HCoop / jackhill / guix / guix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
services: syslogd: Do not fsync at each line.
[jackhill/guix/guix.git] / gnu / services / certbot.scm
1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2016 Nikita <nikita@n0.is>
3 ;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org>
4 ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
5 ;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
6 ;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
7 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
8 ;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
9 ;;;
10 ;;; This file is part of GNU Guix.
11 ;;;
12 ;;; GNU Guix is free software; you can redistribute it and/or modify it
13 ;;; under the terms of the GNU General Public License as published by
14 ;;; the Free Software Foundation; either version 3 of the License, or (at
15 ;;; your option) any later version.
16 ;;;
17 ;;; GNU Guix is distributed in the hope that it will be useful, but
18 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
19 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 ;;; GNU General Public License for more details.
21 ;;;
22 ;;; You should have received a copy of the GNU General Public License
23 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
24
25 (define-module (gnu services certbot)
26 #:use-module (gnu services)
27 #:use-module (gnu services base)
28 #:use-module (gnu services shepherd)
29 #:use-module (gnu services mcron)
30 #:use-module (gnu services web)
31 #:use-module (gnu system shadow)
32 #:use-module (gnu packages tls)
33 #:use-module (guix i18n)
34 #:use-module (guix records)
35 #:use-module (guix gexp)
36 #:use-module (srfi srfi-1)
37 #:use-module (ice-9 match)
38 #:export (certbot-service-type
39 certbot-configuration
40 certbot-configuration?
41 certificate-configuration))
42
43 ;;; Commentary:
44 ;;;
45 ;;; Automatically obtaining TLS certificates from Let's Encrypt.
46 ;;;
47 ;;; Code:
48
49 \f
50 (define-record-type* <certificate-configuration>
51 certificate-configuration make-certificate-configuration
52 certificate-configuration?
53 (name certificate-configuration-name
54 (default #f))
55 (domains certificate-configuration-domains
56 (default '()))
57 (challenge certificate-configuration-challenge
58 (default #f))
59 (csr certificate-configuration-csr
60 (default #f))
61 (authentication-hook certificate-authentication-hook
62 (default #f))
63 (cleanup-hook certificate-cleanup-hook
64 (default #f))
65 (deploy-hook certificate-configuration-deploy-hook
66 (default #f)))
67
68 (define-record-type* <certbot-configuration>
69 certbot-configuration make-certbot-configuration
70 certbot-configuration?
71 (package certbot-configuration-package
72 (default certbot))
73 (webroot certbot-configuration-webroot
74 (default "/var/www"))
75 (certificates certbot-configuration-certificates
76 (default '()))
77 (email certbot-configuration-email
78 (default #f))
79 (server certbot-configuration-server
80 (default #f))
81 (rsa-key-size certbot-configuration-rsa-key-size
82 (default #f))
83 (default-location certbot-configuration-default-location
84 (default
85 (nginx-location-configuration
86 (uri "/")
87 (body
88 (list "return 301 https://$host$request_uri;"))))))
89
90 (define certbot-command
91 (match-lambda
92 (($ <certbot-configuration> package webroot certificates email
93 server rsa-key-size default-location)
94 (let* ((certbot (file-append package "/bin/certbot"))
95 (rsa-key-size (and rsa-key-size (number->string rsa-key-size)))
96 (commands
97 (map
98 (match-lambda
99 (($ <certificate-configuration> custom-name domains challenge
100 csr authentication-hook
101 cleanup-hook deploy-hook)
102 (let ((name (or custom-name (car domains))))
103 (if challenge
104 (append
105 (list name certbot "certonly" "-n" "--agree-tos"
106 "--manual"
107 (string-append "--preferred-challenges=" challenge)
108 "--cert-name" name
109 "--manual-public-ip-logging-ok"
110 "-d" (string-join domains ","))
111 (if csr `("--csr" ,csr) '())
112 (if email
113 `("--email" ,email)
114 '("--register-unsafely-without-email"))
115 (if server `("--server" ,server) '())
116 (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
117 (if authentication-hook
118 `("--manual-auth-hook" ,authentication-hook)
119 '())
120 (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
121 (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
122 (append
123 (list name certbot "certonly" "-n" "--agree-tos"
124 "--webroot" "-w" webroot
125 "--cert-name" name
126 "-d" (string-join domains ","))
127 (if csr `("--csr" ,csr) '())
128 (if email
129 `("--email" ,email)
130 '("--register-unsafely-without-email"))
131 (if server `("--server" ,server) '())
132 (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
133 (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
134 certificates)))
135 (program-file
136 "certbot-command"
137 #~(begin
138 (use-modules (ice-9 match))
139 (let ((code 0))
140 (for-each
141 (match-lambda
142 ((name . command)
143 (begin
144 (format #t "Acquiring or renewing certificate: ~a~%" name)
145 (set! code (or (apply system* command) code)))))
146 '#$commands) code)))))))
147
148 (define (certbot-renewal-jobs config)
149 (list
150 ;; Attempt to renew the certificates twice per day, at a random minute
151 ;; within the hour. See https://certbot.eff.org/all-instructions/.
152 #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60)))
153 #$(certbot-command config))))
154
155 (define (certbot-activation config)
156 (let* ((certbot-directory "/var/lib/certbot")
157 (script (in-vicinity certbot-directory "renew-certificates"))
158 (message (format #f (G_ "~a may need to be run~%") script)))
159 (match config
160 (($ <certbot-configuration> package webroot certificates email
161 server rsa-key-size default-location)
162 (with-imported-modules '((guix build utils))
163 #~(begin
164 (use-modules (guix build utils))
165 (mkdir-p #$webroot)
166 (mkdir-p #$certbot-directory)
167 (copy-file #$(certbot-command config) #$script)
168 (display #$message)))))))
169
170 (define certbot-nginx-server-configurations
171 (match-lambda
172 (($ <certbot-configuration> package webroot certificates email
173 server rsa-key-size default-location)
174 (list
175 (nginx-server-configuration
176 (listen '("80" "[::]:80"))
177 (ssl-certificate #f)
178 (ssl-certificate-key #f)
179 (server-name
180 (apply append (map certificate-configuration-domains certificates)))
181 (locations
182 (filter identity
183 (list
184 (nginx-location-configuration
185 (uri "/.well-known")
186 (body (list (list "root " webroot ";"))))
187 default-location))))))))
188
189 (define certbot-service-type
190 (service-type (name 'certbot)
191 (extensions
192 (list (service-extension nginx-service-type
193 certbot-nginx-server-configurations)
194 (service-extension activation-service-type
195 certbot-activation)
196 (service-extension mcron-service-type
197 certbot-renewal-jobs)))
198 (compose concatenate)
199 (extend (lambda (config additional-certificates)
200 (certbot-configuration
201 (inherit config)
202 (certificates
203 (append
204 (certbot-configuration-certificates config)
205 additional-certificates)))))
206 (description
207 "Automatically renew @url{https://letsencrypt.org, Let's
208 Encrypt} HTTPS certificates by adjusting the nginx web server configuration
209 and periodically invoking @command{certbot}.")))
jackhill's copy of GNU Guix: https://guix.gnu.org/