Message ID | 20210314131543.9310-3-pierre.langlois@gmx.com |
---|---|
State | New |
Series | services: certbot: Add dry-run? option and a couple of other minor fixes. |
Context | Check | Description |
---|---|---|
cbaines/submitting builds | success | |
cbaines/comparison | success | View comparison |
cbaines/git branch | success | View Git branch |
cbaines/applying patch | success | View Laminar job |
cbaines/issue | success | View issue |
Hi all,

Friendly ping on this series :-).

Thanks,
Pierre

Pierre Langlois writes:

> * gnu/services/certbot.scm (certificate-configuration): Add dry-run? field. > (certbot-command): Use it to pass --dry-run to certbot. > * doc/guix.texi (Certificate Services): Document dry-run? option. > --- > doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++ > gnu/services/certbot.scm | 10 +++++++--- > 2 files changed, 42 insertions(+), 3 deletions(-) > > diff --git a/doc/guix.texi b/doc/guix.texi > index ec449b1772..322c717941 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi 
> @@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will > contain a space-delimited list of renewed certificate domains (for > example, @samp{"example.com www.example.com"}. > > +@item @code{dry-run?} (default: @code{#f}) > +Communitcate with the ACME server but do not update certificates nor note-to-self, typo here: Communicate > +trigger @code{deploy-hook}. This is useful as a temporary setting to > +test the challenge procedure, especially the @code{authentication-hook} > +and @code{cleanup-hook} while working on them. It's also a good idea to > +use Let's Encrypt's staging server at > +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while > +testing, which allows for higher rate limits, but with which > +@code{certbot} will helpfully refuse to update certificates and > +recommend the @code{dry-run?} option. For example: > + > +@lisp > +(define %authentication-hook > + (program-file "authentication-hook" > + #~(let ((domain (getenv "CERTBOT_DOMAIN")) > + (token (getenv "CERTBOT_TOKEN"))) > + (format #t "Hey, can you authenticate ~a with ~a for me?" > + domain token)))) > + > +(define %cleanup-hook > + (program-file "authentication-hook" > + #~(display "Bye") > + > +(service certbot-service-type > + (certbot-configuration > + (server "https://acme-staging-v02.api.letsencrypt.org/directory") > + (certificates > + (list > + (certificate-configuration > + (dry-run? #t) > + (authentication-hook %authentication-hook) > + (cleanup-hook %cleanup-hook) > + (domains '("example.net" "www.example.net"))))))) > +@end lisp > + > @end table > @end deftp > > diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm > index 1cea68fc2a..15274cf0ed 100644 > --- a/gnu/services/certbot.scm > +++ b/gnu/services/certbot.scm 
> @@ -61,6 +61,8 @@ > (cleanup-hook certificate-cleanup-hook > (default #f)) > (deploy-hook certificate-configuration-deploy-hook > + (default #f)) > + (dry-run? certbot-configuration-dry-run? > (default #f))) > > (define-record-type* <certbot-configuration> > @@ -96,7 +98,7 @@ > (match-lambda > (($ <certificate-configuration> custom-name domains challenge > authentication-hook cleanup-hook > - deploy-hook) > + deploy-hook dry-run?) > (let ((name (or custom-name (car domains)))) > (if challenge > (append > @@ -114,7 +116,8 @@ > `("--manual-auth-hook" ,authentication-hook) > '()) > (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) > - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) > + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()) > + (if dry-run? '("--dry-run"))) > (append > (list name certbot "certonly" "-n" "--agree-tos" > "--webroot" "-w" webroot > @@ -125,7 +128,8 @@ > '("--register-unsafely-without-email")) > (if server `("--server" ,server) '()) > (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) > - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) > + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()) > + (if dry-run? '("--dry-run") '())))))) > certificates))) > (program-file > "certbot-command"
On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
> Hi all,
>
> Friendly ping on this series :-).

Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This means no changes to the manual or other translatable parts of Guix until then.
Hi Leo,

Leo Famulari writes:

> On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
>> Hi all,
>>
>> Friendly ping on this series :-).
>
> Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
> means no changes to the manual or other translatable parts of Guix until
> then.

Aaah I see, thanks for the info!

Pierre
diff --git a/doc/guix.texi b/doc/guix.texi index ec449b1772..322c717941 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{dry-run?} (default: @code{#f}) +Communitcate with the ACME server but do not update certificates nor +trigger @code{deploy-hook}. This is useful as a temporary setting to +test the challenge procedure, especially the @code{authentication-hook} +and @code{cleanup-hook} while working on them. It's also a good idea to +use Let's Encrypt's staging server at +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while +testing, which allows for higher rate limits, but with which +@code{certbot} will helpfully refuse to update certificates and +recommend the @code{dry-run?} option. For example: + +@lisp +(define %authentication-hook + (program-file "authentication-hook" + #~(let ((domain (getenv "CERTBOT_DOMAIN")) + (token (getenv "CERTBOT_TOKEN"))) + (format #t "Hey, can you authenticate ~a with ~a for me?" + domain token)))) + +(define %cleanup-hook + (program-file "authentication-hook" + #~(display "Bye") + +(service certbot-service-type + (certbot-configuration + (server "https://acme-staging-v02.api.letsencrypt.org/directory") + (certificates + (list + (certificate-configuration + (dry-run? #t) + (authentication-hook %authentication-hook) + (cleanup-hook %cleanup-hook) + (domains '("example.net" "www.example.net"))))))) +@end lisp + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 1cea68fc2a..15274cf0ed 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -61,6 +61,8 @@ (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook + (default #f)) + (dry-run? certbot-configuration-dry-run? (default #f))) (define-record-type* <certbot-configuration> @@ -96,7 +98,7 @@ (match-lambda (($ <certificate-configuration> custom-name domains challenge authentication-hook cleanup-hook - deploy-hook) + deploy-hook dry-run?) (let ((name (or custom-name (car domains)))) (if challenge (append @@ -114,7 +116,8 @@ `("--manual-auth-hook" ,authentication-hook) '()) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()) + (if dry-run? '("--dry-run"))) (append (list name certbot "certonly" "-n" "--agree-tos" "--webroot" "-w" webroot @@ -125,7 +128,8 @@ '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()) + (if dry-run? '("--dry-run") '())))))) certificates))) (program-file "certbot-command"
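Review bot: in the doc/guix.texi hunk, the second definition of the @lisp example does not parse: `(define %cleanup-hook (program-file "authentication-hook" #~(display "Bye")` closes only the `display` form, so two closing parentheses are missing, and the program-file is named "authentication-hook" although it is the cleanup hook. Suggest `(define %cleanup-hook (program-file "cleanup-hook" #~(display "Bye")))`. In the same hunk, "Communitcate" should read "Communicate". Since this example is what readers will copy to exercise their challenge hooks against the staging server, it should evaluate as written.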
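Review bot: in the @@ -61 hunk the new field's accessor is named `certbot-configuration-dry-run?`, but the field belongs to `<certificate-configuration>`; the neighbouring `deploy-hook` field uses `certificate-configuration-deploy-hook`. Rename it to `certificate-configuration-dry-run?` so the accessor matches its record type and does not read as a field of the separate `<certbot-configuration>` record defined just below.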
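Review bot: in the @@ -114 hunk (the manual-challenge branch) the added `(if dry-run? '("--dry-run")))` has no else arm, so with the default `dry-run?` of `#f` the `if` returns an unspecified value and the enclosing `append` fails with a wrong-type-argument error; every existing manual-challenge certificate configuration would stop building once this lands. The webroot branch in the @@ -125 hunk has the right form: use `(if dry-run? '("--dry-run") '())` here too.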