Diffstat (limited to 'src/Propellor/Property/LetsEncrypt.hs')
-rw-r--r--src/Propellor/Property/LetsEncrypt.hs55
1 files changed, 22 insertions, 33 deletions
diff --git a/src/Propellor/Property/LetsEncrypt.hs b/src/Propellor/Property/LetsEncrypt.hs
index 651cffd9..d5528c64 100644
--- a/src/Propellor/Property/LetsEncrypt.hs
+++ b/src/Propellor/Property/LetsEncrypt.hs
@@ -23,22 +23,29 @@ type WebRoot = FilePath
--
-- This should work with any web server, as long as letsencrypt can
-- write its temp files to the web root. The letsencrypt client does
--- not modify the web server's configuration in any way; instead the
--- `CertInstaller` is used once the client has successfully obtained the
--- certificate.
---
--- This also handles renewing the certificate, and the `CertInstaller` is
--- also run after renewal. For renewel to work well, propellor needs to be
--- run periodically (at least a couple times per month).
+-- not modify the web server's configuration in any way; this only obtains
+-- the certificate it does not make the web server use it.
--
--- See `Propellor.Property.Apache.httpsVirtualHost` for a property built using this.
-letsEncrypt :: AgreeTOS -> Domain -> WebRoot -> CertInstaller -> Property NoInfo
+-- This also handles renewing the certificate.
+-- For renewel to work well, propellor needs to be
+-- run periodically (at least a couple times per month).
+--
+-- This property returns `MadeChange` when the certificate is initially
+-- obtained, and when it's renewed. So, it can be combined with a property
+-- to make the webserver (or other server) use the certificate:
+--
+-- > letsEncrypt (AgreeTOS (Just "me@example.com")) "example.com" "/var/www"
+-- > `onChange` Apache.reload
+--
+-- See `Propellor.Property.Apache.httpsVirtualHost` for a more complete
+-- integration of apache with letsencrypt, that's built on top of this.
+letsEncrypt :: AgreeTOS -> Domain -> WebRoot -> Property NoInfo
letsEncrypt tos domain = letsEncrypt' tos domain []
-- | Like `letsEncrypt`, but the certificate can be obtained for multiple
-- domains.
-letsEncrypt' :: AgreeTOS -> Domain -> [Domain] -> WebRoot -> CertInstaller -> Property NoInfo
-letsEncrypt' (AgreeTOS memail) domain domains webroot certinstaller =
+letsEncrypt' :: AgreeTOS -> Domain -> [Domain] -> WebRoot -> Property NoInfo
+letsEncrypt' (AgreeTOS memail) domain domains webroot =
prop `requires` installed
where
prop = property desc $ do
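Review bot: The new haddock misspells `renewel` on line 31; `-- For renewal to work well, propellor needs to be` fixes it, and the new comment in the third hunk has the same kind of slip (`cerificate`), which should read `-- | The certificate files that letsencrypt will make available for a domain.`. The sentence on lines 25–26 runs two clauses together without punctuation; `-- the certificate; it does not make the web server use it.` reads more cleanly. Dropping the `CertInstaller` argument from `letsEncrypt` and `letsEncrypt'` breaks every existing call site, and because the diffstat is limited to this file it is not visible here whether `Propellor.Property.Apache.httpsVirtualHost` (named on line 41) was updated accordingly.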
@@ -48,9 +55,9 @@ letsEncrypt' (AgreeTOS memail) domain domains webroot certinstaller =
if ok
then do
endstats <- liftIO getstats
- if startstats == endstats
- then return NoChange
- else ensureProperty certsinstalled
+ if startstats /= endstats
+ then return MadeChange
+ else return NoChange
else do
liftIO $ hPutStr stderr transcript
return FailedChange
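Review bot: The `if`/`then`/`else` on lines 61–63 wraps both branches in `return`; lifting it out, `return $ if startstats /= endstats then MadeChange else NoChange`, says the same thing in one line and keeps the branch about the value rather than the effect. The enclosing `prop` body starts and ends outside this hunk. Note also that the result now only signals `MadeChange`; actually picking up a renewed certificate depends entirely on whatever the caller attaches with `onChange`, so a caller without one is presumably left serving the old certificate until it expires — the haddock in the first hunk covers this, so this is only a reminder that the contract has moved to the call site.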
@@ -79,26 +86,8 @@ letsEncrypt' (AgreeTOS memail) domain domains webroot certinstaller =
statfile f = catchMaybeIO $ do
s <- getFileStatus f
return (fileID s, deviceID s, fileMode s, fileSize s, modificationTime s)
-
- certsinstalled = propertyList ("certs installed") $
- flip map alldomains $ \d -> certinstaller d
- (certFile d)
- (privKeyFile d)
- (chainFile d)
- (fullChainFile d)
-
--- | A property that installs a certificate, once letsencrypt obtains it.
---
--- For example, it could configure the web server to use the certificate
--- files, and restart the web server.
-type CertInstaller = Domain -> CertFile -> PrivKeyFile -> ChainFile -> FullChainFile -> Property NoInfo
-
--- | Locations of certificate files generated by lets encrypt.
-type CertFile = FilePath
-type PrivKeyFile = FilePath
-type ChainFile = FilePath
-type FullChainFile = FilePath
+-- | The cerificate files that letsencrypt will make available for a domain.
liveCertDir :: Domain -> FilePath
liveCertDir d = "/etc/letsencrypt/live" </> d