diff options
| author | Carlo Zancanaro <carlo@zancanaro.id.au> | 2024-01-31 11:46:22 +0000 |
|---|---|---|
| committer | Clément Lassieur <clement@lassieur.org> | 2024-01-31 16:54:03 +0100 |
| commit | a2b1ef903be001d5abfc47fc3e8add04fb748ff3 (patch) | |
| tree | b6c46b03499678d8fd6a04e9fa893e6addffbdfe /gnu/services | |
| parent | 7a45f7b9e1b34912ee087daf4014aa4f67b11bf0 (diff) | |
services: certbot: Symlink certificates to /etc/certs.
* gnu/services/certbot.scm (certbot-deploy-hook): New procedure.
(certbot-command): Pass new deploy hook to certbot.
* doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout, except in
the certbot deploy-hook description.
Change-Id: I2ba5e4903d1e293e566b732a84b07d5a134b697d
Signed-off-by: Clément Lassieur <clement@lassieur.org>
Diffstat (limited to 'gnu/services')
| -rw-r--r-- | gnu/services/certbot.scm | 36 |
1 files changed, 34 insertions, 2 deletions
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 0c45471659..3926d0551a 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us> ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name> +;;; Copyright © 2024 Carlo Zancanaro <carlo@zancanaro.id.au> ;;; ;;; This file is part of GNU Guix. ;;; @@ -87,6 +88,35 @@ (body (list "return 301 https://$host$request_uri;")))))) +(define (certbot-deploy-hook name deploy-hook-script) + "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem +from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is +not #f then it is run after the symlinks have been created." + (program-file + (string-append name "-deploy-hook") + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p #$(string-append "/etc/certs/" name)) + (chmod #$(string-append "/etc/certs/" name) #o755) + + ;; Create new symlinks + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/privkey.pem") + #$(string-append "/etc/certs/" name "/privkey.pem.new")) + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/fullchain.pem") + #$(string-append "/etc/certs/" name "/fullchain.pem.new")) + + ;; Rename over the top of the old ones, if there are any. + (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") + #$(string-append "/etc/certs/" name "/privkey.pem")) + (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") + #$(string-append "/etc/certs/" name "/fullchain.pem")) + #$@(if deploy-hook-script + (list #~(invoke #$deploy-hook-script)) + '()))))) + (define certbot-command (match-lambda (($ <certbot-configuration> package webroot certificates email @@ -118,7 +148,8 @@ `("--manual-auth-hook" ,authentication-hook) '()) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))) (append (list name certbot "certonly" "-n" "--agree-tos" "--webroot" "-w" webroot @@ -130,7 +161,8 @@ '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))))))) certificates))) (program-file "certbot-command" |