summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--yellowsquid/services/certbot.scm215
1 files changed, 215 insertions, 0 deletions
diff --git a/yellowsquid/services/certbot.scm b/yellowsquid/services/certbot.scm
new file mode 100644
index 0000000..e2d7c46
--- /dev/null
+++ b/yellowsquid/services/certbot.scm
@@ -0,0 +1,215 @@
+;;; Derived from:
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 Nikita <nikita@n0.is>
+;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org>
+;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
+;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
+;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (yellowsquid services certbot)
+ #:use-module (gnu services)
+ #:use-module (gnu services base)
+ #:use-module (gnu services shepherd)
+ #:use-module (gnu services mcron)
+ #:use-module (gnu services web)
+ #:use-module (gnu system shadow)
+ #:use-module (gnu packages tls)
+ #:use-module (guix i18n)
+ #:use-module (guix records)
+ #:use-module (guix gexp)
+ #:use-module (srfi srfi-1)
+ #:use-module (ice-9 match)
+ #:export (certbot-service-type
+ certbot-configuration
+ certbot-configuration?
+ certificate-configuration))
+
+;;; Commentary:
+;;;
+;;; Automatically obtaining TLS certificates from Let's Encrypt.
+;;;
+;;; Code:
+
+
+(define-record-type* <certificate-configuration>
+ certificate-configuration make-certificate-configuration
+ certificate-configuration?
+ (name certificate-configuration-name
+ (default #f))
+ (domains certificate-configuration-domains
+ (default '()))
+ (challenge certificate-configuration-challenge
+ (default #f))
+ (csr certificate-configuration-csr
+ (default #f))
+ (reuse-key? certificate-configuration-reuse-key?
+ (default #f))
+ (authentication-hook certificate-authentication-hook
+ (default #f))
+ (cleanup-hook certificate-cleanup-hook
+ (default #f))
+ (deploy-hook certificate-configuration-deploy-hook
+ (default #f)))
+
+(define-record-type* <certbot-configuration>
+ certbot-configuration make-certbot-configuration
+ certbot-configuration?
+ (package certbot-configuration-package
+ (default certbot))
+ (webroot certbot-configuration-webroot
+ (default "/var/www"))
+ (certificates certbot-configuration-certificates
+ (default '()))
+ (email certbot-configuration-email
+ (default #f))
+ (server certbot-configuration-server
+ (default #f))
+ (rsa-key-size certbot-configuration-rsa-key-size
+ (default #f))
+ (default-location certbot-configuration-default-location
+ (default
+ (nginx-location-configuration
+ (uri "/")
+ (body
+ (list "return 301 https://$host$request_uri;"))))))
+
+(define certbot-command
+ (match-lambda
+ (($ <certbot-configuration> package webroot certificates email
+ server rsa-key-size default-location)
+ (let* ((certbot (file-append package "/bin/certbot"))
+ (rsa-key-size (and rsa-key-size (number->string rsa-key-size)))
+ (commands
+ (map
+ (match-lambda
+ (($ <certificate-configuration> custom-name domains challenge
+ csr reuse-key?
+ authentication-hook
+ cleanup-hook deploy-hook)
+ (let ((name (or custom-name (car domains))))
+ (if challenge
+ (append
+ (list name certbot "certonly" "-n" "--agree-tos"
+ "--manual"
+ (string-append "--preferred-challenges=" challenge)
+ "--cert-name" name
+ "--manual-public-ip-logging-ok"
+ "-d" (string-join domains ","))
+ (if csr `("--csr" ,csr) '())
+ (if email
+ `("--email" ,email)
+ '("--register-unsafely-without-email"))
+ (if server `("--server" ,server) '())
+ (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if reuse-key? '("--reuse-key") '("--no-reuse-key"))
+ (if authentication-hook
+ `("--manual-auth-hook" ,authentication-hook)
+ '())
+ (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+ (append
+ (list name certbot "certonly" "-n" "--agree-tos"
+ "--webroot" "-w" webroot
+ "--cert-name" name
+ "-d" (string-join domains ","))
+ (if csr `("--csr" ,csr) '())
+ (if email
+ `("--email" ,email)
+ '("--register-unsafely-without-email"))
+ (if server `("--server" ,server) '())
+ (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if reuse-key? '("--reuse-key") '("--no-reuse-key"))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+ certificates)))
+ (program-file
+ "certbot-command"
+ #~(begin
+ (use-modules (ice-9 match))
+ (let ((code 0))
+ (for-each
+ (match-lambda
+ ((name . command)
+ (begin
+ (format #t "Acquiring or renewing certificate: ~a~%" name)
+ (set! code (or (apply system* command) code)))))
+ '#$commands) code)))))))
+
+(define (certbot-renewal-jobs config)
+ (list
+ ;; Attempt to renew the certificates twice per day, at a random minute
+ ;; within the hour. See https://certbot.eff.org/all-instructions/.
+ #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60)))
+ #$(certbot-command config))))
+
+(define (certbot-activation config)
+ (let* ((certbot-directory "/var/lib/certbot")
+ (script (in-vicinity certbot-directory "renew-certificates"))
+ (message (format #f (G_ "~a may need to be run~%") script)))
+ (match config
+ (($ <certbot-configuration> package webroot certificates email
+ server rsa-key-size default-location)
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p #$webroot)
+ (mkdir-p #$certbot-directory)
+ (copy-file #$(certbot-command config) #$script)
+ (display #$message)))))))
+
+(define certbot-nginx-server-configurations
+ (match-lambda
+ (($ <certbot-configuration> package webroot certificates email
+ server rsa-key-size default-location)
+ (list
+ (nginx-server-configuration
+ (listen '("80" "[::]:80"))
+ (ssl-certificate #f)
+ (ssl-certificate-key #f)
+ (server-name
+ (apply append (map certificate-configuration-domains certificates)))
+ (locations
+ (filter identity
+ (list
+ (nginx-location-configuration
+ (uri "/.well-known")
+ (body (list (list "root " webroot ";"))))
+ default-location))))))))
+
+(define certbot-service-type
+ (service-type (name 'certbot)
+ (extensions
+ (list (service-extension nginx-service-type
+ certbot-nginx-server-configurations)
+ (service-extension activation-service-type
+ certbot-activation)
+ (service-extension mcron-service-type
+ certbot-renewal-jobs)))
+ (compose concatenate)
+ (extend (lambda (config additional-certificates)
+ (certbot-configuration
+ (inherit config)
+ (certificates
+ (append
+ (certbot-configuration-certificates config)
+ additional-certificates)))))
+ (description
+ "Automatically renew @url{https://letsencrypt.org, Let's
+Encrypt} HTTPS certificates by adjusting the nginx web server configuration
+and periodically invoking @command{certbot}.")))
generated by cgit v1.2.3 (git 2.49.0) at 2025-04-30 11:41:24 +0000