
services: certbot: Add dry-run? certificate option.

* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
(certbot-command): Use it to pass --dry-run to certbot.
* doc/guix.texi (Certificate Services): Document dry-run? option.

Change-Id: I26b0dc06e2b7e5fb34305deee09e311d085f8a4b
Signed-off-by: Maxim Cournoyer <maxim@guixotic.coop>
Modified-by: Maxim Cournoyer <maxim@guixotic.coop>
This commit is contained in:
Pierre Langlois
2021-03-14 13:15:43 +00:00
committed by Maxim Cournoyer
parent c603068f6f
commit 57fc58ba48
2 changed files with 75 additions and 34 deletions


@@ -35816,6 +35816,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
contain a space-delimited list of renewed certificate domains (for contain a space-delimited list of renewed certificate domains (for
example, @samp{"example.com www.example.com"}. example, @samp{"example.com www.example.com"}.
@item @code{dry-run?} (default: @code{#f})
Communicate with the ACME server but do not update certificates nor
trigger @code{deploy-hook}. This is useful as a temporary setting to
test the challenge procedure, especially the @code{authentication-hook}
and @code{cleanup-hook} while working on them. It's also a good idea to
use the Let's Encrypt staging server at
@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
testing, which allows for higher rate limits, but with which
@code{certbot} will helpfully refuse to update certificates and
recommend the @code{dry-run?} option. For example:
@lisp
(define %authentication-hook
(program-file "authentication-hook"
#~(let ((domain (getenv "CERTBOT_DOMAIN"))
(token (getenv "CERTBOT_TOKEN")))
(format #t "Hey, can you authenticate ~a with ~a for me?"
domain token))))
(define %cleanup-hook
(program-file "authentication-hook"
#~(display "Bye")))
(service certbot-service-type
(certbot-configuration
(server "https://acme-staging-v02.api.letsencrypt.org/directory")
(certificates
(list
(certificate-configuration
(dry-run? #t)
(authentication-hook %authentication-hook)
(cleanup-hook %cleanup-hook)
(domains '("example.net" "www.example.net")))))))
@end lisp
@item @code{start-self-signed?} (default: @code{#t}) @item @code{start-self-signed?} (default: @code{#t})
Whether to generate an initial self-signed certificate during system Whether to generate an initial self-signed certificate during system
activation. This option is particularly useful to allow @code{nginx} to activation. This option is particularly useful to allow @code{nginx} to


@@ -66,6 +66,8 @@
(default #f)) (default #f))
(deploy-hook certificate-configuration-deploy-hook (deploy-hook certificate-configuration-deploy-hook
(default #f)) (default #f))
(dry-run? certbot-configuration-dry-run?
(default #f))
(start-self-signed? certificate-configuration-start-self-signed? (start-self-signed? certificate-configuration-start-self-signed?
(default #t))) (default #t)))
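Review bot: The accessor added for the new field is named `certbot-configuration-dry-run?`, while every neighbouring accessor of this record uses the `certificate-configuration-` prefix (`certificate-configuration-deploy-hook`, `certificate-configuration-start-self-signed?`); since the field belongs to `<certificate-configuration>`, the line should read `(dry-run? certificate-configuration-dry-run?`. The second hunk of this file (which runs past the end of the visible page) reads the field positionally in the `($ <certificate-configuration> ... deploy-hook dry-run?)` match pattern, so the field must stay between `deploy-hook` and `start-self-signed?`; a comment such as `;; Keep right after deploy-hook: certbot-command destructures fields positionally.` would make that constraint explicit. Separately, in the doc/guix.texi example, `%cleanup-hook` wraps a `program-file` named "authentication-hook", which looks like a copy-paste slip for "cleanup-hook".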
@@ -141,40 +143,44 @@ deploy."
(match-lambda (match-lambda
(($ <certificate-configuration> custom-name domains challenge (($ <certificate-configuration> custom-name domains challenge
csr authentication-hook csr authentication-hook
cleanup-hook deploy-hook) cleanup-hook deploy-hook
(let ((name (or custom-name (car domains)))) dry-run?)
(if challenge (append
(append (let ((name (or custom-name (car domains))))
(list name certbot "certonly" "-n" "--agree-tos" (if challenge
"--manual" (append
(string-append "--preferred-challenges=" challenge) (list name certbot "certonly" "-n" "--agree-tos"
"--cert-name" name "--manual"
"-d" (string-join domains ",")) (string-append "--preferred-challenges=" challenge)
(if csr `("--csr" ,csr) '()) "--cert-name" name
(if email "-d" (string-join domains ","))
`("--email" ,email) (if csr `("--csr" ,csr) '())
'("--register-unsafely-without-email")) (if email
(if server `("--server" ,server) '()) `("--email" ,email)
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) '("--register-unsafely-without-email"))
(if authentication-hook (if server `("--server" ,server) '())
`("--manual-auth-hook" ,authentication-hook) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
'()) (if authentication-hook
(if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) `("--manual-auth-hook" ,authentication-hook)
(list "--deploy-hook" '())
(certbot-deploy-hook name deploy-hook))) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
(append (list "--deploy-hook"
(list name certbot "certonly" "-n" "--agree-tos" (certbot-deploy-hook name deploy-hook)))
"--webroot" "-w" webroot (append
"--cert-name" name (list name certbot "certonly" "-n" "--agree-tos"
"-d" (string-join domains ",")) "--webroot" "-w" webroot
(if csr `("--csr" ,csr) '()) "--cert-name" name
(if email "-d" (string-join domains ","))
`("--email" ,email) (if csr `("--csr" ,csr) '())
'("--register-unsafely-without-email")) (if email
(if server `("--server" ,server) '()) `("--email" ,email)
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) '("--register-unsafely-without-email"))
(list "--deploy-hook" (if server `("--server" ,server) '())
(certbot-deploy-hook name deploy-hook))))))) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
(list "--deploy-hook"
(certbot-deploy-hook name deploy-hook)))))
;; Common options.
(if dry-run? '("--dry-run") '()))))
certificates))) certificates)))
(program-file (program-file
"certbot-command" "certbot-command"