[bug#71722] [PATCH 0/2] services: Update agate-service-type to match actual agate options

[bug#71722] [PATCH 0/2] services: Update agate-service-type to match actual agate options

[Rodion Goritskov]

Hello!

This patches makes agate-service-type work again - because current version of agate present
in Guix has some options (and their logic) changed, making service-type not working.

I have checked this changes on VM and they seems to be working fine.

Rodion Goritskov (2):
  services: agate: Update options for compatibility with the current
    Agate version.
  services: agate-service-type: Update documentation.

 doc/guix.texi        | 51 +++++++++++++++++++++++++++-----------------
 gnu/services/web.scm | 50 ++++++++++++++++++++++++++-----------------
 2 files changed, 63 insertions(+), 38 deletions(-)


base-commit: 1e336025957583fd978df49a24c6a1bb358c618d
-- 
2.45.1

[bug#71722] [PATCH 1/2] services: agate: Update options for compatibility with the current Agate version.

[Rodion Goritskov]

* gnu/services/web.scm (<agate-configuration>)[certs]: Add.
* gnu/services/web.scm (<agate-configuration>)[cert]: Remove.
* gnu/services/web.scm (<agate-configuration>)[key]: Remove.
* gnu/services/web.scm (<agate-configuration>)[hostname]: Change from string
to list.
* gnu/services/web.scm (<agate-configuration>)[silent?]: Remove.
* gnu/services/web.scm (<agate-configuration>)[only-tls13?]: Add.
* gnu/services/web.scm (<agate-configuration>)[central-conf?]: Add.
* gnu/services/web.scm (<agate-configuration>)[ed25519?]: Add.
* gnu/services/web.scm (<agate-configuration>)[skip-port-check?]: Add.
* gnu/services/web.scm (agate-shepherd-service): Change handling of addr and
hostname, add new options handling.

Change-Id: Ibc83a7254d1e425604d4aa0b95cbaa74fc9c72eb
---
 gnu/services/web.scm | 50 +++++++++++++++++++++++++++-----------------
 1 file changed, 31 insertions(+), 19 deletions(-)

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 406117c457..1ee1fff9ed 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -302,13 +302,15 @@ (define-module (gnu services web)
             agate-configuration?
             agate-configuration-package
             agate-configuration-content
-            agate-configuration-cert
-            agate-configuration-key
+            agate-configuration-certs
             agate-configuration-addr
             agate-configuration-hostname
             agate-configuration-lang
-            agate-configuration-silent
+            agate-configuration-only-tls13
             agate-configuration-serve-secret
+            agate-configuration-central-conf
+            agate-configuration-ed25519
+            agate-configuration-skip-port-check
             agate-configuration-log-ip
             agate-configuration-user
             agate-configuration-group
@@ -2177,20 +2179,24 @@ (define-record-type* <agate-configuration>
             (default agate))
   (content  agate-configuration-content
             (default "/srv/gemini"))
-  (cert     agate-configuration-cert
-            (default #f))
-  (key      agate-configuration-key
-            (default #f))
+  (certs     agate-configuration-certs
+             (default "/srv/gemini-certs"))
   (addr     agate-configuration-addr
             (default '("0.0.0.0:1965" "[::]:1965")))
   (hostname agate-configuration-hostname
-            (default #f))
+            (default '()))
   (lang     agate-configuration-lang
             (default #f))
-  (silent?  agate-configuration-silent
-            (default #f))
+  (only-tls13? agate-configuration-only-tls13
+               (default #f))
   (serve-secret? agate-configuration-serve-secret
                  (default #f))
+  (central-conf? agate-configuration-central-conf
+                 (default #f))
+  (ed25519? agate-configuration-ed25519
+            (default #f))
+  (skip-port-check? agate-configuration-skip-port-check
+                    (default #f))
   (log-ip?  agate-configuration-log-ip
             (default #t))
   (user     agate-configuration-user
@@ -2202,8 +2208,10 @@ (define-record-type* <agate-configuration>
 
 (define agate-shepherd-service
   (match-lambda
-    (($ <agate-configuration> package content cert key addr
-                              hostname lang silent? serve-secret?
+    (($ <agate-configuration> package content certs addr
+                              hostname lang only-tls13?
+                              serve-secret? central-conf?
+                              ed25519? skip-port-check?
                               log-ip? user group log-file)
      (list (shepherd-service
             (provision '(agate))
@@ -2213,17 +2221,21 @@ (define agate-shepherd-service
                      #~(make-forkexec-constructor
                         (list #$agate
                               "--content" #$content
-                              "--cert" #$cert
-                              "--key" #$key
-                              "--addr" #$@addr
+                              "--certs" #$certs
+                              #$@(append-map
+                                  (lambda x (append '("--addr") x))
+                                  addr)
+                              #$@(append-map
+                                  (lambda x (append '("--hostname") x))
+                                  hostname)
                               #$@(if lang
                                      (list "--lang" lang)
                                      '())
-                              #$@(if hostname
-                                     (list "--hostname" hostname)
-                                     '())
-                              #$@(if silent? '("--silent") '())
                               #$@(if serve-secret? '("--serve-secret") '())
+                              #$@(if only-tls13? '("--only-tls13") '())
+                              #$@(if central-conf? '("--central-conf") '())
+                              #$@(if ed25519? '("--ed25519") '())
+                              #$@(if skip-port-check? '("--skip-port-check") '())
                               #$@(if log-ip? '("--log-ip") '()))
                         #:user #$user #:group #$group
                         #:log-file #$log-file)))
-- 
2.45.1

[bug#71722] [PATCH 2/2] services: agate-service-type: Update documentation.

