GNU logs - #67497, boring messages

Message sent to mirai@HIDDEN, help-debbugs@HIDDEN:

Subject: bug#67497: [PATCH] Multiple deploy hooks in certbot service
Resent-From: Felix Lechner <felix.lechner@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: mirai@HIDDEN, help-debbugs@HIDDEN
Resent-Date: Mon, 27 Nov 2023 20:24:01 +0000
Resent-Message-ID: <handler.67497.B.170111659430820 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 67497 <at> debbugs.gnu.org
Cc: bruno victal <mirai@HIDDEN>
From: Felix Lechner <felix.lechner@HIDDEN>
Date: Mon, 27 Nov 2023 12:23:03 -0800
Message-ID: <87zfyzkkt4.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
Precedence: list
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

X-Debbugs-CC: Bruno Victal <mirai@HIDDEN>

Hi,

The certbot program can accept multiple deploy hooks by repeating the
relevant option on the command line. This commit makes that capability
available to users.

Certificates are often used to secure multiple services. It is helpful
to have separate hooks for each service.

It makes the hooks easier to maintain. It's also easier that way to
re-use hooks for another certificate that may not serve to secure the
same combination of services.

Kind regards
Felix

Message sent:

Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Felix Lechner <felix.lechner@HIDDEN>
Subject: bug#67497: Acknowledgement ([PATCH] Multiple deploy hooks in
 certbot service)
Message-ID: <handler.67497.B.170111659430820.ack <at> debbugs.gnu.org>
References: <87zfyzkkt4.fsf@HIDDEN>
X-Gnu-PR-Message: ack 67497
X-Gnu-PR-Package: debbugs.gnu.org
X-Gnu-PR-Keywords: patch
Reply-To: 67497 <at> debbugs.gnu.org
Date: Mon, 27 Nov 2023 20:24:01 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

As you requested using X-Debbugs-CC, your message was also forwarded to
  bruno victal <mirai@HIDDEN>
(after having been given a bug report number, if it did not have one).

Your message has been sent to the package maintainer(s):
 help-debbugs@HIDDEN

If you wish to submit further information on this problem, please
send it to 67497 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

--=20
67497: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D67497
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems

Message received at control <at> debbugs.gnu.org:

Received: (at control) by debbugs.gnu.org; 27 Nov 2023 21:17:28 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Nov 27 16:17:28 2023
Received: from localhost ([127.0.0.1]:44976 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1r7iyt-00011I-RY
	for submit <at> debbugs.gnu.org; Mon, 27 Nov 2023 16:17:28 -0500
Received: from sail-ipv4.us-core.com ([208.82.101.137]:53126)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <felix.lechner@HIDDEN>) id 1r7iyr-000119-LM
 for control <at> debbugs.gnu.org; Mon, 27 Nov 2023 16:17:26 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=W8QNoxErPykkNEg
 Vl/2B1nfg2qG/Q6/NQiqs5ePyI7M=; h=date:cc:to:from;
 d=lease-up.com; b=qL
 F8Jc0J7ok6qQVSsNQselFg0IldeAX8XRnPSxbWl8spRR/tyvR+gSYGtP/K3JeoTPfPHwgm
 vDasfJIkrASWGiYXqQnVjQmTP1nUUBv5tFvp0z4iCswcOPAso3vpDn+au72L/ZzmXeRHjU
 HryjQnmwe/vCOZ9UNlnGddh3ewstA=
Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 0e2d422a
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO)
 for <control <at> debbugs.gnu.org>; Mon, 27 Nov 2023 21:17:17 +0000 (UTC)
From: Felix Lechner <felix.lechner@HIDDEN>
To: control <at> debbugs.gnu.org
Date: Mon, 27 Nov 2023 13:17:17 -0800
Message-ID: <87wmu2lwv6.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 2.0 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  reassign 67497 guix-patches tags 67497 + patch thanks 
 Content analysis details:   (2.0 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
 1.8 MISSING_SUBJECT        Missing Subject: header
 0.2 NO_SUBJECT             Extra score for no subject
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 1.0 (+)

reassign 67497 guix-patches
tags 67497 + patch
thanks

Message sent to guix-patches@HIDDEN:

Subject: [bug#67497] [PATCH 1/4] In documentation, rename %certbot-deploy-hook back to %nginx-deploy-hook..
References: <87zfyzkkt4.fsf@HIDDEN>
In-Reply-To: <87zfyzkkt4.fsf@HIDDEN>
Resent-From: Felix Lechner <felix.lechner@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Mon, 27 Nov 2023 21:22:02 +0000
Resent-Message-ID: <handler.67497.B67497.17011200944317 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 67497 <at> debbugs.gnu.org
Cc: Bruno Victal <mirai@HIDDEN>, Felix Lechner <felix.lechner@HIDDEN>
From: Felix Lechner <felix.lechner@HIDDEN>
Date: Mon, 27 Nov 2023 13:20:51 -0800
Message-ID: <e9fdc8d35f8d57913a3a5861db7a1073d47ce729.1701120054.git.felix.lechner@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

Bruno Victal made that change in commit fec8e513, but a nearby patch will
offer the ability to specify a list of hooks. That makes it possible to name
deploy hooks after the services they restart.

