diff mbox series

[bug#67497,4/4] In certbot's client configuration, offer multiple deploy-hooks.

Message ID 729de952f099681b99b1ffd4f3f5bed736cc6b43.1701120054.git.felix.lechner@lease-up.com
State New
Headers show
Series [bug#67497,1/4] In documentation, rename %certbot-deploy-hook back to %nginx-deploy-hook.. | expand

Commit Message

Felix Lechner Nov. 27, 2023, 9:20 p.m. UTC 
The certbot program can accept multiple deploy hooks by repeating the relevant
option on the command line. This commit makes that capability available to
users.

Certificates are often used to secure multiple services. It is helpful to have
separate hooks for each service. It makes those hooks easier to maintain. It's
also easier that way to re-use a hook for another certificate that may not
serve to secure the same combination of services.

Change-Id: I3a293daee47030d9bee7f366605aa63a14e98e38
---
 doc/guix.texi            | 11 ++++++-----
 gnu/services/certbot.scm | 20 +++++++++++++++++---
 2 files changed, 23 insertions(+), 8 deletions(-)
diff mbox series

Patch

diff --git a/doc/guix.texi b/doc/guix.texi
index 440a5f3efa..c5cbd0275d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32046,7 +32046,7 @@  Certificate Services
            (list
             (certificate-configuration
              (domains '("example.net" "www.example.net"))
-             (deploy-hook %nginx-deploy-hook))
+             (deploy-hooks '(%nginx-deploy-hook)))
             (certificate-configuration
              (domains '("bar.example.net")))))))
 @end lisp
@@ -32151,14 +32151,15 @@  Certificate Services
 additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
 of the @code{auth-hook} script.
 
-@item @code{deploy-hook} (default: @code{#f})
-Command to be run in a shell once for each successfully issued
-certificate.  For this command, the environment variable
+@item @code{deploy-hooks} (default: @code{'()})
+Commands to be run in a shell once for each successfully issued
+certificate.  For these commands, the environment variable
 @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
 example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
 certificates and keys; the environment variable @code{$RENEWED_DOMAINS} will
 contain a space-delimited list of renewed certificate domains (for
-example, @samp{"example.com www.example.com"}.
+example, @samp{"example.com www.example.com"}. Please note that the singular
+field @code{deploy-hook} was replaced by this field in the plural.
 
 @end table
 @end deftp
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 8490a69a99..9d5305174b 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -30,6 +30,7 @@  (define-module (gnu services certbot)
   #:use-module (gnu services web)
   #:use-module (gnu system shadow)
   #:use-module (gnu packages tls)
+  #:use-module (guix deprecation)
   #:use-module (guix i18n)
   #:use-module (guix records)
   #:use-module (guix gexp)
@@ -62,8 +63,11 @@  (define-record-type* <certificate-configuration>
                        (default #f))
   (cleanup-hook        certificate-cleanup-hook
                        (default #f))
+  ;; TODO: remove singular deploy-hook; is deprecated
   (deploy-hook         certificate-configuration-deploy-hook
-                       (default #f)))
+                       (default #f))
+  (deploy-hooks        certificate-configuration-deploy-hooks
+                       (default '())))
 
 (define-record-type* <certbot-configuration>
   certbot-configuration make-certbot-configuration
@@ -98,7 +102,8 @@  (define certbot-command
               (match-lambda
                 (($ <certificate-configuration> custom-name domains challenge
                                                 csr authentication-hook
-                                                cleanup-hook deploy-hook)
+                                                cleanup-hook
+                                                deploy-hook deploy-hooks)
                  (let ((name (or custom-name (car domains))))
                    (append
                     (list name
@@ -126,7 +131,16 @@  (define certbot-command
                         (list "--register-unsafely-without-email"))
                     (if server (list "--server" server) '())
                     (if rsa-key-size (list "--rsa-key-size" rsa-key-size) '())
-                    (if deploy-hook (list "--deploy-hook" deploy-hook) '())))))
+
+                    (if deploy-hook
+                        (begin
+                          (warn-about-deprecation 'deploy-hook #f
+                                                  #:replacement 'deploy-hooks)
+                          (list "--deploy-hook" deploy-hook))
+                        '())
+                    (append-map (lambda (hook)
+                                  (list "--deploy-hook" hook))
+                                deploy-hooks)))))
               certificates)))
        (program-file
         "certbot-command"