From 4bc49e2185179fbbc96a06ff0a921021f746011a Mon Sep 17 00:00:00 2001 From: Rodion Goritskov Date: Sat, 22 Jun 2024 23:33:54 +0400 Subject: services: agate: Update options for compatibility with the current Agate version. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/services/web.scm ()[certs]: Add. [cert]: Remove. [key]: Remove. [hostname]: Change from string to list. [silent?]: Remove. [only-tls13?]: Add. [central-conf?]: Add. [ed25519?]: Add. [skip-port-check?]: Add. (agate-shepherd-service): Change handling of addr and hostname, add new options handling. * doc/guix.texi (Web Services): Update. Change-Id: Ifb4968d704627344913bb69f20636d710a4fe738 Signed-off-by: Ludovic Courtès --- doc/guix.texi | 51 ++++++++++++++++++++++++++++++++------------------- 1 file changed, 32 insertions(+), 19 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 9ba96af459..41814042f5 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -32935,25 +32935,30 @@ This is the type of the agate service, whose value should be an (service agate-service-type (agate-configuration (content "/srv/gemini") - (cert "/srv/cert.pem") - (key "/srv/key.rsa"))) + (certs "/srv/gemini-certs"))) @end lisp The example above represents the minimal tweaking necessary to get Agate -up and running. Specifying the path to the certificate and key is +up and running. Specifying the path to the certificate and key directory is always necessary, as the Gemini protocol requires TLS by default. -To obtain a certificate and a key, you could, for example, use OpenSSL, -running a command similar to the following example: +If specified path is writable by Agate, and contains no valid key +and certificate, the Agate will try to generate them on the first start. +If specified directory is read-only - key and certificate should be pre-generated by user. + +To obtain a certificate and a key in a DER format, you could, for example, +use OpenSSL, running a commands similar to the following example: @example -openssl req -x509 -newkey rsa:4096 -keyout key.rsa -out cert.pem \ - -days 3650 -nodes -subj "/CN=example.com" +openssl genpkey -out key.der -outform DER -algorithm RSA \ + -pkeyopt rsa_keygen_bits:4096 +openssl req -x509 -key key.der -outform DER -days 3650 -out cert.der \ + -subj "/CN=example.com" @end example Of course, you'll have to replace @i{example.com} with your own domain name, and then point the Agate configuration towards the path of the -generated key and certificate. +directory with the generated key and certificate using the @code{certs} option. @end defvar 
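Review bot: The new paragraph starting "If specified path is writable by Agate" has several grammar problems and should read roughly: "If the specified path is writable by Agate and contains no valid key and certificate, Agate will try to generate them on the first start. If the specified directory is read-only, the key and certificate must be pre-generated by the user." Likewise "running a commands similar to" should be "running commands similar to". Since the text now says Agate writes key material into this directory itself, the paragraph should also state which user must own the directory and that the generated private key must not be world-readable; a reader setting up "/srv/gemini-certs" by hand has no hint about the required ownership or mode. In the @example block, `openssl req -x509 -key key.der -outform DER ...` relies on OpenSSL auto-detecting the DER key format; adding `-keyform DER` to that line makes the example work on OpenSSL versions that default to PEM for `-key` and makes the intent explicit.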
@@ -32967,30 +32972,38 @@ The package object of the Agate server. @item @code{content} (default: @file{"/srv/gemini"}) The directory from which Agate will serve files. -@item @code{cert} (default: @code{#f}) -The path to the TLS certificate PEM file to be used for encrypted -connections. Must be filled in with a value from the user. - -@item @code{key} (default: @code{#f}) -The path to the PKCS8 private key file to be used for encrypted -connections. Must be filled in with a value from the user. +@item @code{certs} (default: @file{"/srv/gemini-certs"}) +Root of the certificate directory. Must be filled in with a value from the user. @item @code{addr} (default: @code{'("0.0.0.0:1965" "[::]:1965")}) A list of the addresses to listen on. -@item @code{hostname} (default: @code{#f}) -The domain name of this Gemini server. Optional. +@item @code{hostnames} (default: @code{'()}) +Virtual hosts for the Gemini server. If multiple values are +specified, corresponding directory names should be present in the @code{content} +directory. Optional. @item @code{lang} (default: @code{#f}) RFC 4646 language code(s) for text/gemini documents. Optional. -@item @code{silent?} (default: @code{#f}) -Set to @code{#t} to disable logging output. +@item @code{only-tls13?} (default: @code{#f}) +Set to @code{#t} to disable support for TLSv1.2. @item @code{serve-secret?} (default: @code{#f}) Set to @code{#t} to serve secret files (files/directories starting with a dot). +@item @code{central-conf?} (default: @code{#f}) +Set to @code{#t} to look for the .meta configuration file in the @code{content} +root directory and will ignore @code{.meta} files in other directories + +@item @code{ed25519?} (default: @code{#f}) +Set to @code{#t} to generate keys using the Ed25519 signature algorithm +instead of the default ECDSA. + +@item @code{skip-port-check?} (default: @code{#f}) +Set to @code{#t} to skip URL port check even when a @code{hostname} is specified. 
+ @item @code{log-ip?} (default: @code{#t}) Whether or not to output IP addresses when logging. -- cgit v1.2.3
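Review bot: The `skip-port-check?` entry says "even when a @code{hostname} is specified", but the option documented a few lines above is now `hostnames` (the commit message also still calls it `hostname`); the cross-reference should use the new name so readers can find the option. The `certs` entry gives a concrete default of @file{"/srv/gemini-certs"} yet keeps the sentence "Must be filled in with a value from the user", which was only accurate when the default was @code{#f}; either drop that sentence or explain that the default directory must still be created and populated (or made writable) before the service starts. The `central-conf?` description mixes two subjects ("Set to @code{#t} to look for the .meta configuration file ... and will ignore @code{.meta} files") and lacks a final period; suggest "Set to @code{#t} to read only the @code{.meta} configuration file in the @code{content} root directory and ignore @code{.meta} files in other directories." The `ed25519?` entry states that auto-generated keys default to ECDSA, while the @example in the previous hunk generates an RSA key; a short note that both pre-generated RSA keys and auto-generated ECDSA/Ed25519 keys are accepted would avoid the apparent contradiction. Minor: "skip URL port check" should be "skip the URL port check".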