gnu: certbot: Add support for manual plugin.

* gnu/services/certbot.scm (certificate-configuration): Add challenge,
auth-hook and cleanup-hook fields.
(certbot-command): Use them.
* doc/guix.texi (Certificate Services): Document them.
This commit is contained in:
Julien Lepiller 2019-04-19 22:28:30 +02:00
parent c3634df2a4
commit b68aff1f05
No known key found for this signature in database
GPG Key ID: 43111F4520086A0C
2 changed files with 51 additions and 9 deletions

View File

@ -19425,6 +19425,26 @@ Its default is the first provided domain.
The first domain provided will be the subject CN of the certificate, and
all domains will be Subject Alternative Names on the certificate.
@item @code{challenge} (default: @code{#f})
The challenge type that has to be run by certbot. If @code{#f} is specified,
default to the HTTP challenge. If a value is specified, defaults to the
manual plugin (see @code{authentication-hook}, @code{cleanup-hook} and
the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}).
@item @code{authentication-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge to be
answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
will contain the domain being authenticated, @code{$CERTBOT_VALIDATION}
contains the validation string and @code{$CERTBOT_TOKEN} contains the
file name of the resource requested when performing an HTTP-01 challenge.
@item @code{cleanup-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge that
have been answered by the @code{auth-hook}. For this command, the shell
variables available in the @code{auth-hook} script are still available, and
additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
of the @code{auth-hook} script.
@item @code{deploy-hook} (default: @code{#f})
Command to be run in a shell once for each successfully issued
certificate. For this command, the shell variable

View File

@ -2,6 +2,7 @@
;;; Copyright © 2016 ng0 <ng0@n0.is>
;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org>
;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This file is part of GNU Guix.
;;;
@ -50,6 +51,12 @@
(default #f))
(domains certificate-configuration-domains
(default '()))
(challenge certificate-configuration-challenge
(default #f))
(authentication-hook certificate-authentication-hook
(default #f))
(cleanup-hook certificate-cleanup-hook
(default #f))
(deploy-hook certificate-configuration-deploy-hook
(default #f)))
@ -81,17 +88,32 @@
(commands
(map
(match-lambda
(($ <certificate-configuration> custom-name domains
(($ <certificate-configuration> custom-name domains challenge
authentication-hook cleanup-hook
deploy-hook)
(let ((name (or custom-name (car domains))))
(append
(list name certbot "certonly" "-n" "--agree-tos"
"-m" email
"--webroot" "-w" webroot
"--cert-name" name
"-d" (string-join domains ","))
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
(if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
(if challenge
(append
(list name certbot "certonly" "-n" "--agree-tos"
"-m" email
"--manual"
(string-append "--preferred-challenges=" challenge)
"--cert-name" name
"-d" (string-join domains ","))
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
(if authentication-hook
`("--manual-auth-hook" ,authentication-hook)
'())
(if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
(if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
(append
(list name certbot "certonly" "-n" "--agree-tos"
"-m" email
"--webroot" "-w" webroot
"--cert-name" name
"-d" (string-join domains ","))
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
(if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
certificates)))
(program-file
"certbot-command"