guix.texi

Defaults to @samp{"128m"}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} string server-admin
Specifies the email address of the server administrator.

Defaults to @samp{"root@@localhost.localdomain"}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} host-name-list-or-* server-alias
The ServerAlias directive is used for HTTP Host header validation when
clients connect to the scheduler from external interfaces.  Using the
special name @code{*} can expose your system to known browser-based DNS
rebinding attacks, even when accessing sites through a firewall.  If the
auto-discovery of alternate names does not work, we recommend listing
each alternate name with a ServerAlias directive instead of using
@code{*}.

Defaults to @samp{*}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} string server-name
Specifies the fully-qualified host name of the server.

Defaults to @samp{"localhost"}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} server-tokens server-tokens
Specifies what information is included in the Server header of HTTP
responses.  @code{None} disables the Server header.  @code{ProductOnly}
reports @code{CUPS}.  @code{Major} reports @code{CUPS 2}.  @code{Minor}
reports @code{CUPS 2.0}.  @code{Minimal} reports @code{CUPS 2.0.0}.
@code{OS} reports @code{CUPS 2.0.0 (@var{uname})} where @var{uname} is
the output of the @code{uname} command.  @code{Full} reports @code{CUPS
2.0.0 (@var{uname}) IPP/2.0}.

Defaults to @samp{Minimal}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} string set-env
Set the specified environment variable to be passed to child processes.

Defaults to @samp{"variable value"}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} multiline-string-list ssl-listen
Listens on the specified interfaces for encrypted connections.  Valid
values are of the form @var{address}:@var{port}, where @var{address} is
either an IPv6 address enclosed in brackets, an IPv4 address, or
@code{*} to indicate all addresses.

Defaults to @samp{()}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options
Sets encryption options.  By default, CUPS only supports encryption
using TLS v1.0 or higher using known secure cipher suites.  The
@code{AllowRC4} option enables the 128-bit RC4 cipher suites, which are
required for some older clients that do not implement newer ones.  The
@code{AllowSSL3} option enables SSL v3.0, which is required for some
older clients that do not support TLS v1.0.

Defaults to @samp{()}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} boolean strict-conformance?
Specifies whether the scheduler requires clients to strictly adhere to
the IPP specifications.

Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} non-negative-integer timeout
Specifies the HTTP request timeout, in seconds.

Defaults to @samp{300}.

@end deftypevr

@deftypevr {@code{cups-configuration} parameter} boolean web-interface?
Specifies whether the web interface is enabled.

Defaults to @samp{#f}.
@end deftypevr

At this point you're probably thinking ``oh dear, Guix manual, I like
you but you can stop already with the configuration options''.  Indeed.
However, one more point: it could be that you have an existing
@code{cupsd.conf} that you want to use.  In that case, you can pass an
@code{opaque-cups-configuration} as the configuration of a
@code{cups-service-type}.

Available @code{opaque-cups-configuration} fields are:

@deftypevr {@code{opaque-cups-configuration} parameter} package cups
The CUPS package.
@end deftypevr

@deftypevr {@code{opaque-cups-configuration} parameter} string cupsd.conf
The contents of the @code{cupsd.conf}, as a string.
@end deftypevr

@deftypevr {@code{opaque-cups-configuration} parameter} string cups-files.conf
The contents of the @code{cups-files.conf} file, as a string.
@end deftypevr

For example, if your @code{cupsd.conf} and @code{cups-files.conf} are in
strings of the same name, you could instantiate a CUPS service like
this:

@example
(service cups-service-type
         (opaque-cups-configuration
           (cupsd.conf cupsd.conf)
           (cups-files.conf cups-files.conf)))
@end example


@node Desktop Services
@subsubsection Desktop Services

The @code{(gnu services desktop)} module provides services that are
usually useful in the context of a ``desktop'' setup---that is, on a
machine running a graphical display server, possibly with graphical user
interfaces, etc.  It also defines services that provide specific desktop
environments like GNOME and XFCE.

To simplify things, the module defines a variable containing the set of
services that users typically expect on a machine with a graphical
environment and networking:

@defvr {Scheme Variable} %desktop-services
This is a list of services that builds upon @var{%base-services} and
adds or adjusts services for a typical ``desktop'' setup.

