system-configuration/modules/config/certbot.scm

;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
;;
;; Certbot configuration tools
;;
;; Module (config certbot): exports CERTBOT-SERVICE, a helper that builds a
;; certbot service instance for a list of domain groups.
(define-module (config certbot)
  #:use-module (gnu services)         ; service
  #:use-module (gnu services certbot) ; certbot-service-type, certbot-configuration, certificate-configuration
  #:use-module (guix gexp)            ; program-file, #~ gexps
  #:export (certbot-service))
27
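;; Deploy hook run by certbot after a successful renewal.  certbot exports
;; RENEWED_LINEAGE, the directory holding the renewed privkey.pem; the hook
;; tightens that key's permissions and then asks nginx to reload by sending
;; SIGHUP to the pid read from /var/run/nginx/pid.
;;
;; Both steps fail loudly (uncaught Guile error) rather than silently: a hook
;; that leaves a renewed key world-readable, or nginx serving a stale cert,
;; should show up in the certbot log.
(define %nginx-deploy-hook
  (program-file
   "nginx-deploy-hook"
   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))
           (cert-dir (getenv "RENEWED_LINEAGE")))
       ;; Fail with a clear message instead of a wrong-type error from
       ;; string-append when certbot did not set the variable.
       (unless cert-dir
         (error "nginx-deploy-hook: RENEWED_LINEAGE is not set"))
       (let ((privkey (string-append cert-dir "/privkey.pem")))
         ;; certbot private keys are world-readable by default, and smtpd complains
         ;; about that, refusing to start.  Owner read/write only (#o600): the
         ;; previous value #o6000 set the setuid/setgid bits and cleared every
         ;; permission bit, so the key was readable by nobody but root and
         ;; carried meaningless set-id bits.  chmod follows symlinks, so the
         ;; file behind privkey.pem gets the mode (presumably the archive copy
         ;; under the lineage — confirm against the certbot layout in use).
         (chmod privkey #o600))
       ;; Tighten the key before reloading so nginx never re-reads it in the
       ;; intermediate state.
       (kill pid SIGHUP))))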
;; Joined into the contact e-mail below; presumably kept as a separate
;; symbol so the full address does not appear verbatim in the source — confirm.
(define AT "@")
(define (certbot-service domains-list)
  "Return a certbot service instance covering DOMAINS-LIST, a list of domain
groups (each group a list of domain names sharing one certificate).  Every
certificate is renewed with the nginx deploy hook so nginx reloads after
renewal.  Contact address, webroot and key size are fixed here."
  (define (domains->certificate domains)
    ;; One certificate per domain group, all wired to the same deploy hook.
    (certificate-configuration
      (domains domains)
      (deploy-hook %nginx-deploy-hook)))
  (service certbot-service-type
    (certbot-configuration
      (email (string-append "certs" AT "lepiller.eu"))
      (webroot "/srv/http/certbot")
      (rsa-key-size 4096)
      (certificates (map domains->certificate domains-list)))))