Subject: bug#70429: agate service broken
To: 70429@debbugs.gnu.org
Date: Wed, 17 Apr 2024 19:53:19 +0300
From: Efraim Flashner

Here's a potential patch. I'm not sure about how to deprecate fields.

-- 
Efraim Flashner   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Attachment: newer-agate-service.diff

diff --git a/doc/guix.texi b/doc/guix.texi index f4f21c4744..852b2eb706 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -32510,10 +32510,9 @@ Web Services =20 @lisp (service agate-service-type - (agate-configuration - (content "/srv/gemini") - (cert "/srv/cert.pem") - (key "/srv/key.rsa"))) + (agate-configuration + (content "/srv/gemini") + (certs "/srv/gemini-certs"))) @end lisp =20 The example above represents the minimal tweaking necessary to get Agate @@ -32544,13 +32543,10 @@ Web Services @item @code{content} (default: @file{"/srv/gemini"}) The directory from which Agate will serve files. =20 -@item @code{cert} (default: @code{#f}) -The path to the TLS certificate PEM file to be used for encrypted -connections. Must be filled in with a value from the user. - -@item @code{key} (default: @code{#f}) -The path to the PKCS8 private key file to be used for encrypted -connections. Must be filled in with a value from the user. +@item @code{certs} (default: @code{#f}) +The path to the directory containing the TLS certificate PEM and the PKCS8 +private key file to be used for encrypted connections. Must be filled in +with a value from the user. =20 @item @code{addr} (default: @code{'("0.0.0.0:1965" "[::]:1965")}) A list of the addresses to listen on. @@ -32561,8 +32557,9 @@ Web Services @item @code{lang} (default: @code{#f}) RFC 4646 language code(s) for text/gemini documents. Optional. =20 -@item @code{silent?} (default: @code{#f}) -Set to @code{#t} to disable logging output. +@item @code{only-tls13?} (default: @code{#f}) +Set to @code{#t} to allow only connections over TLS v1.3. By default TLS +v1.2 is also allowed. =20 @item @code{serve-secret?} (default: @code{#f}) Set to @code{#t} to serve secret files (files/directories starting with diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 406117c457..57750e120b 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm 
@@ -302,12 +302,14 @@ (define-module (gnu services web) agate-configuration? agate-configuration-package agate-configuration-content - agate-configuration-cert - agate-configuration-key + agate-configuration-cert ; deprecated + agate-configuration-key ; deprecated + agate-configuration-certs agate-configuration-addr agate-configuration-hostname agate-configuration-lang - agate-configuration-silent + agate-configuration-silent ; deprecated + agate-configuration-only-tls13 agate-configuration-serve-secret agate-configuration-log-ip agate-configuration-user @@ -2181,6 +2183,8 @@ (define-record-type* (default #f)) (key agate-configuration-key (default #f)) + (certs agate-configuration-certs + (default #f)) (addr agate-configuration-addr (default '("0.0.0.0:1965" "[::]:1965"))) (hostname agate-configuration-hostname @@ -2189,6 +2193,8 @@ (define-record-type* (default #f)) (silent? agate-configuration-silent (default #f)) + (only-tls13? agate-configuration-only-tls13 + (default #f)) (serve-secret? agate-configuration-serve-secret (default #f)) (log-ip? agate-configuration-log-ip @@ -2202,8 +2208,8 @@ (define-record-type* =20 (define agate-shepherd-service (match-lambda - (($ package content cert key addr - hostname lang silent? serve-secret? + (($ package content cert key certs addr + hostname lang only-tls13? serve-secret? log-ip? user group log-file) (list (shepherd-service (provision '(agate)) @@ -2213,8 +2219,13 @@ (define agate-shepherd-service #~(make-forkexec-constructor (list #$agate "--content" #$content - "--cert" #$cert - "--key" #$key + #$@(if certs + (list "--certs" certs) + (if (and cert key + (equal? (dirname cert) + (dirname key))) + (list "--certs" (dirname cert)) + '())) "--addr" #$@addr #$@(if lang (list "--lang" lang) 
@@ -2222,7 +2233,7 @@ (define agate-shepherd-service #$@(if hostname (list "--hostname" hostname) '()) - #$@(if silent? '("--silent") '()) + #$@(if only-tls13? '("--only-tls13") '()) #$@(if serve-secret? '("--serve-secret") '()) #$@(if log-ip? '("--log-ip") '())) #:user #$user #:group #$group
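Review bot: the new `($ ...)` pattern in the `@@ -2202,8 +2208,8 @@` hunk drops `silent?`, while the `@@ -2189,6 +2193,8 @@` hunk keeps `silent?` in the record immediately before the new `only-tls13?` field. Because `$` binds record fields by position, every name from `only-tls13?` onwards is now bound to the field before it: `only-tls13?` receives the `silent?` value, `serve-secret?` receives `only-tls13?`, `log-ip?` receives `serve-secret?`, and so on down to `log-file`, which gets the `group` value. Either keep `silent?` in the pattern (`hostname lang silent? only-tls13? serve-secret?`) or, if the field is meant to go, remove it from the record definition as well.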
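Review bot: the `; deprecated` comments in the `@@ -302,12 +302,14 @@` hunk are the only trace of the deprecation: `cert`, `key` and `silent?` stay in the record with exported accessors, yet a `silent? #t` setting is now ignored without any message and the manual hunks drop the fields entirely. Since the cover note asks how to deprecate fields, one option that fits the existing record syntax is a `(sanitize ...)` procedure on each of these fields that emits a deprecation warning when a non-default value is supplied, together with a short "deprecated" entry in the manual, so existing configurations keep working while users are told what to migrate to.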
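Review bot: the fallback in the `@@ -2213,8 +2219,13 @@` hunk only checks that `cert` and `key` share a directory, not that the files in it carry the names Agate looks up under `--certs`, so a configuration with the old `cert`/`key` paths can hand Agate a directory whose contents it will not find and fail only at service start. The remaining branch, where neither `certs` nor a co-located `cert`/`key` pair is set, launches Agate with no certificate arguments at all even though the manual says the value must be filled in; consider raising a configuration error in both cases (or at least a warning for the fallback) instead of silently emitting `'()`.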
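Review bot: the manual hunks (`@@ -32544,13 +32543,10 @@` and `@@ -32561,8 +32557,9 @@`) describe `certs` and `only-tls13?` as if `cert`, `key` and `silent?` never existed, but those fields remain in the record and `cert`/`key` still feed the `--certs` fallback. A one-line deprecation entry per removed field, stating that `cert` and `key` are only honoured when both files live in the directory that is then passed as `--certs` and that `silent?` no longer has any effect, would keep the manual consistent with the code.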