In particular, it adds a graphical login manager (@pxref{X Window,
@code{slim-service}}), screen lockers,
a network management tool (@pxref{Networking
Services, @code{wicd-service}}), energy and color management services,
the @code{elogind} login and seat manager, the Polkit privilege service,
the GeoClue location service, an NTP client (@pxref{Networking
Services}), the Avahi daemon, and has the name service switch service
configured to be able to use @code{nss-mdns} (@pxref{Name Service
Switch, mDNS}).
@end defvr

The @var{%desktop-services} variable can be used as the @code{services}
field of an @code{operating-system} declaration (@pxref{operating-system
Reference, @code{services}}).

Additionally, the @code{gnome-desktop-service} and
@code{xfce-desktop-service} procedures can add GNOME and/or XFCE to a
system.  To ``add GNOME'' means that system-level services like the
backlight adjustment helpers and the power management utilities are
added to the system, extending @code{polkit} and @code{dbus}
appropriately, allowing GNOME to operate with elevated privileges on a
limited number of special-purpose system interfaces.  Additionally,
adding a service made by @code{gnome-desktop-service} adds the GNOME
metapackage to the system profile.  Likewise, adding the XFCE service
not only adds the @code{xfce} metapackage to the system profile, but it
also gives the Thunar file manager the ability to open a ``root-mode''
file management window, if the user authenticates using the
administrator's password via the standard polkit graphical interface.

@deffn {Scheme Procedure} gnome-desktop-service
Return a service that adds the @code{gnome} package to the system
profile, and extends polkit with the actions from
@code{gnome-settings-daemon}.
@end deffn

@deffn {Scheme Procedure} xfce-desktop-service
Return a service that adds the @code{xfce} package to the system profile,
and extends polkit with the ability for @code{thunar} to manipulate the
file system as root from within a user session, after the user has
authenticated with the administrator's password.
@end deffn

Because the GNOME and XFCE desktop services pull in so many packages,
the default @code{%desktop-services} variable doesn't include either of
them by default.  To add GNOME or XFCE, just @code{cons} them onto
@code{%desktop-services} in the @code{services} field of your
@code{operating-system}:

@example
(use-modules (gnu))
(use-service-modules desktop)
(operating-system
  ...
  ;; cons* adds items to the list given as its last argument.
  (services (cons* (gnome-desktop-service)
                   (xfce-desktop-service)
                   %desktop-services))
  ...)
@end example

These desktop environments will then be available as options in the
graphical login window.

The actual service definitions included in @code{%desktop-services} and
provided by @code{(gnu services dbus)} and @code{(gnu services desktop)}
are described below.

@deffn {Scheme Procedure} dbus-service [#:dbus @var{dbus}] [#:services '()]
Return a service that runs the ``system bus'', using @var{dbus}, with
support for @var{services}.

@uref{http://dbus.freedesktop.org/, D-Bus} is an inter-process communication
facility.  Its system bus is used to allow system services to communicate
and to be notified of system-wide events.

@var{services} must be a list of packages that provide an
@file{etc/dbus-1/system.d} directory containing additional D-Bus configuration
and policy files.  For example, to allow avahi-daemon to use the system bus,
@var{services} must be equal to @code{(list avahi)}.
@end deffn

@deffn {Scheme Procedure} elogind-service [#:config @var{config}]
Return a service that runs the @code{elogind} login and
seat management daemon.  @uref{https://github.com/andywingo/elogind,
Elogind} exposes a D-Bus interface that can be used to know which users
are logged in, know what kind of sessions they have open, suspend the
system, inhibit system suspend, reboot the system, and other tasks.

Elogind handles most system-level power events for a computer, for
example suspending the system when a lid is closed, or shutting it down
when the power button is pressed.

