bug#69599: peercred package crashes guix go importer

2024-03-16 Thread Carlo Zancanaro
On Wed, Mar 06 2024, Nathan Dehnel wrote:
> ice-9/boot-9.scm:1683:16: In procedure raise-exception:
> In procedure getaddrinfo: System error

Looks like an issue with the domain. Guix tries to look up inet.af, but
the project doesn't have the domain any more[1].

Using "guix import go github.com/inetaf/peercred" instead should work.

Carlo

[1]: https://github.com/inetaf/tcpproxy/issues/39





bug#69397: guix import crate misses dependencies

2024-02-25 Thread Carlo Zancanaro
Hi Nathan,

I just tried running your example:

On Sun, Feb 25 2024, Nathan Dehnel wrote:
> guix import crate -r --recursive-dev-dependencies --allow-yanked 
> egui_dock@0.11

I saw that rust-bytemuck-1 was included as an input in lots of packages,
as you said. However, I also noticed that bytemuck is present in
Guix. "guix edit rust-bytemuck" opened gnu/packages/crates-io.scm which
defines the rust-bytemuck-1 variable to a package for rust-bytemuck.

Rather than importing bytemuck separately, it should be enough to add
(use-modules (gnu packages crates-io)) at the top of your scheme file to
bring the Guix definition in.

Carlo





bug#69129: sbcl-mcclim broke on upgrade to sbcl@2.4.0

2024-02-17 Thread Carlo Zancanaro
On Sat, Feb 17 2024, Sharlatan Hellseher wrote:
> I've added copyright header and use version field for commit.

Thanks for that. I feel like this work was entirely mechanical, so I
would have been fine without a copyright header, but I appreciate it.

I'm curious about the version/commit change, though. Given the -yule
suffix on the tag name changes with each version we will still need to
manually update the origin's commit. It feels like unnecessary
indirection to me. What is the benefit to referencing the package's
version in the origin like this?

Carlo





bug#69129: [PATCH v2 2/2] gnu: sbcl-mcclim: Reformatting.

2024-02-17 Thread Carlo Zancanaro
* gnu/packages/lisp-xyz.scm (sbcl-mcclim): Remove let and reindent.

Change-Id: Ib7faade37178aff779fbffe1cb439367b5740b91
---
 gnu/packages/lisp-xyz.scm | 129 +++---
 1 file changed, 64 insertions(+), 65 deletions(-)

diff --git a/gnu/packages/lisp-xyz.scm b/gnu/packages/lisp-xyz.scm
index 5a8108e811..7b145398fa 100644
--- a/gnu/packages/lisp-xyz.scm
+++ b/gnu/packages/lisp-xyz.scm
@@ -15481,72 +15481,71 @@ (define-public ecl-dejavu
   (sbcl-package->ecl-package sbcl-cl-dejavu))
 
 (define-public sbcl-mcclim
-  (let ((commit #f)) ; avoiding changing indentation
-(package
-  (name "sbcl-mcclim")
-  (version "0.9.8")
-  (source
-   (origin
- (method git-fetch)
- (uri (git-reference
-   (url "https://codeberg.org/McCLIM/McCLIM;)
-   (commit "0.9.8-yule")))
- (file-name (git-file-name "cl-mcclim" version))
- (sha256
-  (base32 "0gbi61jnnsz6fvhv18mf57jkq46bvcd0355vqdcnrni7xyi10sk8"
-  (build-system asdf-build-system/sbcl)
-  (native-inputs
-   (list sbcl-fiveam pkg-config))
-  (inputs
-   (list fontconfig
- freetype
- harfbuzz
- sbcl-alexandria
- sbcl-babel
- sbcl-bordeaux-threads
- sbcl-cffi
- sbcl-cl-base64
- sbcl-cl-dejavu
- sbcl-cl-freetype2
- sbcl-cl-pdf
- sbcl-cl-unicode
- sbcl-cl-vectors
- sbcl-cl-who
- sbcl-closer-mop
- sbcl-cluffer
- sbcl-clx
- sbcl-flexi-streams
- sbcl-flexichain
- sbcl-log4cl
- sbcl-lorem-ipsum
- sbcl-opticl
- sbcl-slime-swank
- sbcl-spatial-trees
- sbcl-trivial-features
- sbcl-trivial-garbage
- sbcl-trivial-gray-streams
- sbcl-zpb-ttf))
-  (arguments
-   '(#:asd-systems '("mcclim"
- "clim-examples"
- ;; clim-debugger is required by cleavir.
- "clim-debugger")
- #:phases
- (modify-phases %standard-phases
-   (add-after 'unpack 'fix-paths
- (lambda* (#:key inputs #:allow-other-keys)
-   (substitute* "Extensions/fontconfig/src/functions.lisp"
- (("libfontconfig\\.so")
-  (search-input-file inputs "/lib/libfontconfig.so")))
-   (substitute* "Extensions/harfbuzz/src/functions.lisp"
- (("libharfbuzz\\.so")
-  (search-input-file inputs "/lib/libharfbuzz.so"
-  (home-page "https://mcclim.common-lisp.dev/;)
-  (synopsis "Common Lisp GUI toolkit")
-  (description
-   "McCLIM is an implementation of the @emph{Common Lisp Interface Manager
+  (package
+(name "sbcl-mcclim")
+(version "0.9.8")
+(source
+ (origin
+   (method git-fetch)
+   (uri (git-reference
+ (url "https://codeberg.org/McCLIM/McCLIM;)
+ (commit "0.9.8-yule")))
+   (file-name (git-file-name "cl-mcclim" version))
+   (sha256
+(base32 "0gbi61jnnsz6fvhv18mf57jkq46bvcd0355vqdcnrni7xyi10sk8"
+(build-system asdf-build-system/sbcl)
+(native-inputs
+ (list sbcl-fiveam pkg-config))
+(inputs
+ (list fontconfig
+   freetype
+   harfbuzz
+   sbcl-alexandria
+   sbcl-babel
+   sbcl-bordeaux-threads
+   sbcl-cffi
+   sbcl-cl-base64
+   sbcl-cl-dejavu
+   sbcl-cl-freetype2
+   sbcl-cl-pdf
+   sbcl-cl-unicode
+   sbcl-cl-vectors
+   sbcl-cl-who
+   sbcl-closer-mop
+   sbcl-cluffer
+   sbcl-clx
+   sbcl-flexi-streams
+   sbcl-flexichain
+   sbcl-log4cl
+   sbcl-lorem-ipsum
+   sbcl-opticl
+   sbcl-slime-swank
+   sbcl-spatial-trees
+   sbcl-trivial-features
+   sbcl-trivial-garbage
+   sbcl-trivial-gray-streams
+   sbcl-zpb-ttf))
+(arguments
+ '(#:asd-systems '("mcclim"
+   "clim-examples"
+   ;; clim-debugger is required by cleavir.
+   "clim-debugger")
+   #:phases
+   (modify-phases %standard-phases
+ (add-after 'unpack 'fix-paths
+   (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "Extensions/fontconfig/src/functions.lisp"
+   (("libfontconfig\\.so")
+(search-input-file inputs "/lib/libfontconfig.so")))
+ (substitute* "Extensions/harfbuzz/src/functions.lisp"
+   (("libharfbuzz\\.so")
+(search-input-file inputs "/lib/libharfbuzz.so"
+(home-page "https://mcclim.common-lisp.dev/;)
+(synopsis "Common Lisp GUI toolkit")
+(description
+ "McCLIM is an implementation of 
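Review bot: the only non-whitespace change in this hunk should be dropping the `(let ((commit #f)) ; avoiding changing indentation` wrapper, but the archive truncates the hunk inside the description string, so the tail cannot be inspected here; check the full patch with `git show -w`, which should leave nothing but the removed `let` line and its closing paren, to confirm no unrelated edit is hiding inside a 129-line reindent.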

bug#69129: [PATCH v2 1/2] gnu: sbcl-mcclim: Update to 0.9.8.

2024-02-17 Thread Carlo Zancanaro
* gnu/packages/lisp-xyz.scm (sbcl-mcclim): Update to 0.9.8, and add
sbcl-cluffer and sbcl-lorem-ipsum inputs.

Change-Id: I35bed62483973e2dd6f6f142df096abf765b4208
---
 gnu/packages/lisp-xyz.scm | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/lisp-xyz.scm b/gnu/packages/lisp-xyz.scm
index 045a3e939a..5a8108e811 100644
--- a/gnu/packages/lisp-xyz.scm
+++ b/gnu/packages/lisp-xyz.scm
@@ -15481,20 +15481,19 @@ (define-public ecl-dejavu
   (sbcl-package->ecl-package sbcl-cl-dejavu))
 
 (define-public sbcl-mcclim
-  (let ((commit "ece91cf035e2ccb1c6eb0bb867ae2bc45f627982")
-(revision "3"))
+  (let ((commit #f)) ; avoiding changing indentation
 (package
   (name "sbcl-mcclim")
-  (version (git-version "0.9.7" revision commit))
+  (version "0.9.8")
   (source
(origin
  (method git-fetch)
  (uri (git-reference
(url "https://codeberg.org/McCLIM/McCLIM;)
-   (commit commit)))
+   (commit "0.9.8-yule")))
  (file-name (git-file-name "cl-mcclim" version))
  (sha256
-  (base32 "0prn4f0nz604ykcg8004f1vndgjm7181wrlblq6mhasphca28c2k"
+  (base32 "0gbi61jnnsz6fvhv18mf57jkq46bvcd0355vqdcnrni7xyi10sk8"
   (build-system asdf-build-system/sbcl)
   (native-inputs
(list sbcl-fiveam pkg-config))
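Review bot: `(commit "0.9.8-yule")` pins the source to a git tag rather than a commit hash; tags are mutable refs, so what actually guarantees the fetched tree is the `sha256` two lines below, and a moved tag becomes a hash mismatch at build time rather than a silent change. That is acceptable for a tagged release, but the `(let ((commit #f)) ; avoiding changing indentation` wrapper now binds a name nothing uses and exists only to postpone a reindent; since 2/2 removes it anyway, either squash the two or say in this commit message that the dead binding is temporary.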
@@ -15514,10 +15513,12 @@ (define-public sbcl-mcclim
  sbcl-cl-vectors
  sbcl-cl-who
  sbcl-closer-mop
+ sbcl-cluffer
  sbcl-clx
  sbcl-flexi-streams
  sbcl-flexichain
  sbcl-log4cl
+ sbcl-lorem-ipsum
  sbcl-opticl
  sbcl-slime-swank
  sbcl-spatial-trees
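Review bot: `sbcl-cluffer` and `sbcl-lorem-ipsum` are added without saying which ASDF system declares them, and the earlier [PATCH] cover note on this bug says the inputs were chosen by adding whatever made asdf stop complaining; record in the commit message which system pulls in each input (and whether it is needed for `mcclim` itself or only for `clim-examples`), so the next updater can tell when one can be dropped.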

base-commit: 91d80460296e2d5a01704d0f34fb966a45a165ae
-- 
2.41.0






bug#69129: [PATCH] gnu: sbcl-mcclim: Update to 0.9.8.

2024-02-17 Thread Carlo Zancanaro
* gnu/packages/lisp-xyz.scm (sbcl-mcclim): Update to 0.9.8, and add
sbcl-cluffer and sbcl-lorem-ipsum inputs.

Change-Id: I35bed62483973e2dd6f6f142df096abf765b4208
---

I have attempted to update sbcl-mcclim. I tested using the same steps
as Guillaume:

  $ guix shell sbcl sbcl-mcclim -- sbcl --no-userinit

Then at the sbcl prompt I ran:

  (require :asdf)
  (asdf:load-system "clim-examples")
  (clim-demo:demodemo)

Then I opened the stream test and it seemed to work properly. Testing
without this patch I could reproduce the failure, so hopefully this
fixes the real problems, too.

I didn't properly check all of the inputs; I just added the inputs
that I needed to make asdf happy and for it to build.

 gnu/packages/lisp-xyz.scm | 128 +++---
 1 file changed, 64 insertions(+), 64 deletions(-)

diff --git a/gnu/packages/lisp-xyz.scm b/gnu/packages/lisp-xyz.scm
index 045a3e939a..7b145398fa 100644
--- a/gnu/packages/lisp-xyz.scm
+++ b/gnu/packages/lisp-xyz.scm
@@ -15481,71 +15481,71 @@ (define-public ecl-dejavu
   (sbcl-package->ecl-package sbcl-cl-dejavu))
 
 (define-public sbcl-mcclim
-  (let ((commit "ece91cf035e2ccb1c6eb0bb867ae2bc45f627982")
-(revision "3"))
-(package
-  (name "sbcl-mcclim")
-  (version (git-version "0.9.7" revision commit))
-  (source
-   (origin
- (method git-fetch)
- (uri (git-reference
-   (url "https://codeberg.org/McCLIM/McCLIM;)
-   (commit commit)))
- (file-name (git-file-name "cl-mcclim" version))
- (sha256
-  (base32 "0prn4f0nz604ykcg8004f1vndgjm7181wrlblq6mhasphca28c2k"
-  (build-system asdf-build-system/sbcl)
-  (native-inputs
-   (list sbcl-fiveam pkg-config))
-  (inputs
-   (list fontconfig
- freetype
- harfbuzz
- sbcl-alexandria
- sbcl-babel
- sbcl-bordeaux-threads
- sbcl-cffi
- sbcl-cl-base64
- sbcl-cl-dejavu
- sbcl-cl-freetype2
- sbcl-cl-pdf
- sbcl-cl-unicode
- sbcl-cl-vectors
- sbcl-cl-who
- sbcl-closer-mop
- sbcl-clx
- sbcl-flexi-streams
- sbcl-flexichain
- sbcl-log4cl
- sbcl-opticl
- sbcl-slime-swank
- sbcl-spatial-trees
- sbcl-trivial-features
- sbcl-trivial-garbage
- sbcl-trivial-gray-streams
- sbcl-zpb-ttf))
-  (arguments
-   '(#:asd-systems '("mcclim"
- "clim-examples"
- ;; clim-debugger is required by cleavir.
- "clim-debugger")
- #:phases
- (modify-phases %standard-phases
-   (add-after 'unpack 'fix-paths
- (lambda* (#:key inputs #:allow-other-keys)
-   (substitute* "Extensions/fontconfig/src/functions.lisp"
- (("libfontconfig\\.so")
-  (search-input-file inputs "/lib/libfontconfig.so")))
-   (substitute* "Extensions/harfbuzz/src/functions.lisp"
- (("libharfbuzz\\.so")
-  (search-input-file inputs "/lib/libharfbuzz.so"
-  (home-page "https://mcclim.common-lisp.dev/;)
-  (synopsis "Common Lisp GUI toolkit")
-  (description
-   "McCLIM is an implementation of the @emph{Common Lisp Interface Manager
+  (package
+(name "sbcl-mcclim")
+(version "0.9.8")
+(source
+ (origin
+   (method git-fetch)
+   (uri (git-reference
+ (url "https://codeberg.org/McCLIM/McCLIM;)
+ (commit "0.9.8-yule")))
+   (file-name (git-file-name "cl-mcclim" version))
+   (sha256
+(base32 "0gbi61jnnsz6fvhv18mf57jkq46bvcd0355vqdcnrni7xyi10sk8"
+(build-system asdf-build-system/sbcl)
+(native-inputs
+ (list sbcl-fiveam pkg-config))
+(inputs
+ (list fontconfig
+   freetype
+   harfbuzz
+   sbcl-alexandria
+   sbcl-babel
+   sbcl-bordeaux-threads
+   sbcl-cffi
+   sbcl-cl-base64
+   sbcl-cl-dejavu
+   sbcl-cl-freetype2
+   sbcl-cl-pdf
+   sbcl-cl-unicode
+   sbcl-cl-vectors
+   sbcl-cl-who
+   sbcl-closer-mop
+   sbcl-cluffer
+   sbcl-clx
+   sbcl-flexi-streams
+   sbcl-flexichain
+   sbcl-log4cl
+   sbcl-lorem-ipsum
+   sbcl-opticl
+   sbcl-slime-swank
+   sbcl-spatial-trees
+   sbcl-trivial-features
+   sbcl-trivial-garbage
+   sbcl-trivial-gray-streams
+   sbcl-zpb-ttf))
+(arguments
+ '(#:asd-systems '("mcclim"
+   "clim-examples"
+   ;; clim-debugger is required by cleavir.
+   "clim-debugger")
+   #:phases
+   (modify-phases %standard-phases
+ (add-after 
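Review bot: this single hunk mixes the real change (version 0.9.8, the new tag, the new hash, two added inputs) with a reindent of the whole package body caused by dropping the `let`, so the 128-line diff shows every line as removed and re-added and the substantive edits cannot be picked out by eye; split it into an update commit and a separate whitespace-only reformat commit (as the v2 series on this bug does), so the first stays small and `git diff -w` on the second comes out empty.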

bug#46961: Nginx and certbot services don't play well together

2024-01-31 Thread Carlo Zancanaro

On Wed, Jan 31 2024, Clément Lassieur wrote:
> Removing guix-devel.

I've also removed Brice.

> On Tue, Jan 30 2024, Carlo Zancanaro wrote:
>>  (format #t "Acquiring or renewing certificate: ~a~%" name)
>
> Here we could add ‘(force-output)’, because otherwise those logs arrive
> after the certbot logs, and it's hard to understand anything.

Done.

>> +  ;; If we have a connection error, then bail early
>> +  ;; with exit code 2. We don't expect this to
>> +  ;; resolve within the timespan of this script.
>
> Could we have a (log + force-output) here too?  (I imagine within a
> ‘begin’)

Done.

>> +  ;; If we have any other type of error, then continue
>> +  ;; but exit with a failing status code in the end.
>
> and here?

Done.

> And maybe a log also in case the command succeeds.  (So that would mean
> to replace ‘unless’ with ‘if’).

Done.

>> +  (< attempt 12)) ; 12 * 10 seconds = 2 minutes
>                     ^--
> This comment is not true because certbot takes time to execute
> (around 15s on my vm).  I don't think there is a need to be that
> precise.

I haven't extracted/named the max-attempts value, but I have removed the
comments that imply that the time frame is bounded.

> Also could you update the example in the docs?

I have removed the %certbot-deploy-hook in the example in the manual.

> ... However, we could add a nginx-service-type and a
> dhcp-client-service-type so that people have an idea of what the
> minimal config is, maybe like I did in my first review:
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23.

I have not added this. I understand the desire, but I'm wary of
providing an example that's "too involved". The current example
demonstrates a minimal config of certbot itself. I think you are looking
to include an example of a minimal system that hosts a website using
certbot provided certificates. I don't know where an example like that
belongs, but I'm not yet convinced it belongs in the certbot service
documentation.


Carlo





bug#46961: [PATCH v3 3/4] services: certbot: Reload nginx in deploy hook.

2024-01-31 Thread Carlo Zancanaro
* gnu/services/certbot.scm (certbot-deploy-hook): Reload nginx.
* doc/guix.texi (Certificate services): Remove deploy-hook from example.

Change-Id: Ibb10481170a6fda7df72492072b939dd6a6ad176
---

I've pulled the nginx reloading into the regular deployment hook
here. I also removed the explicit deploy hook in the documentation,
because that is now the default behaviour.

 doc/guix.texi| 10 +-
 gnu/services/certbot.scm | 10 --
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 732abceb0f..c71d7e94cf 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32562,21 +32562,13 @@ Certificate Services
 must be a @code{certbot-configuration} record as in this example:
 
 @lisp
-(define %certbot-deploy-hook
-  (program-file "certbot-deploy-hook.scm"
-(with-imported-modules '((gnu services herd))
-  #~(begin
-  (use-modules (gnu services herd))
-  (with-shepherd-action 'nginx ('reload) result result)
-
 (service certbot-service-type
  (certbot-configuration
   (email "foo@@example.net")
   (certificates
(list
 (certificate-configuration
- (domains '("example.net" "www.example.net"))
- (deploy-hook %certbot-deploy-hook))
+ (domains '("example.net" "www.example.net")))
 (certificate-configuration
  (domains '("bar.example.net")))
 @end lisp
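Review bot: the example drops `deploy-hook`, but nothing in this hunk tells the reader that nginx is now reloaded automatically after every successful deploy; the prose still only says "as in this example". Add a sentence stating that the service reloads nginx itself and that a custom `deploy-hook` runs after that reload, so users who wrote their own reload hook against the old example know to delete it rather than reload twice.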
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 10b99f5630..cb1be0c0e9 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -100,9 +100,11 @@ (define (certbot-deploy-hook name deploy-hook-script)
 deploy."
   (program-file
(string-append name "-deploy-hook")
-   (with-imported-modules '((guix build utils))
+   (with-imported-modules '((gnu services herd)
+(guix build utils))
  #~(begin
- (use-modules (guix build utils))
+ (use-modules (gnu services herd)
+  (guix build utils))
  (mkdir-p #$(string-append "/etc/certs/" name))
  (chmod #$(string-append "/etc/certs/" name) #o755)
 
@@ -120,6 +122,10 @@ (define (certbot-deploy-hook name deploy-hook-script)
   #$(string-append "/etc/certs/" name "/privkey.pem"))
  (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new")
   #$(string-append "/etc/certs/" name "/fullchain.pem"))
+
+ ;; With the new certificates in place, tell nginx to reload them.
+ (with-shepherd-action 'nginx ('reload) result result)
+
  #$@(if deploy-hook-script
 (list #~(invoke #$deploy-hook-script))
 '())
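Review bot: `(with-shepherd-action 'nginx ('reload) result result)` runs unconditionally in every certificate's deploy hook, so the hook now assumes an `nginx` shepherd service exists; the manual hunks in 1/4 show these same certificates consumed by prosody and mumble, where no nginx may be running and the action would report an error after the new files have already been renamed into place. Guard the reload (skip it when the service is absent) or make the service to reload configurable, and document that the user's `deploy-hook-script` still runs after the reload, i.e. with the renewed files in `/etc/certs/` already live.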
-- 
2.41.0






bug#46961: [PATCH v3 0/4] Make certbot play more nicely with nginx

2024-01-31 Thread Carlo Zancanaro
Carlo Zancanaro (4):
  services: certbot: Symlink certificates to /etc/certs.
  services: certbot: Create self-signed certificates before certbot
runs.
  services: certbot: Reload nginx in deploy hook.
  services: certbot: Add one-shot service to renew certificates.

 doc/guix.texi|  40 -
 gnu/services/certbot.scm | 185 +++
 2 files changed, 189 insertions(+), 36 deletions(-)


base-commit: 7a45f7b9e1b34912ee087daf4014aa4f67b11bf0
-- 
2.41.0






bug#46961: [PATCH v3 2/4] services: certbot: Create self-signed certificates before certbot runs.

2024-01-31 Thread Carlo Zancanaro
* gnu/services/certbot.scm (): Add
start-self-signed? field.
(generate-certificate-gexp): New procedure.
(certbot-activation): Generate self-signed certificates when
start-self-signed? is #t.
* doc/guix.texi (Certificate services): Document start-self-signed?.

Change-Id: Icfd85ae0c3e29324acbcde6ba283546cf0e27a1d
---
 doc/guix.texi|  6 
 gnu/services/certbot.scm | 62 ++--
 2 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 97be37f9b5..732abceb0f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32690,6 +32690,12 @@ Certificate Services
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.
 
+@item @code{start-self-signed?} (default: @code{#t})
+Whether to generate an initial self-signed certificate during system
+activation.  This option is particularly useful to allow @code{nginx} to
+start before @code{certbot} has run, because @code{certbot} relies on
+@code{nginx} running to perform HTTP challenges.
+
 @end table
 @end deftp
 
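Review bot: "@code{certbot} relies on @code{nginx} running to perform HTTP challenges" overstates the dependency; certbot can answer HTTP challenges on its own with `--standalone`, as was pointed out in the v2 discussion on this bug, and it is this service's webroot setup that needs nginx to serve the challenge files. Word it as "because this service's webroot challenge needs @code{nginx} to serve the challenge files" so the manual describes the configuration rather than certbot in general.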
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 3926d0551a..10b99f5630 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -35,6 +35,7 @@ (define-module (gnu services certbot)
   #:use-module (guix records)
   #:use-module (guix gexp)
   #:use-module (srfi srfi-1)
+  #:use-module (ice-9 format)
   #:use-module (ice-9 match)
   #:export (certbot-service-type
 certbot-configuration
@@ -64,7 +65,9 @@ (define-record-type* 
   (cleanup-hookcertificate-cleanup-hook
(default #f))
   (deploy-hook certificate-configuration-deploy-hook
-   (default #f)))
+   (default #f))
+  (start-self-signed?  certificate-configuration-start-self-signed?
+   (default #t)))
 
 (define-record-type* 
   certbot-configuration make-certbot-configuration
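Review bot: `start-self-signed?` defaults to `#t`, so every existing `certificate-configuration` changes behaviour on the next reconfigure (a self-signed key and certificate are generated under `/etc/certs/NAME` at activation when that directory does not exist). That is the intended fix, but the commit message only says "Add start-self-signed? field"; state that it is on by default and what activation now does, so the behaviour change is visible in the log and users with their own content under `/etc/certs/` know what to expect.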
@@ -91,7 +94,10 @@ (define-record-type* 
 (define (certbot-deploy-hook name deploy-hook-script)
   "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem
 from /etc/certs/NAME to /etc/letsenctypt/live/NAME.  If DEPLOY-HOOK-SCRIPT is
-not #f then it is run after the symlinks have been created."
+not #f then it is run after the symlinks have been created.  This wrapping is
+necessary for certificates with start-self-signed? set to #t, as it will
+overwrite the initial self-signed certificates upon the first successful
+deploy."
   (program-file
(string-append name "-deploy-hook")
(with-imported-modules '((guix build utils))
@@ -108,7 +114,8 @@ (define (certbot-deploy-hook name deploy-hook-script)
  "/etc/letsencrypt/live/" name "/fullchain.pem")
   #$(string-append "/etc/certs/" name "/fullchain.pem.new"))
 
- ;; Rename over the top of the old ones, if there are any.
+ ;; Rename over the top of the old ones, just in case they were the
+ ;; original self-signed certificates.
  (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new")
   #$(string-append "/etc/certs/" name "/privkey.pem"))
  (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new")
@@ -184,6 +191,47 @@ (define (certbot-renewal-jobs config)
#~(job '(next-minute-from (next-hour '(0 12)) (list (random 60)))
   #$(certbot-command config
 
+(define (generate-certificate-gexp certbot-cert-directory rsa-key-size)
+  (match-lambda
+(($  name (primary-domain other-domains ...)
+challenge
+csr authentication-hook
+cleanup-hook deploy-hook)
+ (let (;; Arbitrary default subject, with just the
+   ;; right domain filled in. These values don't
+   ;; have any real significance.
+   (subject (string-append
+ "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN="
+ primary-domain))
+   (alt-names (if (null? other-domains)
+  #f
+  (format #f "subjectAltName=~{DNS:~a~^,~}"
+  other-domains)))
+   (directory (string-append "/etc/certs/" (or name primary-domain
+   #~(when (not (file-exists? #$directory))
+   ;; We generate self-signed certificates in /etc/certs/{domain},
+   ;; because certbot is very sensitive to its directory
+   ;; structure. It refuses to write over the top of existing files,
+   ;; so we need to use a directory outside of its control.
+   ;;
+   ;; These certificates are overwritten by the certbot deploy hook
+   ;; the first time it successfully obtains a letsencrypt-signed
+   ;; certificate.
+   (mkdir-p #$directory)
+   (chmod #$directory #o755)
+   
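Review bot: `alt-names` builds `subjectAltName` from `other-domains` only, so the primary domain lands in the CN but not in the SAN; modern TLS clients ignore the CN and match hostnames against the SAN, so the placeholder certificate will not even match `primary-domain`. Feed `(cons primary-domain other-domains)` to the `~{DNS:~a~^,~}` loop and drop the `null?` special case (the list is then never empty). The `(ice-9 format)` import added above is indeed required here, since `~{` is not supported by core `format`; a short comment saying so would stop someone removing the import as unused.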

bug#46961: [PATCH v3 4/4] services: certbot: Add one-shot service to renew certificates.

2024-01-31 Thread Carlo Zancanaro
* gnu/services/certbot.scm (certbot-renewal-one-shot): New procedure.
(certbot-service-type)[extensions]: Add it to shepherd-root extension.
(certbot-command): Make connection errors return a different exit code.
(certbot-activation): Remove message with certificate renewal instructions.

Change-Id: I614ac6214a753dba0396e2385a75926c8355caa1
---

I've added some more logging here, and removed the comments that
implied that we expected the length of time for the retries to be
bounded.

 gnu/services/certbot.scm | 89 +---
 1 file changed, 75 insertions(+), 14 deletions(-)

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index cb1be0c0e9..f287c8367f 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -180,15 +180,45 @@ (define certbot-command
(program-file
 "certbot-command"
 #~(begin
-(use-modules (ice-9 match))
-(let ((code 0))
+(use-modules (ice-9 match)
+ (ice-9 textual-ports))
+
+(define (log format-string . args)
+  (apply format #t format-string args)
+  (force-output))
+
+(define (file-contains? file string)
+  (string-contains (call-with-input-file file
+ get-string-all)
+   string))
+
+(define (connection-error?)
+  ;; Certbot errors are always exit code 1, so we need to look at
+  ;; the log file to see if there was a connection error.
+  (file-contains? "/var/log/letsencrypt/letsencrypt.log"
+  "Failed to establish a new connection"))
+
+(let ((script-code 0))
   (for-each
(match-lambda
  ((name . command)
-  (begin
-(format #t "Acquiring or renewing certificate: ~a~%" name)
-(set! code (or (apply system* command) code)
-   '#$commands) code)))
+  (log "Acquiring or renewing certificate: ~a~%" name)
+  (cond
+   ((zero? (status:exit-val (apply system* command)))
+(log "Certificate successfully acquired: ~a~%" name))
+   ((connection-error?)
+;; If we have a connection error, then bail early with
+;; exit code 2. We don't expect this to resolve within the
+;; timespan of this script.
+(log "Connection error - bailing out~%")
+(exit 2))
+   (else
+;; If we have any other type of error, then continue but
+;; exit with a failing status code in the end.
+(log "Error: ~a - continuing with other domains~%" name)
+(set! script-code 1)
+   '#$commands)
+  (exit script-code
 
 (define (certbot-renewal-jobs config)
   (list
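Review bot: `connection-error?` decides by searching `/var/log/letsencrypt/letsencrypt.log` for "Failed to establish a new connection", which relies on certbot rotating that file on every invocation (its default) and on the exact wording of an error produced by the underlying HTTP library; neither is under this code's control, so say so in the comment. More importantly, `call-with-input-file` raises if the file is missing (certbot failing before it opens its log, or a non-default logs directory), which would abort the whole script with an unhandled exception instead of logging "continuing with other domains"; treat a missing log as "not a connection error" and let the `else` branch run.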
@@ -197,6 +227,40 @@ (define (certbot-renewal-jobs config)
#~(job '(next-minute-from (next-hour '(0 12)) (list (random 60)))
   #$(certbot-command config
 
+(define (certbot-renewal-one-shot config)
+  (list
+   ;; Renew certificates when the system first starts. This is a one-shot
+   ;; service, because the mcron configuration will take care of running this
+   ;; periodically. This is most useful the very first time the system starts,
+   ;; to overwrite our self-signed certificates as soon as possible without
+   ;; user intervention.
+   (shepherd-service
+(provision '(renew-certbot-certificates))
+(requirement '(nginx))
+(one-shot? #t)
+(start #~(lambda _
+   ;; This needs the network, but there's no reliable way to know
+   ;; if the network is up other than trying. If we fail due to a
+   ;; connection error we retry a number of times in the hope that
+   ;; the network comes up soon.
+   (let loop ((attempt 0))
+ (let ((code (status:exit-val
+  (system* #$(certbot-command config)
+   (cond
+((and (= code 2)  ; Exit code 2 means connection error
+  (< attempt 12)) ; Arbitrarily chosen max attempts
+ (sleep 10)   ; Arbitrarily chosen retry delay
+ (loop (1+ attempt)))
+((zero? code)
+ ;; Success!
+ #t)
+(else
+ ;; Failure.
+ #f))
+(auto-start? #t)
+(documentation "Call certbot to renew certificates.")
+(actions (list (shepherd-configuration-action (certbot-command 
config)))
+
 (define (generate-certificate-gexp certbot-cert-directory rsa-key-size)
   (match-lambda
 (($  name (primary-domain other-domains 
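Review bot: `(requirement '(nginx))` makes the renewal one-shot depend on an nginx service, so on a system that uses certbot without nginx (the manual's prosody and mumble examples) the one-shot never starts and the first real certificate is only attempted by the mcron job hours later; consider dropping the requirement or deriving it from configuration. The retry loop also gives up silently with `#f` once `attempt` reaches 12, and only exit code 2 is retried; log the final outcome the way `certbot-command` already logs per domain, and say in the `documentation` string that a failed one-shot is left to the periodic job.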

bug#46961: [PATCH v3 1/4] services: certbot: Symlink certificates to /etc/certs.

2024-01-31 Thread Carlo Zancanaro
* gnu/services/certbot.scm (certbot-deploy-hook): New procedure.
(certbot-command): Pass new deploy hook to certbot.
* doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout, except in
the certbot deploy-hook description.

Change-Id: I2ba5e4903d1e293e566b732a84b07d5a134b697d
---
 doc/guix.texi| 24 
 gnu/services/certbot.scm | 36 ++--
 2 files changed, 46 insertions(+), 14 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index bb0af26d93..97be37f9b5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -43,7 +43,7 @@
 Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@*
 Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@*
 Copyright @copyright{} 2017 Federico Beffa@*
-Copyright @copyright{} 2017, 2018 Carlo Zancanaro@*
+Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@*
 Copyright @copyright{} 2017 Thomas Danckaert@*
 Copyright @copyright{} 2017 humanitiesNerd@*
 Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@*
@@ -28135,7 +28135,7 @@ Messaging Services
 them.  See @url{https://prosody.im/doc/letsencrypt}.
 
 @example
-prosodyctl --root cert import /etc/letsencrypt/live
+prosodyctl --root cert import /etc/certs
 @end example
 
 The available configuration parameters follow.  Each parameter
@@ -28846,8 +28846,8 @@ Telephony Services
   (welcome-text
 "Welcome to this Mumble server running on Guix!")
   (cert-required? #t) ;disallow text password logins
-  (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem")
-  (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem")))
+  (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem")
+  (ssl-key "/etc/certs/mumble.example.com/privkey.pem")))
 @end lisp
 
 After reconfiguring your system, you can manually set the mumble-server
@@ -28965,12 +28965,12 @@ Telephony Services
 File name of the SSL/TLS certificate used for encrypted connections.
 
 @lisp
-(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem")
+(ssl-cert "/etc/certs/example.com/fullchain.pem")
 @end lisp
 @item @code{ssl-key} (default: @code{#f})
 Filepath to the ssl private key used for encrypted connections.
 @lisp
-(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem")
+(ssl-key "/etc/certs/example.com/privkey.pem")
 @end lisp
 
 @item @code{ssl-dh-params} (default: @code{#f})
@@ -32694,8 +32694,8 @@ Certificate Services
 @end deftp
 
 For each @code{certificate-configuration}, the certificate is saved to
-@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is
-saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}.
+@code{/etc/certs/@var{name}/fullchain.pem} and the key is
+saved to @code{/etc/certs/@var{name}/privkey.pem}.
 @node DNS Services
 @subsection DNS Services
 @cindex DNS (domain name system)
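Review bot: the `+saved to @code{/etc/certs/@var{name}/privkey.pem}.` line is followed directly by `@node DNS Services` with no blank line between them, which this patch does not introduce but could fix in passing, since the rest of the manual separates sections with a blank line before each `@node`. The paths named here are also symlinks maintained by the deploy hook in this patch's certbot.scm hunk rather than files certbot writes, so "made available at" would describe them more accurately than "saved to".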
@@ -37381,9 +37381,9 @@ Version Control Services
  (listen '("443 ssl"))
  (server-name "git.my-host.org")
  (ssl-certificate
-  "/etc/letsencrypt/live/git.my-host.org/fullchain.pem")
+  "/etc/certs/git.my-host.org/fullchain.pem")
  (ssl-certificate-key
-  "/etc/letsencrypt/live/git.my-host.org/privkey.pem")
+  "/etc/certs/git.my-host.org/privkey.pem")
  (locations
   (list
(git-http-nginx-location-configuration
@@ -38508,9 +38508,9 @@ Version Control Services
(nginx-server-block
  (nginx-server-configuration
(ssl-certificate
- "/etc/letsencrypt/live/myweb.site/fullchain.pem")
+ "/etc/certs/myweb.site/fullchain.pem")
(ssl-certificate-key
- "/etc/letsencrypt/live/myweb.site/privkey.pem")
+ "/etc/certs/myweb.site/privkey.pem")
(listen '("443 ssl http2" "[::]:443 ssl http2"))
(locations
  (list
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 0c45471659..3926d0551a 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2020 Jack Hill 
 ;;; Copyright © 2020 Tobias Geerinckx-Rice 
 ;;; Copyright © 2021 Raghav Gururajan 
+;;; Copyright © 2024 Carlo Zancanaro 
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -87,6 +88,35 @@ (define-record-type* 
   (body
(list "return 301 https://$host$request_uri;;))
 
+(define (certbot-deploy-hook name deploy-hook-script)
+  "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem
+from /etc/certs/NAME to /etc/letsenctypt/live/NAME.  If DEPLOY-HOOK-SCRIPT is
+not
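Review bot: typo in the new docstring: `/etc/letsenctypt/live/NAME` should read `/etc/letsencrypt/live/NAME`. The same sentence, "creates symlinks ... from /etc/certs/NAME to /etc/letsencrypt/live/NAME", leaves the link direction ambiguous; say "creates symlinks in /etc/certs/NAME pointing at /etc/letsencrypt/live/NAME" so it is clear that certbot's own directory is never written to.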

bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx

2024-01-30 Thread Carlo Zancanaro

Hi Felix,

On Tue, Jan 30 2024, Felix Lechner wrote:
> On Tue, Jan 30 2024, Carlo Zancanaro wrote:
>> certbot can't produce certificates without a functional nginx
>
> Yes, it can. The option is called --standalone. [1]

You are correct, of course. If I had been more precise I would have said
"with our current configuration, certbot can't produce certificates
without a functional nginx".

> Maybe another way to bootstrap the certificates would be to hold off on
> starting Nginx or Apache until all certificates are obtained?

This could work, but I see a few downsides.

As Clément has already mentioned, this would make nginx dependent on
certbot. This causes problems for servers disconnected from the general
internet, but it also shifts complexity into the nginx service without
much benefit over the patch series I'm proposing. We'd need to add more
configuration on the nginx side to control whether to delay startup
based on whether we actually want certificates. This would delay the
startup of the whole nginx process, even if some server configurations
don't require new certificates.

For renewal, we would also have two options: (1) use --standalone, and
require a period of downtime for our web server; or (2) use --webroot,
and maintain two code paths for the two cases. I think it's a bad idea
for Guix to make a decision that requires downtime of user systems if
there's an alternative, so I don't like (1). Maintaining two "similar
but different" code paths for (2) doesn't seem like a clear advantage
over the patch series I'm proposing.

> Anyway, that's what I do manually.

I use the DNS challenge type, with hooks which automatically
create/remove DNS records. This solves all the problems I'm bringing up
(i.e. doesn't require nginx, doesn't involve downtime, has a single code
path), but I don't think Guix can assume that all users have the ability
to do this. My aim with this patch series is to make the default certbot
configuration work for the common case of a simple web server, without
manual intervention.


Carlo





bug#46961: [PATCH v2 2/4] services: certbot: Create self-signed certificates before certbot runs.

2024-01-30 Thread Carlo Zancanaro
* gnu/services/certbot.scm (): Add
start-self-signed? field.
(generate-certificate-gexp): New procedure.
(certbot-activation): Generate self-signed certificates when
start-self-signed? is #t.
* doc/guix.texi (Certificate services): Document start-self-signed?.

Change-Id: Icfd85ae0c3e29324acbcde6ba283546cf0e27a1d
---
 doc/guix.texi|  6 
 gnu/services/certbot.scm | 62 ++--
 2 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index b134d45a16..58a65fe0b7 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32690,6 +32690,12 @@ Certificate Services
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.
 
+@item @code{start-self-signed?} (default: @code{#t})
+Whether to generate an initial self-signed certificate during system
+activation.  This option is particularly useful to allow @code{nginx} to
+start before @code{certbot} has run, because @code{certbot} relies on
+@code{nginx} running to perform HTTP challenges.
+
 @end table
 @end deftp
 
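Review bot: the sentence "certbot relies on nginx running to perform HTTP challenges" in the new @item holds only for the HTTP challenge; a certificate-configuration also carries a challenge field, and other challenge types (DNS) are discussed earlier in this thread, so consider wording it "when the HTTP challenge is used" and stating explicitly that users of other challenge types, or hosts without nginx, can set start-self-signed? to #f.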
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 3926d0551a..10b99f5630 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -35,6 +35,7 @@ (define-module (gnu services certbot)
   #:use-module (guix records)
   #:use-module (guix gexp)
   #:use-module (srfi srfi-1)
+  #:use-module (ice-9 format)
   #:use-module (ice-9 match)
   #:export (certbot-service-type
 certbot-configuration
@@ -64,7 +65,9 @@ (define-record-type* 
   (cleanup-hookcertificate-cleanup-hook
(default #f))
   (deploy-hook certificate-configuration-deploy-hook
-   (default #f)))
+   (default #f))
+  (start-self-signed?  certificate-configuration-start-self-signed?
+   (default #t)))
 
 (define-record-type* 
   certbot-configuration make-certbot-configuration
@@ -91,7 +94,10 @@ (define-record-type* 
 (define (certbot-deploy-hook name deploy-hook-script)
   "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem
 from /etc/certs/NAME to /etc/letsenctypt/live/NAME.  If DEPLOY-HOOK-SCRIPT is
-not #f then it is run after the symlinks have been created."
+not #f then it is run after the symlinks have been created.  This wrapping is
+necessary for certificates with start-self-signed? set to #t, as it will
+overwrite the initial self-signed certificates upon the first successful
+deploy."
   (program-file
(string-append name "-deploy-hook")
(with-imported-modules '((guix build utils))
@@ -108,7 +114,8 @@ (define (certbot-deploy-hook name deploy-hook-script)
  "/etc/letsencrypt/live/" name "/fullchain.pem")
   #$(string-append "/etc/certs/" name "/fullchain.pem.new"))
 
- ;; Rename over the top of the old ones, if there are any.
+ ;; Rename over the top of the old ones, just in case they were the
+ ;; original self-signed certificates.
  (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new")
   #$(string-append "/etc/certs/" name "/privkey.pem"))
  (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new")
@@ -184,6 +191,47 @@ (define (certbot-renewal-jobs config)
#~(job '(next-minute-from (next-hour '(0 12)) (list (random 60)))
   #$(certbot-command config
 
+(define (generate-certificate-gexp certbot-cert-directory rsa-key-size)
+  (match-lambda
+(($  name (primary-domain other-domains ...)
+challenge
+csr authentication-hook
+cleanup-hook deploy-hook)
+ (let (;; Arbitrary default subject, with just the
+   ;; right domain filled in. These values don't
+   ;; have any real significance.
+   (subject (string-append
+ "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN="
+ primary-domain))
+   (alt-names (if (null? other-domains)
+  #f
+  (format #f "subjectAltName=~{DNS:~a~^,~}"
+  other-domains)))
+   (directory (string-append "/etc/certs/" (or name primary-domain
+   #~(when (not (file-exists? #$directory))
+   ;; We generate self-signed certificates in /etc/certs/{domain},
+   ;; because certbot is very sensitive to its directory
+   ;; structure. It refuses to write over the top of existing files,
+   ;; so we need to use a directory outside of its control.
+   ;;
+   ;; These certificates are overwritten by the certbot deploy hook
+   ;; the first time it successfully obtains a letsencrypt-signed
+   ;; certificate.
+   (mkdir-p #$directory)
+   (chmod #$directory #o755)
+   
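Review bot: the guard `(when (not (file-exists? #$directory)) ...)` tests for the directory rather than for the certificate files, and `mkdir-p` runs before openssl is invoked; if the openssl step fails or activation is interrupted, the empty /etc/certs/NAME directory remains, every later activation skips generation, and nginx has no certificate to load. Checking for privkey.pem and fullchain.pem, or writing to temporary names and renaming into place as the deploy hook already does, avoids that stuck state. The fixed "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org" subject is fine for a one-day placeholder, but it is what any TLS inspection of a freshly booted host will show, so a sentence in the manual about the placeholder's contents would help people who see it.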

bug#46961: [PATCH v2 4/4] services: certbot: Add one-shot service to renew certificates.

2024-01-30 Thread Carlo Zancanaro
* gnu/services/certbot.scm (certbot-renewal-one-shot): New procedure.
(certbot-service-type)[extensions]: Add it to shepherd-root extension.
(certbot-command): Make connection errors return a different exit code.
(certbot-activation): Remove message with certificate renewal instructions.

Change-Id: I614ac6214a753dba0396e2385a75926c8355caa1
---
 gnu/services/certbot.scm | 77 +---
 1 file changed, 65 insertions(+), 12 deletions(-)

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 490b9e8d6d..d6354c86d3 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -183,15 +183,37 @@ (define certbot-command
(program-file
 "certbot-command"
 #~(begin
-(use-modules (ice-9 match))
-(let ((code 0))
+(use-modules (ice-9 match)
+ (ice-9 textual-ports))
+
+(define (file-contains? file string)
+  (string-contains (call-with-input-file file
+ get-string-all)
+   string))
+
+(define (connection-error?)
+  (file-contains? "/var/log/letsencrypt/letsencrypt.log"
+  "Failed to establish a new connection"))
+
+(let ((script-code 0))
   (for-each
(match-lambda
  ((name . command)
   (begin
 (format #t "Acquiring or renewing certificate: ~a~%" name)
-(set! code (or (apply system* command) code)
-   '#$commands) code)))
+(unless (zero? (status:exit-val (apply system* command)))
+  ;; Certbot errors are always exit code 1, but we'd like
+  ;; to separate connection errors from other error types.
+  (if (connection-error?)
+  ;; If we have a connection error, then bail early
+  ;; with exit code 2. We don't expect this to
+  ;; resolve within the timespan of this script.
+  (exit 2)
+  ;; If we have any other type of error, then continue
+  ;; but exit with a failing status code in the end.
+  (set! script-code 1))
+   '#$commands)
+  (exit script-code
 
 (define (certbot-renewal-jobs config)
   (list
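Review bot: `file-contains?` opens /var/log/letsencrypt/letsencrypt.log unconditionally, so when the file is absent (certbot failed before creating its log, or it was removed) `connection-error?` raises instead of returning #f and the script dies with an uncaught exception rather than exiting 1 or 2 as intended; guard the call with `file-exists?`. Matching the substring anywhere in the file is also broader than the current run: unless certbot truncates the log on each invocation, a "Failed to establish a new connection" recorded by an earlier command in this same for-each loop, or by an earlier run, will classify a later unrelated failure as exit code 2.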
@@ -200,6 +222,40 @@ (define (certbot-renewal-jobs config)
#~(job '(next-minute-from (next-hour '(0 12)) (list (random 60)))
   #$(certbot-command config
 
+(define (certbot-renewal-one-shot config)
+  (list
+   ;; Renew certificates when the system first starts. This is a one-shot
+   ;; service, because the mcron configuration will take care of running this
+   ;; periodically. This is most useful the very first time the system starts,
+   ;; to overwrite our self-signed certificates as soon as possible without
+   ;; user intervention.
+   (shepherd-service
+(provision '(renew-certbot-certificates))
+(requirement '(nginx))
+(one-shot? #t)
+(start #~(lambda _
+   ;; This needs the network, but there's no reliable way to know
+   ;; if the network is up other than trying. If we fail due to a
+   ;; connection error we retry a number of times in the hope that
+   ;; the network comes up soon.
+   (let loop ((attempt 0))
+ (let ((code (status:exit-val
+  (system* #$(certbot-command config)
+   (cond
+((and (= code 2)  ; Exit code 2 means connection error
+  (< attempt 12)) ; 12 * 10 seconds = 2 minutes
+ (sleep 10)
+ (loop (1+ attempt)))
+((zero? code)
+ ;; Success!
+ #t)
+(else
+ ;; Failure.
+ #f))
+(auto-start? #t)
+(documentation "Call certbot to renew certificates.")
+(actions (list (shepherd-configuration-action (certbot-command 
config)))
+
 (define (generate-certificate-gexp certbot-cert-directory rsa-key-size)
   (match-lambda
 (($  name (primary-domain other-domains ...)
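Review bot: `(requirement '(nginx))` makes renew-certbot-certificates depend on an nginx service existing, independently of the challenge type or webroot configured; on a host without nginx the one-shot service can never start, which silently defeats it for the DNS-challenge setups mentioned earlier in this thread. Either derive the requirement from the configuration or document the nginx dependency next to the start-self-signed? text. The retry arithmetic in the comment is right (12 attempts x 10 s = 2 minutes), but the loop only retries on exit code 2, so any network problem certbot reports with wording other than "Failed to establish a new connection" is treated as a permanent failure on the first attempt.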
@@ -243,9 +299,7 @@ (define (generate-certificate-gexp certbot-cert-directory 
rsa-key-size)
 
 (define (certbot-activation config)
   (let* ((certbot-directory "/var/lib/certbot")
- (certbot-cert-directory "/etc/letsencrypt/live")
- (script (in-vicinity certbot-directory "renew-certificates"))
- (message (format #f (G_ "~a may need to be run~%") script)))
+ (certbot-cert-directory "/etc/letsencrypt/live"))
 (match config
   (($  package webroot certificates email
   server rsa-key-size default-location)
@@ -261,10 

bug#46961: [PATCH v2 1/4] services: certbot: Symlink certificates to /etc/certs.

2024-01-30 Thread Carlo Zancanaro
* gnu/services/certbot.scm (certbot-deploy-hook): New procedure.
(certbot-command): Pass new deploy hook to certbot.
* doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout.

Change-Id: I2ba5e4903d1e293e566b732a84b07d5a134b697d
---
 doc/guix.texi| 26 +-
 gnu/services/certbot.scm | 36 ++--
 2 files changed, 47 insertions(+), 15 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index bb0af26d93..b134d45a16 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -43,7 +43,7 @@
 Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@*
 Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@*
 Copyright @copyright{} 2017 Federico Beffa@*
-Copyright @copyright{} 2017, 2018 Carlo Zancanaro@*
+Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@*
 Copyright @copyright{} 2017 Thomas Danckaert@*
 Copyright @copyright{} 2017 humanitiesNerd@*
 Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@*
@@ -28135,7 +28135,7 @@ Messaging Services
 them.  See @url{https://prosody.im/doc/letsencrypt}.
 
 @example
-prosodyctl --root cert import /etc/letsencrypt/live
+prosodyctl --root cert import /etc/certs
 @end example
 
 The available configuration parameters follow.  Each parameter
@@ -28846,8 +28846,8 @@ Telephony Services
   (welcome-text
 "Welcome to this Mumble server running on Guix!")
   (cert-required? #t) ;disallow text password logins
-  (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem")
-  (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem")))
+  (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem")
+  (ssl-key "/etc/certs/mumble.example.com/privkey.pem")))
 @end lisp
 
 After reconfiguring your system, you can manually set the mumble-server
@@ -28965,12 +28965,12 @@ Telephony Services
 File name of the SSL/TLS certificate used for encrypted connections.
 
 @lisp
-(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem")
+(ssl-cert "/etc/certs/example.com/fullchain.pem")
 @end lisp
 @item @code{ssl-key} (default: @code{#f})
 Filepath to the ssl private key used for encrypted connections.
 @lisp
-(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem")
+(ssl-key "/etc/certs/example.com/privkey.pem")
 @end lisp
 
 @item @code{ssl-dh-params} (default: @code{#f})
@@ -32685,7 +32685,7 @@ Certificate Services
 Command to be run in a shell once for each successfully issued
 certificate.  For this command, the shell variable
 @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
-example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
+example, @samp{"/etc/certs/example.com"}) containing the new
 certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.
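Review bot: the changed example now says $RENEWED_LINEAGE points to "/etc/certs/example.com", but certbot sets that variable to the lineage's live directory under /etc/letsencrypt; unless the wrapper produced by certbot-deploy-hook exports a rewritten value before running the user's script, this paragraph is now inaccurate. Either keep the /etc/letsencrypt/live example here and describe /etc/certs as the stable copy, or set the variable in the wrapper and say so in the manual.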
@@ -32694,8 +32694,8 @@ Certificate Services
 @end deftp
 
 For each @code{certificate-configuration}, the certificate is saved to
-@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is
-saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}.
+@code{/etc/certs/@var{name}/fullchain.pem} and the key is
+saved to @code{/etc/certs/@var{name}/privkey.pem}.
 @node DNS Services
 @subsection DNS Services
 @cindex DNS (domain name system)
@@ -37381,9 +37381,9 @@ Version Control Services
  (listen '("443 ssl"))
  (server-name "git.my-host.org")
  (ssl-certificate
-  "/etc/letsencrypt/live/git.my-host.org/fullchain.pem")
+  "/etc/certs/git.my-host.org/fullchain.pem")
  (ssl-certificate-key
-  "/etc/letsencrypt/live/git.my-host.org/privkey.pem")
+  "/etc/certs/git.my-host.org/privkey.pem")
  (locations
   (list
(git-http-nginx-location-configuration
@@ -38508,9 +38508,9 @@ Version Control Services
(nginx-server-block
  (nginx-server-configuration
(ssl-certificate
- "/etc/letsencrypt/live/myweb.site/fullchain.pem")
+ "/etc/certs/myweb.site/fullchain.pem")
(ssl-certificate-key
- "/etc/letsencrypt/live/myweb.site/privkey.pem")
+ "/etc/certs/myweb.site/privkey.pem")
(listen '("443 ssl http2" "[::]:443 ssl http2"))
(locations
  (list
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 0c45471659..3926d0551a 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -6,6 +6,7 @@
 ;;; Copyright ©

bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx

2024-01-30 Thread Carlo Zancanaro
Hi Guix,

This patch series is a few changes to make certbot default to doing
"the right thing" in the common case of wanting certificates for an
nginx web server.

The initial change (in v1 of these patches) was to solve the certbot
bootstrapping problem. Nginx won't start without valid certificates,
but certbot can't produce certificates without a functional
nginx. This is solved by generating self-signed certificates to start
with, and then replacing them once certbot has run. Doing this
requires storing certificates in a different location (because certbot
is very particular). I've chosen /etc/certs/.

The other two changes (new to v2 of this series) make things a bit
easier to use: a one-shot shepherd service to renew certificates when
the machine starts up, and a default deploy-hook to reload the nginx
configuration (which picks up the new certificates). I think these
changes make certbot "do the right thing", at the expense of being
slightly more magical.

On IRC podiki suggested I should copy guix-devel and Brice (the
original bug reporter), so I've done that, too.

Carlo Zancanaro (4):
  services: certbot: Symlink certificates to /etc/certs.
  services: certbot: Create self-signed certificates before certbot
runs.
  services: certbot: Add a default deploy hook to reload nginx.
  services: certbot: Add one-shot service to renew certificates.

 doc/guix.texi|  38 ++---
 gnu/services/certbot.scm | 178 ---
 2 files changed, 188 insertions(+), 28 deletions(-)


base-commit: 144c95032e517bb8ce466b930fe91506bcc92b2b
-- 
2.41.0






bug#46961: [PATCH v2 3/4] services: certbot: Add a default deploy hook to reload nginx.

2024-01-30 Thread Carlo Zancanaro
* gnu/services/certbot.scm (%default-deploy-hook): New variable.
()[deploy-hook]: Use it as default deploy hook.
* doc/guix.texi (Certificate services): Document new default deploy hook.

Change-Id: Ibb10481170a6fda7df72492072b939dd6a6ad176
---
 doc/guix.texi|  6 +-
 gnu/services/certbot.scm | 13 +++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 58a65fe0b7..0f372a460f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32681,7 +32681,7 @@ Certificate Services
 additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
 of the @code{auth-hook} script.
 
-@item @code{deploy-hook} (default: @code{#f})
+@item @code{deploy-hook} (default: @code{%default-deploy-hook})
 Command to be run in a shell once for each successfully issued
 certificate.  For this command, the shell variable
 @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
@@ -32690,6 +32690,10 @@ Certificate Services
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.
 
+The default deploy hook calls the @code{reload} action of the
+@code{nginx} Shepherd service, to reload the newly generated
+certificates.
+
 @item @code{start-self-signed?} (default: @code{#t})
 Whether to generate an initial self-signed certificate during system
 activation.  This option is particularly useful to allow @code{nginx} to
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 10b99f5630..490b9e8d6d 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -37,7 +37,8 @@ (define-module (gnu services certbot)
   #:use-module (srfi srfi-1)
   #:use-module (ice-9 format)
   #:use-module (ice-9 match)
-  #:export (certbot-service-type
+  #:export (%default-deploy-hook
+certbot-service-type
 certbot-configuration
 certbot-configuration?
 certificate-configuration))
@@ -49,6 +50,14 @@ (define-module (gnu services certbot)
 ;;; Code:
 
 
+(define %default-deploy-hook
+  (program-file
+   "reload-nginx.scm"
+   (with-imported-modules '((gnu services herd))
+ #~(begin
+ (use-modules (gnu services herd))
+ (with-shepherd-action 'nginx ('reload) result result)
+
 (define-record-type* 
   certificate-configuration make-certificate-configuration
   certificate-configuration?
@@ -65,7 +74,7 @@ (define-record-type* 
   (cleanup-hookcertificate-cleanup-hook
(default #f))
   (deploy-hook certificate-configuration-deploy-hook
-   (default #f))
+   (default %default-deploy-hook))
   (start-self-signed?  certificate-configuration-start-self-signed?
(default #t)))
 
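Review bot: %default-deploy-hook calls `(with-shepherd-action 'nginx ('reload) result result)` unconditionally, so on a host with no nginx shepherd service every certificate gets a failing deploy hook by default and certbot will report the hook error after an otherwise successful issuance. The field previously defaulted to #f and certbot-deploy-hook still handles #f, so the manual text added in this patch should at least say that (deploy-hook #f) restores the old behaviour; alternatively the default could depend on nginx being part of the configuration.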
-- 
2.41.0






bug#46961: Nginx and certbot cervices don't play well togther

2024-01-29 Thread Carlo Zancanaro
Hi Clément,

Thanks for taking the time to review my change. I've responded inline
below.

On Mon, Jan 29 2024, Clément Lassieur wrote:
> This is great, thank you!  I tested it, it worked.  Could you please
> just make sure lines fit within 80 columns?

Yep, no worries.

> Would it make sense now to run ‘update-certificates’ at end of the
> activation stuff?

We can't run it during activation, because nginx won't have started yet.
However, I am planning a follow-up to add a one-shot service to run
certbot after nginx starts. I'll see if I can add it to this series, but
if I run into any issues I'll leave it for later.

> And would it make sense to reload nginx after ‘update-certificates’ is
> run?

This would be a sensible default. There is an example in the manual of
configuring certbot to reload nginx, so this should be straightforward
to add.

> gnu/services/certbot.scm:203:26: warning: "subjectAltName=~{DNS:~a~^,~}": 
> unsupported format option ~{, use (ice-9 format) instead

Ha! I import (ice-9 format), but within the gexp (and then I don't use
it, whoops!). Must be a leftover from a previous iteration. I'll fix
this up.

>> + ;; Due to the way certbot runs, we need to
>> + ;; create the self-signed certificates in the
>> + ;; archive folder and symlink them into the live
>> + ;; folder. This mimics what certbot does well
>> + ;; enough to make acquiring new certificates
>> + ;; work.
>
> In another mail you say it doesn't work as well as you thought it did?
> What doesn't work?

This comment doesn't describe the code any more. In my first attempt I
was trying to generate certificates in /etc/letsencrypt/live/ and get
certbot to write over them when it ran. Unfortunately, it refused to do
so. I then tried writing to /etc/letsencrypt/archive/ and symlinking
into /etc/letsencrypt/live/ (which is what this comment describes), but
that also failed. Certbot refuses to write over any existing files when
fetching a certificate.

It looks like other acme clients might be happier to overwrite existing
files, but changing away from certbot seemed like more work than adding
a deploy hook to do what we need.

I'll follow up with a v2 of this patch when I get a chance.

Carlo





bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs

2024-01-24 Thread Carlo Zancanaro

On Wed, Jan 24 2024, Carlo Zancanaro wrote:
> + ;; Due to the way certbot runs, we need to
> + ;; create the self-signed certificates in the
> + ;; archive folder and symlink them into the live
> + ;; folder. This mimics what certbot does well
> + ;; enough to make acquiring new certificates
> + ;; work.

Gah, this comment is from a previous iteration. It turns out it didn't
work as well as I thought it did.

I'm happy to update this comment, but I won't do that until I've heard
back about the more substantive aspects of the change. I'm also happy
for whoever merges this to change this comment appropriately.





bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run

2024-01-24 Thread Carlo Zancanaro
From time to time people have issues with setting up a new system with
certbot generating certificates for an nginx server. The issue is that
nginx won't start without being able to load certificates, but certbot
can't generate certificates (through the default HTTP challenge)
without a running nginx server.

Breaking this has generally required two reconfigures: one with nginx
configured without loading certificates, and then a second reconfigure
after running certbot to add the certificate configuration. This is a
bit of a pain, so I've made Guix generate a self-signed certificate to
allow nginx to start before certbot has run.

Unfortunately, I couldn't put the certificates in the same location as
certbot, because certbot is very particular about its directories not
existing when it requests a certificate for the first time. Rather
than try to convince it to do what I wanted, I opted to add another
level of indirection and move certificates to /etc/certs/. This is
backwards compatible, because the old /etc/letsenctypt/live/ is
maintained by certbot. The only real difference is for the initial
bootstrapping of a certificate.

Carlo Zancanaro (2):
  services: certbot: Symlink certificates to /etc/certs
  services: certbot: Create self-signed certificates before certbot runs

 doc/guix.texi| 32 +--
 gnu/services/certbot.scm | 86 ++--
 2 files changed, 102 insertions(+), 16 deletions(-)


base-commit: ffc5fefce370f5fc01091869e13fdf525be1e0c0
-- 
2.41.0
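The bootstrap that both cover letters in this thread describe (a short-lived self-signed placeholder so nginx can start, replaced on certbot's first successful deploy by copying to .new files and renaming them into place), as an added shell example that is not part of these patches or of Guix's certbot.scm: it generates the placeholder with openssl the way generate-certificate-gexp does, stands in for the ACME CA with a throwaway local CA, installs the issued pair the way certbot-deploy-hook does, and adds the two checks an operator wants afterwards: whether the served certificate is still the self-issued placeholder, and whether key and chain belong together. The hostnames, key size and local CA are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from Guix's certbot service: reproduce the
# bootstrap sequence the cover letters describe with plain openssl.
# 1. generate a one-day self-signed placeholder so the web server can start,
# 2. later replace it by writing .new files and renaming them into place,
# 3. check whether what is installed is still the placeholder.
# Hostnames, key size and the local test CA are constructed for this
# example; the real service is configured through Guix records instead.
set -e

PRIMARY="www.example.test"   # constructed hostname
ALT="example.test"           # constructed alternative name

# Create DIR/privkey.pem and DIR/fullchain.pem as a self-signed placeholder
# valid for one day, mirroring the openssl invocation in the patch.
make_placeholder() {
  dir=$1
  mkdir -p "$dir"
  chmod 755 "$dir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
    -subj "/CN=$PRIMARY" \
    -addext "subjectAltName=DNS:$PRIMARY,DNS:$ALT" >/dev/null 2>&1
  chmod 600 "$dir/privkey.pem"
}

# Stand-in for the ACME CA: a throwaway CA in CADIR issues a one-day
# certificate for PRIMARY into OUTDIR (privkey.pem, fullchain.pem).
make_ca_signed() {
  cadir=$1; outdir=$2
  mkdir -p "$cadir" "$outdir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \
    -keyout "$cadir/ca.key" -out "$cadir/ca.pem" \
    -subj "/CN=Example Test CA" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -keyout "$outdir/privkey.pem" -out "$outdir/request.csr" \
    -subj "/CN=$PRIMARY" >/dev/null 2>&1
  openssl x509 -req -in "$outdir/request.csr" -sha256 -days 1 \
    -CA "$cadir/ca.pem" -CAkey "$cadir/ca.key" -CAcreateserial \
    -out "$outdir/cert.pem" >/dev/null 2>&1
  cat "$outdir/cert.pem" "$cadir/ca.pem" > "$outdir/fullchain.pem"
}

# Install NEWKEY/NEWCHAIN into DIR the way the deploy hook does: copy to
# .new files first, then rename over the old ones so a reader never sees a
# half-written file. The two renames are not one atomic step; nginx only
# re-reads both files on the reload the deploy hook triggers afterwards.
install_pair() {
  dir=$1; newkey=$2; newchain=$3
  cp "$newkey" "$dir/privkey.pem.new"
  cp "$newchain" "$dir/fullchain.pem.new"
  chmod 600 "$dir/privkey.pem.new"
  mv -f "$dir/privkey.pem.new" "$dir/privkey.pem"
  mv -f "$dir/fullchain.pem.new" "$dir/fullchain.pem"
}

# True when the leaf certificate in DIR is self-issued (issuer equals
# subject), i.e. the bootstrap placeholder is still what the server would
# present. Worth checking after first boot: the placeholder is valid for
# one day only, so a host still serving it means renewal never succeeded.
is_placeholder() {
  dir=$1
  subj=$(openssl x509 -in "$dir/fullchain.pem" -noout -subject)
  iss=$(openssl x509 -in "$dir/fullchain.pem" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# True when privkey.pem and the leaf in fullchain.pem carry the same public
# key, so a half-finished replacement is detected.
pair_matches() {
  dir=$1
  k=$(openssl pkey -in "$dir/privkey.pem" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Walk through the whole sequence in a scratch directory; returns 0 when
# every check holds.
demo() {
  work=$(mktemp -d)
  make_placeholder "$work/certs"
  is_placeholder "$work/certs" && pair_matches "$work/certs" || return 1
  make_ca_signed "$work/ca" "$work/issued"
  install_pair "$work/certs" "$work/issued/privkey.pem" "$work/issued/fullchain.pem"
  if is_placeholder "$work/certs"; then return 1; fi
  pair_matches "$work/certs" || return 1
  rm -rf "$work"
  echo "bootstrap and replacement verified"
}

demo
```

Running the script (openssl 1.1.1 or newer, for -addext) walks the sequence in a temporary directory and prints a single line on success. is_placeholder is the check to schedule after first boot on a real host: a self-issued leaf in /etc/certs/NAME means the one-shot renewal has not replaced the placeholder and the site will stop serving within the day.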






bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs

2024-01-24 Thread Carlo Zancanaro
* gnu/services/certbot.scm (certbot-deploy-hook): New procedure.
(certbot-command): Pass new deploy hook to certbot.
* doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout.
---
 doc/guix.texi| 26 +-
 gnu/services/certbot.scm | 34 --
 2 files changed, 45 insertions(+), 15 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a6187690bb..2d43ab9a65 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -43,7 +43,7 @@
 Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@*
 Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@*
 Copyright @copyright{} 2017 Federico Beffa@*
-Copyright @copyright{} 2017, 2018 Carlo Zancanaro@*
+Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@*
 Copyright @copyright{} 2017 Thomas Danckaert@*
 Copyright @copyright{} 2017 humanitiesNerd@*
 Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@*
@@ -28117,7 +28117,7 @@ Messaging Services
 them.  See @url{https://prosody.im/doc/letsencrypt}.
 
 @example
-prosodyctl --root cert import /etc/letsencrypt/live
+prosodyctl --root cert import /etc/certs
 @end example
 
 The available configuration parameters follow.  Each parameter
@@ -28820,8 +28820,8 @@ Telephony Services
   (welcome-text
 "Welcome to this Mumble server running on Guix!")
   (cert-required? #t) ;disallow text password logins
-  (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem")
-  (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem")))
+  (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem")
+  (ssl-key "/etc/certs/mumble.example.com/privkey.pem")))
 @end lisp
 
 After reconfiguring your system, you can manually set the mumble-server
@@ -28939,12 +28939,12 @@ Telephony Services
 File name of the SSL/TLS certificate used for encrypted connections.
 
 @lisp
-(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem")
+(ssl-cert "/etc/certs/example.com/fullchain.pem")
 @end lisp
 @item @code{ssl-key} (default: @code{#f})
 Filepath to the ssl private key used for encrypted connections.
 @lisp
-(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem")
+(ssl-key "/etc/certs/example.com/privkey.pem")
 @end lisp
 
 @item @code{ssl-dh-params} (default: @code{#f})
@@ -32659,7 +32659,7 @@ Certificate Services
 Command to be run in a shell once for each successfully issued
 certificate.  For this command, the shell variable
 @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for
-example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new
+example, @samp{"/etc/certs/example.com"}) containing the new
 certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.
@@ -32668,8 +32668,8 @@ Certificate Services
 @end deftp
 
 For each @code{certificate-configuration}, the certificate is saved to
-@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is
-saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}.
+@code{/etc/certs/@var{name}/fullchain.pem} and the key is
+saved to @code{/etc/certs/@var{name}/privkey.pem}.
 @node DNS Services
 @subsection DNS Services
 @cindex DNS (domain name system)
@@ -37355,9 +37355,9 @@ Version Control Services
  (listen '("443 ssl"))
  (server-name "git.my-host.org")
  (ssl-certificate
-  "/etc/letsencrypt/live/git.my-host.org/fullchain.pem")
+  "/etc/certs/git.my-host.org/fullchain.pem")
  (ssl-certificate-key
-  "/etc/letsencrypt/live/git.my-host.org/privkey.pem")
+  "/etc/certs/git.my-host.org/privkey.pem")
  (locations
   (list
(git-http-nginx-location-configuration
@@ -38482,9 +38482,9 @@ Version Control Services
(nginx-server-block
  (nginx-server-configuration
(ssl-certificate
- "/etc/letsencrypt/live/myweb.site/fullchain.pem")
+ "/etc/certs/myweb.site/fullchain.pem")
(ssl-certificate-key
- "/etc/letsencrypt/live/myweb.site/privkey.pem")
+ "/etc/certs/myweb.site/privkey.pem")
(listen '("443 ssl http2" "[::]:443 ssl http2"))
(locations
  (list
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 0c45471659..58e709f8a4 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2020 Jack Hill 
 ;;; Copyright © 2020 Tobias Geerinckx-Rice 
 ;;; Copyr

bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs

2024-01-24 Thread Carlo Zancanaro
* gnu/services/certbot.scm (): Add
start-self-signed? field.
(generate-certificate-gexp): New procedure.
(certbot-activation): Generate self-signed certificates when
start-self-signed? is #t.
* doc/guix.texi (Certificate services): Document start-self-signed?.
---
 doc/guix.texi|  6 +
 gnu/services/certbot.scm | 56 +---
 2 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 2d43ab9a65..15b256d0a3 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32664,6 +32664,12 @@ Certificate Services
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.
 
+@item @code{start-self-signed?} (default: @code{#t})
+Whether to generate an initial self-signed certificate during system
+activation.  This option is particularly useful to allow @code{nginx} to
+start before @code{certbot} has run, because @code{certbot} relies on
+@code{nginx} running to perform HTTP challenges.
+
 @end table
 @end deftp
 
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 58e709f8a4..bb321a1b50 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -64,7 +64,9 @@ (define-record-type* 
   (cleanup-hookcertificate-cleanup-hook
(default #f))
   (deploy-hook certificate-configuration-deploy-hook
-   (default #f)))
+   (default #f))
+  (start-self-signed?  certificate-configuration-start-self-signed?
+   (default #t)))
 
 (define-record-type* 
   certbot-configuration make-certbot-configuration
@@ -91,7 +93,10 @@ (define-record-type* 
 (define (certbot-deploy-hook name deploy-hook-script)
   "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem
 from /etc/certs/NAME to /etc/letsenctypt/live/NAME.  If DEPLOY-HOOK-SCRIPT is
-not #f then it is run after the symlinks have been created."
+not #f then it is run after the symlinks have been created.  This wrapping is
+necessary for certificates with start-self-signed? set to #t, as it will
+overwrite the initial self-signed certificates upon the first successful
+deploy."
   (program-file
(string-append name "-deploy-hook")
(with-imported-modules '((guix build utils))
@@ -108,7 +113,8 @@ (define (certbot-deploy-hook name deploy-hook-script)
  "/etc/letsencrypt/live/" name "/fullchain.pem")
   #$(string-append "/etc/certs/" name "/fullchain.pem.new"))
 
- ;; Rename over the top of the old ones, if there are any.
+ ;; Rename over the top of the old ones, just in case they were the
+ ;; original self-signed certificates.
  (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new")
   #$(string-append "/etc/certs/" name "/privkey.pem"))
  (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new")
@@ -182,6 +188,44 @@ (define (certbot-renewal-jobs config)
#~(job '(next-minute-from (next-hour '(0 12)) (list (random 60)))
   #$(certbot-command config
 
+(define (generate-certificate-gexp certbot-cert-directory rsa-key-size)
+  (match-lambda
+(($  name (primary-domain other-domains ...) 
challenge
+csr authentication-hook
+cleanup-hook deploy-hook)
+ (let (;; Arbitrary default subject, with just the
+   ;; right domain filled in. These values don't
+   ;; have any real significance.
+   (subject (string-append "/C=US/ST=Oregon/L=Portland/O=Company 
Name/OU=Org/CN="
+   primary-domain))
+   (alt-names (if (null? other-domains)
+  #f
+  (format #f "subjectAltName=~{DNS:~a~^,~}" 
other-domains)))
+   (directory (string-append "/etc/certs/" (or name primary-domain
+   #~(begin
+   (use-modules (ice-9 format))
+   (when (not (file-exists? #$directory))
+ ;; Due to the way certbot runs, we need to
+ ;; create the self-signed certificates in the
+ ;; archive folder and symlink them into the live
+ ;; folder. This mimics what certbot does well
+ ;; enough to make acquiring new certificates
+ ;; work.
+ (mkdir-p #$directory)
+ (chmod #$directory #o755)
+ (invoke #$(file-append openssl "/bin/openssl")
+ "req" "-x509"
+ "-newkey" #$(string-append "rsa:" (or rsa-key-size 
"4096"))
+ "-keyout" #$(string-append directory "/privkey.pem")
+ "-out" #$(string-append directory "/fullchain.pem")
+ "-sha256"
+ "-days" "1" ; Only one day, because we expect certbot to 
run
+ "-nodes"
+ "-subj" #$subject
+ 
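Review bot: `(format #f "subjectAltName=~{DNS:~a~^,~}" other-domains)` runs on the host side when the gexp is built, so it needs (ice-9 format) imported at the module level; the `(use-modules (ice-9 format))` placed inside the `#~(begin ...)` form is evaluated on the target and does not help, which is what the "unsupported format option ~{" warning quoted later in this thread is about. The comment block beginning "Due to the way certbot runs, we need to create the self-signed certificates in the archive folder" also describes an earlier attempt rather than this code, which writes directly into /etc/certs/.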

bug#66659: [PATCH] home: services: Don't crash on-first-login when nothing to do

2023-10-21 Thread Carlo Zancanaro
* gnu/home/services.scm (compute-on-first-login-script): Ensure that WHEN is
syntactically valid in expansion.
---
 gnu/home/services.scm | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/home/services.scm b/gnu/home/services.scm
index 651c068f79..3f018e3893 100644
--- a/gnu/home/services.scm
+++ b/gnu/home/services.scm
@@ -435,7 +435,10 @@ (define (compute-on-first-login-script _ gexps)
  ;; after complete logout/reboot.
  (if (file-exists? xdg-runtime-dir)
  (when (claim-first-run flag-file-path)
-   #$@gexps)
+   #$@gexps
+   ;; An empty WHEN body is not syntactically valid, so we put an
+   ;; arbitrary form here to ensure it's not empty.
+   #t)
  ;; TRANSLATORS: 'on-first-login' is the name of a service and
  ;; shouldn't be translated
  (warning (G_ "XDG_RUNTIME_DIR doesn't exists, on-first-login 
script
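Review bot: the `#t` with its explanatory comment is the minimal fix and reads fine; one nit in the trailing context of the same hunk is the translatable warning string "XDG_RUNTIME_DIR doesn't exists", which should read "doesn't exist" if this area is touched again.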

base-commit: 80c8f5b57aa3699445fab29e0f75f5955e697509
-- 
2.41.0






bug#66659: (home-)on-first-login script broken when no gexps are added

2023-10-21 Thread Carlo Zancanaro
On Sat, Oct 21 2023, Nils Landt wrote:
> ...
> As you can see, there is no body in the "when" expression.
>
> Code in gnu/home/services.scm:438 :
>
>   (if (file-exists? xdg-runtime-dir)
>   (when (claim-first-run flag-file-path)
> #$@gexps)
>
> In my case, it appears that gexps is empty, resulting in the invalid syntax.

Ah, yep, that's an issue. That issue was introduced in 
6b0a32196982a0a2f4dbb59d35e55833a5545ac6.

I guess this raises a question about how to resolve this: if we have no gexps, 
do we still want to claim the first run?

If yes: we can add #t (or whatever) to the end of the "when" form to make sure 
it's never empty.

If no: we can generate an empty on-first-login script that does nothing.

The previous behaviour was to still claim the first run, so I'll send through a 
patch that does that.

Carlo





bug#55391: Multiple slim services

2022-05-16 Thread Carlo Zancanaro

Hi André,

On Mon, May 16 2022, André A. Gomes wrote:
> Here it goes.  The manual states that you can have two slim 
> services on different ttys.  Am I misinterpreting something? 
> Thank you!


I don't think you're misinterpreting anything, but Josselin is 
correct when they say


On Fri, May 13 2022, Josselin Poiret wrote:
> If I understand the relevant code properly, this should happen 
> only when you try to extend a service type (eg. 
> slim-service-type) with another service


In your case, you're using set-xorg-configuration which tries to 
extend your slim-service-type service. Unfortunately, you want to 
define two of them, which causes the extension mechanism to fail 
complaining about the ambiguity.


You should be able to fix this by adding the xorg-configuration 
directly into the slim service that you're defining, something 
like this:


   (cons* (service slim-service-type
                   (slim-configuration
                    (display ":0")
                    (vt "vt7")
                    (xorg-configuration
                     (xorg-configuration
                      (modules (list xf86-input-libinput
                                     xf86-input-evdev
                                     xf86-input-wacom))
                      (keyboard-layout keyboard-layout)
                      (server-arguments
                       ;; disable screen-saver timeout
                       (append (list "-s" "0")
                               %default-xorg-server-arguments))
                      (extra-config (list xorg-touchpad
                                          xorg-monitor))))))
          (service slim-service-type
                   (slim-configuration
                    ;; Each X server needs its own display number.
                    (display ":1")
                    (vt "vt8")
                    ;; I wasn't sure if you wanted the same
                    ;; xorg-configuration here, so I left it out.
                    ))
          (modify-services %desktop-services
            (delete gdm-service-type)
            (delete (screen-locker-service xlockmore "xlock"))))

I hope that helps,

Carlo





bug#50872: Prosody service + letsencrypt certs improvements

2021-09-29 Thread Carlo Zancanaro

Hi Christine,

On Tue, Sep 28 2021, Christine Lemmer-Webber wrote:
> Hm, in other words we really ought to run this attached to some 
> hook related to the letsencrypt services... when they renew 
> successfully, it should trigger this command, I'd think.  We do 
> similar things for nginx, etc...


I'm pretty sure Guix doesn't do anything automatic when 
certificates are renewed. For nginx there's an example in the 
manual for how to set up a deploy hook to reload the 
certificates[1], so I expect that you'll have to set up something 
similar.


My prosody setup has this deploy hook:

   (program-file
    "reload-certificates"
    #~(let ((prosodyctl (string-append #$(specification->package "prosody")
                                       "/bin/prosodyctl")))
        (system* prosodyctl "--root" "cert" "import" "/etc/letsencrypt/live")
        (system* prosodyctl "reload")))

but I have recently had some trouble with it (prosody hasn't been 
reloading the certificate properly). I don't think my issue is 
related to this deploy hook, though.


I hope that helps!

Carlo

[1]: 
https://guix.gnu.org/en/manual/en/html_node/Certificate-Services.html






bug#30093: what manual workaround?

2021-05-23 Thread Carlo Zancanaro

Hi Tomás,

I'm not certain what your problem is, but I've run into problems 
with XDG_DATA_DIRS in the past, and I've added these lines in my 
profile script *before* sourcing any Guix profiles:


   # XDG_DATA_DIRS often starts off empty, but an empty value is
   # interpreted as this value. Loading a profile can set it, though,
   # which effectively ignores the default value. We want it to
   # instead add to the default, so we set it here to the default
   # value.
   if [ -z "$XDG_DATA_DIRS" ]; then
       export XDG_DATA_DIRS="/usr/local/share/:/usr/share/"
   fi

I see you have this line in your profile script:

export XDG_DATA_DIRS="$GUIX_PROFILE/share:${XDG_DATA_DIRS:-/usr/local/share/:/usr/share/}"


but you call this *after* sourcing the Guix profiles, which means 
if Guix sets XDG_DATA_DIRS then the fallback case (i.e. including 
/usr/local/share and /usr/share) won't have any effect, and the 
default paths (which Ubuntu expects) won't end up in the path.


I'm not as familiar with GI_TYPELIB_PATH, but I think it might 
need something similar with a default value of 
/usr/lib/girepository-1.0 (that's mostly a guess, based on a quick 
search of the internet and my local Ubuntu machine).


I hope that helps!

Carlo





bug#31719: icedtea-3 binaries contain references to icedtea-2

2021-04-20 Thread Carlo Zancanaro

Hi Ludo!

On Tue, Apr 20 2021, Ludovic Courtès wrote:

 (find-library (lambda (name)
-(or (search-path
- library-path
- (string-append "lib" 
name ".so"))
-(string-append "lib" 
name ".so")

+(search-path
+ library-path
+ (string-append "lib" name 
".so")

(for-each
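Review bot: dropping the `or` makes `find-library` return `#f` whenever `search-path` finds nothing on `library-path`, and the callers then splice that `#f` into the source as the library name; keep the `(string-append "lib" name ".so")` fallback so the result is always a string.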


As discussed on IRC, the "or" is actually important here to avoid 
substituting #f as the library name. I've attached a patch on top 
of yours that adds the "or" back (including the other two that I 
missed in my earlier patch), and also switches to "string-append" 
which is less sensitive to this problem.


I have built up to openjdk11 with this patch, and I see fewer #f's 
in the result. There are still some in the compiled libraries, but 
I haven't investigated thoroughly as to whether they're correct or 
not.


Carlo

>From 60101b27543b7cc41a052d5bec95234ea4977d35 Mon Sep 17 00:00:00 2001
From: Carlo Zancanaro 
Date: Tue, 20 Apr 2021 21:22:20 +1000
Subject: [PATCH] gnu: Fix openjdk library substitution when libraries aren't
 found

* gnu/packages/java.scm (icedtea-8, openjdk9, openjdk11): Fix JNI library
substitution to not substitute #f if the library can't be found.
---
 gnu/packages/java.scm | 33 ++---
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index b780f7a85f..8a1ba5f262 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -1806,9 +1806,10 @@ new Date();"))
   (search-path-as-string->list
(getenv "LIBRARY_PATH"
 (find-library (lambda (name)
-(search-path
- library-path
- (string-append "lib" name ".so")
+(or (search-path
+ library-path
+ (string-append "lib" name ".so"))
+(string-append "lib" name ".so")
(for-each
 (lambda (file)
   (catch 'decoding-error
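Review bot: with the `or` fallback, a library that is not found on `library-path` is silently replaced by the bare `libNAME.so` name, so a missing build input only surfaces as a runtime load failure; consider printing the fallback to `(current-error-port)` the way the `decoding-error` handler in the next hunk does, so the build log records which libraries were not hardcoded.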
@@ -1816,9 +1817,9 @@ new Date();"))
   (substitute* file
 (("VERSIONED_JNI_LIB_NAME\\(\"(.*)\", \"(.*)\"\\)"
   _ name version)
- (format #f "\"~a\""  (find-library name)))
+ (string-append "\"" (find-library name) "\""))
 (("JNI_LIB_NAME\\(\"(.*)\"\\)" _ name)
- (format #f "\"~a\"" (find-library name)
+ (string-append "\"" (find-library name) "\""
 (lambda _
   ;; Those are safe to skip.
   (format (current-error-port)
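Review bot: `string-append` raises a wrong-type error if `find-library` ever yields `#f`, where `format` with `~a` would quietly print `#f`; that fail-loud behaviour is the intent here, and it relies on the `or` fallback in the previous hunk always producing a string, which is worth noting in the commit message.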
@@ -1956,9 +1957,10 @@ new Date();"))
   (search-path-as-string->list
(getenv "LIBRARY_PATH"
 (find-library (lambda (name)
-(search-path
- library-path
- (string-append "lib" name ".so")
+(or (search-path
+ library-path
+ (string-append "lib" name ".so"))
+(string-append "lib" name ".so")
(for-each
 (lambda (file)
   (catch 'decoding-error
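Review bot: this hunk repeats the `find-library` change from the icedtea-8 phase verbatim, and the same pattern recurs for openjdk11 below; a shared helper for the `patch-jni-libs` phase would keep the three packages from drifting apart on the next fix.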
@@ -1966,9 +1968,9 @@ new Date();"))
   (substitute* file
 (("VERSIONED_JNI_LIB_NAME\\(\"(.*)\", \"(.*)\"\\)"
   _ name version)
- (format #f "\"~a\""  (find-library name)))
+ (string-append "\"" (find-library name) "\""))
  

bug#31719: Chains of dependencies getting longer

2021-04-20 Thread Carlo Zancanaro



On 20 April 2021 4:18:03 am AEST, Ricardo Wurmus  wrote:
>I just looked over the patch, and while I’m not sure it’s the best way to do 
>things (matching “openjdk” or “icedtea” in the package name seems a little 
>error prone in the presence of packages whose names might include these 
>strings), but I think it’s a definite improvement.

Yeah, I'm agreed on that. I tried for a while to find a way to exclude native 
inputs, but as far as I could tell they all ended up as inputs within the build 
phases. I'd be happy to change it if somebody can give me a hint about how to 
pick out the native inputs.

Carlo





bug#31719: Chains of dependencies getting longer

2021-04-17 Thread Carlo Zancanaro

On Sat, Apr 17 2021, Carlo Zancanaro wrote:
> I'm in the process of rebuilding Java from icedtea-8 upwards to 
> check,


I've now built and checked the JRE/JDKs from 10 to 14, and none of 
them retain a reference to any other JRE/JDK according to "guix gc 
--references".


Carlo





bug#31719: Chains of dependencies getting longer

2021-04-17 Thread Carlo Zancanaro
Here's a patch that should clean up these runtime dependencies. 
It's a bit specific to this particular case, but I think that 
might be fine for now.


I think it would make more sense for native inputs to not have 
their paths included in LIBRARY_PATH. Does it even make sense for 
them to be there? I thought LIBRARY_PATH was for compilers to find 
dependencies when compiling so they can link their output binaries 
against them. Having native inputs show up there seems wrong.


I'm in the process of rebuilding Java from icedtea-8 upwards to 
check, but I have already tested that modifying openjdk 9 and 10 
leads to "guix gc --references" show that openjdk 10 does not 
depend on openjdk 9. I have also tested that I can run some 
complex Java programs on my machine using the openjdk 10 built 
using this patch.


Carlo

>From f98dc5ad5662cc62f198d8f50e7dd719cf941315 Mon Sep 17 00:00:00 2001
From: Carlo Zancanaro 
Date: Sat, 17 Apr 2021 16:33:06 +1000
Subject: [PATCH] gnu: Clean up runtime dependencies between Java versions.

* gnu/packages/java.scm (icedtea-8, openjdk9, openjdk11): Don't consider
icedtea/openjdk input paths when rewriting JNI libraries.
---
 gnu/packages/java.scm | 36 ++--
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 207f136513..3c4013ab6f 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ricardo Wurmus 
 ;;; Copyright © 2016 Leo Famulari 
 ;;; Copyright © 2016, 2017 Roel Janssen 
-;;; Copyright © 2017, 2019 Carlo Zancanaro 
+;;; Copyright © 2017, 2019, 2021 Carlo Zancanaro 
 ;;; Copyright © 2017-2020 Julien Lepiller 
 ;;; Copyright © 2017 Thomas Danckaert 
 ;;; Copyright © 2016, 2017, 2018 Alex Vong 
@@ -1792,8 +1792,13 @@ new Date();"))
  (add-after 'unpack 'patch-jni-libs
;; Hardcode dynamically loaded libraries.
(lambda _
- (let* ((library-path (search-path-as-string->list
-   (getenv "LIBRARY_PATH")))
+ (use-modules (srfi srfi-1))
+ (define (icedtea-or-openjdk? path)
+   (or (string-contains path "openjdk")
+   (string-contains path "icedtea")))
+ (let* ((library-path (remove icedtea-or-openjdk?
+  (search-path-as-string->list
+   (getenv "LIBRARY_PATH"
 (find-library (lambda (name)
 (search-path
  library-path
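Review bot: `icedtea-or-openjdk?` applies `string-contains` to the whole store path, so any input whose store name merely contains "openjdk" or "icedtea" is dropped from `library-path` as well, which is the fragility raised elsewhere in this thread; matching only the package-name component of the path would narrow it. Also, `(use-modules (srfi srfi-1))` inside a lambda body is not the usual Guix idiom; add the module through the build system's `#:modules` argument instead.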
@@ -1931,12 +1936,18 @@ new Date();"))
  (add-after 'unpack 'patch-jni-libs
;; Hardcode dynamically loaded libraries.
(lambda _
- (let* ((library-path (search-path-as-string->list
-   (getenv "LIBRARY_PATH")))
+ (use-modules (srfi srfi-1))
+ (define (icedtea-or-openjdk? path)
+   (or (string-contains path "openjdk")
+   (string-contains path "icedtea")))
+ (let* ((library-path (remove icedtea-or-openjdk?
+  (search-path-as-string->list
+   (getenv "LIBRARY_PATH"
 (find-library (lambda (name)
-(search-path
- library-path
- (string-append "lib" name ".so")
+(or (search-path
+ library-path
+ (string-append "lib" name ".so"))
+(string-append "lib" name ".so")
(for-each
 (lambda (file)
   (catch 'decoding-error
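Review bot: this hunk duplicates both the `icedtea-or-openjdk?` definition from the previous hunk and the `or` fallback in `find-library`; since the same block appears a third time for openjdk11, a shared helper for the `patch-jni-libs` phase would avoid three copies of the same logic.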
@@ -2139,8 +2150,13 @@ new Date();"))
  (add-after 'unpack 'patch-jni-libs
;; Hardcode dynamically loaded libraries.
(lambda _
- (let* ((library-path (search-path-as-string->list
-   (getenv "LIBRARY_PATH")))
+ (use-modules (srfi srfi-1))
+ (define (icedtea-or-openjdk? path)
+   (or (string-contains path "openjdk")
+   (string-contains path "icedtea")))
+ (let* ((library-path (remove icedtea-or-openjdk?
+  (search-path-as-string->list
+   (getenv "LIBRARY_PATH"
 (find-library (lambda (name)
 (search-path
  library-path
-- 
2.31.1



bug#31719: Chains of dependencies getting longer

2021-04-16 Thread Carlo Zancanaro

On Sat, Apr 17 2021, Björn Höfling wrote:
> Sorry, I currently don't find the time to look at the problem. 
> Would someone else give it a try?


I just had a quick look, and I think we can resolve it by changing 
the patch-jni-libs to not rewrite references to "mlib_image" and 
"splashscreen". It looks like they're provided as part of the JVM 
built itself, but our build phase hard codes a reference to the 
previous JVM's build result instead of using the current JVM's 
build result. They're the only dependencies I've found so far, but 
I've only looked at openjdk10 and openjdk14.


I'll put together a patch later today, if I haven't been beaten to 
it by then.


Carlo





bug#47634: Accompany .asc and .DIGESTS keys for the ISO

2021-04-08 Thread Carlo Zancanaro



On 9 April 2021 3:34:20 am AEST, bo0od  wrote:
>This is nicely written by Qubes documentation:
>
>https://www.qubes-os.org/security/verifying-signatures/

From that page:

> If you’ve already verified the signatures on the ISO directly, then verifying 
> digests is not necessary.

Which implies that the signatures are sufficient, right?

What is the benefit to providing the key (.asc) and hashes (.DIGESTS)? The page 
you linked provides rationale for providing and checking digital signatures, 
but we already provide them.

Carlo





bug#45360: Cannot log in to GNOME on foreign distro with Guix

2020-12-22 Thread Carlo Zancanaro

Hi Evan!

On Tue, Dec 22 2020, Evan Straw wrote:
> ... When I add a package (like stumpwm) that needs to set 
> XDG_DATA_DIRS, the problem seems to reappear. ...


I think I've had this problem in the past. I'm currently running 
on a foreign distribution, and I have this in my ~/.profile file:


   # XDG_DATA_DIRS often starts off empty, but an empty value is
   # interpreted as this value. Loading a profile can set it, though,
   # which effectively ignores the default value. We want it to
   # instead add to the default, so we set it here to the default
   # value.
   if [ -z "$XDG_DATA_DIRS" ]; then
       export XDG_DATA_DIRS="/usr/local/share/:/usr/share/"
   fi

I think I took the default value from 
https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html 
where it says:


   If $XDG_DATA_DIRS is either not set or empty, a value equal to 
   /usr/local/share/:/usr/share/ should be used.


I hope that helps!

> Is this a bug, or is it possible I've just misconfigured 
> something?


We should consider this a bug, because Guix's attempt to add to 
the XDG_DATA_DIRS environment variable clobbers the default value 
that foreign distributions are relying on.


We should at least document this in the manual, maybe in "(guix) 
Application Setup".


Carlo
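As an added example (not from this post or the bug#30093 reply above), the script below simulates the two orderings discussed in both: setting the XDG_DATA_DIRS fallback after sourcing a Guix profile versus seeding the spec default before it. `simulate_guix_profile` and the profile path are constructed stand-ins; the assumption is that sourcing the profile prepends its share directory and keeps any existing value.

```shell
#!/bin/sh
# Added example, not from the mailing-list posts. Simulates how the order of
# "source the Guix profile" and "set the XDG_DATA_DIRS fallback" changes the
# final value of XDG_DATA_DIRS.

XDG_DEFAULT="/usr/local/share/:/usr/share/"   # default from the basedir spec
PROFILE="/home/user/.guix-profile"            # constructed profile path

# Stand-in (assumption) for what sourcing $GUIX_PROFILE/etc/profile does:
# prepend the profile's share directory, keeping any existing value.
simulate_guix_profile() {
    XDG_DATA_DIRS="$PROFILE/share${XDG_DATA_DIRS:+:$XDG_DATA_DIRS}"
    export XDG_DATA_DIRS
}

# Order from the reporter's script: profile first, fallback afterwards.
# The profile has already set the variable, so ${XDG_DATA_DIRS:-default}
# never expands to the default and /usr/share is lost.
fallback_after_profile() (
    unset XDG_DATA_DIRS
    simulate_guix_profile
    XDG_DATA_DIRS="$PROFILE/share:${XDG_DATA_DIRS:-$XDG_DEFAULT}"
    printf '%s\n' "$XDG_DATA_DIRS"
)

# Order recommended in the posts: seed the spec default while the variable
# is still empty, then source the profile, which adds to it.
default_before_profile() (
    unset XDG_DATA_DIRS
    if [ -z "$XDG_DATA_DIRS" ]; then
        export XDG_DATA_DIRS="$XDG_DEFAULT"
    fi
    simulate_guix_profile
    printf '%s\n' "$XDG_DATA_DIRS"
)

# Check whether a colon-separated value still contains the distribution's
# /usr/share/ entry that GNOME on a foreign distro relies on.
has_default_dirs() {
    case ":$1:" in
        *":/usr/share/:"*) return 0 ;;
        *) return 1 ;;
    esac
}

echo "profile, then fallback: $(fallback_after_profile)"
echo "default, then profile:  $(default_before_profile)"
```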





bug#44863: Warning about importing a MELPA package

2020-12-07 Thread Carlo Zancanaro

On Mon, Dec 07 2020, Carlo Zancanaro wrote:

> ... unfortunately it no longer applies cleanly to master.


Actually, I think I was wrong about this. I must have done 
something wrong when I tried to apply the patch before sending my 
email. When I tried again it worked, and it seems to be fetching 
the git references properly.






bug#44863: Warning about importing a MELPA package

2020-12-07 Thread Carlo Zancanaro

On Wed, Nov 25 2020, Zhu Zihao wrote:
> ... We may better warn user don't submit package which download 
> url belongs to MELPA. Maybe emit warning while executing `guix 
> import elpa -a melpa XXX`, or writing this rule to manual.


I submitted a patch a while ago to make the MELPA importer pull 
the latest git commit (at the time of import) and use that as the 
source. The importer has to do a bit more work (eg. appropriately 
setting #:files in the Guix package).


You can find my patch at https://issues.guix.gnu.org/issue/38769 
but unfortunately it no longer applies cleanly to master. I'll 
take a look at fixing it up.






bug#44808: Default to allowing password authentication on leaves users vulnerable

2020-11-22 Thread Carlo Zancanaro

Hey Chris!

On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
> ... Plus, few distributions do what we're doing anymore, 
> precisely because of wanting to be secure by default.


Is this true? Debian defaults to passwords being allowed. I think 
it even allows root login by default. At least, I have always had 
to add "PermitRootLogin no" and "PasswordAuthentication no" 
whenever I install openssh-server on debian.


I'm on board with what you're proposing, and I think Guix should 
default to the more secure option, but I'm not sure that an 
"average user" (whatever that means for Guix's demographic) would 
expect that password authentication is disabled by default.


Carlo





bug#43465: obs icons

2020-09-18 Thread Carlo Zancanaro

On Sat, Sep 19 2020, raingloom wrote:

> this is the one you need:
>
> XDG_DATA_DIRS=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/share


If that's true, then my instinct that it was related to 
environment variables is wrong, because my user profile has 
XDG_DATA_DIRS pointing into the profile, and the icons don't load. 
That might imply that OBS is looking for something that one of its 
inputs is contributing to the build environment, but which isn't 
propagated into the profile when it's installed.


Carlo





bug#43465: obs icons

2020-09-18 Thread Carlo Zancanaro
On Thu, Sep 17 2020, Adam Kandur via Bug reports for GNU Guix 
wrote:
> when i install obs in my user profile and run it - it runs but 
> without any icons.


I can confirm this happens on my machine, too.


> but if i run it from obs env - it works with all fancy icons.


I didn't know this, though. I just tested on my machine and found 
that:


- "guix environment --ad-hoc obs -- obs" does not have icons
- "guix environment obs --ad-hoc obs -- obs" has icons

I don't have time to dig into why right now, but I'm curious as to 
what's going wrong. I assume it's to do with an environment 
variable of some sort. Here is the output of "env" on my machine 
in the two environments (removing DISPLAY, TERM, USER, HOME, and 
LOGNAME).


$ guix environment --pure obs --ad-hoc obs -- env
PATH=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/bin:/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/sbin
CMAKE_PREFIX_PATH=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/
PKG_CONFIG_PATH=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/lib/pkgconfig:/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/share/pkgconfig
QMAKEPATH=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/lib/qt5
QT_PLUGIN_PATH=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/lib/qt5/plugins
XDG_DATA_DIRS=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/share
XDG_CONFIG_DIRS=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/etc/xdg
C_INCLUDE_PATH=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/include
CPLUS_INCLUDE_PATH=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/include/c++:/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/include
LIBRARY_PATH=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/lib
GUIX_LOCPATH=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile/lib/locale
GUIX_ENVIRONMENT=/gnu/store/79d2a2zqgyg0zgvkfw2hq6k4vj1qbf41-profile

$ guix environment --pure --ad-hoc coreutils --ad-hoc obs -- env
PATH=/gnu/store/ylim73lin9v56d2dalk8q4a53r6ji53a-profile/bin
GUIX_ENVIRONMENT=/gnu/store/ylim73lin9v56d2dalk8q4a53r6ji53a-profile

Carlo





bug#41418: Rendered graphs in manual have improperly rendered text

2020-05-20 Thread Carlo Zancanaro
Apologies, immediately after sending this email I saw #41282, 
which is the same bug. I don't know whether it's better to close 
this, or to merge them, so I'll leave that up to someone else to 
decide. :)






bug#41418: Rendered graphs in manual have improperly rendered text

2020-05-20 Thread Carlo Zancanaro
I was looking at the manual for the guix graph command today, and 
I noticed that the text in the images isn't being rendered 
properly. Instead of legible characters, it's just boxes.


For example: 
https://guix.gnu.org/manual/en/html_node/Invoking-guix-graph.html#Invoking-guix-graph


I looked through all the images and it looks like only the graphs 
are affected (ie. the installer screenshots and guix size output 
looked fine), however all of the graphs are affected.






bug#36977: Add OpenSubdiv library, and add as Blender dependency

2019-08-12 Thread Carlo Zancanaro

On Sun, Aug 11 2019, Carlo Zancanaro wrote:
> ... adding it to the Blender inputs didn't cause the subdivision 
> modifier to work. ...


Well, it turns out I just had to add the -DWITH_OPENSUBDIV=ON 
configure flag. Here's a new patch to do that!


>From 231763df5b336118dae973da9dbde362dd1c1465 Mon Sep 17 00:00:00 2001
From: Carlo Zancanaro 
Date: Mon, 12 Aug 2019 20:15:11 +1000
Subject: [PATCH] gnu: blender: Add opensubdiv as an input

* gnu/packages/graphics.scm (blender)[inputs]: Add opensubdiv.
[arguments]: Add "-DWITH_OPENSUBDIV=ON" to #:configure-flags.
---
 gnu/packages/graphics.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/graphics.scm b/gnu/packages/graphics.scm
index 11ea550039..b9207f284d 100644
--- a/gnu/packages/graphics.scm
+++ b/gnu/packages/graphics.scm
@@ -147,6 +147,7 @@ architectures.")
"-DWITH_INSTALL_PORTABLE=OFF"
"-DWITH_JACK=ON"
"-DWITH_MOD_OCEANSIM=ON"
+   "-DWITH_OPENSUBDIV=ON"
"-DWITH_PYTHON_INSTALL=OFF"
(string-append "-DPYTHON_LIBRARY=python" ,python-version "m")
(string-append "-DPYTHON_LIBPATH=" (assoc-ref %build-inputs "python")
@@ -182,6 +183,7 @@ architectures.")
("libx11" ,libx11)
("openimageio" ,openimageio)
("openexr" ,openexr)
+   ("opensubdiv" ,opensubdiv)
("ilmbase" ,ilmbase)
("openjpeg" ,openjpeg)
("libjpeg" ,libjpeg)
-- 
2.22.0



bug#36977: Add OpenSubdiv library, and add as Blender dependency

2019-08-11 Thread Carlo Zancanaro

On Fri, Aug 09 2019, Christopher Lemmer Webber wrote:
> I was surprised to open Blender 2.80 and find that subdivision 
> surfaces (necessary for organic modeling) were doing nothing.  I 
> couldn't figure out why this was, until I found out that Blender 
> now uses OpenSubdiv for subdivision surfaces.


I gave this a go, but it didn't go as smoothly as I had hoped. I 
packaged opensubdiv, which I have attached, but adding it to the 
Blender inputs didn't cause the subdivision modifier to work. I'm 
not really able to take this any further, but this is at least 
something to start with!


>From 959496bd6461474a30ce0e28ee0f6765a7523671 Mon Sep 17 00:00:00 2001
From: Carlo Zancanaro 
Date: Sun, 11 Aug 2019 21:25:14 +1000
Subject: [PATCH] gnu: Add opensubdiv.

* gnu/packages/graphics.scm (opensubdiv): New variable.
---
 gnu/packages/graphics.scm | 43 +++
 1 file changed, 43 insertions(+)

diff --git a/gnu/packages/graphics.scm b/gnu/packages/graphics.scm
index bc3a418e99..11ea550039 100644
--- a/gnu/packages/graphics.scm
+++ b/gnu/packages/graphics.scm
@@ -12,6 +12,7 @@
 ;;; Copyright © 2018 Alex Kost 
 ;;; Copyright © 2018 Kei Kebreau 
 ;;; Copyright © 2019 Mark H Weaver 
+;;; Copyright © 2019 Carlo Zancanaro 
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -77,6 +78,48 @@
   #:use-module (guix packages)
   #:use-module (guix utils))
 
+(define-public opensubdiv
+  (package
+(name "opensubdiv")
+(version "3.4.0")
+(source (origin
+  (method url-fetch)
+  (uri (string-append "https://github.com/PixarAnimationStudios/OpenSubdiv/archive/v3_4_0.tar.gz;))
+  (sha256
+   (base32
+"1r3ki5lql9i71c775n6d8gxix4svg9f17ck0i58wfw9kz29b4cnr"
+(build-system cmake-build-system)
+(arguments
+ `(#:phases (modify-phases %standard-phases
+  (add-before 'configure 'set-glew-location
+(lambda* (#:key inputs #:allow-other-keys)
+  (setenv "GLEW_LOCATION" (assoc-ref inputs "glew"))
+  #t))
+  (add-before 'check 'start-xorg-server
+(lambda* (#:key inputs #:allow-other-keys)
+  ;; The test suite requires a running X server.
+  (system (string-append (assoc-ref inputs "xorg-server")
+ "/bin/Xvfb :1 &"))
+  (setenv "DISPLAY" ":1")
+  #t)
+(native-inputs
+ `(("xorg-server" ,xorg-server)))
+(inputs
+ `(("glew" ,glew)
+   ("libxrandr" ,libxrandr)
+   ("libxcursor" ,libxcursor)
+   ("libxinerama" ,libxinerama)
+   ("libxi" ,libxi)
+   ("zlib" ,zlib)
+   ("glfw" ,glfw)))
+(home-page "http://graphics.pixar.com/opensubdiv/;)
+(synopsis "High performance subdivision surface evaluation")
+(description
+ "OpenSubdiv is a set of libraries that implement high performance
+subdivision surface (subdiv) evaluation on massively parallel CPU and GPU
+architectures.")
+(license license:asl2.0)))
+
 (define-public blender
   (package
 (name "blender")
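Review bot: the source `uri` points at the autogenerated GitHub archive (`archive/v3_4_0.tar.gz`), which Guix discourages because such tarballs can be regenerated with a different hash; use `git-fetch` with a `git-reference` whose tag is derived from VERSION, which also removes the second hardcoded copy of the version in `v3_4_0`. The `start-xorg-server` phase backgrounds Xvfb through `system` and `&` without waiting for the server to accept connections, so the tests can race its startup; a short wait or a retry loop before `check` would make the phase deterministic.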
-- 
2.22.0



bug#34454: Gtk upstream bug #1280 causes crashes in IceCat and Emacs

2019-03-29 Thread Carlo Zancanaro

Hi Mark,

Thanks so much for taking a look at this!

On Sat, Mar 30 2019, Mark H Weaver wrote:
> If those affected by this issue would like to test this patch 
> and report back, that would be helpful.


I applied your patch to my local Guix, and everything is working 
fine again. I had been working around the problem by using 
emacs-no-x-toolkit, but with your patch I can use the normal emacs 
package again without issues.


Carlo





bug#34658: Emacs crashes

2019-02-25 Thread Carlo Zancanaro

On Tue, Feb 26 2019, Leo Famulari wrote:
> It will aid debugging if you can tell us which commit you 
> upgraded from, as well.


Good call.

I think the last Guix commit that I was branched from (where Emacs 
worked properly) was e36d043882462f2252aa8e6fe7c34bfbee6d3175.






bug#34658: Emacs crashes

2019-02-25 Thread Carlo Zancanaro
I updated my Guix installation and user profile yesterday, and 
since then Emacs has started crashing. I've attached the output of 
running "emacs -Q".


I'm using my own branch of Guix that is based on 
089a2c51ff4d4d8ddd180001b25535019c0d35c0, but I haven't modified 
Emacs. As a workaround I am now using emacs-no-x-toolkit, which 
does not have this problem.


The output claims that it's a GTK bug, but I have not experienced 
it before today.


X protocol error: BadMatch (invalid parameter attributes) on protocol request 2
When compiled with GTK, Emacs cannot recover from X disconnects.
This is a GTK bug: https://bugzilla.gnome.org/show_bug.cgi?id=85715
For details, see etc/PROBLEMS.
Fatal error 6: Aborted
aborted (core dumped)


bug#34630: slock: unable to disable OOM killer. Make sure to suid or sgid slock.

2019-02-23 Thread Carlo Zancanaro

Hey Matthew,

I have successfully used slock on a Guix system, but I haven't 
tried using the Guix slock on a foreign distribution. I would 
expect it to not work, and the error message gives us an idea why:


> When using the guix installed slock, it doesn't lock the screen, 
> and errors with the following error: "slock: unable to disable 
> OOM killer. Make sure to suid or sgid slock."


None of the programs in the Guix store (ie. /gnu/store) will have 
setuid or setgid set. On a Guix system you can install a slock 
screen-locker-service, which will provide a setuid binary for 
slock (via the setuid-program-service). This is done automatically 
as part of the default %desktop-services. I don't know of a way to 
do this on a foreign distribution.


Carlo





bug#22039: [PATCH] 'guix system reconfigure' must start/restart/stop services

2018-09-24 Thread Carlo Zancanaro

Hey Ludo’,

On Mon, Sep 24 2018, Ludovic Courtès wrote:
> If that’s fine with you, I can apply the patch you initially 
> posted so we can start taking advantage of it (I’d like to push 
> a Guix release by the end of October.)  WDYT?


That sounds good to me!

Thanks for your patience through this. It's taken a bit of time 
for my ideas to fully form, but I think it's coming together.


Carlo





bug#22039: [PATCH] 'guix system reconfigure' must start/restart/stop services

2018-09-23 Thread Carlo Zancanaro

Hey Ludo’,

On Fri, Sep 21 2018, Ludovic Courtès wrote:

> What would you put there?  Do you have concrete examples?


I would have three possible values: 'never, 'always, 'manual.

'never would mean that the service should never be restarted. This 
is for things like udev, or the filesystems, which should never be 
restarted on a running system.


'always would mean that the service is always safe to restart. I 
don't immediately know what services would fit in this category 
(maybe sshd, given Efraim's comment; maybe ntpd? I'm sure there 
are others). Things like nginx will probably not fall into this 
category, because they involve some downtime when restarting. 
Reloading their configuration (via a "reload" action, or similar) 
is not enough because the binary and/or libraries might have 
changed (and, in the worst case, might have an incompatible 
configuration format, although I would expect that to be 
exceedingly rare).


'manual would mean that the service should be restarted, but it 
needs to be done at an appropriate time. This should prompt the 
user with the names of the services, and we should provide an 
option to guix system reconfigure to restart these services as 
part of the reconfigure. We could call the option 
"--restart-services".


>> [ ... ] I just have to know that to restart wicd I have to run 
>> "herd restart networking".


> There’s ‘guix system search’ that provides this kind of info 
> (see ), but I agree we 
> could do better.


I actually checked this before sending my previous message, but I 
didn't see that it includes "shepherdnames". I tested with "guix 
system search wicd" which didn't show any, but I see now that 
searching "guix system search xmpp" does helpfully show how to 
restart the service.


> We can go with your patch and a message along the lines of what 
> we discussed above, and then work on the improvements you 
> mentioned, one at a time.  That way we’ll have the warm feeling 
> of having achieved something, even if there’s more to come.  :-)


I won't be able to look at writing the code for this for a few 
weeks, but hopefully I'll get to it around mid- to late-October.


Carlo





bug#32787: Typos in Shepperd

2018-09-20 Thread Carlo Zancanaro

On Fri, Sep 21 2018, Rafael Fontenelle wrote:

> Please check if the commit message is as expected.


I changed your commit message slightly (ironically, fixing a typo) 
and pushed it as 86b3ef0fdc0d1374cb0a822755887b3d58142c26.


Thanks!

Carlo





bug#32787: Typos in Shepperd

2018-09-20 Thread Carlo Zancanaro

Hey Rafael!

On Fri, Sep 21 2018, Rafael Fontenelle wrote:

diff --git a/ANNOUNCE--0.5 b/ANNOUNCE--0.5
 ...
diff --git a/ANNOUNCE--0.6 b/ANNOUNCE--0.6
 ...
diff --git a/ChangeLog-2003 b/ChangeLog-2003
 ...


I am a bit conflicted about these ones, because in my mind these 
are "append only" files. All of the other ones look fine, though.


Could you send the patch through as formatted by "git 
format-patch" and with a commit message in the "ChangeLog"[1] 
format? It's probably easiest to just copy the style of commit 
messages in the repository.


Thanks!

Carlo

[1]: 
https://www.gnu.org/prep/standards/html_node/Change-Logs.html#Change-Logs






bug#22039: [PATCH] 'guix system reconfigure' must start/restart/stop services

2018-09-20 Thread Carlo Zancanaro

Hey Ludo’,


> From the POV of the Shepherd, services carry no semantics.


In Guix we have as much information as possible about the 
services. We should know which services should be upgraded 
automatically, which ones we should prompt the user to upgrade, 
and which ones are never safe to upgrade. Maybe we could add a 
"restart-strategy" to the shepherd-service object?


> Thus I think it’s reasonable to print a message along the lines 
> of:
>
>   The following services were upgraded: …
>   Please run “herd restart SERVICE” to stop, upgrade, and 
>   restart services that were not automatically upgraded.
>
> WDYT?


The main reasons I'm not super happy with this are that it's not 
discoverable (which is bad for new users), and it requires 
interaction (so cannot be an unattended upgrade). In particular 
for discoverability, some of our services don't take advantage of 
the Shepherd's ability to have multiple "provision" values. For 
instance, I just have to know that to restart wicd I have to run 
"herd restart networking".


Maybe this should be a separate ticket. Replacing the services and 
printing a generic message will still be an improvement on what 
Guix currently does, and I don't want to hold that up just because 
I think we can do better.


Carlo





bug#22039: [PATCH] 'guix system reconfigure' must start/restart/stop services

2018-09-20 Thread Carlo Zancanaro

> [...] so presumably messages go to /dev/kmsg and/or the console.


I don't remember seeing anything about the exception in any of the 
output that I looked at. I'm a bit confused about where different 
bits of output go, so I'll take a look at how output is handled in 
a few weeks, when the rest of life settles down a bit.



> I wouldn’t consider it a blocker for 0.5.0 though.  WDYT?


Yeah, I agree. We should try to improve it, but as long as we 
haven't made things worse (which we haven't) then it shouldn't 
block a release.


We still need to work out what we want to do on the Guix side once 
the Shepherd is released. Do we want to restart services that we 
can, or print a message telling users how to do so? Maybe 
individual services should be able to specify their preference?


Carlo





bug#22039: [PATCH] 'guix system reconfigure' must start/restart/stop services

2018-09-19 Thread Carlo Zancanaro

Hey Ludo’,

On Thu, Sep 20 2018, Ludovic Courtès wrote:
> Commit c4ba8c79db0aa4ba3517acc82ebafe16105fbb97 reinstates the 
> commit and removes the leftover #:replace, which was responsible 
> for the problem: ...


That's great! I didn't even know about the #:replace option, so 
I'm glad you were able to find it.


> If there’s nothing left to add to Shepherd, we can release 0.5.0 
> within a few days and then commit the Guix side of this change.


This seems like the sort of thing that shouldn't have been this 
tricky. Is the exception printed somewhere? If not, then I think 
we should print the exception, or at least some information, when 
a service fails to load.


Carlo





bug#22039: [PATCH] 'guix system reconfigure' must start/restart/stop services

2018-09-01 Thread Carlo Zancanaro


On Sun, Sep 02 2018, Ludovic Courtès wrote:
> First, could you check (in a VM) whether the boot failure is 
> reproducible when that patch that removes ‘EINTR-safe’ is 
> applied?


As far as I can tell it's completely reproducible.


> If it’s 100% reproducible, could you share the VM’s output?


Sure. It's attached.





> Indeed.  In addition, some low-level services such as file 
> system mounts cannot be restarted without rebooting, so it’s not 
> useful to mention them.  Perhaps we should simply print (1) the 
> list of services that were restarted, and (2) a message saying 
> that users should explicitly run “herd restart SERVICE” to 
> upgrade other services.
>
> WDYT?


If there are services that must never be restarted, then maybe we 
don't want to indiscriminately print out a message to restart 
everything. We need some way to mark services that must not be 
restarted. If that's the case, then we might as well just 
automatically restart the services that we can rather than 
printing a message saying to do so. What do we gain by adding an 
extra step to that process?


Carlo




bug#22039: [PATCH] 'guix system reconfigure' must start/restart/stop services

2018-09-01 Thread Carlo Zancanaro

Hey Ludo’,

On Sat, Sep 01 2018, Ludovic Courtès wrote:
> I’d like to make sure we understand the story with ‘EINTR-safe’, 
> but after that I’m happy to push a release.


Do you have any thoughts about why it could be failing, or things 
I could investigate? I don't know where to start.


>> One possible improvement would be to print out the services 
>> that need to be restarted to be upgraded.
>
> Yes, that’d be nice.


I have done this, but now it seems a bit overwhelming how many 
services would need to be manually restarted. My modified code 
writes a message like this:


To complete the upgrade, restart the following services:
   file-systems
   user-file-systems
   file-system-/boot/efi
   file-system-/dev/pts
   file-system-/dev/shm
   file-system-/gnu/store
   file-system-/run/systemd
   file-system-/run/user
   file-system-/sys/fs/cgroup/elogind
   file-system-/sys/fs/cgroup
   file-system-/sys/fs/cgroup/cpuset
   file-system-/sys/fs/cgroup/cpu
   file-system-/sys/fs/cgroup/cpuacct
   file-system-/sys/fs/cgroup/memory
   file-system-/sys/fs/cgroup/devices
   file-system-/sys/fs/cgroup/freezer
   file-system-/sys/fs/cgroup/blkio
   file-system-/sys/fs/cgroup/perf_event
   root-file-system
   user-processes
   host-name
   udev
   nscd
   guix-daemon
   urandom-seed
   syslogd
   loopback
   term-tty6
   term-tty5
   term-tty4
   term-tty3
   term-tty2
   term-tty1
   console-font-tty1
   console-font-tty2
   console-font-tty3
   console-font-tty4
   console-font-tty5
   console-font-tty6
   virtual-terminal
   ntpd
   dbus-system
   elogind
   upower-daemon
   avahi-daemon
   wpa-supplicant
   networking
   xorg-server
   cups

The same list is printed every time on my system, because the 
diffing is only on the level of the canonical-name. Most of these 
services are being "replaced" by services that are exactly the 
same, so they don't really need to be restarted. I don't really 
know what to do about this. Even if it were fixed, on an actual 
upgrade I assume many of these services would be different, and 
thus would be printed legitimately.


I'm also confused why some of these things are services (like 
host-name).


I'll send through an updated patch once I've cleaned it up a bit, 
but I'm not as positive about it as I was initially.


Carlo




bug#22039: [PATCH] 'guix system reconfigure' must start/restart/stop services

2018-09-01 Thread Carlo Zancanaro

On Sat, Sep 01 2018, Carlo Zancanaro wrote:
> I'll send through an updated patch once I've cleaned it up a 
> bit, [ ... ]


Updated patch attached.

From 47647b767930d16ab5a3b855993daf6ddf98f230 Mon Sep 17 00:00:00 2001
From: Carlo Zancanaro 
Date: Sun, 26 Aug 2018 21:54:14 +1000
Subject: [PATCH] gnu: services: Load all services on reconfigure, not just
 stopped ones

* doc/guix.texi (Invoking guix system): Document the new behaviour.
* gnu/services/shepherd.scm (shepherd-service-upgrade): Return a list of
  services that need to be restarted to complete their upgrade.
* guix/scripts/system.scm (call-with-service-upgrade-info): Rename an internal
  variable to reflect the change to shepherd-service-upgrade.
  (upgrade-shepherd-services): Print the names of services that need to be
  restarted in order to be upgraded.
---
 doc/guix.texi |  8 
 gnu/services/shepherd.scm | 23 ---
 guix/scripts/system.scm   | 20 
 3 files changed, 24 insertions(+), 27 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index d2d278df4..421762122 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -33,7 +33,7 @@ Copyright @copyright{} 2016 Alex ter Weele@*
 Copyright @copyright{} 2017, 2018 Clément Lassieur@*
 Copyright @copyright{} 2017 Mathieu Othacehe@*
 Copyright @copyright{} 2017 Federico Beffa@*
-Copyright @copyright{} 2017 Carlo Zancanaro@*
+Copyright @copyright{} 2017, 2018 Carlo Zancanaro@*
 Copyright @copyright{} 2017 Thomas Danckaert@*
 Copyright @copyright{} 2017 humanitiesNerd@*
 Copyright @copyright{} 2017 Christopher Allan Webber@*
@@ -21143,9 +21143,9 @@ systems already running GuixSD.}.
 This effects all the configuration specified in @var{file}: user
 accounts, system services, global package list, setuid programs, etc.
 The command starts system services specified in @var{file} that are not
-currently running; if a service is currently running, it does not
-attempt to upgrade it since this would not be possible without stopping it
-first.
+currently running; if a service is currently running this command will
+arrange for it to be upgraded the next time it is stopped (eg. by
+@code{herd stop X} or @code{herd restart X}).
 
 This command creates a new generation whose number is one greater than
 the current generation (as reported by @command{guix system
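Review bot: "eg." in the new line `+arrange for it to be upgraded the next time it is stopped (eg. by` should be "e.g." (Texinfo convention is "e.g.@:" to get the sentence spacing right). Since the commit message says reconfigure now prints the names of services that still need restarting, this paragraph should also say so, for instance "The command prints the names of running services that must be restarted with @command{herd restart} to complete the upgrade."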
diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index 4cd224984..4c7e72049 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016, 2018 Ludovic Courtès 
 ;;; Copyright © 2017 Clément Lassieur 
+;;; Copyright © 2018 Carlo Zancanaro 
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -329,7 +330,7 @@ symbols provided/required by a service."
 (define (shepherd-service-upgrade live target)
   "Return two values: the subset of LIVE (a list of ) that needs
 to be unloaded, and the subset of TARGET (a list of ) that
-needs to be loaded."
+need to be restarted to complete their upgrade."
   (define (essential? service)
 (memq (first (live-service-provision service))
   '(root shepherd)))
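Review bot: subject-verb agreement in the rewritten docstring: `+need to be restarted to complete their upgrade."` continues "the subset of TARGET (a list of ...) that", so it should read "needs to be restarted to complete its upgrade", matching "needs to be unloaded" on the line above.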
@@ -346,12 +347,6 @@ needs to be loaded."
 (and=> (lookup-live (shepherd-service-canonical-name service))
live-service-running))
 
-  (define (stopped service)
-(match (lookup-live (shepherd-service-canonical-name service))
-  (#f #f)
-  (service (and (not (live-service-running service))
-service
-
   (define live-service-dependents
 (shepherd-service-back-edges live
  #:provision live-service-provision
@@ -362,16 +357,14 @@ needs to be loaded."
   (#f (every obsolete? (live-service-dependents service)))
   (_  #f)))
 
-  (define to-load
-;; Only load services that are either new or currently stopped.
-(remove running? target))
+  (define to-restart
+;; Restart services that are currently running.
+(filter running? target))
 
   (define to-unload
-;; Unload services that are (1) no longer required, or (2) are in TO-LOAD.
-(remove essential?
-(append (filter obsolete? live)
-(filter-map stopped to-load
+;; Unload services that are no longer required.
+(remove essential? (filter obsolete? live)))
 
-  (values to-unload to-load))
+  (values to-unload to-restart))
 
 ;;; shepherd.scm ends here
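Review bot: `(filter running? target)` under `+  (define to-restart` keeps every running service that appears in TARGET, regardless of whether its definition changed, so the list reconfigure prints will be identical on every run (as noted earlier in this thread). To make the message actionable, compare each running live service with its counterpart in TARGET and keep only those whose definition differs; otherwise the comment `;; Restart services that are currently running.` is accurate but the output is not useful.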
diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm
index 69bd05b51..41a348a5b 100644
--- a/guix/scripts/system.scm
+++ b/guix/scripts/system.scm
@@ -310,9 +310,9 @@ names of services to load (upgrade), and the list of names of services to
 unload."
   (match (current-services)
 ((services ...)
- (let-values (((to-unload to-load)
+ (let-values (((to-unload to-restart)
(shepherd-service-upgrade services new-services)))
-   (m
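Review bot: the docstring in the context lines of `@@ -310,9 +310,9 @@` still says "names of services to load (upgrade), and the list of names of services to unload", while the binding is renamed to `to-restart`; the docstring should describe the second value as the services that need to be restarted. The hunk is truncated in this archive after `-   (m`, so the rest of the change to `call-with-service-upgrade-info` cannot be reviewed here.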

bug#23170: [PATCH shepherd] Restart dependent services on service restart

2018-08-27 Thread Carlo Zancanaro

On Mon, Aug 27 2018, Ludovic Courtès wrote:
> I see that you also reverted the patch that removed the 
> ‘EINTR-safe’ workaround.  Could you explain why that was 
> necessary?  (It should not be necessary with current Guile 
> versions.)


I'm not really sure of the details, but as I mentioned on IRC, 
that commit stopped me from being able to boot. I grafted a new 
version of the Shepherd and reconfigured my system, and when it 
came up my screen was filled with messages complaining that it 
couldn't create things in /dev because they already existed. I 
tested the commits since the previous release and that was the one 
that caused my problem.


I'd like to investigate further, but I have no idea what could be 
causing it. All I have to go on so far is that I think the udev 
service is getting respawned repeatedly, but I don't know why that 
commit would cause that problem. After reverting that commit I 
could successfully boot back into my system and everything is 
working properly again.




bug#23170: [PATCH shepherd] Restart dependent services on service restart

2018-08-26 Thread Carlo Zancanaro
Hey Ludo’!


On 27 August 2018 7:08:34 am AEST, l...@gnu.org wrote:
>I forgot if this was already done, but perhaps you can add a bit in the manual 
>to insist that ‘restart’ is not quite the same as ‘stop’ + ‘start’.

I hadn't done that, but I have now. There aren't many mentions of restart in 
the manual, but I changed the one that seemed most relevant.

>Anyway, it all LGTM, thanks!

Pushed! Thanks for the review.

Carlo






bug#22039: [PATCH] 'guix system reconfigure' must start/restart/stop services

2018-08-26 Thread Carlo Zancanaro
When the next release of the Shepherd is made (including commit 
9ec5ce9a45441417a6ee4138cdcbf1b1f2b2) we should have the 
capability to resolve this ticket.


Attached is my proposed patch from the Guix side. I have tested it 
on my machine by grafting the Shepherd with the appropriate patch 
and it seems to work as expected.


I tested it by changing the substitute-urls in my guix-daemon 
configuration. The output of `ps aux | grep guix-daemon` after 
`guix system reconfigure` showed the substitute-urls were 
unchanged. After `herd restart guix-daemon` the updated 
substitute-urls appeared in `ps aux | grep guix-daemon`. I did not 
need to reboot my system.


One possible improvement would be to print out the services that 
need to be restarted to be upgraded.


From 162bd298563201ebf6eda87d46ae1b64671397da Mon Sep 17 00:00:00 2001
From: Carlo Zancanaro 
Date: Sun, 26 Aug 2018 21:54:14 +1000
Subject: [PATCH] gnu: services: Load all services on reconfigure, not just
 stopped ones

* gnu/services/shepherd.scm (shepherd-service-upgrade): Remove checks for
running services.
---
 gnu/services/shepherd.scm | 25 +
 1 file changed, 5 insertions(+), 20 deletions(-)

diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index 4cd224984..efeb82c86 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016, 2018 Ludovic Courtès 
 ;;; Copyright © 2017 Clément Lassieur 
+;;; Copyright © 2018 Carlo Zancanaro 
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -338,20 +339,6 @@ needs to be loaded."
 (shepherd-service-lookup-procedure target
shepherd-service-provision))
 
-  (define lookup-live
-(shepherd-service-lookup-procedure live
-   live-service-provision))
-
-  (define (running? service)
-(and=> (lookup-live (shepherd-service-canonical-name service))
-   live-service-running))
-
-  (define (stopped service)
-(match (lookup-live (shepherd-service-canonical-name service))
-  (#f #f)
-  (service (and (not (live-service-running service))
-service
-
   (define live-service-dependents
 (shepherd-service-back-edges live
  #:provision live-service-provision
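Review bot: with `running?` and `stopped` removed, the upgrade relies entirely on the Shepherd's service replacement (the commit referenced at the top of this message) to swap the definition of a running service, yet nothing in this patch documents that. The docstring in the context line `needs to be loaded."` and the manual text quoted later in this thread ("if a service is currently running, it does not attempt to upgrade it") should be updated in the same change so the documented behaviour matches the code.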
@@ -363,14 +350,12 @@ needs to be loaded."
   (_  #f)))
 
   (define to-load
-;; Only load services that are either new or currently stopped.
-(remove running? target))
+;; Load all of the new services.
+target)
 
   (define to-unload
-;; Unload services that are (1) no longer required, or (2) are in TO-LOAD.
-(remove essential?
-(append (filter obsolete? live)
-(filter-map stopped to-load
+;; Unload services that are no longer required.
+(remove essential? (filter obsolete? live)))
 
   (values to-unload to-load))
 
-- 
2.18.0





bug#23170: [PATCH shepherd] Restart dependent services on service restart

2018-08-25 Thread Carlo Zancanaro

On Sun, Aug 26 2018, Ludovic Courtès wrote:
> I wonder if there are cases where one might want to restart a 
> service without restarting its dependent services.  We can 
> probably ignore it for now, but perhaps we’ll need to add a flag 
> or a separate action later.
>
> Thoughts?


I think this is best served by 'herd stop', followed by 'herd 
start'. This patch just special-cases the 'restart' action, so 
manually stopping then starting a service will behave as the old 
restart used to.


> For clarity, should we do an explicit “herd stop test1” followed 
> by “herd start test1”?  I know it’s currently equivalent under 
> the hood, but it might be slightly clearer.  WDYT?


Hopefully the above also answers this, too. I did consider whether 
it was worth adding a test for 'herd stop' to make sure it still 
stops dependent services, and 'herd start' to make sure it doesn't 
start dependent services, but in the end I decided not to. I'm 
happy to send through another patch to test these cases, though, 
if you think it would be worthwhile.


Carlo




bug#23170: [PATCH shepherd] Restart dependent services on service restart

2018-08-25 Thread Carlo Zancanaro
I've written a patch to fix this. It's not super smart, but it 
should do the job.


It currently targets the branch after my patch in #32408[1], but 
it's technically an independent change.


[1]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32408

From 50dd3ef4888b04ea3b869da893b23ad69fad8971 Mon Sep 17 00:00:00 2001
From: Carlo Zancanaro 
Date: Sat, 25 Aug 2018 20:32:11 +1000
Subject: [PATCH] service: Restart dependent services on service restart

* modules/shepherd/service.scm (required-by?): New procedure.
(stop): Return a list of canonical-names for stopped dependent services,
including transitive dependencies.
(action)[restart]: Start services based on the return value of stop.
(fold-services): New procedure.
* tests/restart.sh: New file.
* Makefile.am (TESTS): Add tests/restart.sh.
---
 Makefile.am  |  1 +
 modules/shepherd/service.scm | 90 ++--
 tests/restart.sh | 77 ++
 3 files changed, 133 insertions(+), 35 deletions(-)
 create mode 100644 tests/restart.sh

diff --git a/Makefile.am b/Makefile.am
index 4322d7f..d9e21e9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -187,6 +187,7 @@ TESTS =		\
   tests/replacement.sh\
   tests/respawn.sh\
   tests/respawn-throttling.sh			\
+  tests/restart.sh\
   tests/misbehaved-client.sh			\
   tests/no-home.sh\
   tests/pid-file.sh\
diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
index 006309c..510a5ea 100644
--- a/modules/shepherd/service.scm
+++ b/modules/shepherd/service.scm
@@ -358,61 +358,72 @@ NEW-SERVICE."
 (for-each remove-service (provided-by old-service))
 (register-services new-service)))
 
+(define (required-by? service dependent)
+  "Returns #t if DEPENDENT directly requires SERVICE in order to run.  Returns
+#f otherwise."
+  (and (find (lambda (dependency)
+   (memq dependency (provided-by service)))
+ (required-by dependent))
+   #t))
+
 ;; Stop the service, including services that depend on it.  If the
 ;; latter fails, continue anyway.  Return `#f' if it could be stopped.
-(define-method (stop (obj ) . args)
+(define-method (stop (service ) . args)
+  "Stop SERVICE, and any services which depend on it.  Returns a list of
+canonical names for all of the services which have been stopped (including
+transitive dependent services).  This method will print a warning if SERVICE
+is not already running, and will return SERVICE's canonical name in a list."
   ;; Block asyncs so the SIGCHLD handler doesn't execute concurrently.
-  ;; Notably, that makes sure the handler processes the SIGCHLD for OBJ's
-  ;; process once we're done; otherwise, it could end up respawning OBJ.
+  ;; Notably, that makes sure the handler processes the SIGCHLD for SERVICE's
+  ;; process once we're done; otherwise, it could end up respawning SERVICE.
   (call-with-blocked-asyncs
(lambda ()
- (if (not (running? obj))
- (local-output "Service ~a is not running." (canonical-name obj))
- (if (slot-ref obj 'stop-delay?)
+ (if (not (running? service))
+ (begin
+   (local-output "Service ~a is not running." (canonical-name service))
+   (list (canonical-name service)))
+ (if (slot-ref service 'stop-delay?)
  (begin
-   (slot-set! obj 'waiting-for-termination? #t)
+   (slot-set! service 'waiting-for-termination? #t)
(local-output "Service ~a pending to be stopped."
- (canonical-name obj)))
- (begin
-   ;; Stop services that depend on it.
-   (for-each-service
-(lambda (serv)
-  (and (running? serv)
-   (for-each (lambda (sym)
-   (and (memq sym (provided-by obj))
-(stop serv)))
- (required-by serv)
-
+ (canonical-name service))
+   (list (canonical-name service)))
+ (let ((name (canonical-name service))
+   (stopped-dependents (fold-services (lambda (other acc)
+(if (and (running? other)
+ (required-by? service other))
+(append (stop other) acc)
+acc))
+  '(
;; Stop the service itself.
(catch #t
  (lambda ()
-   (apply (slot-ref obj 'stop)
-  (slot-ref obj 'running)
+   (apply (slot-ref service 'stop)
+  (slot-ref service 'running)
 

bug#31303: substitute: guix substitute: error: TLS error in procedure 'handshake'

2018-04-28 Thread Carlo Zancanaro

Hey George,

On Sat, Apr 28 2018, George myglc2 Clemmer wrote:
> g1@sysi17 ~ [env]$ guix environment --substitute-urls=https://g1.local:8080


The guix substitute command only runs a normal http server, so you 
have to use http://, not https://. I think the other servers you 
mention are behind proxies which handle the SSL part and forward 
the requests on to the substitute process.


Does it work if you run this instead?

 guix environment --substitute-urls=http://g1.local:8080

Carlo




bug#30312: documentation: misleading EFI partitioning instructions

2018-02-01 Thread Carlo Zancanaro

On Wed, Jan 31 2018, Ricardo Wurmus wrote:
> Finally, it is not clear where the efi partition should be mounted.
> Should it be /mnt/boot/efi?  If so, should the configuration file
> specify “/mnt/boot/efi” as the target?  Or should it be “/boot/efi”?
>
> An example would be useful here.


We have an example in the manual at "(guix) Using the 
Configuration System" with the following sections:


  ;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader)
                (target "/boot/efi")))

  ;; Assume the target root file system is labelled "my-root",
  ;; and the EFI System Partition has UUID 1234-ABCD.
  (file-systems (cons* (file-system
                         (device "my-root")
                         (title 'label)
                         (mount-point "/")
                         (type "ext4"))
                       (file-system
                         (device (uuid "1234-ABCD" 'fat))
                         (title 'uuid)
                         (mount-point "/boot/efi")
                         (type "vfat"))
                       %base-file-systems))

I know that's a completely different section from the one you're 
talking about, but maybe it can be referenced/copied in the installation 
section. I think we should mount the efi partition at /boot/efi 
during installation, to match the way things will be when we boot 
into the installed system.


Carlo

