From: Felix Lechner
Date: Mon, 27 Nov 2023 13:20:54 -0800
Subject: [bug#67497] [PATCH 4/4] In certbot's client configuration, offer multiple deploy-hooks.
To: 67497@debbugs.gnu.org
Cc: Bruno Victal, Felix Lechner
Message-ID: <729de952f099681b99b1ffd4f3f5bed736cc6b43.1701120054.git.felix.lechner@lease-up.com>
X-Patchwork-Id: 56875

The certbot program can accept multiple deploy hooks by repeating the relevant option on the command line. This commit makes that capability available to users.

Certificates are often used to secure multiple services. It is helpful to have separate hooks for each service. It makes those hooks easier to maintain. It's also easier that way to re-use a hook for another certificate that may not serve to secure the same combination of services.

Change-Id: I3a293daee47030d9bee7f366605aa63a14e98e38
--- doc/guix.texi | 11 ++++++----- gnu/services/certbot.scm | 20 +++++++++++++++++--- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 440a5f3efa..c5cbd0275d 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32046,7 +32046,7 @@ Certificate Services (list (certificate-configuration (domains '("example.net" "www.example.net")) - (deploy-hook %nginx-deploy-hook)) + (deploy-hooks '(%nginx-deploy-hook))) (certificate-configuration (domains '("bar.example.net"))))))) @end lisp 
@@ -32151,14 +32151,15 @@ Certificate Services additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output of the @code{auth-hook} script. -@item @code{deploy-hook} (default: @code{#f}) -Command to be run in a shell once for each successfully issued -certificate. For this command, the environment variable +@item @code{deploy-hooks} (default: @code{'()}) +Commands to be run in a shell once for each successfully issued +certificate. For these commands, the environment variable @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new certificates and keys; the environment variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for -example, @samp{"example.com www.example.com"}. +example, @samp{"example.com www.example.com"}. Please note that the singular +field @code{deploy-hook} was replaced by this field in the plural. @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 8490a69a99..9d5305174b 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -30,6 +30,7 @@ (define-module (gnu services certbot) #:use-module (gnu services web) #:use-module (gnu system shadow) #:use-module (gnu packages tls) + #:use-module (guix deprecation) #:use-module (guix i18n) #:use-module (guix records) #:use-module (guix gexp) @@ -62,8 +63,11 @@ (define-record-type* (default #f)) (cleanup-hook certificate-cleanup-hook (default #f)) + ;; TODO: remove singular deploy-hook; is deprecated (deploy-hook certificate-configuration-deploy-hook - (default #f))) + (default #f)) + (deploy-hooks certificate-configuration-deploy-hooks + (default '()))) (define-record-type* certbot-configuration make-certbot-configuration 
@@ -98,7 +102,8 @@ (define certbot-command (match-lambda (($ custom-name domains challenge csr authentication-hook - cleanup-hook deploy-hook) + cleanup-hook + deploy-hook deploy-hooks) (let ((name (or custom-name (car domains)))) (append (list name @@ -126,7 +131,16 @@ (define certbot-command (list "--register-unsafely-without-email")) (if server (list "--server" server) '()) (if rsa-key-size (list "--rsa-key-size" rsa-key-size) '()) - (if deploy-hook (list "--deploy-hook" deploy-hook) '()))))) + + (if deploy-hook + (begin + (warn-about-deprecation 'deploy-hook #f + #:replacement 'deploy-hooks) + (list "--deploy-hook" deploy-hook)) + '()) + (append-map (lambda (hook) + (list "--deploy-hook" hook)) + deploy-hooks))))) certificates))) (program-file "certbot-command"
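
Review bot: In the doc/guix.texi example hunk (@@ -32046), `(deploy-hooks '(%nginx-deploy-hook))` quotes the list, so the field receives the symbol `%nginx-deploy-hook` instead of the value that the removed line `(deploy-hook %nginx-deploy-hook)` passed by evaluating the variable. Write `(deploy-hooks (list %nginx-deploy-hook))` so that readers who copy the example get a working hook.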
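
Review bot: The sentence added to the `deploy-hooks` item in doc/guix.texi (@@ -32151) says the singular `deploy-hook` "was replaced", but gnu/services/certbot.scm in this same patch keeps that field and only warns about it. Describe it as deprecated but still accepted, state that it is passed ahead of the `deploy-hooks` entries when both are set, and say that the new field takes a list. The `(for example, @samp{"example.com www.example.com"}.` text touched by this hunk also still lacks its closing parenthesis.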
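
Review bot: The `deploy-hooks` field added to the record in gnu/services/certbot.scm (@@ -62) has no validation, so a user who migrates by only renaming `deploy-hook` and leaves a single command in place gets a failure from `append-map` inside `certbot-command`, far from the configuration that caused it. A `sanitize` clause on the field that rejects non-list values would report the mistake where it is made. The comment `;; TODO: remove singular deploy-hook; is deprecated` would also read better as a complete sentence.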
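
Review bot: In the final `certbot-command` hunk (@@ -126), `warn-about-deprecation` is called with `#f` as its second argument from inside the per-certificate lambda, so the warning is repeated for every certificate that still uses `deploy-hook` and never says which one. Consider issuing it once where the record is built, or at least including the certificate name in the message. The hunk also introduces `append-map` while the `#:use-module` hunk only adds `(guix deprecation)`, so please confirm `(srfi srfi-1)` is already imported, and drop the empty `+` line left after the `rsa-key-size` clause.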