guix.texi

             (socket-type 'stream)
             (protocol "tcp")
             (wait? #f)
             (user "root")
             (program (file-append openssh "/bin/ssh"))
             (arguments
              '("ssh" "-qT" "-i" "/path/to/ssh_key"
                "-W" "smtp-server:25" "user@@hostname")))))
@end example

See below for more details about @code{inetd-configuration}.
@end deffn

@deftp {Data Type} inetd-configuration
Data type representing the configuration of @command{inetd}.

@table @asis
@item @code{program} (default: @code{(file-append inetutils "/libexec/inetd")})
The @command{inetd} executable to use.

@item @code{entries} (default: @code{'()})
A list of @command{inetd} service entries.  Each entry should be created
by the @code{inetd-entry} constructor.
@end table
@end deftp

@deftp {Data Type} inetd-entry
Data type representing an entry in the @command{inetd} configuration.
Each entry corresponds to a socket where @command{inetd} will listen for
requests.

@table @asis
@item @code{node} (default: @code{#f})
Optional string, a comma-separated list of local addresses
@command{inetd} should use when listening for this service.
@xref{Configuration file,,, inetutils, GNU Inetutils} for a complete
description of all options.
@item @code{name}
A string, the name must correspond to an entry in @code{/etc/services}.
@item @code{socket-type}
One of @code{'stream}, @code{'dgram}, @code{'raw}, @code{'rdm} or
@code{'seqpacket}.
@item @code{protocol}
A string, must correspond to an entry in @code{/etc/protocols}.
@item @code{wait?} (default: @code{#t})
Whether @command{inetd} should wait for the server to exit before
listening to new service requests.
@item @code{user}
A string containing the user (and, optionally, group) name of the user
as whom the server should run.  The group name can be specified in a
suffix, separated by a colon or period, i.e. @code{"user"},
@code{"user:group"} or @code{"user.group"}.
@item @code{program} (default: @code{"internal"})
The server program which will serve the requests, or @code{"internal"}
if @command{inetd} should use a built-in service.
@item @code{arguments} (default: @code{'()})
A list strings or file-like objects, which are the server program's
arguments, starting with the zeroth argument, i.e. the name of the
program itself.  For @command{inetd}'s internal services, this entry
must be @code{'()} or @code{'("internal")}.
@end table

@xref{Configuration file,,, inetutils, GNU Inetutils} for a more
detailed discussion of each configuration field.
@end deftp

@cindex Tor
@deffn {Scheme Procedure} tor-service [@var{config-file}] [#:tor @var{tor}]
Return a service to run the @uref{https://torproject.org, Tor} anonymous
networking daemon.

The daemon runs as the @code{tor} unprivileged user.  It is passed
@var{config-file}, a file-like object, with an additional @code{User tor} line
and lines for hidden services added via @code{tor-hidden-service}.  Run
@command{man tor} for information about the configuration file.
@end deffn

@cindex hidden service
@deffn {Scheme Procedure} tor-hidden-service @var{name} @var{mapping}
Define a new Tor @dfn{hidden service} called @var{name} and implementing
@var{mapping}.  @var{mapping} is a list of port/host tuples, such as:

@example
 '((22 "127.0.0.1:22")
   (80 "127.0.0.1:8080"))
@end example

In this example, port 22 of the hidden service is mapped to local port 22, and
port 80 is mapped to local port 8080.

This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
the @file{hostname} file contains the @code{.onion} host name for the hidden
service.

See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
project's documentation} for more information.
@end deffn

The @code{(gnu services rsync)} module provides the following services:

You might want an rsync daemon if you have files that you want available
so anyone (or just yourself) can download existing files or upload new
files.

@deffn {Scheme Variable} rsync-service-type
This is the type for the @uref{https://rsync.samba.org, rsync} rsync daemon,
@command{rsync-configuration} record as in this example:

@example
(service rsync-service-type)
@end example

See below for details about @code{rsync-configuration}.
@end deffn

@deftp {Data Type} rsync-configuration
Data type representing the configuration for @code{rsync-service}.