Change-Id: I128f71f2e96159eef8821e21ea03ecf0c1c0a7f4
---
 doc/guix.texi | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 767133cd0f..b0b1c05c73 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32032,8 +32032,8 @@ Certificate Services
 must be a @code{certbot-configuration} record as in this example:

 @lisp
-(define %certbot-deploy-hook
-  (program-file "certbot-deploy-hook.scm"
+(define %nginx-deploy-hook
+  (program-file "certbot-nginx-deploy-hook.scm"
     (with-imported-modules '((gnu services herd))
       #~(begin
           (use-modules (gnu services herd))
@@ -32046,7 +32046,7 @@ Certificate Services
            (list
             (certificate-configuration
              (domains '("example.net" "www.example.net"))
-             (deploy-hook %certbot-deploy-hook))
+             (deploy-hook %nginx-deploy-hook))
             (certificate-configuration
              (domains '("bar.example.net")))))))
 @end lisp

base-commit: 6e4914a037c8b332ab3f1149129c0bd1cea4640b
-- 
2.41.0

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#67497] [PATCH 2/4] In certbot documentation, call environment variables by their proper name.
Resent-From: Felix Lechner <felix.lechner@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Mon, 27 Nov 2023 21:22:02 +0000
Resent-Message-ID: <handler.67497.B67497.17011200984339 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 67497
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 67497 <at> debbugs.gnu.org
Cc: Bruno Victal <mirai@HIDDEN>, Felix Lechner <felix.lechner@HIDDEN>
Received: via spool by 67497-submit <at> debbugs.gnu.org id=B67497.17011200984339
          (code B ref 67497); Mon, 27 Nov 2023 21:22:02 +0000
Received: (at 67497) by debbugs.gnu.org; 27 Nov 2023 21:21:38 +0000
Received: from localhost ([127.0.0.1]:44987 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1r7j2v-00017u-OS
	for submit <at> debbugs.gnu.org; Mon, 27 Nov 2023 16:21:38 -0500
Received: from sail-ipv4.us-core.com ([208.82.101.137]:56770)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <felix.lechner@HIDDEN>) id 1r7j2s-00017R-7n
 for 67497 <at> debbugs.gnu.org; Mon, 27 Nov 2023 16:21:35 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=fvjhNjgOq6aLOZO
 RmF4VZEHyzgSdcD/CUrbIl3wI0/c=;
 h=references:in-reply-to:date:subject:
 cc:to:from; d=lease-up.com; b=ZP2JzvE2snqTnN+SJnNRw/HPPR8hxX78Rj4dqEqg
 EcIZHcmWIrhiGtE25DAhr5TLcaHVwpa16irPvNysdpph5Lky1Jf/iBFWG0eqaRxQJQcZ9k
 q5fOIQezwjdfYphlSa905m+7EotHPsRfGu7zYezMWZWHA+GSliJj9bo6BGLW8=
Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 79edd8b4
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Mon, 27 Nov 2023 21:21:27 +0000 (UTC)
Received: from localhost (localhost [local])
 by localhost (OpenSMTPD) with ESMTPA id de854032;
 Mon, 27 Nov 2023 21:21:26 +0000 (UTC)
From: Felix Lechner <felix.lechner@HIDDEN>
Date: Mon, 27 Nov 2023 13:20:52 -0800
Message-ID: <c31f51f5209e6dfe5df01e27698abccd38ddd2c4.1701120054.git.felix.lechner@HIDDEN>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <e9fdc8d35f8d57913a3a5861db7a1073d47ce729.1701120054.git.felix.lechner@HIDDEN>
References: <e9fdc8d35f8d57913a3a5861db7a1073d47ce729.1701120054.git.felix.lechner@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.2 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.8 (/)

Certbot's hooks can be written in any language. in fact, they can be any kind
of executable. Environment variables are widely used to communicate values
across that type of fork(2) boundary. In the context here, it is more accurate
to talk about environment variables.

Change-Id: If0b476c3367a3108d9365d718a74faa7d9fe7530
---
 doc/guix.texi | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index b0b1c05c73..440a5f3efa 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32139,24 +32139,24 @@ Certificate Services
 
 @item @code{authentication-hook} (default: @code{#f})
 Command to be run in a shell once for each certificate challenge to be
-answered.  For this command, the shell variable @code{$CERTBOT_DOMAIN}
+answered.  For this command, the environment variable @code{$CERTBOT_DOMAIN}
 will contain the domain being authenticated, @code{$CERTBOT_VALIDATION}
 contains the validation string and @code{$CERTBOT_TOKEN} contains the
 file name of the resource requested when performing an HTTP-01 challenge.
 
 @item @code{cleanup-hook} (default: @code{#f})
 Command to be run in a shell once for each certificate challenge that
-have been answered by the @code{auth-hook}.  For this command, the shell
+have been answered by the @code{auth-hook}.  For this command, the environment
 variables available in the @code{auth-hook} script are still available, and
 additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
 of the @code{auth-hook} script.
 
 @item @code{deploy-hook} (default: @code{#f})
 Command to be run in a shell once for each successfully issued
-certificate.  For this command, the shell variable
+certificate.  For this command, the environment variable
 @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
 example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
-certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
+certificates and keys; the environment variable @code{$RENEWED_DOMAINS} will
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.
 
-- 
2.41.0

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#67497] [PATCH 3/4] In certbot service, reduce code duplication.
Resent-From: Felix Lechner <felix.lechner@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Mon, 27 Nov 2023 21:22:03 +0000
Resent-Message-ID: <handler.67497.B67497.17011200984346 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 67497
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 67497 <at> debbugs.gnu.org
Cc: Bruno Victal <mirai@HIDDEN>, Felix Lechner <felix.lechner@HIDDEN>
Received: via spool by 67497-submit <at> debbugs.gnu.org id=B67497.17011200984346
          (code B ref 67497); Mon, 27 Nov 2023 21:22:03 +0000
Received: (at 67497) by debbugs.gnu.org; 27 Nov 2023 21:21:38 +0000
Received: from localhost ([127.0.0.1]:44989 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1r7j2w-00017w-68
	for submit <at> debbugs.gnu.org; Mon, 27 Nov 2023 16:21:38 -0500
Received: from sail-ipv4.us-core.com ([208.82.101.137]:56770)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <felix.lechner@HIDDEN>) id 1r7j2u-00017R-UB
 for 67497 <at> debbugs.gnu.org; Mon, 27 Nov 2023 16:21:37 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=He5BdxLzrXx8Tx1
 KMFb3ErmfgVyOv9pbVDeJ3mHo3fY=;
 h=references:in-reply-to:date:subject:
 cc:to:from; d=lease-up.com; b=iaDHQSXKrxZmnbcU/jOx81gRwwINwcAuAdxrnmo2
 qq7EWOOCtD96F/FMVkvbiJSPk480Wm0NJ2nhWPBaDuqyn5w8qOoi4+06JfnRqXbj5p4MTd
 h67+ux7XgP5bYCY4C44syK749A/f6XH8WFJYR4vrVxYZ/RN679BybMHhjPs2g=
Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 295fbbd1
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Mon, 27 Nov 2023 21:21:29 +0000 (UTC)
Received: from localhost (localhost [local])
 by localhost (OpenSMTPD) with ESMTPA id 0cae772a;
 Mon, 27 Nov 2023 21:21:28 +0000 (UTC)
From: Felix Lechner <felix.lechner@HIDDEN>
Date: Mon, 27 Nov 2023 13:20:53 -0800
Message-ID: <ed0f8c6ad1ddb4ae435d5c5cf1c8d9f72a5e41ad.1701120054.git.felix.lechner@HIDDEN>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <e9fdc8d35f8d57913a3a5861db7a1073d47ce729.1701120054.git.felix.lechner@HIDDEN>
References: <e9fdc8d35f8d57913a3a5861db7a1073d47ce729.1701120054.git.felix.lechner@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.2 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.8 (/)

