Diffstat (limited to 'src/Propellor/Property/LetsEncrypt.hs')
| -rw-r--r-- | src/Propellor/Property/LetsEncrypt.hs | 55 |
1 files changed, 22 insertions, 33 deletions
diff --git a/src/Propellor/Property/LetsEncrypt.hs b/src/Propellor/Property/LetsEncrypt.hs
index 651cffd9..d5528c64 100644
--- a/src/Propellor/Property/LetsEncrypt.hs
+++ b/src/Propellor/Property/LetsEncrypt.hs
@@ -23,22 +23,29 @@ type WebRoot = FilePath
 --
 -- This should work with any web server, as long as letsencrypt can
 -- write its temp files to the web root. The letsencrypt client does
--- not modify the web server's configuration in any way; instead the
--- `CertInstaller` is used once the client has successfully obtained the
--- certificate.
---
--- This also handles renewing the certificate, and the `CertInstaller` is
--- also run after renewal. For renewel to work well, propellor needs to be
--- run periodically (at least a couple times per month).
+-- not modify the web server's configuration in any way; this only obtains
+-- the certificate it does not make the web server use it.
 --
--- See `Propellor.Property.Apache.httpsVirtualHost` for a property built using this.
-letsEncrypt :: AgreeTOS -> Domain -> WebRoot -> CertInstaller -> Property NoInfo
+-- This also handles renewing the certificate.
+-- For renewel to work well, propellor needs to be
+-- run periodically (at least a couple times per month).
+--
+-- This property returns `MadeChange` when the certificate is initially
+-- obtained, and when it's renewed. So, it can be combined with a property
+-- to make the webserver (or other server) use the certificate:
+--
+-- > letsEncrypt (AgreeTOS (Just "me@example.com")) "example.com" "/var/www"
+-- > `onChange` Apache.reload
+--
+-- See `Propellor.Property.Apache.httpsVirtualHost` for a more complete
+-- integration of apache with letsencrypt, that's built on top of this.
+letsEncrypt :: AgreeTOS -> Domain -> WebRoot -> Property NoInfo
 letsEncrypt tos domain = letsEncrypt' tos domain []
 
 -- | Like `letsEncrypt`, but the certificate can be obtained for multiple
 -- domains.
-letsEncrypt' :: AgreeTOS -> Domain -> [Domain] -> WebRoot -> CertInstaller -> Property NoInfo
-letsEncrypt' (AgreeTOS memail) domain domains webroot certinstaller =
+letsEncrypt' :: AgreeTOS -> Domain -> [Domain] -> WebRoot -> Property NoInfo
+letsEncrypt' (AgreeTOS memail) domain domains webroot =
 prop `requires` installed
 where
 prop = property desc $ do
@@ -48,9 +55,9 @@ letsEncrypt' (AgreeTOS memail) domain domains webroot certinstaller =
 if ok
 then do
 endstats <- liftIO getstats
- if startstats == endstats
- then return NoChange
- else ensureProperty certsinstalled
+ if startstats /= endstats
+ then return MadeChange
+ else return NoChange
 else do
 liftIO $ hPutStr stderr transcript
 return FailedChange
@@ -79,26 +86,8 @@ letsEncrypt' (AgreeTOS memail) domain domains webroot certinstaller =
 statfile f = catchMaybeIO $ do
 s <- getFileStatus f
 return (fileID s, deviceID s, fileMode s, fileSize s, modificationTime s)
-
- certsinstalled = propertyList ("certs installed") $
- flip map alldomains $ \d -> certinstaller d
- (certFile d)
- (privKeyFile d)
- (chainFile d)
- (fullChainFile d)
-
--- | A property that installs a certificate, once letsencrypt obtains it.
---
--- For example, it could configure the web server to use the certificate
--- files, and restart the web server.
-type CertInstaller = Domain -> CertFile -> PrivKeyFile -> ChainFile -> FullChainFile -> Property NoInfo
-
--- | Locations of certificate files generated by lets encrypt.
-type CertFile = FilePath
-type PrivKeyFile = FilePath
-type ChainFile = FilePath
-type FullChainFile = FilePath
 
+-- | The cerificate files that letsencrypt will make available for a domain.
 liveCertDir :: Domain -> FilePath
 liveCertDir d = "/etc/letsencrypt/live" </> d
 
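Review bot: The rewritten haddock keeps the misspelling on the added line `+-- For renewel to work well, propellor needs to be`, and the added sentence `this only obtains the certificate it does not make the web server use it` runs two clauses together; suggest `-- For renewal to work well, propellor needs to be` and `-- the certificate; it does not make the web server use it.`. The new usage example names `Apache.reload`, but nothing in this hunk shows that property exists; as far as I recall the reload property in Propellor.Property.Apache is spelled `reloaded`, so the example is worth checking against that module before it lands in the docs. Since the `CertInstaller` argument is dropped from `letsEncrypt`, a sentence stating that the resulting files (including the private key) are left under the live directory for the caller's property to pick up would make the new contract explicit. The `letsEncrypt'` definition whose signature changes here continues past this hunk.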
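Review bot: The added `if startstats /= endstats then return MadeChange else return NoChange` repeats `return` in both branches; `return (if startstats /= endstats then MadeChange else NoChange)` says the same thing in one line. Nothing near it explains why a before/after stat comparison decides the result, presumably because the client's exit status alone does not tell a renewal from a no-op; a one-line comment such as `-- ok alone does not say whether the cert was renewed; detect that via file stats` would save the next reader the same inference. With `ensureProperty certsinstalled` gone, a caller that omits the `onChange` shown in the docs will have a renewed certificate on disk that the server never loads, which is the intended division of responsibility here but is now entirely on the caller. `letsEncrypt'` starts and ends outside this hunk.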
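Review bot: The added comment `+-- | The cerificate files that letsencrypt will make available for a domain.` has a typo and describes files, while `liveCertDir` returns a directory (`"/etc/letsencrypt/live" </> d`). Suggest `-- | Directory under which letsencrypt makes a domain's certificate files available; see 'certFile', 'privKeyFile', 'chainFile' and 'fullChainFile' for the individual paths.`, given that those helpers are referenced by the removed `certsinstalled` code and are not deleted by this diff. If `privKeyFile` resolves under this directory, as its use alongside `certFile` suggests, the comment is also the natural place to say that callers copying these files elsewhere must keep the key's restrictive permissions.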