@table @asis
@item @code{package} (default: @var{rsync})
@code{rsync} package to use.

@item @code{port-number} (default: @code{873})
TCP port on which @command{rsync} listens for incoming connections.  If port
is less than @code{1024} @command{rsync} needs to be started as the
@code{root} user and group.

@item @code{pid-file} (default: @code{"/var/run/rsyncd/rsyncd.pid"})
Name of the file where @command{rsync} writes its PID.

@item @code{lock-file} (default: @code{"/var/run/rsyncd/rsyncd.lock"})
Name of the file where @command{rsync} writes its lock file.

@item @code{log-file} (default: @code{"/var/log/rsyncd.log"})
Name of the file where @command{rsync} writes its log file.

@item @code{use-chroot?} (default: @var{#t})
Whether to use chroot for @command{rsync} shared directory.

@item @code{share-path} (default: @file{/srv/rsync})
Location of the @command{rsync} shared directory.

@item @code{share-comment} (default: @code{"Rsync share"})
Comment of the @command{rsync} shared directory.

@item @code{read-only?} (default: @var{#f})
Read-write permissions to shared directory.

@item @code{timeout} (default: @code{300})
I/O timeout in seconds.

@item @code{user} (default: @var{"root"})
Owner of the @code{rsync} process.

@item @code{group} (default: @var{"root"})
Group of the @code{rsync} process.

@item @code{uid} (default: @var{"rsyncd"})
User name or user ID that file transfers to and from that module should take
place as when the daemon was run as @code{root}.

@item @code{gid} (default: @var{"rsyncd"})
Group name or group ID that will be used when accessing the module.

@end table
@end deftp

Furthermore, @code{(gnu services ssh)} provides the following services.
@cindex SSH
@cindex SSH server

@deffn {Scheme Procedure} lsh-service [#:host-key "/etc/lsh/host-key"] @
       [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] @
       [#:allow-empty-passwords? #f] [#:root-login? #f] @
       [#:syslog-output? #t] [#:x11-forwarding? #t] @
       [#:tcp/ip-forwarding? #t] [#:password-authentication? #t] @
       [#:public-key-authentication? #t] [#:initialize? #t]
Run the @command{lshd} program from @var{lsh} to listen on port @var{port-number}.
@var{host-key} must designate a file containing the host key, and readable
only by root.

When @var{daemonic?} is true, @command{lshd} will detach from the
controlling terminal and log its output to syslogd, unless one sets
@var{syslog-output?} to false.  Obviously, it also makes lsh-service
depend on existence of syslogd service.  When @var{pid-file?} is true,
@command{lshd} writes its PID to the file called @var{pid-file}.

When @var{initialize?} is true, automatically create the seed and host key
upon service activation if they do not exist yet.  This may take long and
require interaction.

When @var{initialize?} is false, it is up to the user to initialize the
randomness generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create
a key pair with the private key stored in file @var{host-key} (@pxref{lshd
basics,,, lsh, LSH Manual}).

When @var{interfaces} is empty, lshd listens for connections on all the
network interfaces; otherwise, @var{interfaces} must be a list of host names
or addresses.

@var{allow-empty-passwords?} specifies whether to accept log-ins with empty
passwords, and @var{root-login?} specifies whether to accept log-ins as
root.

The other options should be self-descriptive.
@end deffn

@cindex SSH
@cindex SSH server
@deffn {Scheme Variable} openssh-service-type
This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
shell daemon, @command{sshd}.  Its value must be an
@code{openssh-configuration} record as in this example:

@example
(service openssh-service-type
         (openssh-configuration
           (x11-forwarding? #t)
           (permit-root-login 'without-password)
           (authorized-keys
             `(("alice" ,(local-file "alice.pub"))
               ("bob" ,(local-file "bob.pub"))))))
@end example

See below for details about @code{openssh-configuration}.

This service can be extended with extra authorized keys, as in this
example:

@example
(service-extension openssh-service-type
                   (const `(("charlie"
                             ,(local-file "charlie.pub")))))
@end example
@end deffn

@deftp {Data Type} openssh-configuration
This is the configuration record for OpenSSH's @command{sshd}.

