@deftypevr {@code{prosody-configuration} parameter} boolean allow-registration?
Whether to let clients create accounts themselves (in-band registration).
Account creation is disabled by default, for security: an open registration
endpoint on a public server quickly fills up with spam accounts.  See
@url{http://prosody.im/doc/creating_accounts}.
Defaults to @samp{#f}.
@end deftypevr
    
@deftypevr {@code{prosody-configuration} parameter} maybe-ssl-configuration ssl
These are the SSL/TLS-related settings.  Most of them are left unset so that
Prosody's defaults apply.  If you do not completely understand these options,
do not add them to your config: it is easy to lower the security of your
server with them.  See @url{http://prosody.im/doc/advanced_ssl_config}.
    
    Available @code{ssl-configuration} fields are:
    
@deftypevr {@code{ssl-configuration} parameter} maybe-string protocol
The TLS protocol (handshake) to use, passed through to LuaSec.  Leave it
unset to keep Prosody's default.
@end deftypevr
    
    @deftypevr {@code{ssl-configuration} parameter} file-name key
    Path to your private key file, relative to @code{/etc/prosody}.
    Defaults to @samp{"/etc/prosody/certs/key.pem"}.
    @end deftypevr
    
    @deftypevr {@code{ssl-configuration} parameter} file-name certificate
    Path to your certificate file, relative to @code{/etc/prosody}.
    Defaults to @samp{"/etc/prosody/certs/cert.pem"}.
    @end deftypevr
    
    @deftypevr {@code{ssl-configuration} parameter} file-name capath
    Path to directory containing root certificates that you wish Prosody to
    trust when verifying the certificates of remote servers.
    Defaults to @samp{"/etc/ssl/certs"}.
    @end deftypevr
    
    @deftypevr {@code{ssl-configuration} parameter} maybe-file-name cafile
    Path to a file containing root certificates that you wish Prosody to trust.
    Similar to @code{capath} but with all certificates concatenated together.
    @end deftypevr
    
    @deftypevr {@code{ssl-configuration} parameter} maybe-string-list verify
    A list of verification options (these mostly map to OpenSSL's
    @code{set_verify()} flags).
    @end deftypevr
    
    @deftypevr {@code{ssl-configuration} parameter} maybe-string-list options
    A list of general options relating to SSL/TLS.  These map to OpenSSL's
    @code{set_options()}.  For a full list of options available in LuaSec, see the
    LuaSec source.
    @end deftypevr
    
@deftypevr {@code{ssl-configuration} parameter} maybe-non-negative-integer depth
Maximum length of the certificate chain that will be followed when looking
for a trusted root certificate.
@end deftypevr
    
    @deftypevr {@code{ssl-configuration} parameter} maybe-string ciphers
    An OpenSSL cipher string.  This selects what ciphers Prosody will offer to
    clients, and in what order.
    @end deftypevr
    
    @deftypevr {@code{ssl-configuration} parameter} maybe-file-name dhparam
    A path to a file containing parameters for Diffie-Hellman key exchange.  You
    can create such a file with:
    @code{openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048}
    @end deftypevr
    
    @deftypevr {@code{ssl-configuration} parameter} maybe-string curve
    Curve for Elliptic curve Diffie-Hellman. Prosody's default is
    @samp{"secp384r1"}.
    @end deftypevr
    
    @deftypevr {@code{ssl-configuration} parameter} maybe-string-list verifyext
    A list of "extra" verification options.
    @end deftypevr
    
@deftypevr {@code{ssl-configuration} parameter} maybe-string password
Password for encrypted private keys.  Note that, like the rest of the
generated @file{prosody.cfg.lua}, this value is written to the store, which
every local user can read, so it protects the key file only against parties
without an account on the machine.
@end deftypevr
    
    @end deftypevr
    
@deftypevr {@code{prosody-configuration} parameter} boolean c2s-require-encryption?
Whether to force all client-to-server connections to be encrypted.  When
enabled, clients that do not negotiate STARTTLS are refused.
See @url{http://prosody.im/doc/modules/mod_tls}.
Defaults to @samp{#f}.
@end deftypevr
    
@deftypevr {@code{prosody-configuration} parameter} boolean s2s-require-encryption?
Whether to force all server-to-server connections to be encrypted.  Note
that encryption alone does not authenticate the remote server; see
@code{s2s-secure-auth?} for that.
See @url{http://prosody.im/doc/modules/mod_tls}.
Defaults to @samp{#f}.
@end deftypevr
    
@deftypevr {@code{prosody-configuration} parameter} boolean s2s-secure-auth?
Whether to require both encryption and certificate authentication for
server-to-server connections.  This is the strongest setting, but it
requires the servers you communicate with to support encryption AND to
present valid, trusted certificates; federation with servers that do not
will fail.  See @url{http://prosody.im/doc/s2s#security}.
Defaults to @samp{#f}.
@end deftypevr
    
@deftypevr {@code{prosody-configuration} parameter} string-list s2s-insecure-domains
Many servers don't support encryption or have invalid or self-signed
certificates.  You can list domains here that will not be required to
authenticate using certificates.  They will instead be authenticated using
DNS (dialback), which is only as trustworthy as the DNS answers it relies
on.  See @url{http://prosody.im/doc/s2s#security}.
Defaults to @samp{()}.
@end deftypevr
    
    @deftypevr {@code{prosody-configuration} parameter} string-list s2s-secure-domains
    Even if you leave @code{s2s-secure-auth?} disabled, you can still require
    valid certificates for some domains by specifying a list here.  See
    @url{http://prosody.im/doc/s2s#security}.
    Defaults to @samp{()}.
    @end deftypevr
    
@deftypevr {@code{prosody-configuration} parameter} string authentication
Select the authentication backend to use.  The default provider,
@samp{"internal_plain"}, stores passwords in plaintext in Prosody's
configured data storage, so a leak of that storage exposes every user's
password.  Unless you specifically need plaintext storage, use the hashed
backend, @samp{"internal_hashed"}; see
@url{http://prosody.im/doc/modules/mod_auth_internal_hashed}.  See also
@url{http://prosody.im/doc/authentication}.
Defaults to @samp{"internal_plain"}.
@end deftypevr
    
    @deftypevr {@code{prosody-configuration} parameter} maybe-string log
    Set logging options.  Advanced logging configuration is not yet supported
    by the GuixSD Prosody Service.  See @url{http://prosody.im/doc/logging}.
    Defaults to @samp{"*syslog"}.
    @end deftypevr
    
    @deftypevr {@code{prosody-configuration} parameter} file-name pidfile
    File to write pid in.  See @url{http://prosody.im/doc/modules/mod_posix}.
    Defaults to @samp{"/var/run/prosody/prosody.pid"}.
    @end deftypevr
    
    @deftypevr {@code{prosody-configuration} parameter} virtualhost-configuration-list virtualhosts
    A host in Prosody is a domain on which user accounts can be created.  For
    example if you want your users to have addresses like
    @samp{"john.smith@@example.com"} then you need to add a host
    @samp{"example.com"}.  All options in this list will apply only to this host.
    
    Note: the name "virtual" host is used in configuration to avoid confusion with
    the actual physical host that Prosody is installed on.  A single Prosody
    instance can serve many domains, each one defined as a VirtualHost entry in
    Prosody's configuration.  Conversely a server that hosts a single domain would
    have just one VirtualHost entry.
    
    See @url{http://prosody.im/doc/configure#virtual_host_settings}.
    
    Available @code{virtualhost-configuration} fields are:
    
    all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, plus:
    @deftypevr {@code{virtualhost-configuration} parameter} string domain
    Domain you wish Prosody to serve.
    @end deftypevr
    
    @end deftypevr
    
    @deftypevr {@code{prosody-configuration} parameter} int-component-configuration-list int-components
    Components are extra services on a server which are available to clients,
    usually on a subdomain of the main server (such as
    @samp{"mycomponent.example.com"}).  Example components might be chatroom
    servers, user directories, or gateways to other protocols.
    
    Internal components are implemented with Prosody-specific plugins.  To add an
    internal component, you simply fill the hostname field, and the plugin you wish
    to use for the component.
    
    See @url{http://prosody.im/doc/components}.
    Defaults to @samp{()}.
    
    Available @code{int-component-configuration} fields are:
    
    all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, plus:
    @deftypevr {@code{int-component-configuration} parameter} string hostname
    Hostname of the component.
    @end deftypevr
    
    @deftypevr {@code{int-component-configuration} parameter} string plugin
    Plugin you wish to use for the component.
    @end deftypevr
    
    @deftypevr {@code{int-component-configuration} parameter} maybe-mod-muc-configuration mod-muc
    Multi-user chat (MUC) is Prosody's module for allowing you to create
    hosted chatrooms/conferences for XMPP users.
    
    General information on setting up and using multi-user chatrooms can be found
    in the "Chatrooms" documentation (@url{http://prosody.im/doc/chatrooms}),
    which you should read if you are new to XMPP chatrooms.
    
    See also @url{http://prosody.im/doc/modules/mod_muc}.
    
    Available @code{mod-muc-configuration} fields are:
    
    @deftypevr {@code{mod-muc-configuration} parameter} string name
    The name to return in service discovery responses.
    Defaults to @samp{"Prosody Chatrooms"}.
    @end deftypevr
    
@deftypevr {@code{mod-muc-configuration} parameter} string-or-boolean restrict-room-creation
Who may create new chatrooms.  If @samp{#t} or @samp{"admin"}, only service
administrators can create rooms.  The value @samp{"local"} restricts room
creation to users on the service's parent domain, e.g.@: @samp{user@@example.com}
can create rooms on @samp{rooms.example.com}.  If @samp{#f}, anyone can
create a room.
Defaults to @samp{#f}.
@end deftypevr
    
    @deftypevr {@code{mod-muc-configuration} parameter} non-negative-integer max-history-messages
    Maximum number of history messages that will be sent to the member that has
    just joined the room.
    Defaults to @samp{20}.
    @end deftypevr
    
    @end deftypevr
    
    @end deftypevr
    
    @deftypevr {@code{prosody-configuration} parameter} ext-component-configuration-list ext-components
    External components use XEP-0114, which most standalone components
    support.  To add an external component, you simply fill the hostname field.  See
    @url{http://prosody.im/doc/components}.
    Defaults to @samp{()}.
    
    Available @code{ext-component-configuration} fields are:
    
    all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, plus:
@deftypevr {@code{ext-component-configuration} parameter} string component-secret
Password which the component will use to log in.  Like the rest of the
generated @file{prosody.cfg.lua}, it is written to the store, which every
local user can read, so do not reuse it for anything else.
@end deftypevr
    
    @deftypevr {@code{ext-component-configuration} parameter} string hostname
    Hostname of the component.
    @end deftypevr
    
    @end deftypevr
    
    @deftypevr {@code{prosody-configuration} parameter} non-negative-integer-list component-ports
    Port(s) Prosody listens on for component connections.
    @end deftypevr
    
    @deftypevr {@code{prosody-configuration} parameter} string component-interface
    Interface Prosody listens on for component connections.
    Defaults to @samp{"127.0.0.1"}.
    @end deftypevr
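The following is an added example, not part of the Guix manual nor of the
Prosody project: a @code{prosody-configuration} that enables the options above
that matter for security (mandatory TLS for clients and servers,
certificate-based server authentication, hashed password storage,
registration off, and a chatroom component whose rooms only local users can
create).  The domain @samp{example.com}, the component name
@samp{rooms.example.com}, the administrator address and the certificate paths
are placeholders.

```scheme
;; Added example: a hardened Prosody service for the domain example.com.
;; example.com, rooms.example.com, admin@example.com and the certificate
;; paths are placeholders; substitute your own.
(service prosody-service-type
         (prosody-configuration
          (admins (list "admin@example.com"))
          ;; Never let strangers create accounts on a public server.
          (allow-registration? #f)
          ;; The default backend keeps passwords in plaintext; store
          ;; hashed verifiers instead.
          (authentication "internal_hashed")
          ;; STARTTLS is mandatory for clients and for peer servers...
          (c2s-require-encryption? #t)
          (s2s-require-encryption? #t)
          ;; ...and peer servers must also present a trusted certificate.
          ;; Federation with servers lacking valid certificates will fail.
          (s2s-secure-auth? #t)
          ;; Only the paths are set; everything else keeps Prosody's TLS
          ;; defaults, as the manual recommends.
          (ssl (ssl-configuration
                (key "/etc/prosody/certs/example.com.key")
                (certificate "/etc/prosody/certs/example.com.crt")
                ;; Generated with:
                ;;   openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048
                (dhparam "/etc/prosody/certs/dh-2048.pem")))
          (virtualhosts
           (list (virtualhost-configuration
                  (domain "example.com"))))
          (int-components
           (list (int-component-configuration
                  (hostname "rooms.example.com")
                  (plugin "muc")
                  (mod-muc (mod-muc-configuration
                            (name "example.com chatrooms")
                            ;; Only users of example.com may create rooms;
                            ;; remote users can still join existing ones.
                            (restrict-room-creation "local")
                            (max-history-messages 20))))))))
```

The per-host fields (@code{ssl}, the two @code{*-require-encryption?} flags,
@code{s2s-secure-auth?}, @code{authentication}) are also accepted inside a
@code{virtualhost-configuration}, so a server hosting several domains can
relax or tighten them per domain while the values above remain the global
baseline.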
    
    It could be that you just want to get a @code{prosody.cfg.lua}
    up and running.  In that case, you can pass an
    @code{opaque-prosody-configuration} record as the value of
    @code{prosody-service-type}.  As its name indicates, an opaque configuration
    does not have easy reflective capabilities.
    Available @code{opaque-prosody-configuration} fields are:
    
    @deftypevr {@code{opaque-prosody-configuration} parameter} package prosody
    The prosody package.
    @end deftypevr
    
    @deftypevr {@code{opaque-prosody-configuration} parameter} string prosody.cfg.lua
    The contents of the @code{prosody.cfg.lua} to use.
    @end deftypevr
    
    For example, if your @code{prosody.cfg.lua} is just the empty
    string, you could instantiate a prosody service like this:
    
    @example
    (service prosody-service-type
             (opaque-prosody-configuration
              (prosody.cfg.lua "")))
    @end example
    
    
    @node Kerberos Services
    @subsubsection Kerberos Services
    @cindex Kerberos
    
    
The @code{(gnu services kerberos)} module provides services relating to
the authentication protocol @dfn{Kerberos}.
    
    
    @subsubheading Krb5 Service
    
    Programs using a Kerberos client library normally
    expect a configuration file in @file{/etc/krb5.conf}.
    This service generates such a file from a definition provided in the
    operating system declaration.
    It does not cause any daemon to be started.
    
    No ``keytab'' files are provided by this service---you must explicitly create them.
    This service is known to work with the MIT client library, @code{mit-krb5}.
    Other implementations have not been tested.
    
    @defvr {Scheme Variable} krb5-service-type
    A service type for Kerberos 5 clients.
    @end defvr
    
    @noindent
    Here is an example of its use:
    @lisp
    (service krb5-service-type
             (krb5-configuration
              (default-realm "EXAMPLE.COM")
              (allow-weak-crypto? #t)
              (realms (list
                       (krb5-realm
                        (name "EXAMPLE.COM")
                        (admin-server "groucho.example.com")
                        (kdc "karl.example.com"))
                       (krb5-realm
                        (name "ARGRX.EDU")
                        (admin-server "kerb-admin.argrx.edu")
                        (kdc "keys.argrx.edu"))))))
    @end lisp
    
    @noindent
    This example provides a Kerberos@tie{}5 client configuration which:
    @itemize
    @item Recognizes two realms, @i{viz:} ``EXAMPLE.COM'' and ``ARGRX.EDU'', both
    of which have distinct administration servers and key distribution centers;
    @item Will default to the realm ``EXAMPLE.COM'' if the realm is not explicitly
    specified by clients;
    @item Accepts services which only support encryption types known to be weak.
    @end itemize
    
    The @code{krb5-realm} and @code{krb5-configuration} types have many fields.
    Only the most commonly used ones are described here.
    For a full list, and more detailed explanation of each, see the MIT
    @uref{http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html,,krb5.conf}
    documentation.
    
    
    @deftp {Data Type} krb5-realm
    @cindex realm, kerberos
    @table @asis
    @item @code{name}
    This field is a string identifying the name of the realm.
    A common convention is to use the fully qualified DNS name of your organization,
    converted to upper case.
    
    @item @code{admin-server}
    This field is a string identifying the host where the administration server is
    running.
    
    @item @code{kdc}
    This field is a string identifying the key distribution center
    for the realm.
    @end table
    @end deftp
    
    @deftp {Data Type} krb5-configuration
    
    @table @asis
@item @code{allow-weak-crypto?} (default: @code{#f})
If this flag is @code{#t} then services which only offer encryption algorithms
known to be weak (such as single DES) will be accepted.  Leave it off unless
you must interoperate with such legacy services.
    
    @item @code{default-realm} (default: @code{#f})
    This field should be a string identifying the default Kerberos
    realm for the client.
    You should set this field to the name of your Kerberos realm.
    If this value is @code{#f}
    then a realm must be specified with every Kerberos principal when invoking programs
    such as @command{kinit}.
    
    @item @code{realms}
    This should be a non-empty list of @code{krb5-realm} objects, which clients may
    access.
    Normally, one of them will have a @code{name} field matching the @code{default-realm}
    field.
    @end table
    @end deftp
    
    
    
    @subsubheading PAM krb5 Service
    @cindex pam-krb5
    
    
The @code{pam-krb5} service allows for login authentication and password
management via Kerberos.
    You will need this service if you want PAM enabled applications to authenticate
    users using Kerberos.
    
    @defvr {Scheme Variable} pam-krb5-service-type
    A service type for the Kerberos 5 PAM module.
    @end defvr
    
@deftp {Data Type} pam-krb5-configuration
Data type representing the configuration of the Kerberos 5 PAM module.
This type has the following parameters:
    @table @asis
    @item @code{pam-krb5} (default: @code{pam-krb5})
    The pam-krb5 package to use.
    
@item @code{minimum-uid} (default: @code{1000})
The smallest user ID for which Kerberos authentication should be attempted.
Accounts with lower UIDs (system accounts) are ignored by the module and are
handled by the remaining entries in the PAM stack instead, so they cannot be
logged into with a Kerberos password.
    @end table
    @end deftp
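As an added example (not taken from the Guix manual), here is how the two
Kerberos services are combined in the @code{services} field of an
@code{operating-system} declaration: the client configuration makes
@file{/etc/krb5.conf} available, and the PAM service makes PAM-aware programs
use it.  @samp{EXAMPLE.COM} and @samp{kdc.example.com} are placeholders.

```scheme
;; Added example: Kerberos client configuration plus PAM integration.
;; EXAMPLE.COM and kdc.example.com are placeholders.
(define %krb5-client
  (krb5-configuration
   ;; Principals without an explicit realm belong to EXAMPLE.COM.
   (default-realm "EXAMPLE.COM")
   ;; allow-weak-crypto? is left at its default, #f: services that only
   ;; offer weak enctypes such as single DES are refused.
   (realms (list (krb5-realm
                  (name "EXAMPLE.COM")
                  (admin-server "kdc.example.com")
                  (kdc "kdc.example.com"))))))

(define %kerberos-services
  (list
   ;; Generates /etc/krb5.conf; starts no daemon and provides no keytab.
   (service krb5-service-type %krb5-client)
   ;; Lets PAM-aware programs (login, sshd, ...) authenticate against the
   ;; KDC, but only for accounts with UID >= 1000; system accounts are
   ;; left to the rest of the PAM stack.
   (service pam-krb5-service-type
            (pam-krb5-configuration
             (minimum-uid 1000)))))

;; In the operating-system declaration:
;;   (services (append %kerberos-services %base-services))
```

Both services are needed for Kerberos logins: without @code{krb5-service-type}
the PAM module has no realm or KDC to talk to, and without
@code{pam-krb5-service-type} the configuration only serves command-line
tools such as @command{kinit}.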
    
    
    
    @node Web Services
    @subsubsection Web Services
    
    
    @cindex web
    @cindex www
    @cindex HTTP
    
    The @code{(gnu services web)} module provides the following service:
    
    
@deffn {Scheme Procedure} nginx-service [#:nginx nginx] @
       [#:log-directory "/var/log/nginx"] @
       [#:run-directory "/var/run/nginx"] @
       [#:server-list '()] @
       [#:upstream-list '()] @
       [#:config-file @code{#f}]
Return a service that runs @var{nginx}, the nginx web server.

The nginx daemon loads its runtime configuration from @var{config-file}.
Log files are written to @var{log-directory} and temporary runtime data
files are written to @var{run-directory}.  For proper operation, these
arguments should match what is in @var{config-file} to ensure that the
directories are created when the service is activated.

As an alternative to using a @var{config-file}, @var{server-list} can be
used to specify the list of @dfn{server blocks} required on the host and
@var{upstream-list} can be used to specify a list of @dfn{upstream
blocks} to configure.  For this to work, use the default value for
@var{config-file}.
@end deffn
    
@defvr {Scheme Variable} nginx-service-type
This is the service type for the nginx web server.

This service can be extended to add server blocks in addition to the
default one, as in this example:

@example
(simple-service 'my-extra-server nginx-service-type
                (list (nginx-server-configuration
                        (https-port #f)
                        (root "/srv/http/extra-website"))))
@end example
@end defvr
    
    
@deftp {Data Type} nginx-server-configuration
Data type representing the configuration of an nginx server block.

This type has the following parameters:

@table @asis
@item @code{http-port} (default: @code{80})
Nginx will listen for HTTP connections on this port.  Set it to @code{#f} if
nginx should not listen for HTTP (non-secure) connections for this
@dfn{server block}.

@item @code{https-port} (default: @code{443})
Nginx will listen for HTTPS connections on this port.  Set it to @code{#f} if
nginx should not listen for HTTPS (secure) connections for this
@dfn{server block}.

Note that nginx can listen for HTTP and HTTPS connections in the same
@dfn{server block}.

@item @code{server-name} (default: @code{(list 'default)})
A list of server names this server represents.  @code{'default} represents the
default server for connections matching no other server.

@item @code{root} (default: @code{"/srv/http"})
Root of the website nginx will serve.

@item @code{locations} (default: @code{'()})
A list of @dfn{nginx-location-configuration} or
@dfn{nginx-named-location-configuration} records to use within this
server block.

@item @code{index} (default: @code{(list "index.html")})
Index files to look for when clients ask for a directory.  If none of them is
found, what happens depends on nginx's @code{autoindex} setting: with it off
(nginx's own default) the request is refused with 403 Forbidden; with it on,
nginx sends a listing of the directory's files.

@item @code{ssl-certificate} (default: @code{"/etc/nginx/cert.pem"})
Where to find the certificate for secure connections.  Set it to @code{#f} if
you don't have a certificate or you don't want to use HTTPS.

@item @code{ssl-certificate-key} (default: @code{"/etc/nginx/key.pem"})
Where to find the private key for secure connections.  Set it to @code{#f} if
you don't have a key or you don't want to use HTTPS.

@item @code{server-tokens?} (default: @code{#f})
Whether nginx should include its version number in the @code{Server}
response header and in generated error pages.  Leaving this at @code{#f}
avoids advertising the exact version to anyone probing the server.
@end table
@end deftp
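As an added example (not from the Guix manual), here are two server blocks
passed to @code{nginx-service} through @code{#:server-list}: an HTTPS-only
virtual host that does not answer plain HTTP at all, and a plain-HTTP
catch-all for requests whose @code{Host} header matches no configured name,
so such requests get a deterministic answer instead of the content of
whichever block happens to come first.  The host names and the paths under
@file{/etc/nginx} and @file{/srv/http} are placeholders.

```scheme
;; Added example: an HTTPS-only virtual host plus a plain-HTTP default
;; server.  Host names and file paths are placeholders.
(define %www-example-com
  (nginx-server-configuration
   (server-name (list "www.example.com" "example.com"))
   ;; No HTTP listener for this block: the site exists only over TLS.
   (http-port #f)
   (https-port 443)
   (root "/srv/http/example.com")
   (ssl-certificate "/etc/nginx/example.com.crt")
   (ssl-certificate-key "/etc/nginx/example.com.key")
   ;; Keep the nginx version out of the Server header and error pages.
   (server-tokens? #f)))

(define %default-server
  (nginx-server-configuration
   ;; 'default: answers requests that match no other server-name.
   (server-name (list 'default))
   (http-port 80)
   ;; No TLS here, so no certificate or key is referenced.
   (https-port #f)
   (ssl-certificate #f)
   (ssl-certificate-key #f)
   (root "/srv/http/default")
   (server-tokens? #f)))

;; In the operating-system declaration's `services' list:
(nginx-service #:server-list (list %www-example-com %default-server))
```

Because @code{config-file} is left at its default, the directories named by
@code{#:log-directory} and @code{#:run-directory} are the ones nginx actually
uses; if you later switch to a hand-written @code{#:config-file}, keep those
two arguments in step with it.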
    
    
    @node VPN Services
    @subsubsection VPN Services
    @cindex VPN (virtual private network)
    @cindex virtual private network (VPN)
    
The @code{(gnu services vpn)} module provides services related to
@dfn{virtual private networks} (VPNs).  It provides a @emph{client} service for
your machine to connect to a VPN, and a @emph{server} service for your machine
to host a VPN.  Both services use @uref{https://openvpn.net/, OpenVPN}.
    
    @deffn {Scheme Procedure} openvpn-client-service @
           [#:config (openvpn-client-configuration)]
    
    Return a service that runs @command{openvpn}, a VPN daemon, as a client.
    @end deffn
    
    @deffn {Scheme Procedure} openvpn-server-service @
           [#:config (openvpn-server-configuration)]
    
    Return a service that runs @command{openvpn}, a VPN daemon, as a server.
    
    Both can be run simultaneously.
    @end deffn
    
    @c %automatically generated documentation
    
    Available @code{openvpn-client-configuration} fields are:
    
@deftypevr {@code{openvpn-client-configuration} parameter} package openvpn
    The OpenVPN package.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} string pid-file
    The OpenVPN pid file.
    
    Defaults to @samp{"/var/run/openvpn/openvpn.pid"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} proto proto
    The protocol (UDP or TCP) used to open a channel between clients and
    servers.
    
    Defaults to @samp{udp}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} dev dev
    The device type used to represent the VPN connection.
    
    Defaults to @samp{tun}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} string ca
    The certificate authority to check connections against.
    
    Defaults to @samp{"/etc/openvpn/ca.crt"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} string cert
    The certificate of the machine the daemon is running on.  It should be
    signed by the authority given in @code{ca}.
    
    Defaults to @samp{"/etc/openvpn/client.crt"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} string key
    The key of the machine the daemon is running on.  It must be the key whose
    certificate is @code{cert}.
    
    Defaults to @samp{"/etc/openvpn/client.key"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} boolean comp-lzo?
Whether to use the LZO compression algorithm.  Compressing traffic before it
is encrypted lets an attacker who controls part of the plaintext infer the
rest from the ciphertext length, so leave this off unless you need it; both
ends of the tunnel must agree on the setting.
    
    Defaults to @samp{#t}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-key?
Don't re-read key files across @code{SIGUSR1} or @code{--ping-restart}.
    
    Defaults to @samp{#t}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-tun?
Don't close and reopen the TUN/TAP device or run up/down scripts across
@code{SIGUSR1} or @code{--ping-restart} restarts.
    
    Defaults to @samp{#t}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} number verbosity
    Verbosity level.
    
    Defaults to @samp{3}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} tls-auth-client tls-auth
Add an additional layer of HMAC authentication on top of the TLS control
channel to protect against DoS attacks: control packets that do not carry a
valid HMAC under the pre-shared static key are dropped before any TLS
processing takes place.  The same key must be configured on the server.
    
    Defaults to @samp{#f}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} key-usage verify-key-usage?
Whether to check that the server certificate carries the server key-usage
extension (OpenVPN's @code{remote-cert-tls server}).  Without this check,
any certificate signed by @code{ca}, including another client's, could be
used to impersonate the server.
    
    Defaults to @samp{#t}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} bind bind?
    Bind to a specific local port number.
    
    Defaults to @samp{#f}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} resolv-retry resolv-retry?
    Retry resolving server address.
    
    Defaults to @samp{#t}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-client-configuration} parameter} openvpn-remote-list remote
    A list of remote servers to connect to.
    
    Defaults to @samp{()}.
    
    Available @code{openvpn-remote-configuration} fields are:
    
@deftypevr {@code{openvpn-remote-configuration} parameter} string name
    Server name.
    
    Defaults to @samp{"my-server"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-remote-configuration} parameter} number port
    Port number the server listens to.
    
    Defaults to @samp{1194}.
    
    @end deftypevr
    
    @end deftypevr
    @c %end of automatic openvpn-client documentation
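The following is an added example, not part of the Guix manual: an OpenVPN
client that connects to either of two servers, authenticates them by
certificate and key usage, and protects the control channel with the
@code{tls-auth} static key.  The host names, port numbers and every path are
placeholders, and the example assumes that the @code{tls-auth} field takes
the path of the shared static key file.

```scheme
;; Added example: an OpenVPN client with two fallback servers.
;; vpn1/vpn2.example.com, the ports and all file paths are placeholders;
;; the tls-auth value is assumed to be the path of the shared static key.
(openvpn-client-service
 #:config
 (openvpn-client-configuration
  (proto 'udp)
  (dev 'tun)
  ;; The CA that must have signed the server certificate, and our own
  ;; client certificate and key.
  (ca "/etc/openvpn/ca.crt")
  (cert "/etc/openvpn/laptop.crt")
  (key "/etc/openvpn/laptop.key")
  ;; Refuse servers whose certificate lacks the server key-usage extension,
  ;; so a stolen client certificate cannot be used to impersonate the server.
  (verify-key-usage? #t)
  ;; Control packets without a valid HMAC under this key are dropped
  ;; before the TLS handshake starts; the server must use the same key.
  (tls-auth "/etc/openvpn/ta.key")
  ;; Do not compress the encrypted tunnel (compression leaks plaintext
  ;; length information).
  (comp-lzo? #f)
  (persist-key? #t)
  (persist-tun? #t)
  (resolv-retry? #t)
  (verbosity 3)
  ;; Tried in order; the second server listens on 443 to get through
  ;; networks that block 1194.
  (remote (list (openvpn-remote-configuration
                 (name "vpn1.example.com")
                 (port 1194))
                (openvpn-remote-configuration
                 (name "vpn2.example.com")
                 (port 443))))))
```

Both the certificate check and @code{tls-auth} only help if the server side
is set up to match: its certificate must carry the server key-usage
extension, and its @code{tls-auth} must reference the same static key.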
    
    @c %automatically generated documentation
    
    Available @code{openvpn-server-configuration} fields are:
    
@deftypevr {@code{openvpn-server-configuration} parameter} package openvpn
    The OpenVPN package.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} string pid-file
    The OpenVPN pid file.
    
    Defaults to @samp{"/var/run/openvpn/openvpn.pid"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} proto proto
    The protocol (UDP or TCP) used to open a channel between clients and
    servers.
    
    Defaults to @samp{udp}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} dev dev
    The device type used to represent the VPN connection.
    
    Defaults to @samp{tun}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} string ca
    The certificate authority to check connections against.
    
    Defaults to @samp{"/etc/openvpn/ca.crt"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} string cert
The certificate of the machine the daemon is running on.  It should be
signed by the authority given in @code{ca}.  Note that the default path is
the same as for the client configuration; a server will normally point this
at its own server certificate, one carrying the server key-usage extension
that clients check with @code{verify-key-usage?}.

Defaults to @samp{"/etc/openvpn/client.crt"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} string key
The key of the machine the daemon is running on.  It must be the key whose
certificate is @code{cert}.  As with @code{cert}, the default path is the
one used for clients; a server will normally point this at its own key.

Defaults to @samp{"/etc/openvpn/client.key"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} boolean comp-lzo?
Whether to use the LZO compression algorithm.  Compressing traffic before it
is encrypted lets an attacker who controls part of the plaintext infer the
rest from the ciphertext length, so leave this off unless you need it; both
ends of the tunnel must agree on the setting.
    
    Defaults to @samp{#t}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-key?
    Don't re-read key files across SIGUSR1 or --ping-restart.
    
    Defaults to @samp{#t}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-tun?
    Don't close and reopen TUN/TAP device or run up/down scripts across
    SIGUSR1 or --ping-restart restarts.
    
    Defaults to @samp{#t}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} number verbosity
    Verbosity level.
    
    Defaults to @samp{3}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} tls-auth-server tls-auth
    Add an additional layer of HMAC authentication on top of the TLS control
    channel to protect against DoS attacks.
    
    Defaults to @samp{#f}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} number port
    Specifies the port number on which the server listens.
    
    Defaults to @samp{1194}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} ip-mask server
An IP address and netmask specifying the subnet inside the virtual network.
    
    Defaults to @samp{"10.8.0.0 255.255.255.0"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} cidr6 server-ipv6
    A CIDR notation specifying the IPv6 subnet inside the virtual network.
    
    Defaults to @samp{#f}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} string dh
    The Diffie-Hellman parameters file.
    
    Defaults to @samp{"/etc/openvpn/dh2048.pem"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} string ifconfig-pool-persist
    The file that records client IPs.
    
    Defaults to @samp{"/etc/openvpn/ipp.txt"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} gateway redirect-gateway?
    When true, the server will act as a gateway for its clients.
    
    Defaults to @samp{#f}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} boolean client-to-client?
When true, clients are allowed to talk to each other inside the VPN.
    
    Defaults to @samp{#f}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} keepalive keepalive
    Causes ping-like messages to be sent back and forth over the link so
    that each side knows when the other side has gone down.  @code{keepalive}
    requires a pair.  The first element is the period of the ping sending,
    and the second element is the timeout before considering the other side
    down.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} number max-clients
    The maximum number of clients.
    
    Defaults to @samp{100}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} string status
The status file.  This file holds a short report on the current
connections.  It is truncated and rewritten every minute.
    
    Defaults to @samp{"/var/run/openvpn/status"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-server-configuration} parameter} openvpn-ccd-list client-config-dir
The list of per-client configurations, one @code{openvpn-ccd-configuration}
per client.
    
    Defaults to @samp{()}.
    
    Available @code{openvpn-ccd-configuration} fields are:
    
@deftypevr {@code{openvpn-ccd-configuration} parameter} string name
    Client name.
    
    Defaults to @samp{"client"}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask iroute
The client's own network.
    
    Defaults to @samp{#f}.
    
    @end deftypevr
    
@deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask ifconfig-push
    Client VPN IP.
    
    Defaults to @samp{#f}.
    
    @end deftypevr
    
    @end deftypevr
    
    
    @c %end of automatic openvpn-server documentation
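As an added illustration (this is not code from the Guix manual or the Guix source tree), the following operating-system fragment combines the @code{openvpn-server-configuration} and @code{openvpn-ccd-configuration} fields documented above into one server service.  It assumes that @code{openvpn-server-service-type} is exported by @code{(gnu services vpn)}, and that the certificates, the HMAC key @file{ta.key} and the DH parameters under @file{/etc/openvpn} were generated out of band; the client names and addresses are constructed for the example.

```scheme
;; Added example, not part of the Guix manual or the Guix source: an
;; OpenVPN server service for an operating-system declaration.
;; Assumptions: openvpn-server-service-type comes from (gnu services vpn);
;; the PEM files, ta.key and dh2048.pem under /etc/openvpn already exist.
(use-modules (gnu)                ; operating-system, service, %base-services
             (gnu services vpn))  ; openvpn-server-configuration and friends

;; Fixed addresses for known clients, keyed by certificate common name.
;; Each ifconfig-push pair assumes OpenVPN's default net30 topology, in
;; which every client is handed a /30 carved out of the server subnet.
(define %openvpn-clients
  (list (openvpn-ccd-configuration
         (name "alice-laptop")
         (ifconfig-push "10.8.0.10 10.8.0.9"))
        (openvpn-ccd-configuration
         (name "branch-router")
         ;; This client fronts a LAN; iroute tells the server to send
         ;; traffic for that LAN down this client's tunnel.
         (iroute "192.168.50.0 255.255.255.0")
         (ifconfig-push "10.8.0.14 10.8.0.13"))))

(define %openvpn-server
  (service openvpn-server-service-type
           (openvpn-server-configuration
            (proto 'udp)
            (dev 'tun)
            (port 1194)
            ;; The cert/key defaults name client.crt and client.key, so a
            ;; server should always set its own identity explicitly.
            (ca "/etc/openvpn/ca.crt")
            (cert "/etc/openvpn/server.crt")
            (key "/etc/openvpn/server.key")
            (dh "/etc/openvpn/dh2048.pem")
            ;; HMAC on the control channel: packets without a valid HMAC
            ;; are dropped before any TLS processing, which is what
            ;; limits DoS exposure from peers that do not hold ta.key.
            (tls-auth "/etc/openvpn/ta.key")
            ;; Compressing encrypted traffic is a known side channel
            ;; (compression oracles); leave it off unless bandwidth
            ;; needs outweigh that.
            (comp-lzo? #f)
            ;; Address plan for the virtual network.
            (server "10.8.0.0 255.255.255.0")
            (ifconfig-pool-persist "/etc/openvpn/ipp.txt")
            ;; Clients talk to the server, not to each other, and keep
            ;; their own default route.
            (client-to-client? #f)
            (redirect-gateway? #f)
            ;; Ping every 10 seconds; declare the peer down after 120.
            (keepalive '(10 120))
            (max-clients 50)
            ;; Survive SIGUSR1/--ping-restart without re-reading key
            ;; material or tearing down the tun device.
            (persist-key? #t)
            (persist-tun? #t)
            (verbosity 3)
            (status "/var/run/openvpn/status")
            (client-config-dir %openvpn-clients))))

;; Splice the service into an operating-system declaration:
;;   (operating-system
;;     ...
;;     (services (cons %openvpn-server %base-services)))
```

Two points are worth checking in any real deployment: the @code{keepalive} value must be a two-element list, or the record will not serialize, and the @code{ifconfig-push} pairs only make sense for the topology the server actually uses, so they should be regenerated if the subnet in @code{server} changes.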
    
    
    
    @deftp {Data Type} nginx-upstream-configuration
    Data type representing the configuration of an nginx @code{upstream}
    block.  This type has the following parameters:
    
    @table @asis
    @item @code{name}
    Name for this group of servers.
    
    @item @code{servers}
Specify the addresses of the servers in the group.  The address can be
specified as an IP address (e.g. @samp{127.0.0.1}), domain name
(e.g. @samp{backend1.example.com}) or a path to a UNIX socket using the
prefix @samp{unix:}.  For addresses using an IP address or domain name,
the default port is 80, and a different port can be specified
explicitly.
    
    @end table
    @end deftp
    
    
    @deftp {Data Type} nginx-location-configuration
    Data type representing the configuration of an nginx @code{location}
    block.  This type has the following parameters:
    
    @table @asis
    @item @code{uri}
    URI which this location block matches.
    
    @anchor{nginx-location-configuration body}
    @item @code{body}
Body of the location block, specified as a string.  This can contain many
configuration directives.  For example, to pass requests to an upstream
server group defined using an @code{nginx-upstream-configuration} block,
the following directive would be specified in the body: @samp{proxy_pass
http://upstream-name;}.
    
    @end table
    @end deftp
    
    @deftp {Data Type} nginx-named-location-configuration
    Data type representing the configuration of an nginx named location
    block.  Named location blocks are used for request redirection, and not
    used for regular request processing.  This type has the following
    parameters:
    
    @table @asis
    @item @code{name}
    Name to identify this location block.
    
    @item @code{body}
    @xref{nginx-location-configuration body}, as the body for named location
    blocks can be used in a similar way to the
    @code{nginx-location-configuration body}.  One restriction is that the
    body of a named location block cannot contain location blocks.
    
    @end table
    @end deftp
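As an added illustration (not code from the Guix manual or the Guix source tree), here is how the three nginx data types above fit together: an @code{upstream} group reachable only over loopback or a UNIX socket, a regular location that serves files from disk, and a named location that receives the internal redirection from @code{try_files}.  It assumes that @code{nginx-service-type}, @code{nginx-configuration} (with the fields @code{upstream-blocks} and @code{server-blocks}) and @code{nginx-server-configuration} (with the fields @code{server-name}, @code{root} and @code{locations}) are exported by @code{(gnu services web)}, and that location bodies are given as strings as described above; the host name, socket path and document root are constructed for the example.

```scheme
;; Added example, not part of the Guix manual or the Guix source: an nginx
;; front end that serves static files and hands everything else to an
;; application upstream through a named location.  Assumptions: the
;; service type and record names below come from (gnu services web), and
;; location bodies are strings.
(use-modules (gnu)
             (gnu services web))

(define %app-upstream
  ;; Backends are reachable only over loopback or a UNIX socket, so the
  ;; application never has to listen on a routable address.
  (nginx-upstream-configuration
   (name "app-backend")
   (servers (list "127.0.0.1:8080"
                  "unix:/run/app/app.sock"))))

(define %static-location
  ;; Serve the file if it exists under root; otherwise redirect
  ;; internally to the named location @app.
  (nginx-location-configuration
   (uri "/")
   (body "try_files $uri $uri/ @app;")))

(define %app-location
  ;; A named location is never matched against a request URI directly;
  ;; only try_files/error_page redirection reaches it.  The headers pass
  ;; the original Host, client address and scheme to the application,
  ;; which should trust X-Forwarded-For only because it comes from this
  ;; proxy and not from the client.
  (nginx-named-location-configuration
   (name "app")
   (body (string-append
          "proxy_pass http://app-backend;\n"
          "proxy_set_header Host $host;\n"
          "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n"
          "proxy_set_header X-Forwarded-Proto $scheme;"))))

(define %nginx-front-end
  (service nginx-service-type
           (nginx-configuration
            (upstream-blocks (list %app-upstream))
            (server-blocks
             (list (nginx-server-configuration
                    (server-name '("www.example.com"))
                    (root "/srv/www/example")
                    (locations (list %static-location
                                     %app-location))))))))

;; Use in an operating-system declaration:
;;   (services (cons %nginx-front-end %base-services))
```

Note that the upstream name used in @code{proxy_pass} must match the @code{name} field of the @code{nginx-upstream-configuration} exactly, and that a named location body cannot itself contain @code{location} blocks, as stated above.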
    
    
    @node Network File System
    @subsubsection Network File System
    @cindex NFS
    
    The @code{(gnu services nfs)} module provides the following services,
    which are most commonly used in relation to mounting or exporting
    directory trees as @dfn{network file systems} (NFS).
    
    
    @subsubheading RPC Bind Service
    @cindex rpcbind
    
    
The RPC Bind service provides a facility to map program numbers into
universal addresses.
Many NFS-related services use this facility.  Hence it is automatically
started when a dependent service starts.
    
    
    @defvr {Scheme Variable} rpcbind-service-type
A service type for the RPC portmapper daemon.
    @end defvr
    
    
    @deftp {Data Type} rpcbind-configuration
    Data type representing the configuration of the RPC Bind Service.
    This type has the following parameters:
    @table @asis
    @item @code{rpcbind} (default: @code{rpcbind})
    The rpcbind package to use.
    
    @item @code{warm-start?} (default: @code{#t})
    If this parameter is @code{#t}, then the daemon will read a
    state file on startup thus reloading state information saved by a previous
    instance.
    @end table
    @end deftp
    
    
    
    @subsubheading Pipefs Pseudo File System
    @cindex pipefs
    @cindex rpc_pipefs
    
    The pipefs file system is used to transfer NFS related data
    between the kernel and user space programs.
    
    @defvr {Scheme Variable} pipefs-service-type
    A service type for the pipefs pseudo file system.
    @end defvr
    
    @deftp {Data Type} pipefs-configuration
    Data type representing the configuration of the pipefs pseudo file system service.
    This type has the following parameters:
    @table @asis
    @item @code{mount-point} (default: @code{"/var/lib/nfs/rpc_pipefs"})
    The directory to which the file system is to be attached.
    @end table
    @end deftp
    
    
    @subsubheading GSS Daemon Service
    @cindex GSSD
    @cindex GSS
    @cindex global security system
    
The @dfn{global security system} (GSS) daemon provides strong security for
RPC-based protocols.
Before exchanging RPC requests an RPC client must establish a security
context.  Typically this is done using the Kerberos command @command{kinit}
or automatically at login time using PAM services (@pxref{Kerberos Services}).
    
    
    @defvr {Scheme Variable} gss-service-type
    A service type for the Global Security System (GSS) daemon.
    @end defvr
    
    @deftp {Data Type} gss-configuration
    Data type representing the configuration of the GSS daemon service.
    This type has the following parameters:
    @table @asis
    @item @code{nfs-utils} (default: @code{nfs-utils})
    The package in which the @command{rpc.gssd} command is to be found.
    
    @item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
    The directory where the pipefs file system is mounted.
    
    @end table
    @end deftp
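As an added illustration (not code from the Guix manual or the Guix source tree), the fragment below declares the three services above for a host that mounts NFSv4 exports requiring Kerberos security contexts.  It assumes the service types and configuration records documented in this section are exported by @code{(gnu services nfs)}; the point it makes is that the pipefs mount point is shared state between two services and must be set consistently.

```scheme
;; Added example, not part of the Guix manual or the Guix source: the
;; services an NFSv4 client needs before it can use Kerberos-protected
;; exports.  Assumes rpcbind-service-type, pipefs-service-type and
;; gss-service-type with the records shown in this section, all from
;; (gnu services nfs).
(use-modules (gnu)
             (gnu services nfs))

;; One definition for the pipefs mount point: pipefs and rpc.gssd must
;; agree on it, otherwise the kernel's GSS upcalls never reach the
;; daemon and krb5 mounts hang waiting for a context.
(define %rpc-pipefs "/var/lib/nfs/rpc_pipefs")

(define %nfs-client-services
  (list
   ;; Portmapper: maps RPC program numbers to addresses.  With
   ;; warm-start? #f the state file from a previous instance is ignored,
   ;; so only programs that register after boot are advertised; set #t
   ;; when registrations must survive a daemon restart.
   (service rpcbind-service-type
            (rpcbind-configuration
             (warm-start? #f)))
   ;; Kernel <-> user-space channel used by GSS for NFS.
   (service pipefs-service-type
            (pipefs-configuration
             (mount-point %rpc-pipefs)))
   ;; rpc.gssd establishes each user's security context from the
   ;; Kerberos ticket obtained with kinit or via PAM at login.
   (service gss-service-type
            (gss-configuration
             (pipefs-directory %rpc-pipefs)))))

;; Use in an operating-system declaration:
;;   (services (append %nfs-client-services %base-services))
```

If the mount point is changed in only one of the two records, the GSS daemon starts cleanly but never sees a request, so a hanging @command{mount} with no error from @command{rpc.gssd} is the first thing to check for.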
    
    
    @subsubheading IDMAP Daemon Service
    @cindex idmapd
    @cindex name mapper
    
    The idmap daemon service provides mapping between user IDs and user names.
    Typically it is required in order to access file systems mounted via NFSv4.
    
    @defvr {Scheme Variable} idmap-service-type
    A service type for the Identity Mapper (IDMAP) daemon.