-rw-r--r-- | doc/guix.texi | 35 | ||||
-rw-r--r-- | gnu/services/certbot.scm | 74 |
2 files changed, 75 insertions, 34 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 0b4c3ceac6..d03924ea96 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -35816,6 +35816,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{dry-run?} (default: @code{#f}) +Communicate with the ACME server but do not update certificates nor +trigger @code{deploy-hook}. This is useful as a temporary setting to +test the challenge procedure, especially the @code{authentication-hook} +and @code{cleanup-hook} while working on them. It's also a good idea to +use the Let's Encrypt staging server at +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while +testing, which allows for higher rate limits, but with which +@code{certbot} will helpfully refuse to update certificates and +recommend the @code{dry-run?} option. For example: + +@lisp +(define %authentication-hook + (program-file "authentication-hook" + #~(let ((domain (getenv "CERTBOT_DOMAIN")) + (token (getenv "CERTBOT_TOKEN"))) + (format #t "Hey, can you authenticate ~a with ~a for me?" + domain token)))) + +(define %cleanup-hook + (program-file "authentication-hook" + #~(display "Bye"))) + +(service certbot-service-type + (certbot-configuration + (server "https://acme-staging-v02.api.letsencrypt.org/directory") + (certificates + (list + (certificate-configuration + (dry-run? #t) + (authentication-hook %authentication-hook) + (cleanup-hook %cleanup-hook) + (domains '("example.net" "www.example.net"))))))) +@end lisp + @item @code{start-self-signed?} (default: @code{#t}) Whether to generate an initial self-signed certificate during system activation. This option is particularly useful to allow @code{nginx} to diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 2c7979a4be..7a7c2a9e00 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -66,6 +66,8 @@ (default #f)) (deploy-hook certificate-configuration-deploy-hook (default #f)) + (dry-run? certbot-configuration-dry-run? + (default #f)) (start-self-signed? certificate-configuration-start-self-signed? (default #t))) 
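Review bot: The accessor added for the new field is named `certbot-configuration-dry-run?`, but the sibling accessors in this same hunk (`certificate-configuration-deploy-hook`, `certificate-configuration-start-self-signed?`) show the record is the per-certificate one, and the documentation hunk lists `dry-run?` among the per-certificate options. The mismatched prefix suggests a top-level certbot option and will send anyone grepping for the per-certificate accessor to the wrong name; rename it to `(dry-run? certificate-configuration-dry-run?`. The `define-record-type*` form this field belongs to starts before the hunk, so check there are no other references to the misnamed accessor outside the visible lines.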
@@ -141,40 +143,44 @@ deploy." (match-lambda (($ <certificate-configuration> custom-name domains challenge csr authentication-hook - cleanup-hook deploy-hook) - (let ((name (or custom-name (car domains)))) - (if challenge - (append - (list name certbot "certonly" "-n" "--agree-tos" - "--manual" - (string-append "--preferred-challenges=" challenge) - "--cert-name" name - "-d" (string-join domains ",")) - (if csr `("--csr" ,csr) '()) - (if email - `("--email" ,email) - '("--register-unsafely-without-email")) - (if server `("--server" ,server) '()) - (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if authentication-hook - `("--manual-auth-hook" ,authentication-hook) - '()) - (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) - (list "--deploy-hook" - (certbot-deploy-hook name deploy-hook))) - (append - (list name certbot "certonly" "-n" "--agree-tos" - "--webroot" "-w" webroot - "--cert-name" name - "-d" (string-join domains ",")) - (if csr `("--csr" ,csr) '()) - (if email - `("--email" ,email) - '("--register-unsafely-without-email")) - (if server `("--server" ,server) '()) - (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (list "--deploy-hook" - (certbot-deploy-hook name deploy-hook))))))) + cleanup-hook deploy-hook + dry-run?) 
+ (append + (let ((name (or custom-name (car domains)))) + (if challenge + (append + (list name certbot "certonly" "-n" "--agree-tos" + "--manual" + (string-append "--preferred-challenges=" challenge) + "--cert-name" name + "-d" (string-join domains ",")) + (if csr `("--csr" ,csr) '()) + (if email + `("--email" ,email) + '("--register-unsafely-without-email")) + (if server `("--server" ,server) '()) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) + (if authentication-hook + `("--manual-auth-hook" ,authentication-hook) + '()) + (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))) + (append + (list name certbot "certonly" "-n" "--agree-tos" + "--webroot" "-w" webroot + "--cert-name" name + "-d" (string-join domains ",")) + (if csr `("--csr" ,csr) '()) + (if email + `("--email" ,email) + '("--register-unsafely-without-email")) + (if server `("--server" ,server) '()) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))))) + ;; Common options. + (if dry-run? '("--dry-run") '())))) certificates))) (program-file "certbot-command" |
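Review bot: The new `;; Common options.` tail holds only `--dry-run`, while the `--csr`, `--email`/`--register-unsafely-without-email`, `--server`, `--rsa-key-size` and `--deploy-hook` handling remains duplicated verbatim in both the `--manual` and `--webroot` branches of the `if challenge` form, so the next option added this way will again have to be threaded through two copies or, worse, land in only one. Certbot does not depend on option order, so everything except the authenticator-specific arguments can move into that tail, removing eleven repeated lines; the manual-only hooks stay conditional on `challenge`, so the webroot branch still ignores `authentication-hook` and `cleanup-hook` exactly as today. The enclosing definition and its `match-lambda` pattern begin before the hunk; only the body of the match clause is rewritten below.

```scheme
(let ((name (or custom-name (car domains))))
  (append
   (list name certbot "certonly" "-n" "--agree-tos")
   ;; Authenticator-specific options.
   (if challenge
       (list "--manual"
             (string-append "--preferred-challenges=" challenge))
       (list "--webroot" "-w" webroot))
   (list "--cert-name" name
         "-d" (string-join domains ","))
   ;; Common options.
   (if csr `("--csr" ,csr) '())
   (if email
       `("--email" ,email)
       '("--register-unsafely-without-email"))
   (if server `("--server" ,server) '())
   (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
   ;; As before, the hooks are passed only for the manual authenticator.
   (if (and challenge authentication-hook)
       `("--manual-auth-hook" ,authentication-hook)
       '())
   (if (and challenge cleanup-hook)
       `("--manual-cleanup-hook" ,cleanup-hook)
       '())
   (list "--deploy-hook"
         (certbot-deploy-hook name deploy-hook))
   (if dry-run? '("--dry-run") '())))
```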