The @var{config} keyword argument specifies the configuration for
elogind, and should be the result of an @code{(elogind-configuration
(@var{parameter} @var{value})...)} invocation.  Available parameters and
their default values are:

@table @code
@item kill-user-processes?
@code{#f}
@item kill-only-users
@code{()}
@item kill-exclude-users
@code{("root")}
@item inhibit-delay-max-seconds
@code{5}
@item handle-power-key
@code{poweroff}
@item handle-suspend-key
@code{suspend}
@item handle-hibernate-key
@code{hibernate}
@item handle-lid-switch
@code{suspend}
@item handle-lid-switch-docked
@code{ignore}
@item power-key-ignore-inhibited?
@code{#f}
@item suspend-key-ignore-inhibited?
@code{#f}
@item hibernate-key-ignore-inhibited?
@code{#f}
@item lid-switch-ignore-inhibited?
@code{#t}
@item holdoff-timeout-seconds
@code{30}
@item idle-action
@code{ignore}
@item idle-action-seconds
@code{(* 30 60)}
@item runtime-directory-size-percent
@code{10}
@item runtime-directory-size
@code{#f}
@item remove-ipc?
@code{#t}
@item suspend-state
@code{("mem" "standby" "freeze")}
@item suspend-mode
@code{()}
@item hibernate-state
@code{("disk")}
@item hibernate-mode
@code{("platform" "shutdown")}
@item hybrid-sleep-state
@code{("disk")}
@item hybrid-sleep-mode
@code{("suspend" "platform" "shutdown")}
@end table
@end deffn

@deffn {Scheme Procedure} polkit-service @
                         [#:polkit @var{polkit}]
Return a service that runs the
@uref{http://www.freedesktop.org/wiki/Software/polkit/, Polkit privilege
management service}, which allows system administrators to grant access to
privileged operations in a structured way.  By querying the Polkit service, a
privileged system component can know when it should grant additional
capabilities to ordinary users.  For example, an ordinary user can be granted
the capability to suspend the system if the user is logged in locally.
@end deffn

@deffn {Scheme Procedure} upower-service [#:upower @var{upower}] @
                         [#:watts-up-pro? #f] @
                         [#:poll-batteries? #t] @
                         [#:ignore-lid? #f] @
                         [#:use-percentage-for-policy? #f] @
                         [#:percentage-low 10] @
                         [#:percentage-critical 3] @
                         [#:percentage-action 2] @
                         [#:time-low 1200] @
                         [#:time-critical 300] @
                         [#:time-action 120] @
                         [#:critical-power-action 'hybrid-sleep]
Return a service that runs @uref{http://upower.freedesktop.org/,
@command{upowerd}}, a system-wide monitor for power consumption and battery
levels, with the given configuration settings.  It implements the
@code{org.freedesktop.UPower} D-Bus interface, and is notably used by
GNOME.
@end deffn

@deffn {Scheme Procedure} udisks-service [#:udisks @var{udisks}]
Return a service for @uref{http://udisks.freedesktop.org/docs/latest/,
UDisks}, a @dfn{disk management} daemon that provides user interfaces with
notifications and ways to mount/unmount disks.  Programs that talk to UDisks
include the @command{udisksctl} command, part of UDisks, and GNOME Disks.
@end deffn

@deffn {Scheme Procedure} colord-service [#:colord @var{colord}]
Return a service that runs @command{colord}, a system service with a D-Bus
interface to manage the color profiles of input and output devices such as
screens and scanners.  It is notably used by the GNOME Color Manager graphical
tool.  See @uref{http://www.freedesktop.org/software/colord/, the colord web
site} for more information.
@end deffn

@deffn {Scheme Procedure} geoclue-application name [#:allowed? #t] [#:system? #f] [#:users '()]
Return a configuration allowing an application to access GeoClue
location data.  @var{name} is the Desktop ID of the application, without
the @code{.desktop} part.  If @var{allowed?} is true, the application
will have access to location information by default.  The boolean
@var{system?}  value indicates whether an application is a system component
or not.  Finally @var{users} is a list of UIDs of all users for which
this application is allowed location info access.  An empty users list
means that all users are allowed.
@end deffn

@defvr {Scheme Variable} %standard-geoclue-applications
The standard list of well-known GeoClue application configurations,
granting authority to the GNOME date-and-time utility to ask for the
current location in order to set the time zone, and allowing the
IceCat and Epiphany web browsers to request location information.
IceCat and Epiphany both query the user before allowing a web page to
know the user's location.
@end defvr

