Status Update November 2021 —

Status Update November 2021

by Joshua Branson — December 01, 2021

It has been a fun November! You may have noticed that this blog lost the https connectivity for a few days! As a reminder, Guix system renews certificates for domains via

sudo /var/lib/certbot/renew-certificates

The above script is called automatically, but I figured that a good start would be to manually try to run this script and see what happens. So I sshed into the server to give it a try. I got this error message:

Certbot failed to authenticate some domains (authenticator: webroot).
 The Certificate Authority reported these problems:
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for
   - check that a DNS record exists for this domain

  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for
  - check that a DNS record exists for this domain

To fix it I just removed the subdomains “”, and “”, from the config file for this website.

Then re-running certbot totally worked. While we are talking about certbot. I am glad that guix has support for it. They use the python acme client, which certainly works, but I have recently discovered that the OpenBSD folks have made their own acme client. It looks like their client might be dependent on their httpd daemon, which is potentially why Guix System doesn’t use it. Anywho…

In other news, I have still been working on my opensmtpd service using guix records. I made the decision to tweak the records that I am using for my opensmtpd service. Before I had set up the configuration to follow nckx’s advice from #guix irc channel:

" I think Guix services ought to faithfully wrap the native syntax whenever
possible (implement alternative simple APIs on top of that — fine)."

To follow this advice, I avoided trying to develop something like this:

(service email-service-type
     (domains (list "" ""))
     (use-letsencrypt #t)))

Instead I originally tried this type of service configuration, where I had several lists of records of includes, tables, pkis, etc. Other records like the filters, which may have tables, would refer to the table record via a string. This could cause issues where the user mispelled the table name.

(service opensmtpd-service
    (includes ...)
    (tables ...)
    (pkis ...)
    (filters ...)
    (listen-on ...)
    (actions ...)
    (matches ...)))

I also thought of other annoyances. Why would have a list of actions, and then have the match record have a fieldname action that accepts a string of the action name. It would be more robust if instead it accepted an <opensmtpd-action-configuration> record. Well when you start to think like this, the resulting example config may turn into:

(service opensmtpd-service-type
           (list (opensmtpd-listen-on
                  (interface "eth0")
                     (opensmtpd-filter-phase ...)
                     (opensmtpd-filter-phase ...))))
                  (hostnames (opensmtpd-table-configuration
                              (values "" "")))
                   (opensmtpd-ca-configuration ...))
                    (opensmtpd-pki-configuration ...)
                    (opensmtpd-pki-configuration ...))))))
                 (opensmtpd-table ...)))
               (opensmtpd-match-options-configuration ...)))
                 (opensmtpd-maildir-configuration ...))
                (alias (opensmtpd-table ...))))))))))

I believe this change will fix various mispelling errors and should make the service more robust.

Tweaking the datastructure has helped me to find other things that could be simpler. One example is the <opensmtpd-action> record. I used to have the datastructure be the <opensmtpd-action>, which included a fieldname that has as its value either a <opensmtpd-local-delivery-configuration> or a <opensmtpd-relay-configuration> like this:

                                      / \
                                     /   \
                                    /     \
                                   /       \
                                  /         \
<opensmtpd-local-delivery-configuration>   <opensmtpd-relay-configuration>

It is actually simpler to delete the <opensmtpd-action> record, and replace it with two records: <opensmtpd-local-delivery-action> and <opensmtpd-relay-configuration-action>

Of course when you tweak datastructures, then you have to deal with tweaking the code to work with the new datastructures. That is interesting. Most of the TODO items I have for this project are in my file.

Thanks for reading!