuration-service-reload
+(default '(nginx)))
+(service-requirement certbot-configuration-service-requirement
+(default '(nginx))))
 
-(define (certbot-deploy-hook name deploy-hook-script)
+(define (certbot-deploy-hook name deploy-hook-script reload-service-names)
 "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem from
 /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is not
 #f then it is run after the symlinks have been created. This wrapping is
@@ -122,8 +127,11 @@ deploy."
 (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new")
 #$(string-append "/etc/certs/" name "/fullchain.pem"))
 
-;; With the new certificates in place, tell nginx to reload them.
-(with-shepherd-action 'nginx ('reload) result result)
+;; With the new certificates in place, tell nginx/apache/whatever to
+;; reload them.
+(for-each (lambda (service)
+(with-shepherd-action service ('reload) result result))
+'#$reload-service-names)
 
 #$@(if deploy-hook-script
 (list #~(invoke #$deploy-hook-script))
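Review bot: Both new fields, `service-reload` and `service-requirement`, default to `'(nginx)`, so a user of `certbot-sans-nginx-service-type` who runs no nginx inherits a Shepherd requirement on a service that does not exist and a deploy hook that asks Shepherd to reload it; nothing in the field definitions says the two must be overridden together for the nginx-less variant. I would add a comment above `service-reload`: `;; Shepherd services to 'reload once new certificates are in place, and the services the renewal timer waits for; both default to nginx and must be overridden when using certbot-sans-nginx-service-type.` It is also worth stating whether `service-reload` is expected to be a subset of `service-requirement`, since the deploy hook reloads the former but the timer only waits for the latter. The `certbot-configuration` record starts before this hunk.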
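Review bot: In the new `for-each`, a failing reload of one service stops the loop, assuming `with-shepherd-action` raises on a Shepherd error as its result-binding form suggests, so any service later in `reload-service-names` keeps serving the old certificate and `deploy-hook-script` never runs even though the renamed `fullchain.pem` is already live. Catching per service, reporting the failure and raising once after the loop keeps every configured service reloaded while still surfacing the error to certbot. The enclosing gexp starts before this hunk.
```scheme
;; … unchanged: rename-file calls …
(let ((failed '()))
  (for-each (lambda (service)
              (catch #t
                (lambda ()
                  (with-shepherd-action service ('reload) result result))
                (lambda args
                  (format (current-error-port)
                          "certbot: failed to reload ~a: ~s~%" service args)
                  (set! failed (cons service failed)))))
            '#$reload-service-names)
  (unless (null? failed)
    (error "certbot: failed to reload services" failed)))
;; … unchanged: deploy-hook-script invocation …
```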
@@ -132,7 +140,8 @@ deploy."
 (define certbot-command
 (match-lambda
 (($ <certbot-configuration> package webroot certificates email
-server rsa-key-size default-location)
+server rsa-key-size default-location
+service-reload)
 (let* ((certbot (file-append package "/bin/certbot"))
 (rsa-key-size (and rsa-key-size (number->string rsa-key-size)))
 (commands
@@ -161,7 +170,8 @@ deploy."
 '())
 (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
 (list "--deploy-hook"
-(certbot-deploy-hook name deploy-hook)))
+(certbot-deploy-hook name deploy-hook
+service-reload)))
 (append
 (list name certbot "certonly" "-n" "--agree-tos"
 "--webroot" "-w" webroot
@@ -174,7 +184,8 @@ deploy."
 (if server `("--server" ,server) '())
 (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
 (list "--deploy-hook"
-(certbot-deploy-hook name deploy-hook)))))))
+(certbot-deploy-hook name deploy-hook
+service-reload)))))))
 certificates)))
 (program-file
 "certbot-command"
@@ -219,10 +230,14 @@ deploy."
 '#$commands)
 (exit script-code))))))))
 
+(define* (certbot-configuration-service-requirement* config)
+(lset-adjoin eq? (certbot-configuration-service-requirement config)
+'user-processes))
+
 (define (certbot-renewal-shepherd-services config)
 (list (shepherd-service
 (provision '(certbot-certificate-renewal))
-(requirement '(user-processes nginx))
+(requirement (certbot-configuration-service-requirement* config))
 (modules '((shepherd service timer)))
 (start #~(make-timer-constructor
 ;; Attempt to renew the certificates twice per day. See
@@ -244,7 +259,7 @@ certificates.")
 ;; possible without user intervention.
 (shepherd-service
 (provision '(renew-certbot-certificates))
-(requirement '(user-processes nginx))
+(requirement (certbot-configuration-service-requirement* config))
 (one-shot? #t)
 (start #~(lambda _
 ;; This needs the network, but there's no reliable way to know
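Review bot: `certbot-configuration-service-requirement*` derives the timer's requirement only from `service-requirement`, so a service listed in `service-reload` but not in `service-requirement` is not guaranteed to be running when the deploy hook asks Shepherd to reload it, and the two lists must be kept in sync by hand. If that is intended, a docstring on the new procedure should say so; otherwise derive the requirement from both fields: `(lset-adjoin eq? (lset-union eq? (certbot-configuration-service-requirement config) (certbot-configuration-service-reload config)) 'user-processes)`, using the `srfi-1` the module already imports. `define*` is also unnecessary here since the procedure takes no optional or keyword arguments; plain `define` matches the surrounding definitions.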
@@ -354,12 +369,10 @@ certificates.")
 (list default-location)))))))
 (map certificate->nginx-server certificates))))
 
-(define certbot-service-type
+(define certbot-sans-nginx-service-type
 (service-type (name 'certbot)
 (extensions
-(list (service-extension nginx-service-type
-certbot-nginx-server-configurations)
-(service-extension profile-service-type
+(list (service-extension profile-service-type
 (compose list certbot-configuration-package))
 (service-extension activation-service-type
 certbot-activation)
@@ -375,5 +388,16 @@ certificates.")
 additional-certificates)))))
 (description
 "Automatically renew @url{https://letsencrypt.org, Let's
+Encrypt} HTTPS certificates by periodically invoking @command{certbot}.")))
+
+(define certbot-service-type
+(let ((base certbot-sans-nginx-service-type))
+(service-type (inherit base)
+(extensions (cons (service-extension
+nginx-service-type
+certbot-nginx-server-configurations)
+(service-type-extensions base)))
+(description
+"Automatically renew @url{https://letsencrypt.org, Let's
 Encrypt} HTTPS certificates by adjusting the nginx web server configuration
-and periodically invoking @command{certbot}.")))
+and periodically invoking @command{certbot}."))))
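Review bot: `certbot-service-type` inherits `(name 'certbot)` from `certbot-sans-nginx-service-type`, so two distinct exported service types now carry the same name in `guix system search` output, error messages and anything else that reports a type by name, which makes it hard for an operator to tell which variant a message refers to. Consider giving the base type `(name 'certbot-sans-nginx)` and setting `(name 'certbot)` explicitly in the inheriting definition so the existing type keeps its name. Separately, the diffstat lists only `gnu/services/certbot.scm`, so the new service type and the `service-reload`/`service-requirement` fields appear undocumented in the manual; the certbot section should state that both fields must be set when using the nginx-less variant.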