The certbot command is can only be changed with a great deal of attention. The
program branches early and constructs two separate invocations. Changes would
generally have to be made in two places. Otherwise, a new bug might be
introduced.

This commit places the conditional inquestion inside the list so that future
edits are more fool-proof.

Change-Id: I4a54f8b78ff4722688de7772d3c26a6191d6ff89
---
 gnu/services/certbot.scm | 58 +++++++++++++++++++---------------------
 1 file changed, 27 insertions(+), 31 deletions(-)

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 0c45471659..8490a69a99 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -100,37 +100,33 @@ (define certbot-command
                                                 csr authentication-hook
                                                 cleanup-hook deploy-hook)
                  (let ((name (or custom-name (car domains))))
-                   (if challenge
-                     (append
-                      (list name certbot "certonly" "-n" "--agree-tos"
-                            "--manual"
-                            (string-append "--preferred-challenges=" challenge)
-                            "--cert-name" name
-                            "--manual-public-ip-logging-ok"
-                            "-d" (string-join domains ","))
-                      (if csr `("--csr" ,csr) '())
-                      (if email
-                          `("--email" ,email)
-                          '("--register-unsafely-without-email"))
-                      (if server `("--server" ,server) '())
-                      (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
-                      (if authentication-hook
-                          `("--manual-auth-hook" ,authentication-hook)
-                          '())
-                      (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
-                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
-                     (append
-                      (list name certbot "certonly" "-n" "--agree-tos"
-                            "--webroot" "-w" webroot
-                            "--cert-name" name
-                            "-d" (string-join domains ","))
-                      (if csr `("--csr" ,csr) '())
-                      (if email
-                          `("--email" ,email)
-                          '("--register-unsafely-without-email"))
-                      (if server `("--server" ,server) '())
-                      (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
-                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+                   (append
+                    (list name
+                          certbot
+                          "certonly"
+                          "-n"
+                          "--agree-tos")
+                    (if challenge
+                        (append
+                         (list "--manual"
+                               (string-append "--preferred-challenges=" challenge)
+                               "--manual-public-ip-logging-ok")
+                         (if authentication-hook
+                             (list "--manual-auth-hook" authentication-hook)
+                             '())
+                         (if cleanup-hook
+                             (list "--manual-cleanup-hook" cleanup-hook)
+                             '()))
+                        (list "--webroot" "-w" webroot))
+                    (list "--cert-name" name
+                          "-d" (string-join domains ","))
+                    (if csr (list "--csr" csr) '())
+                    (if email
+                        (list "--email" email)
+                        (list "--register-unsafely-without-email"))
+                    (if server (list "--server" server) '())
+                    (if rsa-key-size (list "--rsa-key-size" rsa-key-size) '())
+                    (if deploy-hook (list "--deploy-hook" deploy-hook) '())))))
               certificates)))
        (program-file
         "certbot-command"
-- 
2.41.0

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#67497] [PATCH 4/4] In certbot's client configuration, offer multiple deploy-hooks.
Resent-From: Felix Lechner <felix.lechner@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Mon, 27 Nov 2023 21:22:03 +0000
Resent-Message-ID: <handler.67497.B67497.17011201074365 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 67497
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 67497 <at> debbugs.gnu.org
Cc: Bruno Victal <mirai@HIDDEN>, Felix Lechner <felix.lechner@HIDDEN>
Received: via spool by 67497-submit <at> debbugs.gnu.org id=B67497.17011201074365
          (code B ref 67497); Mon, 27 Nov 2023 21:22:03 +0000
Received: (at 67497) by debbugs.gnu.org; 27 Nov 2023 21:21:47 +0000
Received: from localhost ([127.0.0.1]:44992 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1r7j34-00018L-KC
	for submit <at> debbugs.gnu.org; Mon, 27 Nov 2023 16:21:47 -0500
Received: from sail-ipv4.us-core.com ([208.82.101.137]:56770)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <felix.lechner@HIDDEN>) id 1r7j2w-00017R-OI
 for 67497 <at> debbugs.gnu.org; Mon, 27 Nov 2023 16:21:39 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=BLbugcUu92iK3vE
 e1pNldPPel9aHTUmZ5cTIw35/KXg=;
 h=references:in-reply-to:date:subject:
 cc:to:from; d=lease-up.com; b=GopeRi7SkYQWtakhR3nqqo2u5UL+Nj4cZQGfKXg0
 970lgWTA/8WbKDeN5wil1XGI+XarGzbAX9URhsi2Ltf+qpsY7tzB611L0W4MmNfwdeHzhh
 YvQtih7BfbGzllx17RfzK6p9DwqG6Jc+x+QGvSz/IopGdK39q52d7kUQnv2lU=
Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id e2bd5eed
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Mon, 27 Nov 2023 21:21:31 +0000 (UTC)
Received: from localhost (localhost [local])
 by localhost (OpenSMTPD) with ESMTPA id 5602a01d;
 Mon, 27 Nov 2023 21:21:30 +0000 (UTC)
From: Felix Lechner <felix.lechner@HIDDEN>
Date: Mon, 27 Nov 2023 13:20:54 -0800
Message-ID: <729de952f099681b99b1ffd4f3f5bed736cc6b43.1701120054.git.felix.lechner@HIDDEN>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <e9fdc8d35f8d57913a3a5861db7a1073d47ce729.1701120054.git.felix.lechner@HIDDEN>
References: <e9fdc8d35f8d57913a3a5861db7a1073d47ce729.1701120054.git.felix.lechner@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.2 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.8 (/)

