HCoop / jackhill / guix / guix.git / blame
| Commit | Line | Data |
|---|---|---|
| 1115f140 AW |
1 | ;;; GNU Guix --- Functional package management for GNU |
| 2 | ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is> | |
| 3 | ;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org> | |
| 70cd2239 | 4 | ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org> |
| 1115f140 AW |
5 | ;;; |
| 6 | ;;; This file is part of GNU Guix. | |
| 7 | ;;; | |
| 8 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
| 9 | ;;; under the terms of the GNU General Public License as published by | |
| 10 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
| 11 | ;;; your option) any later version. | |
| 12 | ;;; | |
| 13 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
| 14 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 15 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 16 | ;;; GNU General Public License for more details. | |
| 17 | ;;; | |
| 18 | ;;; You should have received a copy of the GNU General Public License | |
| 19 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
| 20 | ||
| 21 | (define-module (gnu services certbot) | |
| 22 | #:use-module (gnu services) | |
| 23 | #:use-module (gnu services base) | |
| 24 | #:use-module (gnu services shepherd) | |
| 25 | #:use-module (gnu services mcron) | |
| 26 | #:use-module (gnu services web) | |
| 27 | #:use-module (gnu system shadow) | |
| 28 | #:use-module (gnu packages tls) | |
| 29 | #:use-module (guix records) | |
| 30 | #:use-module (guix gexp) | |
| 31 | #:use-module (srfi srfi-1) | |
| 32 | #:use-module (ice-9 match) | |
| 33 | #:export (certbot-service-type | |
| 34 | certbot-configuration | |
| 35 | certbot-configuration?)) | |
| 36 | ||
| 37 | ;;; Commentary: | |
| 38 | ;;; | |
| 39 | ;;; Automatically obtaining TLS certificates from Let's Encrypt. | |
| 40 | ;;; | |
| 41 | ;;; Code: | |
| 42 | ||
| 43 | \f | |
| 44 | (define-record-type* <certbot-configuration> | |
| 45 | certbot-configuration make-certbot-configuration | |
| 46 | certbot-configuration? | |
| 47 | (package certbot-configuration-package | |
| 48 | (default certbot)) | |
| 49 | (webroot certbot-configuration-webroot | |
| 50 | (default "/var/www")) | |
| 966fd7b7 | 51 | (domains certbot-configuration-domains |
| 1115f140 AW |
52 | (default '())) |
| 53 | (default-location certbot-configuration-default-location | |
| 54 | (default | |
| 55 | (nginx-location-configuration | |
| 56 | (uri "/") | |
| 57 | (body | |
| 58 | (list "return 301 https://$host$request_uri;")))))) | |
| 59 | ||
| 60 | (define certbot-renewal-jobs | |
| 61 | (match-lambda | |
| 966fd7b7 CL |
62 | (($ <certbot-configuration> package webroot domains default-location) |
| 63 | (match domains | |
| 64 | ;; Avoid pinging certbot if we have no domains. | |
| 1115f140 AW |
65 | (() '()) |
| 66 | (_ | |
| 67 | (list | |
| 7ab04c17 CL |
68 | ;; Attempt to renew the certificates twice per day, at a random |
| 69 | ;; minute within the hour. See | |
| 70 | ;; https://certbot.eff.org/all-instructions/. | |
| 71 | #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) | |
| 1115f140 AW |
72 | (string-append #$package "/bin/certbot renew" |
| 73 | (string-concatenate | |
| 966fd7b7 CL |
74 | (map (lambda (domain) |
| 75 | (string-append " -d " domain)) | |
| 76 | '#$domains)))))))))) | |
| 1115f140 AW |
77 | |
| 78 | (define certbot-activation | |
| 79 | (match-lambda | |
| 966fd7b7 | 80 | (($ <certbot-configuration> package webroot domains default-location) |
| 1115f140 AW |
81 | (with-imported-modules '((guix build utils)) |
| 82 | #~(begin | |
| 30151863 CL |
83 | (use-modules (guix build utils)) |
| 84 | (mkdir-p #$webroot) | |
| 1115f140 | 85 | (for-each |
| 966fd7b7 CL |
86 | (lambda (domain) |
| 87 | (unless (file-exists? | |
| 88 | (in-vicinity "/etc/letsencrypt/live" domain)) | |
| 1115f140 AW |
89 | (unless (zero? (system* |
| 90 | (string-append #$certbot "/bin/certbot") | |
| 91 | "certonly" "--webroot" "-w" #$webroot | |
| 966fd7b7 CL |
92 | "-d" domain)) |
| 93 | (error "failed to acquire cert for domain" domain)))) | |
| 94 | '#$domains)))))) | |
| 1115f140 AW |
95 | |
| 96 | (define certbot-nginx-server-configurations | |
| 97 | (match-lambda | |
| 966fd7b7 | 98 | (($ <certbot-configuration> package webroot domains default-location) |
| 1115f140 | 99 | (map |
| 966fd7b7 | 100 | (lambda (domain) |
| 1115f140 | 101 | (nginx-server-configuration |
| 70cd2239 | 102 | (listen '("80" "[::]:80")) |
| 1115f140 AW |
103 | (ssl-certificate #f) |
| 104 | (ssl-certificate-key #f) | |
| 966fd7b7 | 105 | (server-name (list domain)) |
| 1115f140 AW |
106 | (locations |
| 107 | (filter identity | |
| 108 | (list | |
| 109 | (nginx-location-configuration | |
| 110 | (uri "/.well-known") | |
| 111 | (body (list (list "root " webroot ";")))) | |
| 112 | default-location))))) | |
| 966fd7b7 | 113 | domains)))) |
| 1115f140 AW |
114 | |
| 115 | (define certbot-service-type | |
| 116 | (service-type (name 'certbot) | |
| 117 | (extensions | |
| 118 | (list (service-extension nginx-service-type | |
| 119 | certbot-nginx-server-configurations) | |
| 120 | (service-extension activation-service-type | |
| 121 | certbot-activation) | |
| 122 | (service-extension mcron-service-type | |
| 123 | certbot-renewal-jobs))) | |
| 124 | (compose concatenate) | |
| 966fd7b7 | 125 | (extend (lambda (config additional-domains) |
| 1115f140 AW |
126 | (certbot-configuration |
| 127 | (inherit config) | |
| 966fd7b7 CL |
128 | (domains (append |
| 129 | (certbot-configuration-domains config) | |
| 130 | additional-domains))))) | |
| 3af03e59 LC |
131 | (default-value (certbot-configuration)) |
| 132 | (description | |
| 133 | "Automatically renew @url{https://letsencrypt.org, Let's | |
| 134 | Encrypt} HTTPS certificates by adjusting the nginx web server configuration | |
| 135 | and periodically invoking @command{certbot}."))) |