@table @asis
@item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
Name of the file where @command{sshd} writes its PID.

@item @code{port-number} (default: @code{22})
TCP port on which @command{sshd} listens for incoming connections.

@item @code{permit-root-login} (default: @code{#f})
This field determines whether and when to allow logins as root.  If
@code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
If it's the symbol @code{'without-password}, then root logins are
permitted but not with password-based authentication.

@item @code{allow-empty-passwords?} (default: @code{#f})
When true, users with empty passwords may log in.  When false, they may
not.

@item @code{password-authentication?} (default: @code{#t})
When true, users may log in with their password.  When false, they have
other authentication methods.

@item @code{public-key-authentication?} (default: @code{#t})
When true, users may log in using public key authentication.  When
false, users have to use other authentication method.

Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
This is used only by protocol version 2.

@item @code{x11-forwarding?} (default: @code{#f})
When true, forwarding of X11 graphical client connections is
enabled---in other words, @command{ssh} options @option{-X} and
@option{-Y} will work.

@item @code{challenge-response-authentication?} (default: @code{#f})
Specifies whether challenge response authentication is allowed (e.g. via
PAM).

@item @code{use-pam?} (default: @code{#t})
Enables the Pluggable Authentication Module interface.  If set to
@code{#t}, this will enable PAM authentication using
@code{challenge-response-authentication?} and
@code{password-authentication?}, in addition to PAM account and session
module processing for all authentication types.

Because PAM challenge response authentication usually serves an
equivalent role to password authentication, you should disable either
@code{challenge-response-authentication?} or
@code{password-authentication?}.

@item @code{print-last-log?} (default: @code{#t})
Specifies whether @command{sshd} should print the date and time of the
last user login when a user logs in interactively.

@item @code{subsystems} (default: @code{'(("sftp" "internal-sftp"))})
Configures external subsystems (e.g. file transfer daemon).

This is a list of two-element lists, each of which containing the
subsystem name and a command (with optional arguments) to execute upon
subsystem request.

The command @command{internal-sftp} implements an in-process SFTP
server.  Alternately, one can specify the @command{sftp-server} command:
@example
(service openssh-service-type
         (openssh-configuration
          (subsystems
           `(("sftp" ,(file-append openssh "/libexec/sftp-server"))))))
@end example

@item @code{accepted-environment} (default: @code{'()})
List of strings describing which environment variables may be exported.

Each string gets on its own line.  See the @code{AcceptEnv} option in
@code{man sshd_config}.

This example allows ssh-clients to export the @code{COLORTERM} variable.
It is set by terminal emulators, which support colors.  You can use it in
your shell's ressource file to enable colors for the prompt and commands
if this variable is set.

@example
(service openssh-service-type
         (openssh-configuration
           (accepted-environment '("COLORTERM"))))
@end example

@item @code{authorized-keys} (default: @code{'()})
@cindex authorized keys, SSH
@cindex SSH authorized keys
This is the list of authorized keys.  Each element of the list is a user
name followed by one or more file-like objects that represent SSH public
keys.  For example:

@example
(openssh-configuration
  (authorized-keys
    `(("rekado" ,(local-file "rekado.pub"))
      ("chris" ,(local-file "chris.pub"))
      ("root" ,(local-file "rekado.pub") ,(local-file "chris.pub")))))
@end example

@noindent
registers the specified public keys for user accounts @code{rekado},
@code{chris}, and @code{root}.

Additional authorized keys can be specified @i{via}
@code{service-extension}.

Note that this does @emph{not} interfere with the use of
@file{~/.ssh/authorized_keys}.
@end table
@end deftp

@deffn {Scheme Procedure} dropbear-service [@var{config}]
Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
daemon} with the given @var{config}, a @code{<dropbear-configuration>}
object.

