diff options
| author | Clément Lassieur <clement@lassieur.org> | 2018-02-11 10:53:10 +0100 |
|---|---|---|
| committer | Clément Lassieur <clement@lassieur.org> | 2018-02-22 21:43:54 +0100 |
| commit | fece75fe356ce9f99d1d13baaa5f195c510f187b (patch) | |
| tree | 175aa8d3787d7338b4747f12f6f0ba8edab02e35 /doc/guix.texi | |
| parent | e216c797f7432cbf21f991b1eff97821ace17140 (diff) | |
| download | guix-fece75fe356ce9f99d1d13baaa5f195c510f187b.tar guix-fece75fe356ce9f99d1d13baaa5f195c510f187b.tar.gz | |
services: certbot: Allow to set a deploy hook.
* doc/guix.texi (Certificate Services): Document it.
* gnu/services/certbot.scm (<certificate-configuration>, certbot-command): Add
it.
Diffstat (limited to 'doc/guix.texi')
| -rw-r--r-- | doc/guix.texi | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index e1802978b0..691164502b 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15733,7 +15733,9 @@ signature. The certbot service automates this process: the initial key generation, the initial certification request to the Let's Encrypt service, the web server challenge/response integration, writing the -certificate to disk, and the automated periodic renewals. +certificate to disk, the automated periodic renewals, and the deployment +tasks associated with the renewal (e.g. reloading services, copying keys +with different permissions). Certbot is run twice a day, at a random minute within the hour. It won't do anything until your certificates are due for renewal or @@ -15750,13 +15752,20 @@ A service type for the @code{certbot} Let's Encrypt client. Its value must be a @code{certbot-configuration} record as in this example: @example +(define %nginx-deploy-hook + (program-file + "nginx-deploy-hook" + #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) + (kill pid SIGHUP)))) + (service certbot-service-type (certbot-configuration (email "foo@@example.net") (certificates (list (certificate-configuration - (domains '("example.net" "www.example.net"))) + (domains '("example.net" "www.example.net")) + (deploy-hook %nginx-deploy-hook)) (certificate-configuration (domains '("bar.example.net"))))))) @end example @@ -15826,6 +15835,15 @@ Its default is the first provided domain. The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. +@item @code{deploy-hook} (default: @code{#f}) +Command to be run in a shell once for each successfully issued +certificate. For this command, the shell variable +@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for +example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new +certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will +contain a space-delimited list of renewed certificate domains (for +example, @samp{"example.com www.example.com"}. + @end table @end deftp |