From 9392c2b8d4efe2949e04a25e786c21db168efc72 Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Mon, 18 Mar 2024 22:26:41 +0100
Subject: services: certbot: Allow it to be used without Nginx.

* gnu/services/certbot.scm (define-module)[#:export]: Add `certbot-sans-nginx-service-type'.
(certbot-configuration)[service-reload]: Add field.
(certbot-configuration)[service-requirement]: Add field.
(certbot-deploy-hook): Reload requested services rather than hardcoded Nginx.
(certbot-command): Pass services to reload to `certbot-deploy-hook'.
(certbot-renewal-one-shot): Pass depended services to Shepherd as configured instead of passing hardcoded Nginx.
(certbot-sans-nginx-service-type): New variable.
(certbot-service-type): Avoid code duplication by inheriting from the above service type.

Change-Id: Ic833f24989bbcdcbbc273f9c8eae4c56992aafa0
---
 gnu/services/certbot.scm | 48 ++++++++++++++++++++++++++++++++++--------------
 1 file changed, 34 insertions(+), 14 deletions(-)
(limited to 'gnu')

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index f287c8367f..c79cf84391 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -37,7 +37,8 @@ (define-module (gnu services certbot)
 #:use-module (srfi srfi-1)
 #:use-module (ice-9 format)
 #:use-module (ice-9 match)
- #:export (certbot-service-type
+ #:export (certbot-sans-nginx-service-type
+ certbot-service-type
 certbot-configuration
 certbot-configuration?
 certificate-configuration))
@@ -89,9 +90,13 @@ (define-record-type*
 (nginx-location-configuration
 (uri "/")
 (body
- (list "return 301 https://$host$request_uri;"))))))
+ (list "return 301 https://$host$request_uri;")))))
+ (service-reload certbot-configuration-service-reload
+ (default '(nginx)))
+ (service-requirement certbot-configuration-service-requirement
+ (default '(nginx))))
-(define (certbot-deploy-hook name deploy-hook-script)
+(define (certbot-deploy-hook name deploy-hook-script reload-service-names)
 "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem
 from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is
 not #f then it is run after the symlinks have been created. This wrapping is
@@ -123,8 +128,11 @@ (define (certbot-deploy-hook name deploy-hook-script)
 (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new")
 #$(string-append "/etc/certs/" name "/fullchain.pem"))
- ;; With the new certificates in place, tell nginx to reload them.
- (with-shepherd-action 'nginx ('reload) result result)
+ ;; With the new certificates in place, tell nginx/apache/whatever to
+ ;; reload them.
+ (for-each (lambda (service)
+ (with-shepherd-action service ('reload) result result))
+ '#$reload-service-names)
 #$@(if deploy-hook-script
 (list #~(invoke #$deploy-hook-script))
@@ -133,7 +141,8 @@ (define (certbot-deploy-hook name deploy-hook-script)
 (define certbot-command
 (match-lambda
 (($ package webroot certificates email
- server rsa-key-size default-location)
+ server rsa-key-size default-location
+ service-reload)
 (let* ((certbot (file-append package "/bin/certbot"))
 (rsa-key-size (and rsa-key-size (number->string rsa-key-size)))
 (commands
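Review bot: The two new fields `service-reload` and `service-requirement` carry no documentation, and both default to `'(nginx)`, so a `certbot-sans-nginx-service-type` instance built from a default `certbot-configuration` still declares an `nginx` Shepherd requirement (the `@@ -236` hunk) and still asks Shepherd to reload `nginx` from the deploy hook; anyone using the nginx-free type appears to have to override both fields, and nothing in the hunk says so. The visible start of the `certbot-deploy-hook` docstring also does not describe the new RELOAD-SERVICE-NAMES parameter (the docstring and the function continue past the hunk). I would add to the docstring `RELOAD-SERVICE-NAMES is a list of Shepherd service names whose 'reload action is invoked once the new certificate files are in place.` and a comment above each new field noting that the default assumes an nginx Shepherd service exists.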
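Review bot: In the new `for-each` the value of each `with-shepherd-action` call is thrown away, so a reload that fails (service unknown to Shepherd, or not running at renewal time) leaves the old certificate being served with nothing in this hook's output to show it, beyond whatever the herd client prints on its own. Since this is the point where a renewal actually takes effect, I would make the failure visible per service; if `with-shepherd-action` yields `#f` when the action fails, as the herd client appears to, the lambda body can become `(unless (with-shepherd-action service ('reload) result result) (format (current-error-port) "certbot: reload of '~a' failed~%" service))`. The comment `tell nginx/apache/whatever to reload them` could also simply name the source of the list, e.g. `tell every service listed in RELOAD-SERVICE-NAMES to reload them`.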
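Review bot: The `$` pattern in `certbot-command` is positional, so `service-reload` binds to whatever the eighth field of the record happens to be; it is correct only because the record definition inserts `service-reload` directly after `default-location`, and a later field added in between would silently shift the binding. A one-line comment above the pattern, `;; Positional match: keep in sync with the field order of certbot-configuration.`, would make that coupling visible. The `match-lambda` body continues outside the hunk.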
@@ -162,7 +171,8 @@ (define certbot-command
 '())
 (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
 (list "--deploy-hook"
- (certbot-deploy-hook name deploy-hook)))
+ (certbot-deploy-hook name deploy-hook
+ service-reload)))
 (append (list name certbot "certonly" "-n" "--agree-tos"
 "--webroot" "-w" webroot
@@ -175,7 +185,8 @@ (define certbot-command
 (if server `("--server" ,server) '())
 (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
 (list "--deploy-hook"
- (certbot-deploy-hook name deploy-hook)))))))
+ (certbot-deploy-hook name deploy-hook
+ service-reload)))))))
 certificates)))
 (program-file
 "certbot-command"
@@ -236,7 +247,7 @@ (define (certbot-renewal-one-shot config)
 ;; user intervention.
 (shepherd-service
 (provision '(renew-certbot-certificates))
- (requirement '(nginx))
+ (requirement (certbot-configuration-service-requirement config))
 (one-shot? #t)
 (start #~(lambda _
 ;; This needs the network, but there's no reliable way to know
@@ -345,12 +356,10 @@ (define (certificate->nginx-server certificate-configuration)
 (list default-location)))))))
 (map certificate->nginx-server certificates))))
-(define certbot-service-type
+(define certbot-sans-nginx-service-type
 (service-type
 (name 'certbot)
 (extensions
- (list (service-extension nginx-service-type
- certbot-nginx-server-configurations)
- (service-extension activation-service-type
+ (list (service-extension activation-service-type
 certbot-activation)
 (service-extension mcron-service-type
 certbot-renewal-jobs)
@@ -366,5 +375,16 @@ (define certbot-service-type
 additional-certificates)))))
 (description
 "Automatically renew @url{https://letsencrypt.org, Let's
+Encrypt} HTTPS certificates by periodically invoking @command{certbot}.")))
+
+(define certbot-service-type
+ (let ((base certbot-sans-nginx-service-type))
+ (service-type (inherit base)
+ (extensions (cons (service-extension
+ nginx-service-type
+ certbot-nginx-server-configurations)
+ (service-type-extensions base)))
+ (description
+ "Automatically renew @url{https://letsencrypt.org, Let's
 Encrypt} HTTPS certificates by adjusting the nginx web server configuration
-and periodically invoking @command{certbot}.")))
+and periodically invoking @command{certbot}."))))
-- 
cgit v1.2.3
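Review bot: The derived `certbot-service-type` inherits `(name 'certbot)` from `certbot-sans-nginx-service-type` and does not override it, so the two exported service types are indistinguishable by name in diagnostics and in service listings that print the type name. Unless something depends on the base type being called `certbot`, I would give the nginx-free type its own name, e.g. `(name 'certbot-sans-nginx)` in its definition, or add `(name 'certbot)` explicitly here with a comment saying the shared name is intentional. The new description for the base type could also state that the `service-reload` and `service-requirement` defaults still point at `nginx` and must be set for a non-nginx deployment.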