From patchwork Sat Mar 15 21:37:12 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40218
Subject: [bug#77041] [PATCH 06/16] services: certbot: Turn into a Shepherd timer.
To: 77041@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Sat, 15 Mar 2025 22:37:12 +0100
Message-ID: <52a1dd45cb6686b3d13f8b143a0d8bcbf2b6aaab.1742073920.git.ludo@gnu.org>
X-Mailer: git-send-email 2.48.1

* gnu/services/certbot.scm (certbot-renewal-jobs): Rename to…
(certbot-renewal-shepherd-services): … this.  Return a list of Shepherd
services, including ‘renew-certbot-certificates’, formerly defined…
(certbot-renewal-one-shot): … here.  Remove.
(certbot-service-type): Adjust accordingly.

Change-Id: I25ad9fc1277f4f6f948ab5fce7c6626f22591d10
---
 gnu/services/certbot.scm | 93 +++++++++++++++++++++-------------------
 1 file changed, 50 insertions(+), 43 deletions(-)

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index b276c49e0f..d6c7d175ff 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -27,7 +27,6 @@ (define-module (gnu services certbot) #:use-module (gnu services) #:use-module (gnu services base) #:use-module (gnu services shepherd) - #:use-module (gnu services mcron) #:use-module (gnu services web) #:use-module (gnu system shadow) #:use-module (gnu packages tls)
@@ -220,46 +219,56 @@ (define certbot-command '#$commands) (exit script-code)))))))) -(define (certbot-renewal-jobs config) - (list - ;; Attempt to renew the certificates twice per day, at a random minute - ;; within the hour. See https://eff-certbot.readthedocs.io/. - #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) - #$(certbot-command config)))) +(define (certbot-renewal-shepherd-services config) + (list (shepherd-service + (provision '(certbot-certificate-renewal)) + (requirement '(user-processes nginx)) + (modules '((shepherd service timer))) + (start #~(make-timer-constructor + ;; Attempt to renew the certificates twice per day. See + ;; https://eff-certbot.readthedocs.io/. + (calendar-event #:minutes '(22) #:hours '(0 12)) + (command '(#$(certbot-command config))) + #:wait-for-termination? #t)) + (stop #~(make-timer-destructor)) + (documentation "Periodically run the 'certbot' command to renew X.509 +certificates.") + (actions + (list shepherd-trigger-action + (shepherd-configuration-action (certbot-command config))))) -(define (certbot-renewal-one-shot config) - (list - ;; Renew certificates when the system first starts. This is a one-shot - ;; service, because the mcron configuration will take care of running this - ;; periodically. This is most useful the very first time the system starts, - ;; to overwrite our self-signed certificates as soon as possible without - ;; user intervention. - (shepherd-service - (provision '(renew-certbot-certificates)) - (requirement '(nginx)) - (one-shot? #t) - (start #~(lambda _ - ;; This needs the network, but there's no reliable way to know - ;; if the network is up other than trying. If we fail due to a - ;; connection error we retry a number of times in the hope that - ;; the network comes up soon. 
- (let loop ((attempt 0)) - (let ((code (status:exit-val - (system* #$(certbot-command config))))) - (cond - ((and (= code 2) ; Exit code 2 means connection error - (< attempt 12)) ; Arbitrarily chosen max attempts - (sleep 10) ; Arbitrarily chosen retry delay - (loop (1+ attempt))) - ((zero? code) - ;; Success! - #t) - (else - ;; Failure. - #f)))))) - (auto-start? #t) - (documentation "Call certbot to renew certificates.") - (actions (list (shepherd-configuration-action (certbot-command config))))))) + ;; Renew certificates when the system first starts. This is a one-shot + ;; service, because the timer above takes care of running this + ;; periodically. This is most useful the very first time the system + ;; starts, to overwrite our self-signed certificates as soon as + ;; possible without user intervention. + (shepherd-service + (provision '(renew-certbot-certificates)) + (requirement '(user-processes nginx)) + (one-shot? #t) + (start #~(lambda _ + ;; This needs the network, but there's no reliable way to know + ;; if the network is up other than trying. If we fail due to a + ;; connection error we retry a number of times in the hope that + ;; the network comes up soon. + (let loop ((attempt 0)) + (let ((code (status:exit-val + (system* #$(certbot-command config))))) + (cond + ((and (= code 2) ; Exit code 2 means connection error + (< attempt 12)) ; Arbitrarily chosen max attempts + (sleep 10) ; Arbitrarily chosen retry delay + (loop (1+ attempt))) + ((zero? code) + ;; Success! + #t) + (else + ;; Failure. + #f)))))) + (auto-start? #t) + (documentation "Run 'certbot' to renew certificates at boot time.") + (actions + (list (shepherd-configuration-action (certbot-command config))))))) (define (generate-certificate-gexp certbot-cert-directory rsa-key-size) (match-lambda 
@@ -354,10 +363,8 @@ (define certbot-service-type (compose list certbot-configuration-package)) (service-extension activation-service-type certbot-activation) - (service-extension mcron-service-type - certbot-renewal-jobs) (service-extension shepherd-root-service-type - certbot-renewal-one-shot))) + certbot-renewal-shepherd-services))) (compose concatenate) (extend (lambda (config additional-certificates) (certbot-configuration
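Review bot: in the certbot-renewal-shepherd-services hunk (the one starting at -220,46), the renewal schedule silently changes from the old job's per-system random minute, `(next-minute-from (next-hour '(0 12)) (list (random 60)))`, to a fixed `(calendar-event #:minutes '(22) #:hours '(0 12))`, so every deployment built from this code contacts the ACME endpoint at exactly 00:22 and 12:22 while the deleted comment cited the random-minute recommendation from the certbot documentation. Consider keeping a randomised minute (for example chosen at configuration time) or stating the change in the commit message. The same hunk also adds `nginx` to the timer's `requirement` (the mcron job had no such dependency, so stopping nginx now also stops the renewal timer) and adds `user-processes` to both services; neither is mentioned in the commit message.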
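Review bot: the certbot-service-type hunk (starting at -354,10) is a user-visible change, since renewal is now the Shepherd service `certbot-certificate-renewal` with a `shepherd-trigger-action` instead of an mcron job, yet nothing in this patch touches the documentation; the manual text for certbot-service-type (and a NEWS entry) should mention the new service name and how to trigger a renewal by hand. Dropping `mcron-service-type` from the extensions is consistent with the removed `(gnu services mcron)` import in the first hunk, so that part looks complete.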