From patchwork Wed Apr 30 15:34:39 2025
X-Patchwork-Submitter: Felix Lechner
X-Patchwork-Id: 42180
Subject: [bug#67497] [PATCH v2 4/4] In certbot's client configuration, offer multiple deploy-hooks.
Date: Wed, 30 Apr 2025 08:34:39 -0700
From: Felix Lechner
To: 67497@debbugs.gnu.org
Cc: Carlo Zancanaro, Bruno Victal, Felix Lechner, Maxim Cournoyer, Gabriel Wicki, Ludovic Courtès
Resent-CC: gabriel@erlikon.ch, ludo@gnu.org, maxim.cournoyer@gmail.com, guix-patches@gnu.org
X-Mailer: git-send-email 2.49.0

The certbot program can accept multiple deploy hooks by repeating the relevant option on the command line. This commit makes that capability available to users.

Certificates are often used to secure multiple services. It is helpful to have separate hooks for each service. It makes those hooks easier to maintain. It's also easier that way to re-use a hook for another certificate that may not serve to secure the same combination of services.

Change-Id: I3a293daee47030d9bee7f366605aa63a14e98e38
---
 doc/guix.texi            | 11 ++++++-----
 gnu/services/certbot.scm | 18 ++++++++++++++++--
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 1b0fa4f2a3a..deb1f76d353 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -35378,7 +35378,7 @@ Certificate Services (list (certificate-configuration (domains '("example.net" "www.example.net")) - (deploy-hook %nginx-deploy-hook)) + (deploy-hooks '(%nginx-deploy-hook))) (certificate-configuration (domains '("bar.example.net"))))))) @end lisp @@ -35483,14 +35483,15 @@ Certificate Services additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output of the @code{auth-hook} script. -@item @code{deploy-hook} (default: @code{#f}) -Command to be run in a shell once for each successfully issued -certificate. For this command, the environment variable +@item @code{deploy-hooks} (default: @code{'()}) +Commands to be run in a shell once for each successfully issued +certificate. For these commands, the environment variable @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new certificates and keys; the environment variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for -example, @samp{"example.com www.example.com"}. +example, @samp{"example.com www.example.com"}. Please note that the singular +field @code{deploy-hook} was replaced by this field in the plural. @item @code{start-self-signed?} (default: @code{#t}) Whether to generate an initial self-signed certificate during system diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 08a480ed3b1..7a67b9bd7cb 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -30,6 +30,7 @@ (define-module (gnu services certbot) #:use-module (gnu services web) #:use-module (gnu system shadow) #:use-module (gnu packages tls) + #:use-module (guix deprecation) #:use-module (guix i18n) #:use-module (guix records) #:use-module (guix gexp) 
@@ -63,8 +64,11 @@ (define-record-type* (default #f)) (cleanup-hook certificate-cleanup-hook (default #f)) + ;; TODO: remove singular deploy-hook; is deprecated (deploy-hook certificate-configuration-deploy-hook (default #f)) + (deploy-hooks certificate-configuration-deploy-hooks + (default '())) (start-self-signed? certificate-configuration-start-self-signed? (default #t))) @@ -140,7 +144,8 @@ (define certbot-command (match-lambda (($ custom-name domains challenge csr authentication-hook - cleanup-hook deploy-hook) + cleanup-hook + deploy-hook deploy-hooks) (let ((name (or custom-name (car domains)))) (append (list name @@ -168,7 +173,16 @@ (define certbot-command (list "--register-unsafely-without-email")) (if server (list "--server" server) '()) (if rsa-key-size (list "--rsa-key-size" rsa-key-size) '()) - (if deploy-hook (list "--deploy-hook" deploy-hook) '()))))) + + (if deploy-hook + (begin + (warn-about-deprecation 'deploy-hook #f + #:replacement 'deploy-hooks) + (list "--deploy-hook" deploy-hook)) + '()) + (append-map (lambda (hook) + (list "--deploy-hook" hook)) + deploy-hooks))))) certificates))) (program-file "certbot-command"
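Review bot: In the doc/guix.texi example hunk (@@ -35378), `(deploy-hooks '(%nginx-deploy-hook))` quotes the list, so it contains the symbol `%nginx-deploy-hook` rather than the value of that variable (the program-file the manual defines just above this example); certbot would be handed a symbol instead of a hook path. It should read `(deploy-hooks (list %nginx-deploy-hook))`, matching how the new `deploy-hooks` field is consumed by `append-map` in certbot.scm.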
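Review bot: In the doc/guix.texi field-description hunk (@@ -35483), the `@item @code{deploy-hook}` entry is removed outright even though certbot.scm keeps accepting the singular field and only warns; the added sentence "the singular field @code{deploy-hook} was replaced by this field" should say it is still accepted but deprecated, so existing configurations are known to keep working until the TODO in certbot.scm is acted on. The replaced line also carries over the pre-existing unbalanced parenthesis in `(for example, @samp{"example.com www.example.com"}.`; since the line is being rewritten anyway, close it: `@samp{"example.com www.example.com"}).`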
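Review bot: In the certbot-command hunk (@@ -168), `warn-about-deprecation` is passed `#f` as the location, so the warning cannot point at the configuration that used `deploy-hook`, and it is emitted every time `certbot-command` builds the command list rather than once; the stray blank line added before `(if deploy-hook` inside the `append` form is also out of step with the surrounding style. When both `deploy-hook` and `deploy-hooks` are set, both are passed to certbot without comment; either reject that combination or document that both run. Finally, the commit message's premise that certbot honours repeated `--deploy-hook` options is not something this hunk can establish: please confirm it against the certbot version packaged in Guix, because if the option is a plain single-value argparse argument the last `--deploy-hook` on the command line wins and only the final entry of `deploy-hooks` would ever run. certbot's documented way to run several deploy hooks is the `renewal-hooks/deploy/` directory under its configuration directory, which would be the fallback if repetition turns out not to work.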
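The commit message argues for one hook per service so that a hook can be reused by another certificate covering a different set of domains. A hook written that way has to check what certbot is telling it before acting. The script below is an added example, not part of this patch, of Guix, or of certbot: it uses the `RENEWED_LINEAGE` and `RENEWED_DOMAINS` variables described in the documentation hunk, reloads its service only when a domain that service presents was actually renewed, and refuses to signal anything if the lineage is incomplete or the PID file is unusable. `SERVED_DOMAINS`, `PIDFILE` and the imagined mail server are assumptions for illustration.

```shell
#!/bin/sh
# Added example deploy hook; not from the Guix patch or from certbot.
# certbot runs each --deploy-hook in a shell with RENEWED_LINEAGE (the live
# directory of the renewed certificate) and RENEWED_DOMAINS (space-separated)
# set.  A hook shared between several certificates should act only when a
# domain its service presents was renewed, and only if the lineage is usable.

# domains_match RENEWED SERVED: succeed if any word of SERVED occurs in
# RENEWED.  Comparison is exact, so "example.net" does not match
# "www.example.net"; a wildcard lineage would need its own rule.
domains_match() {
    for d in $2; do
        for r in $1; do
            if [ "$r" = "$d" ]; then
                return 0
            fi
        done
    done
    return 1
}

# lineage_ok DIR: succeed if DIR holds a readable chain and private key,
# the two files certbot writes that a TLS server needs.
lineage_ok() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# reload_from_pidfile PIDFILE: send SIGHUP to the daemon whose PID is in
# PIDFILE.  Fails without signalling anything if the file is missing or
# does not contain a bare decimal PID, so a corrupted pidfile cannot make
# the hook signal an arbitrary process.
reload_from_pidfile() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -HUP "$pid"
}

# Hook body.  SERVED_DOMAINS and PIDFILE are assumptions for an imagined
# mail server; change both for the service this hook belongs to.
main() {
    SERVED_DOMAINS="mail.example.net imap.example.net"
    PIDFILE=/var/run/mail/pid
    if ! domains_match "${RENEWED_DOMAINS:-}" "$SERVED_DOMAINS"; then
        echo "deploy-hook: none of '$RENEWED_DOMAINS' is served here; nothing to do" >&2
        return 0
    fi
    if ! lineage_ok "$RENEWED_LINEAGE"; then
        echo "deploy-hook: $RENEWED_LINEAGE lacks fullchain.pem or privkey.pem" >&2
        return 1
    fi
    reload_from_pidfile "$PIDFILE"
}

# certbot exports RENEWED_LINEAGE; run the hook body only in that context so
# the functions above can be sourced and tested without touching a daemon.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Installed as one entry of `deploy-hooks`, the same script can be listed under several `certificate-configuration` records: for a certificate that carries none of `SERVED_DOMAINS` it exits 0 without reloading, which is what makes per-service hooks safe to reuse.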