services: agate: Update options for compatibility with the current Agate version.

* gnu/services/web.scm (<agate-configuration>)[certs]: Add.
[cert]: Remove.
[key]: Remove.
[hostname]: Change from string to list.
[silent?]: Remove.
[only-tls13?]: Add.
[central-conf?]: Add.
[ed25519?]: Add.
[skip-port-check?]: Add.
(agate-shepherd-service): Change handling of addr and hostname, add new
options handling.
* doc/guix.texi (Web Services): Update.

Change-Id: Ifb4968d704627344913bb69f20636d710a4fe738
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

1 files changed, 32 insertions, 19 deletions

diff --git a/doc/guix.texi b/doc/guix.texi
index 9ba96af459..41814042f5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32935,25 +32935,30 @@ This is the type of the agate service, whose value should be an
 (service agate-service-type
 	 (agate-configuration
 	   (content "/srv/gemini")
-	   (cert "/srv/cert.pem")
-	   (key "/srv/key.rsa")))
+	   (certs "/srv/gemini-certs")))
 @end lisp
 
 The example above represents the minimal tweaking necessary to get Agate
-up and running.  Specifying the path to the certificate and key is
+up and running.  Specifying the path to the certificate and key directory is
 always necessary, as the Gemini protocol requires TLS by default.
 
-To obtain a certificate and a key, you could, for example, use OpenSSL,
-running a command similar to the following example:
+If specified path is writable by Agate, and contains no valid key
+and certificate, the Agate will try to generate them on the first start.
+If specified directory is read-only - key and certificate should be pre-generated by user.
+
+To obtain a certificate and a key in a DER format, you could, for example,
+use OpenSSL, running a commands similar to the following example:
 
 @example
-openssl req -x509 -newkey rsa:4096 -keyout key.rsa -out cert.pem \
-    -days 3650 -nodes -subj "/CN=example.com"
+openssl genpkey -out key.der -outform DER -algorithm RSA \
+    -pkeyopt rsa_keygen_bits:4096
+openssl req -x509 -key key.der -outform DER -days 3650 -out cert.der \
+    -subj "/CN=example.com"
 @end example
 
 Of course, you'll have to replace @i{example.com} with your own domain
 name, and then point the Agate configuration towards the path of the
-generated key and certificate.
+directory with the generated key and certificate using the @code{certs} option.
 
 @end defvar
 
@@ -32967,30 +32972,38 @@ The package object of the Agate server.
 @item @code{content} (default: @file{"/srv/gemini"})
 The directory from which Agate will serve files.
 
-@item @code{cert} (default: @code{#f})
-The path to the TLS certificate PEM file to be used for encrypted
-connections.  Must be filled in with a value from the user.
-
-@item @code{key} (default: @code{#f})
-The path to the PKCS8 private key file to be used for encrypted
-connections.  Must be filled in with a value from the user.
+@item @code{certs} (default: @file{"/srv/gemini-certs"})
+Root of the certificate directory. Must be filled in with a value from the user.
 
 @item @code{addr} (default: @code{'("0.0.0.0:1965" "[::]:1965")})
 A list of the addresses to listen on.
 
-@item @code{hostname} (default: @code{#f})
-The domain name of this Gemini server.  Optional.
+@item @code{hostnames} (default: @code{'()})
+Virtual hosts for the Gemini server. If multiple values are
+specified, corresponding directory names should be present in the @code{content}
+directory. Optional.
 
 @item @code{lang} (default: @code{#f})
 RFC 4646 language code(s) for text/gemini documents.  Optional.
 
-@item @code{silent?} (default: @code{#f})
-Set to @code{#t} to disable logging output.
+@item @code{only-tls13?} (default: @code{#f})
+Set to @code{#t} to disable support for TLSv1.2.
 
 @item @code{serve-secret?} (default: @code{#f})
 Set to @code{#t} to serve secret files (files/directories starting with
 a dot).
 
+@item @code{central-conf?} (default: @code{#f})
+Set to @code{#t} to look for the .meta configuration file in the @code{content}
+root directory and will ignore @code{.meta} files in other directories
+
+@item @code{ed25519?} (default: @code{#f})
+Set to @code{#t} to generate keys using the Ed25519 signature algorithm
+instead of the default ECDSA.
+
+@item @code{skip-port-check?} (default: @code{#f})
+Set to @code{#t} to skip URL port check even when a @code{hostname} is specified.
+
 @item @code{log-ip?} (default: @code{#t})
 Whether or not to output IP addresses when logging.