The certbot program can accept multiple deploy hooks by repeating the relevant
option on the command line. This commit makes that capability available to
users.

Certificates are often used to secure multiple services. It is helpful to have
separate hooks for each service. It makes those hooks easier to maintain. It's
also easier that way to re-use a hook for another certificate that may not
serve to secure the same combination of services.

Change-Id: I3a293daee47030d9bee7f366605aa63a14e98e38
---
 doc/guix.texi            | 11 ++++++-----
 gnu/services/certbot.scm | 20 +++++++++++++++++---
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 440a5f3efa..c5cbd0275d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32046,7 +32046,7 @@ Certificate Services
            (list
             (certificate-configuration
              (domains '("example.net" "www.example.net"))
-             (deploy-hook %nginx-deploy-hook))
+             (deploy-hooks '(%nginx-deploy-hook)))
             (certificate-configuration
              (domains '("bar.example.net")))))))
 @end lisp
@@ -32151,14 +32151,15 @@ Certificate Services
 additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
 of the @code{auth-hook} script.
 
-@item @code{deploy-hook} (default: @code{#f})
-Command to be run in a shell once for each successfully issued
-certificate.  For this command, the environment variable
+@item @code{deploy-hooks} (default: @code{'()})
+Commands to be run in a shell once for each successfully issued
+certificate.  For these commands, the environment variable
 @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
 example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
 certificates and keys; the environment variable @code{$RENEWED_DOMAINS} will
 contain a space-delimited list of renewed certificate domains (for
-example, @samp{"example.com www.example.com"}.
+example, @samp{"example.com www.example.com"}. Please note that the singular
+field @code{deploy-hook} was replaced by this field in the plural.
 
 @end table
 @end deftp
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 8490a69a99..9d5305174b 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -30,6 +30,7 @@ (define-module (gnu services certbot)
   #:use-module (gnu services web)
   #:use-module (gnu system shadow)
   #:use-module (gnu packages tls)
+  #:use-module (guix deprecation)
   #:use-module (guix i18n)
   #:use-module (guix records)
   #:use-module (guix gexp)
@@ -62,8 +63,11 @@ (define-record-type* <certificate-configuration>
                        (default #f))
   (cleanup-hook        certificate-cleanup-hook
                        (default #f))
+  ;; TODO: remove singular deploy-hook; is deprecated
   (deploy-hook         certificate-configuration-deploy-hook
-                       (default #f)))
+                       (default #f))
+  (deploy-hooks        certificate-configuration-deploy-hooks
+                       (default '())))
 
 (define-record-type* <certbot-configuration>
   certbot-configuration make-certbot-configuration
@@ -98,7 +102,8 @@ (define certbot-command
               (match-lambda
                 (($ <certificate-configuration> custom-name domains challenge
                                                 csr authentication-hook
-                                                cleanup-hook deploy-hook)
+                                                cleanup-hook
+                                                deploy-hook deploy-hooks)
                  (let ((name (or custom-name (car domains))))
                    (append
                     (list name
@@ -126,7 +131,16 @@ (define certbot-command
                         (list "--register-unsafely-without-email"))
                     (if server (list "--server" server) '())
                     (if rsa-key-size (list "--rsa-key-size" rsa-key-size) '())
-                    (if deploy-hook (list "--deploy-hook" deploy-hook) '())))))
+
+                    (if deploy-hook
+                        (begin
+                          (warn-about-deprecation 'deploy-hook #f
+                                                  #:replacement 'deploy-hooks)
+                          (list "--deploy-hook" deploy-hook))
+                        '())
+                    (append-map (lambda (hook)
+                                  (list "--deploy-hook" hook))
+                                deploy-hooks)))))
               certificates)))
        (program-file
         "certbot-command"
-- 
2.41.0

