| -rw-r--r-- | sync/vps.scm | 31 |
1 files changed, 17 insertions, 14 deletions
diff --git a/sync/vps.scm b/sync/vps.scm
index 6486776..8ca21cb 100644
--- a/sync/vps.scm
+++ b/sync/vps.scm
@@ -1,5 +1,6 @@
 (use-modules (gnu)
- (ice-9 textual-ports))
+ (ice-9 textual-ports)
+ (guix gexp))
 (use-service-modules networking ssh mcron admin mail web certbot)
 (use-package-modules ssh backup)
@@ -22,6 +23,9 @@ root ALL=(ALL) ALL
 (define mail-domain
 (string-append "mail." tld))
+(define certbot-alias
+ "certbot")
+
 (define letsencrypt-prefix
 "/etc/letsencrypt/live/")
@@ -52,13 +56,6 @@ pki " mail-domain " key \"" (tls-priv-for mail-domain) "\""))
 (string-append prefix "." tld))
 tls-prefixes)))
-;; FIXME: restart the service over killing the process
-(define %nginx-deploy-hook
- (program-file
- "nginx-deploy-hook"
- #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
- (kill pid SIGHUP))))
-
 (operating-system
 (locale "fr_FR.UTF-8")
 (timezone "America/Sao_Paulo")
@@ -94,9 +91,10 @@ pki " mail-domain " key \"" (tls-priv-for mail-domain) "\""))
 (opensmtpd-configuration
 (config-file opensmtpd-config)))
 (service mail-aliases-service-type
- '(("postmaster" "root")
+ `(("postmaster" "root")
 ("webmaster" "root")
- ("abuse" "root")))
+ ("abuse" "root")
+ (,certbot-alias "root")))
 (service nginx-service-type
 (nginx-configuration
 (server-blocks
@@ -110,13 +108,18 @@ pki " mail-domain " key \"" (tls-priv-for mail-domain) "\""))
 (ssl-certificate-key (tls-priv-for tld)))))))
 (service certbot-service-type
 (certbot-configuration
- (email (string-append "certbot@" tld))
+ (email (string-append certbot-alias "@" tld))
 (certificates
 (list
 (certificate-configuration
- (domains tls-domains)
- ;; FIXME: call /var/lib/certbot/renew-certificates on deploy-hook
- (deploy-hook %nginx-deploy-hook)))))))
+ (domains tls-domains))))))
+ (simple-service 'automatic-certbot-renewal
+ activation-service-type
+ (with-imported-modules '((gnu services herd))
+ #~(begin
+ (use-modules (gnu services herd))
+ (execl "/var/lib/certbot/renew-certificates")
+ (restart-service 'nginx)))))
 %base-services))
 (bootloader
 (bootloader-configuration |
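Review bot: `(execl "/var/lib/certbot/renew-certificates")` in the new activation snippet replaces the running activation process with the renewal script and never returns, so `(restart-service 'nginx)` on the next line is dead code and, as far as I can tell, whatever activation code is queued after this service is skipped too; if the script is missing (e.g. before certbot has ever run) `execl` raises instead. Run it as a child and gate the restart on its exit status: `(when (zero? (system* "/var/lib/certbot/renew-certificates")) (restart-service 'nginx))`. Separately, activation-service-type only fires at boot and on `guix system reconfigure`, not on the schedule certificates are renewed on (certbot-service-type installs its own periodic renew-certificates job, as far as I recall), so with the `deploy-hook` dropped nginx will keep serving the old certificate until the next reconfigure — the restart belongs in a `deploy-hook` program-file that calls `(restart-service 'nginx)` via the `(gnu services herd)` module this snippet already imports, and note the removed hook's SIGHUP was a graceful reload whereas a restart drops in-flight connections. The `operating-system` form enclosing this hunk starts and ends outside it.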