@deffn {Scheme Procedure} geoclue-service [#:colord @var{colord}] @
                         [#:whitelist '()] @
                         [#:wifi-geolocation-url "https://location.services.mozilla.com/v1/geolocate?key=geoclue"] @
                         [#:submit-data? #f]
                         [#:wifi-submission-url "https://location.services.mozilla.com/v1/submit?key=geoclue"] @
                         [#:submission-nick "geoclue"] @
                         [#:applications %standard-geoclue-applications]
Return a service that runs the GeoClue location service.  This service
provides a D-Bus interface to allow applications to request access to a
user's physical location, and optionally to add information to online
location databases.  See
@uref{https://wiki.freedesktop.org/www/Software/GeoClue/, the GeoClue
web site} for more information.
@end deffn

@deffn {Scheme Procedure} bluetooth-service [#:bluez @var{bluez}]
Return a service that runs the @command{bluetoothd} daemon, which manages
all the Bluetooth devices and provides a number of D-Bus interfaces.

Users need to be in the @code{lp} group to access the D-Bus service.
@end deffn

@node Database Services
@subsubsection Database Services

@cindex database
@cindex SQL
The @code{(gnu services databases)} module provides the following services.

@deffn {Scheme Procedure} postgresql-service [#:postgresql postgresql] @
       [#:config-file] [#:data-directory ``/var/lib/postgresql/data''] @
       [#:port 5432] [#:locale ``en_US.utf8'']
Return a service that runs @var{postgresql}, the PostgreSQL database
server.

The PostgreSQL daemon loads its runtime configuration from @var{config-file},
creates a database cluster with @var{locale} as the default
locale, stored in @var{data-directory}.  It then listens on @var{port}.
@end deffn

@deffn {Scheme Procedure} mysql-service [#:config (mysql-configuration)]
Return a service that runs @command{mysqld}, the MySQL or MariaDB
database server.

The optional @var{config} argument specifies the configuration for
@command{mysqld}, which should be a @code{<mysql-configuration>} object.
@end deffn

@deftp {Data Type} mysql-configuration
Data type representing the configuration of @var{mysql-service}.

@table @asis
@item @code{mysql} (default: @var{mariadb})
Package object of the MySQL database server, can be either @var{mariadb}
or @var{mysql}.

For MySQL, a temporary root password will be displayed at activation time.
For MariaDB, the root password is empty.

@item @code{port} (default: @code{3306})
TCP port on which the database server listens for incoming connections.
@end table
@end deftp

@defvr {Scheme Variable} redis-service-type
This is the service type for the @uref{https://redis.io/, Redis}
key/value store, whose value is a @code{redis-configuration} object.
@end defvr

@deftp {Data Type} redis-configuration
Data type representing the configuration of redis.

@table @asis
@item @code{redis} (default: @code{redis})
The Redis package to use.

@item @code{bind} (default: @code{"127.0.0.1"})
Network interface on which to listen.

@item @code{port} (default: @code{6379})
Port on which to accept connections on, a value of 0 will disable
listining on a TCP socket.

@item @code{working-directory} (default: @code{"/var/lib/redis"})
Directory in which to store the database and related files.
@end table
@end deftp

@node Mail Services
@subsubsection Mail Services

@cindex mail
@cindex email
The @code{(gnu services mail)} module provides Guix service definitions
for email services: IMAP, POP3, and LMTP servers, as well as mail
transport agents (MTAs).  Lots of acronyms!  These services are detailed
in the subsections below.

@subsubheading Dovecot Service

@deffn {Scheme Procedure} dovecot-service [#:config (dovecot-configuration)]
Return a service that runs the Dovecot IMAP/POP3/LMTP mail server.
@end deffn

By default, Dovecot does not need much configuration; the default
configuration object created by @code{(dovecot-configuration)} will
suffice if your mail is delivered to @code{~/Maildir}.  A self-signed
certificate will be generated for TLS-protected connections, though
Dovecot will also listen on cleartext ports by default.  There are a
number of options, though, which mail administrators might need to change,
and as is the case with other services, Guix allows the system
administrator to specify these parameters via a uniform Scheme interface.