For example, to specify a Dropbear service listening on port 1234, add
this call to the operating system's @code{services} field:

@example
(dropbear-service (dropbear-configuration
                    (port-number 1234)))
@end example
@end deffn

@deftp {Data Type} dropbear-configuration
This data type represents the configuration of a Dropbear SSH daemon.

@table @asis
@item @code{dropbear} (default: @var{dropbear})
The Dropbear package to use.

@item @code{port-number} (default: 22)
The TCP port where the daemon waits for incoming connections.

@item @code{syslog-output?} (default: @code{#t})
Whether to enable syslog output.

@item @code{pid-file} (default: @code{"/var/run/dropbear.pid"})
File name of the daemon's PID file.

@item @code{root-login?} (default: @code{#f})
Whether to allow @code{root} logins.

@item @code{allow-empty-passwords?} (default: @code{#f})
Whether to allow empty passwords.

@item @code{password-authentication?} (default: @code{#t})
Whether to enable password-based authentication.
@end table
@end deftp

@defvr {Scheme Variable} %facebook-host-aliases
This variable contains a string for use in @file{/etc/hosts}
(@pxref{Host Names,,, libc, The GNU C Library Reference Manual}).  Each
line contains a entry that maps a known server name of the Facebook
on-line service---e.g., @code{www.facebook.com}---to the local
host---@code{127.0.0.1} or its IPv6 equivalent, @code{::1}.

This variable is typically used in the @code{hosts-file} field of an
@code{operating-system} declaration (@pxref{operating-system Reference,
@file{/etc/hosts}}):

@example
(use-modules (gnu) (guix))

(operating-system
  (host-name "mymachine")
  ;; ...
  (hosts-file
    ;; Create a /etc/hosts file with aliases for "localhost"
    ;; and "mymachine", as well as for Facebook servers.
    (plain-file "hosts"
                (string-append (local-host-aliases host-name)
                               %facebook-host-aliases))))
@end example

This mechanism can prevent programs running locally, such as Web
browsers, from accessing Facebook.
@end defvr

The @code{(gnu services avahi)} provides the following definition.

@deffn {Scheme Procedure} avahi-service [#:avahi @var{avahi}] @
          [#:host-name #f] [#:publish? #t] [#:ipv4? #t] @
          [#:ipv6? #t] [#:wide-area? #f] @
          [#:domains-to-browse '()] [#:debug? #f]
Return a service that runs @command{avahi-daemon}, a system-wide
mDNS/DNS-SD responder that allows for service discovery and
"zero-configuration" host name lookups (see @uref{http://avahi.org/}), and
extends the name service cache daemon (nscd) so that it can resolve
@code{.local} host names using
@uref{http://0pointer.de/lennart/projects/nss-mdns/, nss-mdns}.  Additionally,
add the @var{avahi} package to the system profile so that commands such as
@command{avahi-browse} are directly usable.

If @var{host-name} is different from @code{#f}, use that as the host name to
publish for this machine; otherwise, use the machine's actual host name.

When @var{publish?} is true, publishing of host names and services is allowed;
in particular, avahi-daemon will publish the machine's host name and IP
address via mDNS on the local network.

When @var{wide-area?} is true, DNS-SD over unicast DNS is enabled.

Boolean values @var{ipv4?} and @var{ipv6?} determine whether to use IPv4/IPv6
sockets.
@end deffn

@deffn {Scheme Variable} openvswitch-service-type
This is the type of the @uref{http://www.openvswitch.org, Open vSwitch}
service, whose value should be an @code{openvswitch-configuration}
object.
@end deffn

@deftp {Data Type} openvswitch-configuration
Data type representing the configuration of Open vSwitch, a multilayer
virtual switch which is designed to enable massive network automation
through programmatic extension.

@table @asis
@item @code{package} (default: @var{openvswitch})
Package object of the Open vSwitch.

@end table
@end deftp

@node X Window
@subsubsection X Window

@cindex X11
@cindex X Window System
@cindex login manager
Support for the X Window graphical display system---specifically
Xorg---is provided by the @code{(gnu services xorg)} module.  Note that
there is no @code{xorg-service} procedure.  Instead, the X server is
started by the @dfn{login manager}, by default SLiM.

