On 2019-02-22 14:49, Julien Lepiller wrote: > Hi, > > I use certificates from let's encrypt for my website and mail servers, > and found that there was an issue with certificates generated by the > certbot service in Guix: the generated private keys are world-readable > (in a directory that cannot be accessed by anyone but root, so it's OK I > guess). OpenSMTPD is not happy with that though, so I have to chmod the > files every time. I came up with a variant of the deploy-hook that's > presented in the manual, and I'd like to update the example with it. > Here it is: > > ;; Find running nginx and reload its configuration (for certificates) > (define %my-deploy-hook > (program-file > "my-deploy-hook" > #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read)) > (cert-dir (getenv "RENEWED_LINEAGE")) > (privkey (string-append cert-dir "/privkey.pem"))) > ;; certbot private keys are world-readable by default, and smtpd > complains > ;; about that, refusing to start otherwise > (chmod privkey #o600) > (kill pid SIGHUP)))) > > What do you think? >
LGTM. -- Cheers Swedebugia
signature.asc
Description: OpenPGP digital signature