For example, to specify that mail is located at @code{maildir~/.mail},
one would instantiate the Dovecot service like this:

@example
(dovecot-service #:config
                 (dovecot-configuration
                  (mail-location "maildir:~/.mail")))
@end example

The available configuration parameters follow.  Each parameter
definition is preceded by its type; for example, @samp{string-list foo}
indicates that the @code{foo} parameter should be specified as a list of
strings.  There is also a way to specify the configuration as a string,
if you have an old @code{dovecot.conf} file that you want to port over
from some other system; see the end for more details.

@c The following documentation was initially generated by
@c (generate-documentation) in (gnu services mail).  Manually maintained
@c documentation is better, so we shouldn't hesitate to edit below as
@c needed.  However if the change you want to make to this documentation
@c can be done in an automated way, it's probably easier to change
@c (generate-documentation) than to make it below and have to deal with
@c the churn as dovecot updates.

Available @code{dovecot-configuration} fields are:

@deftypevr {@code{dovecot-configuration} parameter} package dovecot
The dovecot package.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} comma-separated-string-list listen
A list of IPs or hosts where to listen for connections.  @samp{*}
listens on all IPv4 interfaces, @samp{::} listens on all IPv6
interfaces.  If you want to specify non-default ports or anything more
complex, customize the address and port fields of the
@samp{inet-listener} of the specific services you are interested in.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} protocol-configuration-list protocols
List of protocols we want to serve.  Available protocols include
@samp{imap}, @samp{pop3}, and @samp{lmtp}.

Available @code{protocol-configuration} fields are:

@deftypevr {@code{protocol-configuration} parameter} string name
The name of the protocol.
@end deftypevr

@deftypevr {@code{protocol-configuration} parameter} string auth-socket-path
UNIX socket path to the master authentication server to find users.
This is used by imap (for shared users) and lda.
It defaults to @samp{"/var/run/dovecot/auth-userdb"}.
@end deftypevr

@deftypevr {@code{protocol-configuration} parameter} space-separated-string-list mail-plugins
Space separated list of plugins to load.
@end deftypevr

@deftypevr {@code{protocol-configuration} parameter} non-negative-integer mail-max-userip-connections
Maximum number of IMAP connections allowed for a user from each IP
address.  NOTE: The username is compared case-sensitively.
Defaults to @samp{10}.
@end deftypevr

@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} service-configuration-list services
List of services to enable.  Available services include @samp{imap},
@samp{imap-login}, @samp{pop3}, @samp{pop3-login}, @samp{auth}, and
@samp{lmtp}.

Available @code{service-configuration} fields are:

@deftypevr {@code{service-configuration} parameter} string kind
The service kind.  Valid values include @code{director},
@code{imap-login}, @code{pop3-login}, @code{lmtp}, @code{imap},
@code{pop3}, @code{auth}, @code{auth-worker}, @code{dict},
@code{tcpwrap}, @code{quota-warning}, or anything else.
@end deftypevr

@deftypevr {@code{service-configuration} parameter} listener-configuration-list listeners
Listeners for the service.  A listener is either a
@code{unix-listener-configuration}, a @code{fifo-listener-configuration}, or
an @code{inet-listener-configuration}.
Defaults to @samp{()}.

Available @code{unix-listener-configuration} fields are:

@deftypevr {@code{unix-listener-configuration} parameter} file-name path
The file name on which to listen.
@end deftypevr

@deftypevr {@code{unix-listener-configuration} parameter} string mode
The access mode for the socket.
Defaults to @samp{"0600"}.
@end deftypevr

@deftypevr {@code{unix-listener-configuration} parameter} string user
The user to own the socket.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{unix-listener-configuration} parameter} string group
The group to own the socket.
Defaults to @samp{""}.
@end deftypevr


Available @code{fifo-listener-configuration} fields are:

@deftypevr {@code{fifo-listener-configuration} parameter} file-name path
The file name on which to listen.
@end deftypevr

@deftypevr {@code{fifo-listener-configuration} parameter} string mode
The access mode for the socket.
Defaults to @samp{"0600"}.
@end deftypevr

@deftypevr {@code{fifo-listener-configuration} parameter} string user
The user to own the socket.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{fifo-listener-configuration} parameter} string group
The group to own the socket.
Defaults to @samp{""}.
@end deftypevr