@cindex window manager
To use X11, you must install at least one @dfn{window manager}---for
example the @code{windowmaker} or @code{openbox} packages---preferably
by adding it to the @code{packages} field of your operating system
definition (@pxref{operating-system Reference, system-wide packages}).

@defvr {Scheme Variable} slim-service-type
This is the type for the SLiM graphical login manager for X11.

@cindex session types (X11)
@cindex X11 session types
SLiM looks for @dfn{session types} described by the @file{.desktop} files in
@file{/run/current-system/profile/share/xsessions} and allows users to
choose a session from the log-in screen using @kbd{F1}.  Packages such
as @code{xfce}, @code{sawfish}, and @code{ratpoison} provide
@file{.desktop} files; adding them to the system-wide set of packages
automatically makes them available at the log-in screen.

In addition, @file{~/.xsession} files are honored.  When available,
@file{~/.xsession} must be an executable that starts a window manager
and/or other X clients.
@end defvr

@deftp {Data Type} slim-configuration
Data type representing the configuration of @code{slim-service-type}.

@table @asis
@item @code{allow-empty-passwords?} (default: @code{#t})
Whether to allow logins with empty passwords.

@item @code{auto-login?} (default: @code{#f})
@itemx @code{default-user} (default: @code{""})
When @code{auto-login?} is false, SLiM presents a log-in screen.

When @code{auto-login?} is true, SLiM logs in directly as
@code{default-user}.

@item @code{theme} (default: @code{%default-slim-theme})
@itemx @code{theme-name} (default: @code{%default-slim-theme-name})
The graphical theme to use and its name.

@item @code{auto-login-session} (default: @code{#f})
If true, this must be the name of the executable to start as the default
session---e.g., @code{(file-append windowmaker "/bin/windowmaker")}.

If false, a session described by one of the available @file{.desktop}
files in @code{/run/current-system/profile} and @code{~/.guix-profile}
will be used.

@quotation Note
You must install at least one window manager in the system profile or in
your user profile.  Failing to do that, if @code{auto-login-session} is
false, you will be unable to log in.
@end quotation

@item @code{startx} (default: @code{(xorg-start-command)})
The command used to start the X11 graphical server.

@item @code{xauth} (default: @code{xauth})
The XAuth package to use.

@item @code{shepherd} (default: @code{shepherd})
The Shepherd package used when invoking @command{halt} and
@command{reboot}.

@item @code{sessreg} (default: @code{sessreg})
The sessreg package used in order to register the session.

@item @code{slim} (default: @code{slim})
The SLiM package to use.
@end table
@end deftp

@defvr {Scheme Variable} %default-theme
@defvrx {Scheme Variable} %default-theme-name
The default SLiM theme and its name.
@end defvr


@deftp {Data Type} sddm-configuration
This is the data type representing the sddm service configuration.

@table @asis
@item @code{display-server} (default: "x11")
Select display server to use for the greeter. Valid values are "x11"
or "wayland".

@item @code{numlock} (default: "on")
Valid values are "on", "off" or "none".

@item @code{halt-command} (default @code{#~(string-apppend #$shepherd "/sbin/halt")})
Command to run when halting.

@item @code{reboot-command} (default @code{#~(string-append #$shepherd "/sbin/reboot")})
Command to run when rebooting.

@item @code{theme} (default "maldives")
Theme to use. Default themes provided by SDDM are "elarun" or "maldives".

@item @code{themes-directory} (default "/run/current-system/profile/share/sddm/themes")
Directory to look for themes.

@item @code{faces-directory} (default "/run/current-system/profile/share/sddm/faces")
Directory to look for faces.

@item @code{default-path} (default "/run/current-system/profile/bin")
Default PATH to use.

@item @code{minimum-uid} (default 1000)
Minimum UID to display in SDDM.

@item @code{maximum-uid} (default 2000)
Maximum UID to display in SDDM

@item @code{remember-last-user?} (default #t)
Remember last user.

