diff --git a/doc/guix.texi b/doc/guix.texi
index f4f21c4744..852b2eb706 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32510,10 +32510,9 @@ Web Services
 @lisp
 (service agate-service-type
- (agate-configuration
- (content "/srv/gemini")
- (cert "/srv/cert.pem")
- (key "/srv/key.rsa")))
+ (agate-configuration
+ (content "/srv/gemini")
+ (certs "/srv/gemini-certs")))
 @end lisp
 The example above represents the minimal tweaking necessary to get Agate
@@ -32544,13 +32543,10 @@ Web Services
 @item @code{content} (default: @file{"/srv/gemini"})
 The directory from which Agate will serve files.
-@item @code{cert} (default: @code{#f}) The path to the TLS certificate PEM file to be used for encrypted
-connections. Must be filled in with a value from the user.
-
-@item @code{key} (default: @code{#f}) The path to the PKCS8 private key file to be used for encrypted
-connections. Must be filled in with a value from the user.
+@item @code{certs} (default: @code{#f}) The path to the directory containing the TLS certificate PEM and the PKCS8
+private key file to be used for encrypted connections. Must be filled in
+with a value from the user.
 @item @code{addr} (default: @code{'("0.0.0.0:1965" "[::]:1965")})
 A list of the addresses to listen on.
@@ -32561,8 +32557,9 @@ Web Services
 @item @code{lang} (default: @code{#f})
 RFC 4646 language code(s) for text/gemini documents. Optional.
-@item @code{silent?} (default: @code{#f})
-Set to @code{#t} to disable logging output.
+@item @code{only-tls13?} (default: @code{#f})
+Set to @code{#t} to allow only connections over TLS v1.3. By default TLS
+v1.2 is also allowed.
 @item @code{serve-secret?} (default: @code{#f})
 Set to @code{#t} to serve secret files (files/directories starting with
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 406117c457..57750e120b 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -302,12 +302,14 @@ (define-module (gnu services web)
 agate-configuration?
 agate-configuration-package
 agate-configuration-content
- agate-configuration-cert
- agate-configuration-key
+ agate-configuration-cert ; deprecated
+ agate-configuration-key ; deprecated
+ agate-configuration-certs
 agate-configuration-addr
 agate-configuration-hostname
 agate-configuration-lang
- agate-configuration-silent
+ agate-configuration-silent ; deprecated
+ agate-configuration-only-tls13
 agate-configuration-serve-secret
 agate-configuration-log-ip
 agate-configuration-user
@@ -2181,6 +2183,8 @@ (define-record-type*
 (default #f))
 (key agate-configuration-key
 (default #f))
+ (certs agate-configuration-certs
+ (default #f))
 (addr agate-configuration-addr
 (default '("0.0.0.0:1965" "[::]:1965")))
 (hostname agate-configuration-hostname
@@ -2189,6 +2193,8 @@ (define-record-type*
 (default #f))
 (silent? agate-configuration-silent
 (default #f))
+ (only-tls13? agate-configuration-only-tls13
+ (default #f))
 (serve-secret? agate-configuration-serve-secret
 (default #f))
 (log-ip? agate-configuration-log-ip
@@ -2202,8 +2208,8 @@ (define-record-type*
 (define agate-shepherd-service
 (match-lambda
- (($ package content cert key addr
- hostname lang silent? serve-secret?
+ (($ package content cert key certs addr
+ hostname lang only-tls13? serve-secret?
 log-ip? user group log-file)
 (list (shepherd-service
 (provision '(agate))
@@ -2213,8 +2219,13 @@ (define agate-shepherd-service
 #~(make-forkexec-constructor
 (list #$agate
 "--content" #$content
- "--cert" #$cert
- "--key" #$key
+ #$@(if certs
+ (list "--certs" certs)
+ (if (and cert key
+ (equal? (dirname cert)
+ (dirname key)))
+ (list "--certs" (dirname cert))
+ '()))
 "--addr" #$@addr
 #$@(if lang
 (list "--lang" lang)
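Review bot: The new match pattern in the `-2202` hunk drops `silent?` from the positional field list, but the record still carries that field between `lang` and `only-tls13?` (it remains as a context line in the `-2189` hunk), so with `$` positional matching `only-tls13?` is bound to the `silent?` field, `serve-secret?` to the `only-tls13?` field, and `log-ip?`, `user`, `group` and `log-file` each receive the value of the preceding field — assuming, as I believe, that define-record-type* keeps fields in declaration order. The visible consequence is that `--only-tls13` is emitted for `(silent? #t)` and the user, group and log-file settings are silently wrong. Keep the deprecated field in the pattern even if unused: `hostname lang silent? only-tls13? serve-secret?`. The match-lambda body continues into the following hunks.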
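Review bot: In the `-2213` hunk, when `certs` is #f and the deprecated `cert`/`key` pair points into different directories, the inner `if` yields `'()` and Agate is launched without any certificate option, so an operator's explicit TLS settings are dropped with no diagnostic; the same happens when all three fields are #f even though the manual says the value must be filled in. That branch should fail at configuration time rather than silently, e.g. `(raise (formatted-message (G_ "agate: 'cert' and 'key' must be in the same directory; use 'certs' instead")))` if (guix diagnostics) and (guix i18n) are in scope in this module, otherwise at least a warning. Note also that the fallback passes only `(dirname cert)`, so the file names given in `cert` and `key` are discarded and the migration only works if they match whatever names Agate expects inside that directory — worth stating in a comment next to the `; deprecated` exports. The `make-forkexec-constructor` form continues past the end of the hunk.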
@@ -2222,7 +2233,7 @@ (define agate-shepherd-service
 #$@(if hostname
 (list "--hostname" hostname)
 '())
- #$@(if silent? '("--silent") '())
+ #$@(if only-tls13? '("--only-tls13") '())
 #$@(if serve-secret? '("--serve-secret") '())
 #$@(if log-ip? '("--log-ip") '()))
 #:user #$user #:group #$group
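Review bot: After the replaced line `silent?` is no longer consulted anywhere in the constructor, so a configuration that still sets `(silent? #t)` is accepted and ignored; the export is tagged `; deprecated` but nothing tells the user the field has stopped having an effect. Assuming the match pattern binds it, I would emit a deprecation diagnostic once the configuration is instantiated, `(when silent? (warning (G_ "the 'silent?' field of agate-configuration is deprecated and has no effect~%")))`, placed before the `shepherd-service` form if `warning` from (guix diagnostics) is available in this module — otherwise a comment on the record field saying it is ignored. The enclosing `list` and gexp start outside this hunk.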