diff options
author | Sean Whitton <spwhitton@spwhitton.name> | 2021-06-23 17:05:51 -0700 |
---|---|---|
committer | Sean Whitton <spwhitton@spwhitton.name> | 2021-06-25 16:10:35 -0700 |
commit | 4b6dc7906d48cd609367a83b051310f4967d5098 (patch) | |
tree | d64e66e5c2c0d3440b0bb1a5de665f6007fd0b74 /src/property/lets-encrypt.lisp | |
parent | c45e0395c8573b81800b5a4a50ef73d760e28d2c (diff) | |
download | consfigurator-4b6dc7906d48cd609367a83b051310f4967d5098.tar.gz |
add LETS-ENCRYPT:CERTIFICATE-OBTAINED
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Diffstat (limited to 'src/property/lets-encrypt.lisp')
-rw-r--r-- | src/property/lets-encrypt.lisp | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/src/property/lets-encrypt.lisp b/src/property/lets-encrypt.lisp new file mode 100644 index 0000000..6db56e7 --- /dev/null +++ b/src/property/lets-encrypt.lisp @@ -0,0 +1,69 @@ +;;; Consfigurator -- Lisp declarative configuration management system + +;;; Copyright (C) 2021 Sean Whitton <spwhitton@spwhitton.name> + +;;; This file is free software; you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3, or (at your option) +;;; any later version. + +;;; This file is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. + +;;; You should have received a copy of the GNU General Public License +;;; along with this program. If not, see <http://www.gnu.org/licenses/>. + +(in-package :consfigurator.property.lets-encrypt) +(named-readtables:in-readtable :consfigurator) + +(defproplist installed :posix () + (:desc "Let's Encrypt client installed") + (os:etypecase + (debianlike (apt:installed "certbot")))) + +(defclass agree-tos () + ((email-address :initarg :email-address)) + (:documentation + "Object representing your agreement with the Let's Encrypt Subscriber +Agreement; you will need to pass this to properties which will invoke the +Let's Encrypt client. Supply an e-mail address so that Let's Encrypt can +contact you for things like certificate expiry, planned outage notifications +etc.")) + +;; Based on Propellor's LetsEncrypt.letsEncrypt' property. +(defprop %obtained :posix (agree-tos htdocs domains) + (:apply + (check-type agree-tos agree-tos) + (let ((dir (ensure-directory-pathname + (merge-pathnames (car domains) #P"/etc/letsencrypt/live/")))) + (with-change-if-changes-file ((merge-pathnames "fullchain.pem" dir)) + (with-change-if-changes-file ((merge-pathnames "chain.pem" dir)) + (with-change-if-changes-file ((merge-pathnames "privkey.pem" dir)) + (with-change-if-changes-file ((merge-pathnames "cert.pem" dir)) + (mrun "letsencrypt" "certonly" "--agree-tos" + (if (slot-boundp agree-tos 'email-address) + (strcat "--email=" (slot-value agree-tos 'email-address)) + "--register-unsafely-without-email") + "--webroot" "--webroot-path" htdocs + "--text" "--noninteractive" "--keep-until-expiring" + ;; Always request expansion in case DOMAINS has changed. + "--expand" + (loop for domain in domains + collect (strcat "--domain=" domain)))))))))) + +(defproplist certificate-obtained :posix (agree-tos htdocs &rest domains) + "Obtains, and renews as necessary, an SSL certificate for DOMAINS. +The first element of DOMAINS is the Common Name of the certificate. Use of +this property implies agreement with the Let's Encrypt Subscriber Agreement; +AGREE-TOS is an instance of LETS-ENCRYPT:AGREE-TOS. HTDOCS is the web root +for DOMAINS, which must be writeable, and publically available over plain +HTTP. + +This property does nothing to ensure that your web server will actually use +the obtained certificate. Typically you'll want to combine this property with +web server-specific properties in a DEFPROPLIST/DEFPROPSPEC." + (:desc (format nil "Let's Encrypt for ~{~A~^, ~}" domains)) + (installed) + (%obtained agree-tos htdocs domains)) |