Available @code{inet-listener-configuration} fields are:

@deftypevr {@code{inet-listener-configuration} parameter} string protocol
The protocol to listen for.
@end deftypevr

@deftypevr {@code{inet-listener-configuration} parameter} string address
The address on which to listen, or empty for all addresses.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{inet-listener-configuration} parameter} non-negative-integer port
The port on which to listen.
@end deftypevr

@deftypevr {@code{inet-listener-configuration} parameter} boolean ssl?
Whether to use SSL for this service; @samp{yes}, @samp{no}, or
@samp{required}.
Defaults to @samp{#t}.
@end deftypevr

@end deftypevr

@deftypevr {@code{service-configuration} parameter} non-negative-integer service-count
Number of connections to handle before starting a new process.
Typically the only useful values are 0 (unlimited) or 1.  1 is more
secure, but 0 is faster.  <doc/wiki/LoginProcess.txt>.
Defaults to @samp{1}.
@end deftypevr

@deftypevr {@code{service-configuration} parameter} non-negative-integer process-min-avail
Number of processes to always keep waiting for more connections.
Defaults to @samp{0}.
@end deftypevr

@deftypevr {@code{service-configuration} parameter} non-negative-integer vsz-limit
If you set @samp{service-count 0}, you probably need to grow
this.
Defaults to @samp{256000000}.
@end deftypevr

@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} dict-configuration dict
Dict configuration, as created by the @code{dict-configuration}
constructor.

Available @code{dict-configuration} fields are:

@deftypevr {@code{dict-configuration} parameter} free-form-fields entries
A list of key-value pairs that this dict should hold.
Defaults to @samp{()}.
@end deftypevr

@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} passdb-configuration-list passdbs
A list of passdb configurations, each one created by the
@code{passdb-configuration} constructor.

Available @code{passdb-configuration} fields are:

@deftypevr {@code{passdb-configuration} parameter} string driver
The driver that the passdb should use.  Valid values include
@samp{pam}, @samp{passwd}, @samp{shadow}, @samp{bsdauth}, and
@samp{static}.
Defaults to @samp{"pam"}.
@end deftypevr

@deftypevr {@code{passdb-configuration} parameter} free-form-args args
A list of key-value args to the passdb driver.
Defaults to @samp{()}.
@end deftypevr

@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} userdb-configuration-list userdbs
List of userdb configurations, each one created by the
@code{userdb-configuration} constructor.

Available @code{userdb-configuration} fields are:

@deftypevr {@code{userdb-configuration} parameter} string driver
The driver that the userdb should use.  Valid values include
@samp{passwd} and @samp{static}.
Defaults to @samp{"passwd"}.
@end deftypevr

@deftypevr {@code{userdb-configuration} parameter} free-form-args args
A list of key-value args to the userdb driver.
Defaults to @samp{()}.
@end deftypevr

@deftypevr {@code{userdb-configuration} parameter} free-form-args override-fields
Override fields from passwd.
Defaults to @samp{()}.
@end deftypevr

@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} plugin-configuration plugin-configuration
Plug-in configuration, created by the @code{plugin-configuration}
constructor.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} list-of-namespace-configuration namespaces
List of namespaces.  Each item in the list is created by the
@code{namespace-configuration} constructor.

Available @code{namespace-configuration} fields are:

@deftypevr {@code{namespace-configuration} parameter} string name
Name for this namespace.
@end deftypevr

@deftypevr {@code{namespace-configuration} parameter} string type
Namespace type: @samp{private}, @samp{shared} or @samp{public}.
Defaults to @samp{"private"}.
@end deftypevr