@item @code{remember-last-session?} (default #t)
Remember last session.

@item @code{hide-users} (default "")
Usernames to hide from SDDM greeter.

@item @code{hide-shells} (default @code{#~(string-append #$shadow "/sbin/nologin")})
Users with shells listed will be hidden from the SDDM greeter.

@item @code{session-command} (default @code{#~(string-append #$sddm "/share/sddm/scripts/wayland-session")})
Script to run before starting a wayland session.

@item @code{sessions-directory} (default "/run/current-system/profile/share/wayland-sessions")
Directory to look for desktop files starting wayland sessions.

@item @code{xorg-server-path} (default @code{xorg-start-command})
Path to xorg-server.

@item @code{xauth-path} (default @code{#~(string-append #$xauth "/bin/xauth")})
Path to xauth.

@item @code{xephyr-path} (default @code{#~(string-append #$xorg-server "/bin/Xephyr")})
Path to Xephyr.

@item @code{xdisplay-start} (default @code{#~(string-append #$sddm "/share/sddm/scripts/Xsetup")})
Script to run after starting xorg-server.

@item @code{xdisplay-stop} (default @code{#~(string-append #$sddm "/share/sddm/scripts/Xstop")})
Script to run before stopping xorg-server.

@item @code{xsession-command} (default: @code{xinitr })
Script to run before starting a X session.

@item @code{xsessions-directory} (default: "/run/current-system/profile/share/xsessions")
Directory to look for desktop files starting X sessions.

@item @code{minimum-vt} (default: 7)
Minimum VT to use.

@item @code{xserver-arguments} (default "-nolisten tcp")
Arguments to pass to xorg-server.

@item @code{auto-login-user} (default "")
User to use for auto-login.

@item @code{auto-login-session} (default "")
Desktop file to use for auto-login.

@item @code{relogin?} (default #f)
Relogin after logout.

@end table
@end deftp

@cindex login manager
@cindex X11 login
@deffn {Scheme Procedure} sddm-service config
Return a service that spawns the SDDM graphical login manager for config of
type @code{<sddm-configuration>}.

@example
  (sddm-service (sddm-configuration
                 (auto-login-user "Alice")
                 (auto-login-session "xfce.desktop")))
@end example
@end deffn

@deffn {Scheme Procedure} xorg-start-command [#:guile] @
  [#:modules %default-xorg-modules] @
  [#:fonts %default-xorg-fonts] @
  [#:configuration-file (xorg-configuration-file @dots{})] @
  [#:xorg-server @var{xorg-server}]
Return a @code{startx} script in which @var{modules}, a list of X module
packages, and @var{fonts}, a list of X font directories, are available.  See
@code{xorg-wrapper} for more details on the arguments.  The result should be
used in place of @code{startx}.

Usually the X server is started by a login manager.
@end deffn

@deffn {Scheme Procedure} xorg-configuration-file @
  [#:modules %default-xorg-modules] @
  [#:fonts %default-xorg-fonts] @
  [#:drivers '()] [#:resolutions '()] [#:extra-config '()]
Return a configuration file for the Xorg server containing search paths for
all the common drivers.

@var{modules} must be a list of @dfn{module packages} loaded by the Xorg
server---e.g., @code{xf86-video-vesa}, @code{xf86-input-keyboard}, and so on.
@var{fonts} must be a list of font directories to add to the server's
@dfn{font path}.

@var{drivers} must be either the empty list, in which case Xorg chooses a
graphics driver automatically, or a list of driver names that will be tried in
this order---e.g., @code{("modesetting" "vesa")}.

Likewise, when @var{resolutions} is the empty list, Xorg chooses an
appropriate screen resolution; otherwise, it must be a list of
resolutions---e.g., @code{((1024 768) (640 480))}.

