authorWojtek Kosior <koszko@koszko.org>2024-03-18 22:26:41 +0100
committerW. Kosior <koszko@koszko.org>2024-12-24 09:35:57 +0100
commit88841cadef596f3c67072f2afbb6adaf2999da11 (patch)
treedc00e2da36e08b7a65348d62b4413c5560e5b4c7 /gnu
parent38aad7dd6492f589459fdfa97bd7bd71b544ec13 (diff)
downloadguix-88841cadef596f3c67072f2afbb6adaf2999da11.tar.gz
guix-88841cadef596f3c67072f2afbb6adaf2999da11.zip
services: certbot: Allow it to be used without Nginx.
* gnu/services/certbot.scm (define-module)[#:export]: Add `certbot-sans-nginx-service-type'. (certbot-configuration)[service-reload]: Add field. (certbot-configuration)[service-requirement]: Add field. (certbot-deploy-hook): Reload the requested services rather than hardcoded Nginx. (certbot-command): Pass the services to reload to `certbot-deploy-hook'. (certbot-renewal-one-shot): Pass the configured service dependencies to Shepherd instead of hardcoded Nginx. (certbot-sans-nginx-service-type): New variable. (certbot-service-type): Avoid code duplication by inheriting from the above service type. Change-Id: Ic833f24989bbcdcbbc273f9c8eae4c56992aafa0
Diffstat (limited to 'gnu')
-rw-r--r--gnu/services/certbot.scm48
1 files changed, 34 insertions, 14 deletions
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index b276c49e0f..c62e5492dc 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -37,7 +37,8 @@
#:use-module (srfi srfi-1)
#:use-module (ice-9 format)
#:use-module (ice-9 match)
- #:export (certbot-service-type
+ #:export (certbot-sans-nginx-service-type
+ certbot-service-type
certbot-configuration
certbot-configuration?
certificate-configuration))
@@ -89,9 +90,13 @@
(nginx-location-configuration
(uri "/")
(body
- (list "return 301 https://$host$request_uri;"))))))
+ (list "return 301 https://$host$request_uri;")))))
+ (service-reload certbot-configuration-service-reload
+ (default '(nginx)))
+ (service-requirement certbot-configuration-service-requirement
+ (default '(nginx))))
-(define (certbot-deploy-hook name deploy-hook-script)
+(define (certbot-deploy-hook name deploy-hook-script reload-service-names)
"Returns a gexp which creates symlinks for privkey.pem and fullchain.pem
from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is
not #f then it is run after the symlinks have been created. This wrapping is
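Review bot: Both new fields default to `'(nginx)`, so a `certbot-sans-nginx-service-type` instance built from a default `certbot-configuration` still makes the renewal job require nginx and reload nginx through Shepherd; users of the nginx-free type must override both fields, and nothing in the record says so. A comment on the fields such as `;; Shepherd services to reload after a deployment and to require before renewal; override both when nginx is not used.` would make that explicit. The docstring of `certbot-deploy-hook` that begins at the end of this hunk also does not describe the new RELOAD-SERVICE-NAMES parameter (the docstring continues past the hunk); it should state that each listed Shepherd service receives a `reload` action once the symlinks are in place.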
@@ -123,8 +128,11 @@ deploy."
(rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new")
#$(string-append "/etc/certs/" name "/fullchain.pem"))
- ;; With the new certificates in place, tell nginx to reload them.
- (with-shepherd-action 'nginx ('reload) result result)
+ ;; With the new certificates in place, tell nginx/apache/whatever to
+ ;; reload them.
+ (for-each (lambda (service)
+ (with-shepherd-action service ('reload) result result))
+ '#$reload-service-names)
#$@(if deploy-hook-script
(list #~(invoke #$deploy-hook-script))
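Review bot: The loop over `'#$reload-service-names` discards the `result` each `with-shepherd-action` form yields, so a failed reload of one service leaves that service serving the old certificate with no record of which one failed, and the deploy hook script still runs afterwards. This was already true for the single hardcoded nginx reload, but with a user-supplied list a short log line per service, e.g. `(format #t "certbot: reload of ~a returned ~a~%" service result)` in the lambda body, would let operators notice an unreloaded service before the old certificate expires. How `with-shepherd-action` behaves for a service that does not implement `reload` is not visible here and is worth confirming. The enclosing gexp starts and ends outside the hunk.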
@@ -133,7 +141,8 @@ deploy."
(define certbot-command
(match-lambda
(($ <certbot-configuration> package webroot certificates email
- server rsa-key-size default-location)
+ server rsa-key-size default-location
+ service-reload)
(let* ((certbot (file-append package "/bin/certbot"))
(rsa-key-size (and rsa-key-size (number->string rsa-key-size)))
(commands
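Review bot: The `($ <certbot-configuration> ...)` pattern destructures the record positionally, so `service-reload` is bound correctly only because it is the field declared immediately after `default-location`; a field inserted earlier in the record later would silently rebind this name to a different value. Reading it through the accessor, `(certbot-configuration-service-reload config)`, as the renewal service does for `service-requirement` elsewhere in this commit, would remove the dependency on declaration order. The match-lambda body continues past the hunk.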
@@ -162,7 +171,8 @@ deploy."
'())
(if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
(list "--deploy-hook"
- (certbot-deploy-hook name deploy-hook)))
+ (certbot-deploy-hook name deploy-hook
+ service-reload)))
(append
(list name certbot "certonly" "-n" "--agree-tos"
"--webroot" "-w" webroot
@@ -175,7 +185,8 @@ deploy."
(if server `("--server" ,server) '())
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
(list "--deploy-hook"
- (certbot-deploy-hook name deploy-hook)))))))
+ (certbot-deploy-hook name deploy-hook
+ service-reload)))))))
certificates)))
(program-file
"certbot-command"
@@ -236,7 +247,7 @@ deploy."
;; user intervention.
(shepherd-service
(provision '(renew-certbot-certificates))
- (requirement '(nginx))
+ (requirement (certbot-configuration-service-requirement config))
(one-shot? #t)
(start #~(lambda _
;; This needs the network, but there's no reliable way to know
@@ -345,12 +356,10 @@ deploy."
(list default-location)))))))
(map certificate->nginx-server certificates))))
-(define certbot-service-type
+(define certbot-sans-nginx-service-type
(service-type (name 'certbot)
(extensions
- (list (service-extension nginx-service-type
- certbot-nginx-server-configurations)
- (service-extension profile-service-type
+ (list (service-extension profile-service-type
(compose list certbot-configuration-package))
(service-extension activation-service-type
certbot-activation)
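Review bot: `certbot-sans-nginx-service-type` keeps `(name 'certbot)`, and the derived `certbot-service-type` inherits that same name later in the file, so two distinct service types carry one name in any tool or message that identifies a service type by it. Giving the base its own name, e.g. `(name 'certbot-sans-nginx)`, and setting `(name 'certbot)` explicitly on the inheriting type would keep the existing type's name unchanged. It also looks like `default-location` only feeds the nginx extension that this type no longer has; if so, the field's documentation should say it is ignored by the sans-nginx type — confirm against `certbot-nginx-server-configurations`, which ends just above this hunk.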
@@ -368,5 +377,16 @@ deploy."
additional-certificates)))))
(description
"Automatically renew @url{https://letsencrypt.org, Let's
+Encrypt} HTTPS certificates by periodically invoking @command{certbot}.")))
+
+(define certbot-service-type
+ (let ((base certbot-sans-nginx-service-type))
+ (service-type (inherit base)
+ (extensions (cons (service-extension
+ nginx-service-type
+ certbot-nginx-server-configurations)
+ (service-type-extensions base)))
+ (description
+ "Automatically renew @url{https://letsencrypt.org, Let's
Encrypt} HTTPS certificates by adjusting the nginx web server configuration
-and periodically invoking @command{certbot}.")))
+and periodically invoking @command{certbot}."))))