@@ -32734,25 +32734,30 @@ Web Services
(service agate-service-type
(agate-configuration
(content "/srv/gemini")
- (cert "/srv/cert.pem")
- (key "/srv/key.rsa")))
+ (certs "/srv/gemini-certs")))
@end lisp
The example above represents the minimal tweaking necessary to get Agate
-up and running. Specifying the path to the certificate and key is
+up and running. Specifying the path to the certificate and key directory is
always necessary, as the Gemini protocol requires TLS by default.
-To obtain a certificate and a key, you could, for example, use OpenSSL,
-running a command similar to the following example:
+If specified path is writable by Agate, and contains no valid key
+and certificate, the Agate will try to generate them on the first start.
+If specified directory is read-only - key and certificate should be pre-generated by user.
+
+To obtain a certificate and a key in a DER format, you could, for example,
+use OpenSSL, running a commands similar to the following example:
@example
-openssl req -x509 -newkey rsa:4096 -keyout key.rsa -out cert.pem \
- -days 3650 -nodes -subj "/CN=example.com"
+openssl genpkey -out key.der -outform DER -algorithm RSA \
+ -pkeyopt rsa_keygen_bits:4096
+openssl req -x509 -key key.der -outform DER -days 3650 -out cert.der \
+ -subj "/CN=example.com"
@end example
Of course, you'll have to replace @i{example.com} with your own domain
name, and then point the Agate configuration towards the path of the
-generated key and certificate.
+directory with the generated key and certificate using the @code{certs} option.
@end defvar
@@ -32766,30 +32771,38 @@ Web Services
@item @code{content} (default: @file{"/srv/gemini"})
The directory from which Agate will serve files.
-@item @code{cert} (default: @code{#f})
-The path to the TLS certificate PEM file to be used for encrypted
-connections. Must be filled in with a value from the user.
-
-@item @code{key} (default: @code{#f})
-The path to the PKCS8 private key file to be used for encrypted
-connections. Must be filled in with a value from the user.
+@item @code{certs} (default: @file{"/srv/gemini-certs"})
+Root of the certificate directory. Must be filled in with a value from the user.
@item @code{addr} (default: @code{'("0.0.0.0:1965" "[::]:1965")})
A list of the addresses to listen on.
-@item @code{hostname} (default: @code{#f})
-The domain name of this Gemini server. Optional.
+@item @code{hostnames} (default: @code{'()})
+Virtual hosts for the Gemini server. If multiple values are
+specified, corresponding directory names should be present in the @code{content}
+directory. Optional.
@item @code{lang} (default: @code{#f})
RFC 4646 language code(s) for text/gemini documents. Optional.
-@item @code{silent?} (default: @code{#f})
-Set to @code{#t} to disable logging output.
+@item @code{only-tls13?} (default: @code{#f})
+Set to @code{#t} to disable support for TLSv1.2.
@item @code{serve-secret?} (default: @code{#f})
Set to @code{#t} to serve secret files (files/directories starting with
a dot).
+@item @code{central-conf?} (default: @code{#f})
+Set to @code{#t} to look for the .meta configuration file in the @code{content}
+root directory and will ignore @code{.meta} files in other directories
+
+@item @code{ed25519?} (default: @code{#f})
+Set to @code{#t} to generate keys using the Ed25519 signature algorithm
+instead of the default ECDSA.
+
+@item @code{skip-port-check?} (default: @code{#f})
+Set to @code{#t} to skip URL port check even when a @code{hostname} is specified.
+
@item @code{log-ip?} (default: @code{#t})
Whether or not to output IP addresses when logging.