1115f140 | 1 | ;;; GNU Guix --- Functional package management for GNU |
3c986a7d | 2 | ;;; Copyright © 2016 Nikita <nikita@n0.is> |
1115f140 | 3 | ;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org> |
70cd2239 | 4 | ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org> |
b68aff1f | 5 | ;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu> |
6 | ;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us> |
7 | ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> | |
1bf1226a | 8 | ;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name> |
9 | ;;; |
10 | ;;; This file is part of GNU Guix. | |
11 | ;;; | |
12 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
13 | ;;; under the terms of the GNU General Public License as published by | |
14 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
15 | ;;; your option) any later version. | |
16 | ;;; | |
17 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
18 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
19 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
20 | ;;; GNU General Public License for more details. | |
21 | ;;; | |
22 | ;;; You should have received a copy of the GNU General Public License | |
23 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
24 | ||
(define-module (gnu services certbot)
  #:use-module (gnu services)
  #:use-module (gnu services base)
  #:use-module (gnu services shepherd)
  #:use-module (gnu services mcron)
  #:use-module (gnu services web)
  #:use-module (gnu system shadow)
  #:use-module (gnu packages tls)
  #:use-module (guix i18n)
  #:use-module (guix records)
  #:use-module (guix gexp)
  #:use-module (srfi srfi-1)
  #:use-module (ice-9 match)
  ;; Public interface: the service type, the two configuration record
  ;; constructors, and the predicate for the top-level one.
  #:export (certbot-service-type
            certbot-configuration
            certbot-configuration?
            certificate-configuration))
42 | |
43 | ;;; Commentary: | |
44 | ;;; | |
45 | ;;; Automatically obtaining TLS certificates from Let's Encrypt. | |
46 | ;;; | |
47 | ;;; Code: | |
48 | ||
49 | \f | |
;; One certificate that certbot should obtain and keep renewed.
(define-record-type* <certificate-configuration>
  certificate-configuration make-certificate-configuration
  certificate-configuration?
  ;; Passed to certbot as --cert-name; when #f the first of DOMAINS is used.
  (name certificate-configuration-name
        (default #f))
  ;; Domains covered by the certificate; joined with "," into one -d argument.
  (domains certificate-configuration-domains
           (default '()))
  ;; When set, certbot runs in --manual mode with this value as
  ;; --preferred-challenges instead of the --webroot plugin.
  (challenge certificate-configuration-challenge
             (default #f))
  ;; Optional certificate signing request, passed as --csr.
  (csr certificate-configuration-csr
       (default #f))
  ;; --manual-auth-hook / --manual-cleanup-hook.  Only emitted when CHALLENGE
  ;; is set; the webroot command line does not include them.
  (authentication-hook certificate-authentication-hook
                       (default #f))
  (cleanup-hook certificate-cleanup-hook
                (default #f))
  ;; Passed as --deploy-hook in both the manual and the webroot mode.
  (deploy-hook certificate-configuration-deploy-hook
               (default #f)))
c3215d2f | 67 | |
;; Configuration of the certbot service as a whole.  Field order matters: the
;; `($ <certbot-configuration> ...)' patterns below destructure positionally.
(define-record-type* <certbot-configuration>
  certbot-configuration make-certbot-configuration
  certbot-configuration?
  ;; Package providing bin/certbot.
  (package certbot-configuration-package
           (default certbot))
  ;; Directory given to certbot's --webroot plugin (-w) and served by nginx
  ;; under /.well-known; it is created at activation time.
  (webroot certbot-configuration-webroot
           (default "/var/www"))
  ;; List of <certificate-configuration>; other services extend it.
  (certificates certbot-configuration-certificates
                (default '()))
  ;; Account email passed as --email; when #f certbot is invoked with
  ;; --register-unsafely-without-email.
  (email certbot-configuration-email
         (default #f))
  ;; ACME server URL passed as --server; #f keeps certbot's default.
  (server certbot-configuration-server
          (default #f))
  ;; Number passed as --rsa-key-size (converted with number->string).
  (rsa-key-size certbot-configuration-rsa-key-size
                (default #f))
  ;; Location appended to the port-80 nginx server; #f leaves only the
  ;; /.well-known location.  The default redirects everything to HTTPS.
  (default-location certbot-configuration-default-location
    (default
      (nginx-location-configuration
       (uri "/")
       (body
        (list "return 301 https://$host$request_uri;"))))))
89 | ||
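(define certbot-command
  ;; Return a program-file that runs "certbot certonly" once per configured
  ;; certificate and exits non-zero when any of those runs failed.
  (match-lambda
    (($ <certbot-configuration> package webroot certificates email
        server rsa-key-size default-location)
     (let* ((certbot (file-append package "/bin/certbot"))
            (rsa-key-size (and rsa-key-size (number->string rsa-key-size)))
            ;; Map a <certificate-configuration> to a (NAME . COMMAND) pair.
            (certificate-command
             (match-lambda
               (($ <certificate-configuration> custom-name domains challenge
                   csr authentication-hook
                   cleanup-hook deploy-hook)
                ;; A certificate is identified by NAME, falling back to its
                ;; first domain.  Fail with a clear message rather than letting
                ;; `car' choke on an empty domain list.
                (when (and (not custom-name) (null? domains))
                  (error (G_ "certbot: a certificate needs a name or at least one domain")))
                (let ((name (or custom-name (car domains))))
                  ;; Manual and webroot runs share most options; only the
                  ;; challenge-related ones differ.  The order reproduces the
                  ;; command lines certbot was given before this refactoring.
                  (cons* name certbot "certonly" "-n" "--agree-tos"
                         (append
                          (if challenge
                              (list "--manual"
                                    (string-append "--preferred-challenges=" challenge)
                                    "--cert-name" name
                                    "--manual-public-ip-logging-ok")
                              (list "--webroot" "-w" webroot
                                    "--cert-name" name))
                          (list "-d" (string-join domains ","))
                          (if csr `("--csr" ,csr) '())
                          (if email
                              `("--email" ,email)
                              '("--register-unsafely-without-email"))
                          (if server `("--server" ,server) '())
                          (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
                          ;; The auth/cleanup hooks are only meaningful in
                          ;; --manual mode and were never passed otherwise.
                          (if (and challenge authentication-hook)
                              `("--manual-auth-hook" ,authentication-hook)
                              '())
                          (if (and challenge cleanup-hook)
                              `("--manual-cleanup-hook" ,cleanup-hook)
                              '())
                          (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))))
            (commands (map certificate-command certificates)))
       (program-file
        "certbot-command"
        #~(begin
            (use-modules (ice-9 match))
            (let ((code 0))
              (for-each
               (match-lambda
                 ((name . command)
                  (format #t "Acquiring or renewing certificate: ~a~%" name)
                  ;; `system*' returns a raw wait status, and 0 is a true
                  ;; value in Scheme, so `(or status code)' always kept the
                  ;; latest status: a failed renewal followed by a successful
                  ;; one reported success.  Remember the first failure instead,
                  ;; as an exit value rather than a wait status.
                  (let ((status (status:exit-val (apply system* command))))
                    ;; STATUS is #f when certbot was terminated by a signal.
                    (when (and (zero? code) (not (eqv? status 0)))
                      (set! code (or status 1))))))
               '#$commands)
              ;; The value of a script's last expression is not its exit
              ;; status; exit explicitly so mcron and manual runs see failures.
              (exit code)))))))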
1115f140 | 147 | |
(define (certbot-renewal-jobs config)
  "Return the mcron jobs that keep the certificates of CONFIG renewed."
  (let ((renew (certbot-command config)))
    ;; Try twice a day, at a random minute within the hour, as recommended
    ;; at https://certbot.eff.org/all-instructions/.
    (list
     #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60)))
            #$renew))))
154 | ||
(define (certbot-activation config)
  "Return a gexp that creates the directories certbot relies on, installs the
renewal script built from CONFIG under /var/lib/certbot, and prints a reminder
that it may have to be run by hand."
  (define state-directory "/var/lib/certbot")
  (define live-directory "/etc/letsencrypt/live")
  (define renew-script (in-vicinity state-directory "renew-certificates"))
  (define reminder (format #f (G_ "~a may need to be run~%") renew-script))

  (match config
    (($ <certbot-configuration> package webroot certificates email
        server rsa-key-size default-location)
     (with-imported-modules '((guix build utils))
       #~(begin
           (use-modules (guix build utils))
           ;; WEBROOT must exist before nginx serves /.well-known from it.
           (mkdir-p #$webroot)
           (mkdir-p #$state-directory)
           (mkdir-p #$live-directory)
           ;; Copy the script to the fixed path named in the reminder below.
           (copy-file #$(certbot-command config) #$renew-script)
           (display #$reminder))))))
171 | |
(define certbot-nginx-server-configurations
  ;; Extend nginx with one plain-HTTP virtual host answering for every
  ;; configured domain.  /.well-known is served from WEBROOT, the directory
  ;; certbot's --webroot mode writes into, and every other request goes to
  ;; DEFAULT-LOCATION unless that is #f.
  (match-lambda
    (($ <certbot-configuration> package webroot certificates email
        server rsa-key-size default-location)
     (let ((domains (append-map certificate-configuration-domains certificates))
           (well-known (nginx-location-configuration
                        (uri "/.well-known")
                        (body (list (list "root " webroot ";"))))))
       (list
        (nginx-server-configuration
         (listen '("80" "[::]:80"))
         (ssl-certificate #f)
         (ssl-certificate-key #f)
         (server-name domains)
         (locations
          (if default-location
              (list well-known default-location)
              (list well-known)))))))))
190 | |
(define certbot-service-type
  (let ((add-certificates
         ;; Extending the service appends <certificate-configuration> records
         ;; to the list already held by CONFIG.
         (lambda (config additional-certificates)
           (let ((existing (certbot-configuration-certificates config)))
             (certbot-configuration
              (inherit config)
              (certificates (append existing additional-certificates)))))))
    (service-type
     (name 'certbot)
     (extensions
      (list (service-extension nginx-service-type
                               certbot-nginx-server-configurations)
            (service-extension activation-service-type
                               certbot-activation)
            (service-extension mcron-service-type
                               certbot-renewal-jobs)))
     (compose concatenate)
     (extend add-certificates)
     (description
      "Automatically renew @url{https://letsencrypt.org, Let's
Encrypt} HTTPS certificates by adjusting the nginx web server configuration
and periodically invoking @command{certbot}."))))