[Rodion Goritskov]

* doc/guix.texi: Document (agate-service-type) updated options.

Change-Id: Ifb4968d704627344913bb69f20636d710a4fe738
---
 doc/guix.texi | 51 ++++++++++++++++++++++++++++++++-------------------
 1 file changed, 32 insertions(+), 19 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0102fd0fad..c75de94486 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32734,25 +32734,30 @@ Web Services
 (service agate-service-type
 	 (agate-configuration
 	   (content "/srv/gemini")
-	   (cert "/srv/cert.pem")
-	   (key "/srv/key.rsa")))
+	   (certs "/srv/gemini-certs")))
 @end lisp
 
 The example above represents the minimal tweaking necessary to get Agate
-up and running.  Specifying the path to the certificate and key is
+up and running.  Specifying the path to the certificate and key directory is
 always necessary, as the Gemini protocol requires TLS by default.
 
-To obtain a certificate and a key, you could, for example, use OpenSSL,
-running a command similar to the following example:
+If specified path is writable by Agate, and contains no valid key
+and certificate, the Agate will try to generate them on the first start.
+If specified directory is read-only - key and certificate should be pre-generated by user.
+
+To obtain a certificate and a key in a DER format, you could, for example,
+use OpenSSL, running a commands similar to the following example:
 
 @example
-openssl req -x509 -newkey rsa:4096 -keyout key.rsa -out cert.pem \
-    -days 3650 -nodes -subj "/CN=example.com"
+openssl genpkey -out key.der -outform DER -algorithm RSA \
+    -pkeyopt rsa_keygen_bits:4096
+openssl req -x509 -key key.der -outform DER -days 3650 -out cert.der \
+    -subj "/CN=example.com"
 @end example
 
 Of course, you'll have to replace @i{example.com} with your own domain
 name, and then point the Agate configuration towards the path of the
-generated key and certificate.
+directory with the generated key and certificate using the @code{certs} option.
 
 @end defvar
 
@@ -32766,30 +32771,38 @@ Web Services
 @item @code{content} (default: @file{"/srv/gemini"})
 The directory from which Agate will serve files.
 
-@item @code{cert} (default: @code{#f})
-The path to the TLS certificate PEM file to be used for encrypted
-connections.  Must be filled in with a value from the user.
-
-@item @code{key} (default: @code{#f})
-The path to the PKCS8 private key file to be used for encrypted
-connections.  Must be filled in with a value from the user.
+@item @code{certs} (default: @file{"/srv/gemini-certs"})
+Root of the certificate directory. Must be filled in with a value from the user.
 
 @item @code{addr} (default: @code{'("0.0.0.0:1965" "[::]:1965")})
 A list of the addresses to listen on.
 
-@item @code{hostname} (default: @code{#f})
-The domain name of this Gemini server.  Optional.
+@item @code{hostnames} (default: @code{'()})
+Virtual hosts for the Gemini server. If multiple values are
+specified, corresponding directory names should be present in the @code{content}
+directory. Optional.
 
 @item @code{lang} (default: @code{#f})
 RFC 4646 language code(s) for text/gemini documents.  Optional.
 
-@item @code{silent?} (default: @code{#f})
-Set to @code{#t} to disable logging output.
+@item @code{only-tls13?} (default: @code{#f})
+Set to @code{#t} to disable support for TLSv1.2.
 
 @item @code{serve-secret?} (default: @code{#f})
 Set to @code{#t} to serve secret files (files/directories starting with
 a dot).
 
+@item @code{central-conf?} (default: @code{#f})
+Set to @code{#t} to look for the .meta configuration file in the @code{content}
+root directory and will ignore @code{.meta} files in other directories
+
+@item @code{ed25519?} (default: @code{#f})
+Set to @code{#t} to generate keys using the Ed25519 signature algorithm
+instead of the default ECDSA.
+
+@item @code{skip-port-check?} (default: @code{#f})
+Set to @code{#t} to skip URL port check even when a @code{hostname} is specified.
+
 @item @code{log-ip?} (default: @code{#t})
 Whether or not to output IP addresses when logging.
 
-- 
2.45.1

[bug#71722] [PATCH 0/2] services: Update agate-service-type to match actual agate options

[Ludovic Courtès]

Hi Rodion,

Rodion Goritskov <rodion.goritskov@gmail.com> skribis:

> This patches makes agate-service-type work again - because current version of agate present
> in Guix has some options (and their logic) changed, making service-type not working.
>
> I have checked this changes on VM and they seems to be working fine.
>
> Rodion Goritskov (2):
>   services: agate: Update options for compatibility with the current
>     Agate version.
>   services: agate-service-type: Update documentation.

I squashed the two patches (so that the doc is always consistent with
the code) and applied them.

A few things come to mind:

  1. Could you come up with a system test under gnu/tests/*.scm?  That
     would allow us to detect breakage early on next time.

  2. Though a deprecation policy has yet to be written, the idea is that
     we should avoid breaking changes in user configuration as happens
     when changing/removing fields in the config record.

  3. The convention in Guix is to avoid abbreviations (“certificates”
     rather than “certs”, etc.).  I realize those were already there
     though, so I thought I’d rather not ask you for extra work.

Thanks,
Ludo’.