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#67497] [PATCH] Multiple deploy hooks in certbot service
Resent-From: Arun Isaac <arunisaac@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Tue, 28 Nov 2023 00:25:02 +0000
Resent-Message-ID: <handler.67497.B67497.170113108020306 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 67497
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Felix Lechner <felix.lechner@HIDDEN>, 67497 <at> debbugs.gnu.org
Cc: bruno victal <mirai@HIDDEN>
Received: via spool by 67497-submit <at> debbugs.gnu.org id=B67497.170113108020306
          (code B ref 67497); Tue, 28 Nov 2023 00:25:02 +0000
Received: (at 67497) by debbugs.gnu.org; 28 Nov 2023 00:24:40 +0000
Received: from localhost ([127.0.0.1]:45078 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1r7lu4-0005HS-2Y
	for submit <at> debbugs.gnu.org; Mon, 27 Nov 2023 19:24:40 -0500
Received: from mugam.systemreboot.net ([139.59.75.54]:49562)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <arunisaac@HIDDEN>) id 1r7lu0-0005HE-Ed
 for 67497 <at> debbugs.gnu.org; Mon, 27 Nov 2023 19:24:38 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=systemreboot.net; s=default; h=Content-Type:MIME-Version:Message-ID:Date:
 References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To:
 Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
 List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=9SWU4h3bgcoOGjWeb0YtASpTjZ7YI63861+aBPx9r68=; b=Gg8KD8KtAXhpDT7+IDhgbA3hDP
 7EEQ/6UEXgasBKPxRM5qdqew/+c2NLJ47IrR+rSlh3fDNhJNAjc9n4vN8sMJUZAjuPqTHSkGB0oQE
 v1tSM/QVKghTwyqa24IBtAADDNiOloYYnD5qY4iyTMAhc4VCPFl2I5VAu1VCsToriyGsKK1MB+lRV
 kGyTOPvCII0mtLf0fFV680jlKhk0j7tYbvUfjl60UT+MPDx2C8h9/B7dykhmOlh3AWVUuTMk/yxhl
 giQSPT2/QUr1JTYXG5rl2l5fNL1nfbaBpwo07NnEZudABcwvRqxNbhlpjfL3ATtD1LT2Ktc5d8Gzn
 jKCMKakg==;
Received: from [192.168.2.1] (port=43926 helo=localhost)
 by systemreboot.net with esmtpsa (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96)
 (envelope-from <arunisaac@HIDDEN>) id 1r7ltn-0007cj-0d;
 Tue, 28 Nov 2023 00:24:23 +0000
From: Arun Isaac <arunisaac@HIDDEN>
In-Reply-To: <87zfyzkkt4.fsf@HIDDEN>
References: <87zfyzkkt4.fsf@HIDDEN>
Date: Tue, 28 Nov 2023 00:24:19 +0000
Message-ID: <874jh6bu8c.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


Hi Felix,

> Certificates are often used to secure multiple services. It is helpful
> to have separate hooks for each service.

It's already possible to write the deploy-hook as a G-expression
constructed script (using program-file) that invokes multiple hooks in
succession. Something like:

(program-file "deploy-hook"
  (with-imported-modules '((guix build utils))
    #~(begin
        (use-modules (guix build utils))

        (invoke "/some/hook")
        (invoke "/some/other/hook"))))

Here /some/hook and /some/other/hook can themselves be recursively
constructed using program-file. So, do we really need a service that
explicitly accepts multiple deploy hooks?

Regards,
Arun

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#67497] [PATCH] Multiple deploy hooks in certbot service
Resent-From: Bruno Victal <mirai@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sat, 16 Dec 2023 20:51:02 +0000
Resent-Message-ID: <handler.67497.B67497.170275983211631 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 67497
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Arun Isaac <arunisaac@HIDDEN>, Felix Lechner <felix.lechner@HIDDEN>
Cc: 67497 <at> debbugs.gnu.org
Received: via spool by 67497-submit <at> debbugs.gnu.org id=B67497.170275983211631
          (code B ref 67497); Sat, 16 Dec 2023 20:51:02 +0000
Received: (at 67497) by debbugs.gnu.org; 16 Dec 2023 20:50:32 +0000
Received: from localhost ([127.0.0.1]:56160 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rEbcG-00031S-4d
	for submit <at> debbugs.gnu.org; Sat, 16 Dec 2023 15:50:32 -0500
Received: from smtpmciv1.myservices.hosting ([185.26.107.237]:51632)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mirai@HIDDEN>) id 1rEbc9-00031D-TA
 for 67497 <at> debbugs.gnu.org; Sat, 16 Dec 2023 15:50:30 -0500
Received: from mail1.netim.hosting (unknown [185.26.106.173])
 by smtpmciv1.myservices.hosting (Postfix) with ESMTP id DC38520DD5;
 Sat, 16 Dec 2023 21:50:22 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
 by mail1.netim.hosting (Postfix) with ESMTP id 2A42780095;
 Sat, 16 Dec 2023 21:50:19 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mail1.netim.hosting
Received: from mail1.netim.hosting ([127.0.0.1])
 by localhost (mail1-2.netim.hosting [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id 2U0fwhI8ZYwP; Sat, 16 Dec 2023 21:50:18 +0100 (CET)
Received: from [192.168.1.116] (unknown [10.192.1.83])
 (Authenticated sender: lumen@HIDDEN)
 by mail1.netim.hosting (Postfix) with ESMTPSA id 88AD880067;
 Sat, 16 Dec 2023 21:50:18 +0100 (CET)
Message-ID: <a224335a-b8f0-46cd-ba90-8bc51d698376@HIDDEN>
Date: Sat, 16 Dec 2023 20:50:16 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
References: <87zfyzkkt4.fsf@HIDDEN> <874jh6bu8c.fsf@HIDDEN>
From: Bruno Victal <mirai@HIDDEN>
In-Reply-To: <874jh6bu8c.fsf@HIDDEN>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="------------pxfr190QYyQd4FQ2hWfEPAXI"
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------pxfr190QYyQd4FQ2hWfEPAXI
Content-Type: multipart/mixed; boundary="------------OUIg0jZ6YGGc1qxwQ5EDzy8W";
 protected-headers="v1"
From: Bruno Victal <mirai@HIDDEN>
To: Arun Isaac <arunisaac@HIDDEN>,
 Felix Lechner <felix.lechner@HIDDEN>
Cc: 67497 <at> debbugs.gnu.org
Message-ID: <a224335a-b8f0-46cd-ba90-8bc51d698376@HIDDEN>
Subject: Re: bug#67497: [PATCH] Multiple deploy hooks in certbot service
References: <87zfyzkkt4.fsf@HIDDEN> <874jh6bu8c.fsf@HIDDEN>
In-Reply-To: <874jh6bu8c.fsf@HIDDEN>

--------------OUIg0jZ6YGGc1qxwQ5EDzy8W
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi Felix and Arun,

On 2023-11-28 00:24, Arun Isaac wrote:
> It's already possible to write the deploy-hook as a G-expression
> constructed script (using program-file) that invokes multiple hooks in
> succession. Something like:
>=20
> (program-file "deploy-hook"
>   (with-imported-modules '((guix build utils))
>     #~(begin
>         (use-modules (guix build utils))
>=20
>         (invoke "/some/hook")
>         (invoke "/some/other/hook"))))

Indeed, and for the record mine looks like this:

--8<---------------cut here---------------start------------->8---
(program-file "certbot-hook.scm"
  ;; source-module-closure not used here because at the time of writing
  ;; (gnu services herd) only uses Guile modules.
  (with-imported-modules '((gnu services herd))
    #~(begin
        (use-modules (gnu services herd))
        (with-shepherd-action 'nginx ('reload) result result)
        (restart-service 'dovecot)
        (restart-service 'smtpd))))
--8<---------------cut here---------------end--------------->8---

(that is, a single hook is responsible for various other shepherd
services)

> Here /some/hook and /some/other/hook can themselves be recursively
> constructed using program-file. So, do we really need a service that
> explicitly accepts multiple deploy hooks?