@deftypevr {@code{namespace-configuration} parameter} string separator
Hierarchy separator to use. You should use the same separator for
all namespaces or some clients get confused.  @samp{/} is usually a good
one.  The default however depends on the underlying mail storage
format.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{namespace-configuration} parameter} string prefix
Prefix required to access this namespace.  This needs to be
different for all namespaces. For example @samp{Public/}.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{namespace-configuration} parameter} string location
Physical location of the mailbox. This is in the same format as
mail_location, which is also the default for it.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{namespace-configuration} parameter} boolean inbox?
There can be only one INBOX, and this setting defines which
namespace has it.
Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{namespace-configuration} parameter} boolean hidden?
If namespace is hidden, it's not advertised to clients via NAMESPACE
extension. You'll most likely also want to set @samp{list? #f}.  This is mostly
useful when converting from another server with different namespaces
which you want to deprecate but still keep working.  For example you can
create hidden namespaces with prefixes @samp{~/mail/}, @samp{~%u/mail/}
and @samp{mail/}.
Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{namespace-configuration} parameter} boolean list?
Show the mailboxes under this namespace with the LIST command. This
makes the namespace visible for clients that do not support the NAMESPACE
extension.  The special @code{children} value lists child mailboxes, but
hides the namespace prefix.
Defaults to @samp{#t}.
@end deftypevr

@deftypevr {@code{namespace-configuration} parameter} boolean subscriptions?
Namespace handles its own subscriptions.  If set to @code{#f}, the
parent namespace handles them.  The empty prefix should always have this
as @code{#t}).
Defaults to @samp{#t}.
@end deftypevr

@deftypevr {@code{namespace-configuration} parameter} mailbox-configuration-list mailboxes
List of predefined mailboxes in this namespace.
Defaults to @samp{()}.

Available @code{mailbox-configuration} fields are:

@deftypevr {@code{mailbox-configuration} parameter} string name
Name for this mailbox.
@end deftypevr

@deftypevr {@code{mailbox-configuration} parameter} string auto
@samp{create} will automatically create this mailbox.
@samp{subscribe} will both create and subscribe to the mailbox.
Defaults to @samp{"no"}.
@end deftypevr

@deftypevr {@code{mailbox-configuration} parameter} space-separated-string-list special-use
List of IMAP @code{SPECIAL-USE} attributes as specified by RFC 6154.
Valid values are @code{\All}, @code{\Archive}, @code{\Drafts},
@code{\Flagged}, @code{\Junk}, @code{\Sent}, and @code{\Trash}.
Defaults to @samp{()}.
@end deftypevr

