Diffstat (limited to 'gnu/services/certbot.scm')
-rw-r--r-- | gnu/services/certbot.scm | 48 |
1 files changed, 34 insertions, 14 deletions
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index b276c49e0f..c62e5492dc 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -37,7 +37,8 @@
   #:use-module (srfi srfi-1)
   #:use-module (ice-9 format)
   #:use-module (ice-9 match)
-  #:export (certbot-service-type
+  #:export (certbot-sans-nginx-service-type
+            certbot-service-type
             certbot-configuration
             certbot-configuration?
             certificate-configuration))
@@ -89,9 +90,13 @@
        (nginx-location-configuration
         (uri "/")
         (body
-         (list "return 301 https://$host$request_uri;"))))))
+         (list "return 301 https://$host$request_uri;")))))
+  (service-reload certbot-configuration-service-reload
+                  (default '(nginx)))
+  (service-requirement certbot-configuration-service-requirement
+                       (default '(nginx))))
 
-(define (certbot-deploy-hook name deploy-hook-script)
+(define (certbot-deploy-hook name deploy-hook-script reload-service-names)
   "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is not #f then it is run after the symlinks have been created. This wrapping is
@@ -123,8 +128,11 @@ deploy."
           (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new")
                        #$(string-append "/etc/certs/" name "/fullchain.pem"))
-          ;; With the new certificates in place, tell nginx to reload them.
-          (with-shepherd-action 'nginx ('reload) result result)
+          ;; With the new certificates in place, tell nginx/apache/whatever to
+          ;; reload them.
+          (for-each (lambda (service)
+                      (with-shepherd-action service ('reload) result result))
+                    '#$reload-service-names)
           #$@(if deploy-hook-script
                  (list #~(invoke #$deploy-hook-script))
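Review bot: The new `service-reload` and `service-requirement` fields both default to `'(nginx)`, and those defaults are inherited unchanged by `certbot-sans-nginx-service-type`, whose purpose is a deployment without nginx; an operator who uses that type with another web server and forgets to override both fields gets a `renew-certbot-certificates` shepherd service whose `requirement` names an nginx service that is likely absent, so renewal would presumably never start and the certificates would quietly run out, while the deploy hook tries to reload a service that is not there. Either the sans-nginx variant should default both fields to `'()`, or the record should say that they must be set when nginx is not the web server, e.g. `;; Shepherd services to reload after a renewal (and to wait for before renewing); override both when nginx is not the web server.` The `certbot-configuration` record definition begins outside this hunk.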
@@ -133,7 +141,8 @@ deploy."
 (define certbot-command
   (match-lambda
     (($ <certbot-configuration> package webroot certificates email
-                                server rsa-key-size default-location)
+                                server rsa-key-size default-location
+                                service-reload)
      (let* ((certbot (file-append package "/bin/certbot"))
             (rsa-key-size (and rsa-key-size (number->string rsa-key-size)))
             (commands
@@ -162,7 +171,8 @@ deploy."
                          '())
                      (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
                      (list "--deploy-hook"
-                           (certbot-deploy-hook name deploy-hook)))
+                           (certbot-deploy-hook name deploy-hook
+                                                service-reload)))
                (append (list name certbot "certonly" "-n" "--agree-tos"
                              "--webroot" "-w" webroot
@@ -175,7 +185,8 @@ deploy."
                      (if server `("--server" ,server) '())
                      (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
                      (list "--deploy-hook"
-                           (certbot-deploy-hook name deploy-hook)))))))
+                           (certbot-deploy-hook name deploy-hook
+                                                service-reload)))))))
              certificates)))
     (program-file "certbot-command"
@@ -236,7 +247,7 @@ deploy."
                 ;; user intervention.
                 (shepherd-service
                  (provision '(renew-certbot-certificates))
-                 (requirement '(nginx))
+                 (requirement (certbot-configuration-service-requirement config))
                  (one-shot? #t)
                  (start #~(lambda _
                             ;; This needs the network, but there's no reliable way to know
@@ -345,12 +356,10 @@ deploy."
                      (list default-location)))))))
         (map certificate->nginx-server certificates))))
 
-(define certbot-service-type
+(define certbot-sans-nginx-service-type
   (service-type (name 'certbot)
                 (extensions
-                 (list (service-extension nginx-service-type
-                                          certbot-nginx-server-configurations)
-                       (service-extension profile-service-type
+                 (list (service-extension profile-service-type
                                           (compose list certbot-configuration-package))
                        (service-extension activation-service-type
                                           certbot-activation)
@@ -368,5 +377,16 @@ deploy."
                                              additional-certificates)))))
    (description
     "Automatically renew @url{https://letsencrypt.org, Let's
+Encrypt} HTTPS certificates by periodically invoking @command{certbot}.")))
+
+(define certbot-service-type
+  (let ((base certbot-sans-nginx-service-type))
+    (service-type (inherit base)
+      (extensions (cons (service-extension
+                         nginx-service-type
+                         certbot-nginx-server-configurations)
+                        (service-type-extensions base)))
+      (description
+       "Automatically renew @url{https://letsencrypt.org, Let's
 Encrypt} HTTPS certificates by adjusting the nginx web server configuration
-and periodically invoking @command{certbot}.")))
+and periodically invoking @command{certbot}."))))
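Review bot: `(inherit base)` carries over the base's `(name 'certbot)` without overriding it, so both exported service types appear to share one name, which, if I recall how service-type names surface in `guix system search` and in error messages, leaves operators unable to tell the two apart (the base's `name` field is in the previous hunk, whose end is outside this page). Giving the sans-nginx variant its own name and setting `(name 'certbot)` explicitly in this derived type would keep them distinguishable. A one-line comment on the `let`, such as `;; The default certbot service: the nginx-free base plus the nginx vhost extension.`, would also make the relationship between the two types obvious to the next reader.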