As Arun pointed out, I don't think multiple deploy hooks would be
adding value here.

What would be interesting though is adding service-extensions support
for certbot-service-type. Roughly speaking, two plausible ways to
achieve this would be:

* Single deploy-hook and ungexp-splicing, i.e.:

--8<---------------cut here---------------start------------->8---
;; service-extension-hooks: list of program-files
#$@(map (lambda (extension-hook)
          #~(invoke #$extension-hook))
        service-extension-hooks)
--8<---------------cut here---------------end--------------->8---

* Multiple --deploy-hook =E2=80=A6 behind the scenes (the deploy-hook
field in <certificate-configuration> still accepts only a single hook)

Important note, such service-extensions must account for the fact that
they are actually extensions to <certificate-configuration> objects,
i.e. they have to account for which domain(s) is the (deploy/
cleanup/authentication)-hook for.

--=20
Furthermore, I consider that nonfree software must be eradicated.

Cheers,
Bruno.

--------------OUIg0jZ6YGGc1qxwQ5EDzy8W--

--------------pxfr190QYyQd4FQ2hWfEPAXI
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTAPCseV0HOaN0YFheobOGDL+spVQUCZX4NigAKCRCobOGDL+sp
VecqAP0YQWXsd5Egk/UBaNWqfO0cHBbrUDIRCNPJCx/5JTcdsAEA82oxJvMavBw+
3CZhxwacoy8+ImYFWJ195K5RmNO3yAM=
=ZTEy
-----END PGP SIGNATURE-----

--------------pxfr190QYyQd4FQ2hWfEPAXI--

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#67497] [PATCH 2/4] In certbot documentation, call environment variables by their proper name.
Resent-From: Bruno Victal <mirai@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sat, 16 Dec 2023 20:59:01 +0000
Resent-Message-ID: <handler.67497.B67497.170276032612749 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 67497
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Felix Lechner <felix.lechner@HIDDEN>
Cc: 67497 <at> debbugs.gnu.org
Received: via spool by 67497-submit <at> debbugs.gnu.org id=B67497.170276032612749
          (code B ref 67497); Sat, 16 Dec 2023 20:59:01 +0000
Received: (at 67497) by debbugs.gnu.org; 16 Dec 2023 20:58:46 +0000
Received: from localhost ([127.0.0.1]:56172 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rEbkD-0003JY-Rk
	for submit <at> debbugs.gnu.org; Sat, 16 Dec 2023 15:58:46 -0500
Received: from smtpm3.myservices.hosting ([185.26.105.234]:36792)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mirai@HIDDEN>) id 1rEbkA-0003JO-Nu
 for 67497 <at> debbugs.gnu.org; Sat, 16 Dec 2023 15:58:44 -0500
Received: from mail1.netim.hosting (unknown [185.26.106.173])
 by smtpm3.myservices.hosting (Postfix) with ESMTP id 52961210AE;
 Sat, 16 Dec 2023 21:58:39 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
 by mail1.netim.hosting (Postfix) with ESMTP id 9F2E680095;
 Sat, 16 Dec 2023 21:58:39 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mail1.netim.hosting
Received: from mail1.netim.hosting ([127.0.0.1])
 by localhost (mail1-2.netim.hosting [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id jzqLbTRfECKO; Sat, 16 Dec 2023 21:58:39 +0100 (CET)
Received: from [192.168.1.116] (unknown [10.192.1.83])
 (Authenticated sender: lumen@HIDDEN)
 by mail1.netim.hosting (Postfix) with ESMTPSA id 2973280067;
 Sat, 16 Dec 2023 21:58:39 +0100 (CET)
Message-ID: <0b64f8bb-755d-4c09-af51-871392de8262@HIDDEN>
Date: Sat, 16 Dec 2023 20:58:37 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
References: <e9fdc8d35f8d57913a3a5861db7a1073d47ce729.1701120054.git.felix.lechner@HIDDEN>
 <c31f51f5209e6dfe5df01e27698abccd38ddd2c4.1701120054.git.felix.lechner@HIDDEN>
From: Bruno Victal <mirai@HIDDEN>
In-Reply-To: <c31f51f5209e6dfe5df01e27698abccd38ddd2c4.1701120054.git.felix.lechner@HIDDEN>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="------------s80WGHVnW0hdWx0P99uCBDzY"
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------s80WGHVnW0hdWx0P99uCBDzY
Content-Type: multipart/mixed; boundary="------------SGGSRoTD2D05xj1fs0Dkl8Eu";
 protected-headers="v1"
From: Bruno Victal <mirai@HIDDEN>
To: Felix Lechner <felix.lechner@HIDDEN>
Cc: 67497 <at> debbugs.gnu.org
Message-ID: <0b64f8bb-755d-4c09-af51-871392de8262@HIDDEN>
Subject: Re: [PATCH 2/4] In certbot documentation, call environment variables
 by their proper name.
References: <e9fdc8d35f8d57913a3a5861db7a1073d47ce729.1701120054.git.felix.lechner@HIDDEN>
 <c31f51f5209e6dfe5df01e27698abccd38ddd2c4.1701120054.git.felix.lechner@HIDDEN>
In-Reply-To: <c31f51f5209e6dfe5df01e27698abccd38ddd2c4.1701120054.git.felix.lechner@HIDDEN>

