guix-patches
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#26685: certbot service

From: Andy Wingo
Subject: bug#26685: certbot service
Date: Fri, 28 Apr 2017 14:47:41 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) 
On Fri 28 Apr 2017 11:24, Clément Lassieur <address@hidden> writes:

> Hi Andy,
>
> Thanks for working on this!

Thanks for the review :-)

>> +;;; GNU Guix --- Functional package management for GNU
>> +;;; Copyright © 2016 ng0 <address@hidden>
>> +;;; Copyright © 2016 Sou Bunnbu <address@hidden>
>
> Or maybe you didn't work on this?..

I did but also parts of it came from:

  https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/bayfront.scm

I should fix the attribution I guess!

>> +(define certbot-renewal-jobs
>> +  (match-lambda
>> +    (($ <certbot-configuration> package webroot hosts default-location)
>> +     (match hosts
>> +       ;; Avoid pinging certbot if we have no hosts.
>> +       (() '())
>> +       (_
>> +        (list
>> +         ;; Attempt to renew the certificates twice a week.
>> +         #~(job (lambda (now)
>> +                  (next-day-from (next-hour-from now '(3))
>> +                                 '(2 5)))
>
> This is not twice a week, but twice a month at days 2 and 5, because
> 'next-day-from' will look after the next day (in month) that has number
> 2 and 5.  'next-hour-from' is not taken into account because next day
> from any hour still runs at 0 o'clock.
>
> But anyway I think it should be twice a day, and at a random minute
> within the hour, as advised by certbot:
>
> from https://certbot.eff.org/all-instructions/
>
> if you're setting up a cron or systemd job, we recommend running it
> twice per day (it won't do anything until your certificates are due for
> renewal or revoked, but running it regularly would give your site a
> chance of staying online in case a Let's Encrypt-initiated revocation
> happened for some reason). Please select a random minute within the hour
> for your renewal tasks.
>
> What do you think of:
>
>     '(next-minute-from (next-hour '(0 12)) (list (random 60)))
>
> instead?  Schedules can be debbuged with '--schedule=count' option.

Sounds fine to me!

> Also I think some services have to be reloaded/restarted after their
> certificates are upgraded.  That could be done via a mcron post-hook,
> but I'm not sure how to pass the list of services that have to be
> restarted.  WDYT?

Good question.  I don't even know how to know when running certbot
results in a rotation and when it leaves things as-is.  It's a great
question though!  BTW if you are interested in using/hacking on this, I
think we could just get it into master and patch it from there.  WDYT?

Andy
reply via email to
[Prev in Thread] Current Thread [Next in Thread]