@end deftypevr

@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} file-name base-dir
Base directory where to store runtime data.
Defaults to @samp{"/var/run/dovecot/"}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string login-greeting
Greeting message for clients.
Defaults to @samp{"Dovecot ready."}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-trusted-networks
List of trusted network ranges.  Connections from these IPs are
allowed to override their IP addresses and ports (for logging and for
authentication checks).  @samp{disable-plaintext-auth} is also ignored
for these networks.  Typically you would specify your IMAP proxy servers
here.
Defaults to @samp{()}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list login-access-sockets
List of login access check sockets (e.g. tcpwrap).
Defaults to @samp{()}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} boolean verbose-proctitle?
Show more verbose process titles (in ps).  Currently shows user name
and IP address.  Useful for seeing who is actually using the IMAP
processes (e.g. shared mailboxes or if the same uid is used for multiple
accounts).
Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} boolean shutdown-clients?
Should all processes be killed when Dovecot master process shuts down.
Setting this to @code{#f} means that Dovecot can be upgraded without
forcing existing client connections to close (although that could also
be a problem if the upgrade is e.g. due to a security fix).
Defaults to @samp{#t}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} non-negative-integer doveadm-worker-count
If non-zero, run mail commands via this many connections to doveadm
server, instead of running them directly in the same process.
Defaults to @samp{0}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string doveadm-socket-path
UNIX socket or host:port used for connecting to doveadm server.
Defaults to @samp{"doveadm-server"}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list import-environment
List of environment variables that are preserved on Dovecot startup
and passed down to all of its child processes.  You can also give
key=value pairs to always set specific settings.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} boolean disable-plaintext-auth?
Disable LOGIN command and all other plaintext authentications unless
SSL/TLS is used (LOGINDISABLED capability).  Note that if the remote IP
matches the local IP (i.e. you're connecting from the same computer),
the connection is considered secure and plaintext authentication is
allowed.  See also ssl=required setting.
Defaults to @samp{#t}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} non-negative-integer auth-cache-size
Authentication cache size (e.g. @samp{#e10e6}).  0 means it's disabled.
Note that bsdauth, PAM and vpopmail require @samp{cache-key} to be set
for caching to be used.
Defaults to @samp{0}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-cache-ttl
Time to live for cached data.  After TTL expires the cached record
is no longer used, *except* if the main database lookup returns internal
failure.  We also try to handle password changes automatically: If
user's previous authentication was successful, but this one wasn't, the
cache isn't used.  For now this works only with plaintext
authentication.
Defaults to @samp{"1 hour"}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-cache-negative-ttl
TTL for negative hits (user not found, password mismatch).
0 disables caching them completely.
Defaults to @samp{"1 hour"}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list auth-realms
List of realms for SASL authentication mechanisms that need them.
You can leave it empty if you don't want to support multiple realms.
Many clients simply use the first one listed here, so keep the default
realm first.
Defaults to @samp{()}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-default-realm
Default realm/domain to use if none was specified.  This is used for
both SASL realms and appending @@domain to username in plaintext
logins.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-username-chars
List of allowed characters in username.  If the user-given username
contains a character not listed in here, the login automatically fails.
This is just an extra check to make sure user can't exploit any
potential quote escaping vulnerabilities with SQL/LDAP databases.  If
you want to allow all characters, set this value to empty.
Defaults to @samp{"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@@"}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-username-translation
Username character translations before it's looked up from
databases.  The value contains series of from -> to characters.  For
example @samp{#@@/@@} means that @samp{#} and @samp{/} characters are
translated to @samp{@@}.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-username-format
Username formatting before it's looked up from databases.  You can
use the standard variables here, e.g. %Lu would lowercase the username,
%n would drop away the domain if it was given, or @samp{%n-AT-%d} would
change the @samp{@@} into @samp{-AT-}.  This translation is done after
@samp{auth-username-translation} changes.
Defaults to @samp{"%Lu"}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-master-user-separator
If you want to allow master users to log in by specifying the master
username within the normal username string (i.e. not using SASL
mechanism's support for it), you can specify the separator character
here.  The format is then <username><separator><master username>.
UW-IMAP uses @samp{*} as the separator, so that could be a good
choice.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-anonymous-username
Username to use for users logging in with ANONYMOUS SASL
mechanism.
Defaults to @samp{"anonymous"}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} non-negative-integer auth-worker-max-count
Maximum number of dovecot-auth worker processes.  They're used to
execute blocking passdb and userdb queries (e.g. MySQL and PAM).
They're automatically created and destroyed as needed.
Defaults to @samp{30}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-gssapi-hostname
Host name to use in GSSAPI principal names.  The default is to use
the name returned by gethostname().  Use @samp{$ALL} (with quotes) to
allow all keytab entries.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-krb5-keytab
Kerberos keytab to use for the GSSAPI mechanism.  Will use the
system default (usually @file{/etc/krb5.keytab}) if not specified.  You may
need to change the auth service to run as root to be able to read this
file.
Defaults to @samp{""}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} boolean auth-use-winbind?
Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon
and @samp{ntlm-auth} helper.
<doc/wiki/Authentication/Mechanisms/Winbind.txt>.
Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} file-name auth-winbind-helper-path
Path for Samba's @samp{ntlm-auth} helper binary.
Defaults to @samp{"/usr/bin/ntlm_auth"}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} string auth-failure-delay
Time to delay before replying to failed authentications.
Defaults to @samp{"2 secs"}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-require-client-cert?
Require a valid SSL client certificate or the authentication
fails.
Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-username-from-cert?
Take the username from client's SSL certificate, using
@code{X509_NAME_get_text_by_NID()} which returns the subject's DN's
CommonName.
Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list auth-mechanisms
List of wanted authentication mechanisms.  Supported mechanisms are:
@samp{plain}, @samp{login}, @samp{digest-md5}, @samp{cram-md5},
@samp{ntlm}, @samp{rpa}, @samp{apop}, @samp{anonymous}, @samp{gssapi},
@samp{otp}, @samp{skey}, and @samp{gss-spnego}.  NOTE: See also
@samp{disable-plaintext-auth} setting.
@end deftypevr

@deftypevr {@code{dovecot-configuration} parameter} space-separated-string-list director-servers
List of IPs or hostnames to all director servers, including ourself.