--------------SGGSRoTD2D05xj1fs0Dkl8Eu
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 2023-11-27 21:20, Felix Lechner wrote:
> Certbot's hooks can be written in any language. in fact, they can be an=
y kind
> of executable. Environment variables are widely used to communicate val=
ues
> across that type of fork(2) boundary. In the context here, it is more a=
ccurate
> to talk about environment variables.
>=20
> Change-Id: If0b476c3367a3108d9365d718a74faa7d9fe7530
> ---
>  doc/guix.texi | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>=20
> diff --git a/doc/guix.texi b/doc/guix.texi
> index b0b1c05c73..440a5f3efa 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -32139,24 +32139,24 @@ Certificate Services
> =20
>  @item @code{authentication-hook} (default: @code{#f})
>  Command to be run in a shell once for each certificate challenge to be=

> -answered.  For this command, the shell variable @code{$CERTBOT_DOMAIN}=

> +answered.  For this command, the environment variable @code{$CERTBOT_D=
OMAIN}

[=E2=80=A6]

>  will contain the domain being authenticated, @code{$CERTBOT_VALIDATION=
}

[=E2=80=A6]

>  contains the validation string and @code{$CERTBOT_TOKEN} contains the

[=E2=80=A6]

>  variables available in the @code{auth-hook} script are still available=
, and
>  additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard out=
put

[=E2=80=A6]

>  @code{$RENEWED_LINEAGE} will point to the config live subdirectory (fo=
r
>  example, @samp{"/etc/letsencrypt/live/example.com"}) containing the ne=
w
> -certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will=

> +certificates and keys; the environment variable @code{$RENEWED_DOMAINS=
} will
>  contain a space-delimited list of renewed certificate domains (for
>  example, @samp{"example.com www.example.com"}.

The correct Texinfo @-command should be @env{CERTBOT_DOMAIN}, =E2=80=A6.

Could you amend and send a v2 that addresses these issues as well?
Other than that, it LGTM.

--=20
Furthermore, I consider that nonfree software must be eradicated.

Cheers,
Bruno.

--------------SGGSRoTD2D05xj1fs0Dkl8Eu--

--------------s80WGHVnW0hdWx0P99uCBDzY
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTAPCseV0HOaN0YFheobOGDL+spVQUCZX4PfgAKCRCobOGDL+sp
VVTiAQCatAiQllltzz9arRgpE1fDw64cmwzFTsI5tPDfVTPRxgEAn5nq/vOg3/VU
wpqrUC22QaneB6QJZepQ1HP/N9hKAQQ=
=irh9
-----END PGP SIGNATURE-----

--------------s80WGHVnW0hdWx0P99uCBDzY--

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#67497] [PATCH] Multiple deploy hooks in certbot service
Resent-From: Felix Lechner <felix.lechner@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sun, 17 Dec 2023 17:47:01 +0000
Resent-Message-ID: <handler.67497.B67497.170283519817143 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 67497
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Bruno Victal <mirai@HIDDEN>, Arun Isaac <arunisaac@HIDDEN>
Cc: 67497 <at> debbugs.gnu.org
Received: via spool by 67497-submit <at> debbugs.gnu.org id=B67497.170283519817143
          (code B ref 67497); Sun, 17 Dec 2023 17:47:01 +0000
Received: (at 67497) by debbugs.gnu.org; 17 Dec 2023 17:46:38 +0000
Received: from localhost ([127.0.0.1]:58997 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rEvDp-0004SQ-Gw
	for submit <at> debbugs.gnu.org; Sun, 17 Dec 2023 12:46:37 -0500
Received: from sail-ipv4.us-core.com ([208.82.101.137]:41410)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <felix.lechner@HIDDEN>) id 1rEvDn-0004SJ-V6
 for 67497 <at> debbugs.gnu.org; Sun, 17 Dec 2023 12:46:36 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=YYt31buC56lwLvr
 zqn9LxOpyvA6g1RRuchLOgeu14KU=;
 h=date:references:in-reply-to:subject:
 cc:to:from; d=lease-up.com; b=FxhnV/t3Mv9AkQyA2+JhehqwxAW6QCDQAkbl/+D9
 +D/9aRSyygVeoiJG2TLFEBvprlTn0yUvvPoVBVHEeDqOkIuVOB/1dZp7XWZ9aAGaufEQRa
 9budARgqi3X2anJ8JjfWYVQQNnSNvxrIZGW1cMBbISZSc6q2YceDHbhyrOYH4=
Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 0d66f2f2
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Sun, 17 Dec 2023 17:46:33 +0000 (UTC)
From: Felix Lechner <felix.lechner@HIDDEN>
In-Reply-To: <a224335a-b8f0-46cd-ba90-8bc51d698376@HIDDEN>
References: <87zfyzkkt4.fsf@HIDDEN> <874jh6bu8c.fsf@HIDDEN>
 <a224335a-b8f0-46cd-ba90-8bc51d698376@HIDDEN>
Date: Sun, 17 Dec 2023 09:46:32 -0800
Message-ID: <875y0wrabr.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi,

Thank you both for reviewing this patch! I have to respond to several
reviews and will start with this one, because it weighed the heaviest on
me.

On Sat, Dec 16 2023, Bruno Victal wrote:

> As Arun pointed out, I don't think multiple deploy hooks would be
> adding value here.

Your blanket opposition to this patch is incomprehensible to me from
several angles:

1. A meaningful name for a hook near the certificate declaration is more
administrator-friendly. Someone who manages several certificates, like
my twenty-one certificates [1], can see right away which services are
being restarted.

2. Arun's solution requires an extra procedure and makes the
configuration file longer without without conveying extra meaning.