Last, @var{extra-config} is a list of strings or objects appended to the
configuration file.  It is used to pass extra text to be
added verbatim to the configuration file.
@end deffn

@deffn {Scheme Procedure} screen-locker-service @var{package} [@var{program}]
Add @var{package}, a package for a screen locker or screen saver whose
command is @var{program}, to the set of setuid programs and add a PAM entry
for it.  For example:

@lisp
(screen-locker-service xlockmore "xlock")
@end lisp

makes the good ol' XlockMore usable.
@end deffn


@node Printing Services
@subsubsection Printing Services

@cindex printer support with CUPS
The @code{(gnu services cups)} module provides a Guix service definition
for the CUPS printing service.  To add printer support to a GuixSD
system, add a @code{cups-service} to the operating system definition:

@deffn {Scheme Variable} cups-service-type
The service type for the CUPS print server.  Its value should be a valid
CUPS configuration (see below).  To use the default settings, simply
write:
@example
(service cups-service-type)
@end example
@end deffn

The CUPS configuration controls the basic things about your CUPS
installation: what interfaces it listens on, what to do if a print job
fails, how much logging to do, and so on.  To actually add a printer,
you have to visit the @url{http://localhost:631} URL, or use a tool such
as GNOME's printer configuration services.  By default, configuring a
CUPS service will generate a self-signed certificate if needed, for
secure connections to the print server.

Suppose you want to enable the Web interface of CUPS and also add
support for Epson printers @i{via} the @code{escpr} package and for HP
printers @i{via} the @code{hplip} package.  You can do that directly,
like this (you need to use the @code{(gnu packages cups)} module):

@example
(service cups-service-type
         (cups-configuration
           (web-interface? #t)
           (extensions
             (list cups-filters escpr hplip))))
@end example

The available configuration parameters follow.  Each parameter
definition is preceded by its type; for example, @samp{string-list foo}
indicates that the @code{foo} parameter should be specified as a list of
strings.  There is also a way to specify the configuration as a string,
if you have an old @code{cupsd.conf} file that you want to port over
from some other system; see the end for more details.

@c The following documentation was initially generated by
@c (generate-documentation) in (gnu services cups).  Manually maintained
@c documentation is better, so we shouldn't hesitate to edit below as
@c needed.  However if the change you want to make to this documentation
@c can be done in an automated way, it's probably easier to change
@c (generate-documentation) than to make it below and have to deal with
@c the churn as CUPS updates.


Available @code{cups-configuration} fields are:

@deftypevr {@code{cups-configuration} parameter} package cups
The CUPS package.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} package-list extensions
Drivers and other extensions to the CUPS package.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} files-configuration files-configuration
Configuration of where to write logs, what directories to use for print
spools, and related privileged configuration parameters.

Available @code{files-configuration} fields are:

@deftypevr {@code{files-configuration} parameter} log-location access-log
Defines the access log filename.  Specifying a blank filename disables
access log generation.  The value @code{stderr} causes log entries to be
sent to the standard error file when the scheduler is running in the
foreground, or to the system log daemon when run in the background.  The
value @code{syslog} causes log entries to be sent to the system log
daemon.  The server name may be included in filenames using the string
@code{%s}, as in @code{/var/log/cups/%s-access_log}.

Defaults to @samp{"/var/log/cups/access_log"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} file-name cache-dir
Where CUPS should cache data.

Defaults to @samp{"/var/cache/cups"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} string config-file-perm
Specifies the permissions for all configuration files that the scheduler
writes.

Note that the permissions for the printers.conf file are currently
masked to only allow access from the scheduler user (typically root).
This is done because printer device URIs sometimes contain sensitive
authentication information that should not be generally known on the
system.  There is no way to disable this security feature.

Defaults to @samp{"0640"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} log-location error-log
Defines the error log filename.  Specifying a blank filename disables
access log generation.  The value @code{stderr} causes log entries to be
sent to the standard error file when the scheduler is running in the
foreground, or to the system log daemon when run in the background.  The
value @code{syslog} causes log entries to be sent to the system log
daemon.  The server name may be included in filenames using the string
@code{%s}, as in @code{/var/log/cups/%s-error_log}.

Defaults to @samp{"/var/log/cups/error_log"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} string fatal-errors
Specifies which errors are fatal, causing the scheduler to exit.  The
kind strings are:

@table @code
@item none
No errors are fatal.

