From 4bc49e2185179fbbc96a06ff0a921021f746011a Mon Sep 17 00:00:00 2001 From: Rodion Goritskov Date: Sat, 22 Jun 2024 23:33:54 +0400 Subject: [PATCH] services: agate: Update options for compatibility with the current Agate version. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/services/web.scm ()[certs]: Add. [cert]: Remove. [key]: Remove. [hostname]: Change from string to list. [silent?]: Remove. [only-tls13?]: Add. [central-conf?]: Add. [ed25519?]: Add. [skip-port-check?]: Add. (agate-shepherd-service): Change handling of addr and hostname, add new options handling. * doc/guix.texi (Web Services): Update. Change-Id: Ifb4968d704627344913bb69f20636d710a4fe738 Signed-off-by: Ludovic Courtès --- doc/guix.texi | 51 +++++++++++++++++++++++++++----------------- gnu/services/web.scm | 50 ++++++++++++++++++++++++++----------------- 2 files changed, 63 insertions(+), 38 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 9ba96af459..41814042f5 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32935,25 +32935,30 @@ This is the type of the agate service, whose value should be an (service agate-service-type (agate-configuration (content "/srv/gemini") - (cert "/srv/cert.pem") - (key "/srv/key.rsa"))) + (certs "/srv/gemini-certs"))) @end lisp The example above represents the minimal tweaking necessary to get Agate -up and running. Specifying the path to the certificate and key is +up and running. Specifying the path to the certificate and key directory is always necessary, as the Gemini protocol requires TLS by default. -To obtain a certificate and a key, you could, for example, use OpenSSL, -running a command similar to the following example: +If specified path is writable by Agate, and contains no valid key +and certificate, the Agate will try to generate them on the first start. +If specified directory is read-only - key and certificate should be pre-generated by user. + +To obtain a certificate and a key in a DER format, you could, for example, +use OpenSSL, running a commands similar to the following example: @example -openssl req -x509 -newkey rsa:4096 -keyout key.rsa -out cert.pem \ - -days 3650 -nodes -subj "/CN=example.com" +openssl genpkey -out key.der -outform DER -algorithm RSA \ + -pkeyopt rsa_keygen_bits:4096 +openssl req -x509 -key key.der -outform DER -days 3650 -out cert.der \ + -subj "/CN=example.com" @end example Of course, you'll have to replace @i{example.com} with your own domain name, and then point the Agate configuration towards the path of the -generated key and certificate. +directory with the generated key and certificate using the @code{certs} option. @end defvar @@ -32967,30 +32972,38 @@ The package object of the Agate server. @item @code{content} (default: @file{"/srv/gemini"}) The directory from which Agate will serve files. -@item @code{cert} (default: @code{#f}) -The path to the TLS certificate PEM file to be used for encrypted -connections. Must be filled in with a value from the user. - -@item @code{key} (default: @code{#f}) -The path to the PKCS8 private key file to be used for encrypted -connections. Must be filled in with a value from the user. +@item @code{certs} (default: @file{"/srv/gemini-certs"}) +Root of the certificate directory. Must be filled in with a value from the user. @item @code{addr} (default: @code{'("0.0.0.0:1965" "[::]:1965")}) A list of the addresses to listen on. -@item @code{hostname} (default: @code{#f}) -The domain name of this Gemini server. Optional. +@item @code{hostnames} (default: @code{'()}) +Virtual hosts for the Gemini server. If multiple values are +specified, corresponding directory names should be present in the @code{content} +directory. Optional. @item @code{lang} (default: @code{#f}) RFC 4646 language code(s) for text/gemini documents. Optional. -@item @code{silent?} (default: @code{#f}) -Set to @code{#t} to disable logging output. +@item @code{only-tls13?} (default: @code{#f}) +Set to @code{#t} to disable support for TLSv1.2. @item @code{serve-secret?} (default: @code{#f}) Set to @code{#t} to serve secret files (files/directories starting with a dot). +@item @code{central-conf?} (default: @code{#f}) +Set to @code{#t} to look for the .meta configuration file in the @code{content} +root directory and will ignore @code{.meta} files in other directories + +@item @code{ed25519?} (default: @code{#f}) +Set to @code{#t} to generate keys using the Ed25519 signature algorithm +instead of the default ECDSA. + +@item @code{skip-port-check?} (default: @code{#f}) +Set to @code{#t} to skip URL port check even when a @code{hostname} is specified. + @item @code{log-ip?} (default: @code{#t}) Whether or not to output IP addresses when logging. diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 2d24b3c437..e8ddb1d987 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -302,13 +302,15 @@ (define-module (gnu services web) agate-configuration? agate-configuration-package agate-configuration-content - agate-configuration-cert - agate-configuration-key + agate-configuration-certs agate-configuration-addr agate-configuration-hostname agate-configuration-lang - agate-configuration-silent + agate-configuration-only-tls13 agate-configuration-serve-secret + agate-configuration-central-conf + agate-configuration-ed25519 + agate-configuration-skip-port-check agate-configuration-log-ip agate-configuration-user agate-configuration-group @@ -2184,20 +2186,24 @@ (define-record-type* (default agate)) (content agate-configuration-content (default "/srv/gemini")) - (cert agate-configuration-cert - (default #f)) - (key agate-configuration-key - (default #f)) + (certs agate-configuration-certs + (default "/srv/gemini-certs")) (addr agate-configuration-addr (default '("0.0.0.0:1965" "[::]:1965"))) (hostname agate-configuration-hostname - (default #f)) + (default '())) (lang agate-configuration-lang (default #f)) - (silent? agate-configuration-silent - (default #f)) + (only-tls13? agate-configuration-only-tls13 + (default #f)) (serve-secret? agate-configuration-serve-secret (default #f)) + (central-conf? agate-configuration-central-conf + (default #f)) + (ed25519? agate-configuration-ed25519 + (default #f)) + (skip-port-check? agate-configuration-skip-port-check + (default #f)) (log-ip? agate-configuration-log-ip (default #t)) (user agate-configuration-user @@ -2209,8 +2215,10 @@ (define-record-type* (define agate-shepherd-service (match-lambda - (($ package content cert key addr - hostname lang silent? serve-secret? + (($ package content certs addr + hostname lang only-tls13? + serve-secret? central-conf? + ed25519? skip-port-check? log-ip? user group log-file) (list (shepherd-service (provision '(agate)) @@ -2220,17 +2228,21 @@ (define agate-shepherd-service #~(make-forkexec-constructor (list #$agate "--content" #$content - "--cert" #$cert - "--key" #$key - "--addr" #$@addr + "--certs" #$certs + #$@(append-map + (lambda x (append '("--addr") x)) + addr) + #$@(append-map + (lambda x (append '("--hostname") x)) + hostname) #$@(if lang (list "--lang" lang) '()) - #$@(if hostname - (list "--hostname" hostname) - '()) - #$@(if silent? '("--silent") '()) #$@(if serve-secret? '("--serve-secret") '()) + #$@(if only-tls13? '("--only-tls13") '()) + #$@(if central-conf? '("--central-conf") '()) + #$@(if ed25519? '("--ed25519") '()) + #$@(if skip-port-check? '("--skip-port-check") '()) #$@(if log-ip? '("--log-ip") '())) #:user #$user #:group #$group #:log-file #$log-file)))