3. Anyone parsing the code has to look up the definition of the hook in
order to see what it does---and probably also the definition for
'invoke', which is not standard Guile, in the Guix manual. In my view,
your code is not easy to read.

4. The bundling into one script brings no economy, because different
services generally share no code for their reloading. That was already
recognized by Certbot's upstream when the feature for multiple hooks was
added. After all, the concerns can also be combined, as you prefer, in
Certbot's own hooks, but that was apparently unpopular.

5. As a more serious downside, in your cases changing the combined hook
might inadventently reload a certificate for a service does not use
it. A grep is required to check where the cmombined hook is being
used. An extra step is required, and the propensity for errors rises.

6. In your preferred setups, the most elegant way to provide different
hooks is probably '%certbot-hook-1' and 'certbot-hook-2'. Those scripts
will then share code---likely to restart a HTTP server---for no good
reason!

7. User-friendliness is regarded as a worthwhile goal at another, more
popular Linux distribution. [2]

8. Most significantly, your use case isn't affected by this patch! The
use of combined hooks, which you prefer, is still possible should this
patch be accepted.

In summary, I do not understand what motivated you to object to this
patch, but I recognize that the opinions of reasonable people can
differ.

As a side note, I have contributed upstream, but not to the feature we
are discussing here. [3]

> What would be interesting though is adding service-extensions support
> for certbot-service-type. Roughly speaking, two plausible ways to
> achieve this would be:
>
> * Single deploy-hook and ungexp-splicing, i.e.:
>
> [...]
>
> * Multiple --deploy-hook =E2=80=A6 behind the scenes (the deploy-hook
> field in <certificate-configuration> still accepts only a single hook)

While I very much respect Bruno's opinion and guidance on Guix services
(and genuinely appreciated this review) I do not understand what those
sentences mean.

I guess it's shame on me.

I can, however, say that I likewise fail to see an advantage in more
complexity when my patch does nearly the same thing in three lines.

Thank you!

Kind regards
Felix

[1] https://codeberg.org/lechner/system-config/src/commit/b566b08a982a12f89=
6cd6e6666f7849dbac0ce2e/host/wallace-server/operating-system.scm#L1097-L1193
[2] point 4, https://www.debian.org/social_contract.html
[3] https://github.com/certbot/certbot/blob/master/AUTHORS.md

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#67497] [PATCH] Multiple deploy hooks in certbot service
Resent-From: Arun Isaac <arunisaac@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Tue, 19 Dec 2023 06:31:02 +0000
Resent-Message-ID: <handler.67497.B67497.17029674164281 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 67497
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Felix Lechner <felix.lechner@HIDDEN>, Bruno Victal <mirai@HIDDEN>
Cc: 67497 <at> debbugs.gnu.org
Received: via spool by 67497-submit <at> debbugs.gnu.org id=B67497.17029674164281
          (code B ref 67497); Tue, 19 Dec 2023 06:31:02 +0000
Received: (at 67497) by debbugs.gnu.org; 19 Dec 2023 06:30:16 +0000
Received: from localhost ([127.0.0.1]:34158 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rFTcO-00016S-EA
	for submit <at> debbugs.gnu.org; Tue, 19 Dec 2023 01:30:16 -0500
Received: from mugam.systemreboot.net ([139.59.75.54]:56696)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <arunisaac@HIDDEN>) id 1rFTcL-00014w-Fj
 for 67497 <at> debbugs.gnu.org; Tue, 19 Dec 2023 01:30:15 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=systemreboot.net; s=default; h=Content-Type:MIME-Version:Message-ID:Date:
 References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To:
 Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
 List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=+eiEw4ePthIXK22a1CtflzxvpmRwM2trRNE0qKvpjJc=; b=BtG5nSE6Raz/bpARYmrNBHAgD8
 nphsxQrfJTaVdtWia2TBycta9V89UufYO3dNLgoMD5TylYPB8a1VQquCcZ58/DKITmaFrIPQPXOL+
 1RhOz34hCWv7fyiey8PySsF7hNoPMCBD1PbRrJ0eFK/LwpKofE6MLXRYD4D1fftW+XFw8/fU8nMKa
 h8TJuEvxQwYM8LEAilg3Rv4LHBWmeDULchoc2+ntxvv//AF7xpqCWCE9h+Cu6G7QdmWCtOGSol2DV
 Rxg60WoqouTQOD3Kru5isoCLMG7fAwxZqAwzXV4zdR9EGNel/IugmJmxRYgRKls7tF/Jiuz89eq3p
 n6SHiMZg==;
Received: from [192.168.2.1] (port=45110 helo=localhost)
 by systemreboot.net with esmtpsa (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.1)
 (envelope-from <arunisaac@HIDDEN>) id 1rFTbk-0001qn-0V;
 Tue, 19 Dec 2023 06:29:36 +0000
From: Arun Isaac <arunisaac@HIDDEN>
In-Reply-To: <875y0wrabr.fsf@HIDDEN>
References: <87zfyzkkt4.fsf@HIDDEN> <874jh6bu8c.fsf@HIDDEN>
 <a224335a-b8f0-46cd-ba90-8bc51d698376@HIDDEN>
 <875y0wrabr.fsf@HIDDEN>
Date: Tue, 19 Dec 2023 06:29:55 +0000
Message-ID: <8734vyu2l8.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


Hi Felix,

You make good points. Having multiple deploy hooks is probably in the
spirit of the certbot project and makes for more declarative
configuration. However, I still feel that combining multiple deploy
hooks into one is better /composition/, more schemy and less complexity
for the Guix certbot service. But, if others feel that multiple deploy
hooks make sense, I am very happy to accept that.

> Your blanket opposition to this patch is incomprehensible to me from
> several angles:

And, I am not in blanket opposition to this patch. :-) I was just
contributing my two cents to the discussion. I suggested the alternative
of combining hooks just in case you had not already thought of it. I am
not invested in the certbot service. I don't even use it myself.

Regards,
Arun

Last modified: Sat, 20 Jan 2024 12:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.