@item all
All of the errors below are fatal.

@item browse
Browsing initialization errors are fatal, for example failed connections
to the DNS-SD daemon.

@item config
Configuration file syntax errors are fatal.

@item listen
Listen or Port errors are fatal, except for IPv6 failures on the
loopback or @code{any} addresses.

@item log
Log file creation or write errors are fatal.

@item permissions
Bad startup file permissions are fatal, for example shared TLS
certificate and key files with world-read permissions.
@end table

Defaults to @samp{"all -browse"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} boolean file-device?
Specifies whether the file pseudo-device can be used for new printer
queues.  The URI @uref{file:///dev/null} is always allowed.

Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} string group
Specifies the group name or ID that will be used when executing external
programs.

Defaults to @samp{"lp"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} string log-file-perm
Specifies the permissions for all log files that the scheduler writes.

Defaults to @samp{"0644"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} log-location page-log
Defines the page log filename.  Specifying a blank filename disables
access log generation.  The value @code{stderr} causes log entries to be
sent to the standard error file when the scheduler is running in the
foreground, or to the system log daemon when run in the background.  The
value @code{syslog} causes log entries to be sent to the system log
daemon.  The server name may be included in filenames using the string
@code{%s}, as in @code{/var/log/cups/%s-page_log}.

Defaults to @samp{"/var/log/cups/page_log"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} string remote-root
Specifies the username that is associated with unauthenticated accesses
by clients claiming to be the root user.  The default is @code{remroot}.

Defaults to @samp{"remroot"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} file-name request-root
Specifies the directory that contains print jobs and other HTTP request
data.

Defaults to @samp{"/var/spool/cups"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} sandboxing sandboxing
Specifies the level of security sandboxing that is applied to print
filters, backends, and other child processes of the scheduler; either
@code{relaxed} or @code{strict}.  This directive is currently only
used/supported on macOS.

Defaults to @samp{strict}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} file-name server-keychain
Specifies the location of TLS certificates and private keys.  CUPS will
look for public and private keys in this directory: a @code{.crt} files
for PEM-encoded certificates and corresponding @code{.key} files for
PEM-encoded private keys.

Defaults to @samp{"/etc/cups/ssl"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} file-name server-root
Specifies the directory containing the server configuration files.

Defaults to @samp{"/etc/cups"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} boolean sync-on-close?
Specifies whether the scheduler calls fsync(2) after writing
configuration or state files.

Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} space-separated-string-list system-group
Specifies the group(s) to use for @code{@@SYSTEM} group authentication.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} file-name temp-dir
Specifies the directory where temporary files are stored.

Defaults to @samp{"/var/spool/cups/tmp"}.
@end deftypevr

@deftypevr {@code{files-configuration} parameter} string user
Specifies the user name or ID that is used when running external
programs.

Defaults to @samp{"lp"}.
@end deftypevr
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} access-log-level access-log-level
Specifies the logging level for the AccessLog file.  The @code{config}
level logs when printers and classes are added, deleted, or modified and
when configuration files are accessed or updated.  The @code{actions}
level logs when print jobs are submitted, held, released, modified, or
canceled, and any of the conditions for @code{config}.  The @code{all}
level logs all requests.

Defaults to @samp{actions}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} boolean auto-purge-jobs?
Specifies whether to purge job history data automatically when it is no
longer required for quotas.

Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} browse-local-protocols browse-local-protocols
Specifies which protocols to use for local printer sharing.

Defaults to @samp{dnssd}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} boolean browse-web-if?
Specifies whether the CUPS web interface is advertised.

Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} boolean browsing?
Specifies whether shared printers are advertised.

Defaults to @samp{#f}.
@end deftypevr

@deftypevr {@code{cups-configuration} parameter} string classification
Specifies the security classification of the server.  Any valid banner
name can be used, including "classified", "confidential", "secret",
"topsecret", and "unclassified", or the banner can be omitted to disable
secure printing functions.

Defaults to @samp{""}.
@end deftypevr