Diffstat (limited to 'gnu/services')
-rw-r--r-- | gnu/services/base.scm | 119 | ||||
-rw-r--r-- | gnu/services/cuirass.scm | 6 | ||||
-rw-r--r-- | gnu/services/desktop.scm | 8 | ||||
-rw-r--r-- | gnu/services/dns.scm | 7 | ||||
-rw-r--r-- | gnu/services/games.scm | 3 | ||||
-rw-r--r-- | gnu/services/mail.scm | 51 | ||||
-rw-r--r-- | gnu/services/mcron.scm | 2 | ||||
-rw-r--r-- | gnu/services/ssh.scm | 10 | ||||
-rw-r--r-- | gnu/services/web.scm | 5 |
9 files changed, 156 insertions, 55 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 47c7d8bb27..b10f5cbaf1 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name> ;;; Copyright © 2016 David Craven <david@craven.ch> ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net> +;;; Copyright © 2018 Mathieu Othacehe <m.othacehe@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -1251,18 +1252,57 @@ the tty to run, among other things." (string-concatenate (map cache->config caches))))))) +(define (nscd-action-procedure nscd config option) + ;; XXX: This is duplicated from mcron; factorize. + #~(lambda (_ . args) + ;; Run 'nscd' in a pipe so we can explicitly redirect its output to + ;; 'current-output-port', which at this stage is bound to the client + ;; connection. + (let ((pipe (apply open-pipe* OPEN_READ #$nscd + "-f" #$config #$option args))) + (let loop () + (match (read-line pipe 'concat) + ((? eof-object?) + (catch 'system-error + (lambda () + (zero? (close-pipe pipe))) + (lambda args + ;; There's a race with the SIGCHLD handler, which could + ;; call 'waitpid' before 'close-pipe' above does. If we + ;; get ECHILD, that means we lost the race, but that's + ;; fine. + (or (= ECHILD (system-error-errno args)) + (apply throw args))))) + (line + (display line) + (loop))))))) + +(define (nscd-actions nscd config) + "Return Shepherd actions for NSCD." + ;; Make this functionality available as actions because that's a simple way + ;; to run the right 'nscd' binary with the right config file. + (list (shepherd-action + (name 'statistics) + (documentation "Display statistics about nscd usage.") + (procedure (nscd-action-procedure nscd config "--statistics"))) + (shepherd-action + (name 'invalidate) + (documentation + "Invalidate the given cache--e.g., 'hosts' for host name lookups.") + (procedure (nscd-action-procedure nscd config "--invalidate"))))) + (define (nscd-shepherd-service config) "Return a shepherd service for CONFIG, an <nscd-configuration> object." 
- (let ((nscd.conf (nscd.conf-file config)) + (let ((nscd (file-append (nscd-configuration-glibc config) + "/sbin/nscd")) + (nscd.conf (nscd.conf-file config)) (name-services (nscd-configuration-name-services config))) (list (shepherd-service (documentation "Run libc's name service cache daemon (nscd).") (provision '(nscd)) (requirement '(user-processes)) (start #~(make-forkexec-constructor - (list #$(file-append (nscd-configuration-glibc config) - "/sbin/nscd") - "-f" #$nscd.conf "--foreground") + (list #$nscd "-f" #$nscd.conf "--foreground") ;; Wait for the PID file. However, the PID file is ;; written before nscd is actually listening on its @@ -1276,7 +1316,12 @@ the tty to run, among other things." (string-append dir "/lib")) (list #$@name-services)) ":"))))) - (stop #~(make-kill-destructor)))))) + (stop #~(make-kill-destructor)) + (modules `((ice-9 popen) ;for the actions + (ice-9 rdelim) + (ice-9 match) + ,@%default-modules)) + (actions (nscd-actions nscd nscd.conf)))))) (define nscd-activation ;; Actions to take before starting nscd. 
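Review bot: `nscd-action-procedure` forwards whatever extra `args` the shepherd client supplies straight onto the nscd command line after `#$option`, and nothing checks that the `invalidate` action actually received a table name; as far as I know nscd's `--invalidate` requires an argument, so `herd invalidate nscd` with no table just makes nscd print a usage error into the client connection and the action returns `#f` without a clear message. A one-line guard such as `(when (null? args) (error "invalidate: expected a cache name, e.g. 'hosts'"))` at the top of the lambda, or at least an extended action `documentation` string stating the expected argument, would make the failure mode explicit. The `;; XXX: This is duplicated from mcron; factorize.` note is honest, but the same series already touches the copy in mcron.scm to fix the identical comment typo, which is exactly the drift this duplication invites; moving the pipe-reading loop with its ECHILD race handling into a shared helper in this commit would avoid a third copy later. The body of `nscd-shepherd-service` continues past the end of this hunk.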
@@ -1454,26 +1499,27 @@ starting at FIRST-UID, and under GID." 1+ 1)) -(define (hydra-key-authorization key guix) - "Return a gexp with code to register KEY, a file containing a 'guix archive' -public key, with GUIX." +(define (hydra-key-authorization keys guix) + "Return a gexp with code to register KEYS, a list of files containing 'guix +archive' public keys, with GUIX." #~(unless (file-exists? "/etc/guix/acl") - (let ((pid (primitive-fork))) - (case pid - ((0) - (let* ((key #$key) - (port (open-file key "r0b"))) - (format #t "registering public key '~a'...~%" key) - (close-port (current-input-port)) - (dup port 0) - (execl #$(file-append guix "/bin/guix") - "guix" "archive" "--authorize") - (exit 1))) - (else - (let ((status (cdr (waitpid pid)))) - (unless (zero? status) - (format (current-error-port) "warning: \ -failed to register hydra.gnu.org public key: ~a~%" status)))))))) + (for-each (lambda (key) + (let ((pid (primitive-fork))) + (case pid + ((0) + (let* ((port (open-file key "r0b"))) + (format #t "registering public key '~a'...~%" key) + (close-port (current-input-port)) + (dup port 0) + (execl #$(file-append guix "/bin/guix") + "guix" "archive" "--authorize") + (primitive-exit 1))) + (else + (let ((status (cdr (waitpid pid)))) + (unless (zero? status) + (format (current-error-port) "warning: \ +failed to register public key '~a': ~a~%" key status))))))) + '(#$@keys)))) (define %default-authorized-guix-keys ;; List of authorized substitute keys. @@ -1558,7 +1604,15 @@ failed to register hydra.gnu.org public key: ~a~%" status)))))))) '()) #$@(if tmpdir (list (string-append "TMPDIR=" tmpdir)) - '())) + '()) + + ;; Make sure we run in a UTF-8 locale so that 'guix + ;; offload' correctly restores nars that contain UTF-8 + ;; file names such as 'nss-certs'. See + ;; <https://bugs.gnu.org/32942>. + (string-append "GUIX_LOCPATH=" + #$glibc-utf8-locales "/lib/locale") + "LC_ALL=en_US.utf8") #:log-file #$log-file)) (stop #~(make-kill-destructor)))))) 
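Review bot: In the child branch of `hydra-key-authorization`, `(open-file key "r0b")` and the `dup`/`execl` calls can still raise (missing or unreadable key file, exec failure); an exception raised after `primitive-fork` unwinds through the parent's continuation inside the child, so the child would go on running the rest of the activation code in parallel with the parent instead of exiting. The `(primitive-exit 1)` only covers the case where `execl` returns normally. Wrapping the whole child body as `(catch #t (lambda () …) (lambda _ (primitive-exit 1)))`, or opening the port in the parent before forking so the common failure surfaces there, would close that gap. Also, `(let* ((port …)))` has a single binding and can simply be `let`.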
@@ -1585,10 +1639,9 @@ failed to register hydra.gnu.org public key: ~a~%" status)))))))) ;; otherwise call 'chown' here, but the problem is that on a COW overlayfs, ;; chown leads to an entire copy of the tree, which is a bad idea. - ;; Optionally authorize hydra.gnu.org's key. + ;; Optionally authorize substitute server keys. (if authorize-key? - #~(begin - #$@(map (cut hydra-key-authorization <> guix) keys)) + (hydra-key-authorization keys guix) #~#f)))) (define* (references-file item #:optional (name "references")) @@ -2040,6 +2093,8 @@ This service is not part of @var{%base-services}." (default (file-append shadow "/bin/login"))) (login-arguments kmscon-configuration-login-arguments (default '("-p"))) + (auto-login kmscon-configuration-auto-login + (default #f)) (hardware-acceleration? kmscon-configuration-hardware-acceleration? (default #f))) ; #t causes failure @@ -2051,14 +2106,20 @@ This service is not part of @var{%base-services}." (virtual-terminal (kmscon-configuration-virtual-terminal config)) (login-program (kmscon-configuration-login-program config)) (login-arguments (kmscon-configuration-login-arguments config)) + (auto-login (kmscon-configuration-auto-login config)) (hardware-acceleration? (kmscon-configuration-hardware-acceleration? config))) (define kmscon-command #~(list #$(file-append kmscon "/bin/kmscon") "--login" "--vt" #$virtual-terminal + "--no-switchvt" ;Prevent a switch to the virtual terminal. #$@(if hardware-acceleration? '("--hwaccel") '()) - "--" #$login-program #$@login-arguments)) + "--login" "--" + #$login-program #$@login-arguments + #$@(if auto-login + #~(#$auto-login) + #~()))) (shepherd-service (documentation "kmscon virtual terminal") diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm index 496b2d06c8..36e90fc825 100644 --- a/gnu/services/cuirass.scm +++ b/gnu/services/cuirass.scm 
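Review bot: In `kmscon-command`, `"--login"` now appears twice — once before `"--vt"` and again right before `"--"`; the second occurrence looks accidental, and if it is intentional a short comment should say why kmscon needs it repeated. The new `auto-login` field of `<kmscon-configuration>` carries no documentation and its value is appended after `#$@login-arguments`, so it ends up as the last positional argument of the login program; with the default `login -p`, as far as I can tell, that only pre-fills the user name and the password prompt still appears unless `-f` is added to `login-arguments`, which is worth stating since users will read "auto-login" as "no authentication". I would add a field comment such as `;; user name handed to the login program as its last argument; whether this skips authentication depends on the login program and its arguments` next to `(default #f)`. The record definition and `kmscon-command` are both cut by the hunk boundaries.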
@@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org> -;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com> ;;; Copyright © 2017 Jan Nieuwenhuizen <janneke@gnu.org> ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net> @@ -54,6 +54,8 @@ (default "/var/log/cuirass.log")) (cache-directory cuirass-configuration-cache-directory ;string (dir-name) (default "/var/cache/cuirass")) + (ttl cuirass-configuration-ttl ;integer + (default (* 30 24 3600))) (user cuirass-configuration-user ;string (default "cuirass")) (group cuirass-configuration-group ;string @@ -86,6 +88,7 @@ (group (cuirass-configuration-group config)) (interval (cuirass-configuration-interval config)) (database (cuirass-configuration-database config)) + (ttl (cuirass-configuration-ttl config)) (port (cuirass-configuration-port config)) (host (cuirass-configuration-host config)) (specs (cuirass-configuration-specifications config)) @@ -102,6 +105,7 @@ "--specifications" #$(scheme-file "cuirass-specs.scm" specs) "--database" #$database + "--ttl" #$(string-append (number->string ttl) "s") "--port" #$(number->string port) "--listen" #$host "--interval" #$(number->string interval) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index e038f97683..47d1096c6d 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm 
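Review bot: The new `ttl` field of `<cuirass-configuration>` is annotated only as `;integer`, while the command line built below turns it into `--ttl` with a trailing `"s"`, so the unit is seconds and the default `(* 30 24 3600)` is 30 days; documenting that on the field, e.g. `;integer, seconds`, saves the next reader from cross-referencing the argument list. A negative or non-integer value would produce an argument cuirass presumably rejects at start-up rather than at configuration time, which is worth a sentence in the field documentation if one is added.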
@@ -672,7 +672,7 @@ include the @command{udisksctl} command, part of UDisks, and GNOME Disks." ("KillUserProcesses" (yesno elogind-kill-user-processes?)) ("KillOnlyUsers" (user-name-list elogind-kill-only-users)) ("KillExcludeUsers" (user-name-list elogind-kill-exclude-users)) - ("InhibitDelayMaxSecs" (non-negative-integer elogind-inhibit-delay-max-seconds)) + ("InhibitDelayMaxSec" (non-negative-integer elogind-inhibit-delay-max-seconds)) ("HandlePowerKey" (handle-action elogind-handle-power-key)) ("HandleSuspendKey" (handle-action elogind-handle-suspend-key)) ("HandleHibernateKey" (handle-action elogind-handle-hibernate-key)) @@ -682,16 +682,16 @@ include the @command{udisksctl} command, part of UDisks, and GNOME Disks." ("SuspendKeyIgnoreInhibited" (yesno elogind-suspend-key-ignore-inhibited?)) ("HibernateKeyIgnoreInhibited" (yesno elogind-hibernate-key-ignore-inhibited?)) ("LidSwitchIgnoreInhibited" (yesno elogind-lid-switch-ignore-inhibited?)) - ("HoldoffTimeoutSecs" (non-negative-integer elogind-holdoff-timeout-seconds)) + ("HoldoffTimeoutSec" (non-negative-integer elogind-holdoff-timeout-seconds)) ("IdleAction" (handle-action elogind-idle-action)) - ("IdleActionSeconds" (non-negative-integer elogind-idle-action-seconds)) + ("IdleActionSec" (non-negative-integer elogind-idle-action-seconds)) ("RuntimeDirectorySize" (identity (lambda (config) (match (elogind-runtime-directory-size-percent config) (#f (non-negative-integer (elogind-runtime-directory-size config))) (percent (string-append (non-negative-integer percent) "%")))))) - ("RemoveIpc" (yesno elogind-remove-ipc?)) + ("RemoveIPC" (yesno elogind-remove-ipc?)) "[Sleep]" ("SuspendState" (sleep-list elogind-suspend-state)) ("SuspendMode" (sleep-list elogind-suspend-mode)) diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm index 16bd039f59..1ef754b360 100644 --- a/gnu/services/dns.scm +++ b/gnu/services/dns.scm 
@@ -684,7 +684,8 @@ (string-delete #\? (symbol->string field-name))) (define (serialize-field field-name val) - (format #t "~a=~a\n" (uglify-field-name field-name) val)) + (when (not (member field-name '(group secret-file user))) + (format #t "~a=~a\n" (uglify-field-name field-name) val))) (define (serialize-boolean field-name val) (serialize-field field-name (if val "yes" "no"))) @@ -763,9 +764,9 @@ manually.") (use-modules (guix build utils) (ice-9 rdelim)) (let ((ddclient-user - #$(passwd:uid (getpw (ddclient-configuration-user config)))) + (passwd:uid (getpw #$(ddclient-configuration-user config)))) (ddclient-group - #$(passwd:gid (getpw (ddclient-configuration-group config)))) + (passwd:gid (getpw #$(ddclient-configuration-group config)))) (ddclient-secret-file #$(ddclient-configuration-secret-file config))) ;; 'ddclient' complains about ddclient.conf file permissions, which diff --git a/gnu/services/games.scm b/gnu/services/games.scm index b9d78e078d..b743f6a4b6 100644 --- a/gnu/services/games.scm +++ b/gnu/services/games.scm @@ -65,7 +65,8 @@ (modules '((gnu build shepherd))) (start #~(make-forkexec-constructor/container (list #$(file-append package "/bin/wesnothd") - "-p" #$(number->string port)))) + "-p" #$(number->string port)) + #:user "wesnothd" #:group "wesnothd")) (stop #~(make-kill-destructor))))))) (define wesnothd-service-type diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm index 573efa0433..fcaedd038b 100644 --- a/gnu/services/mail.scm +++ b/gnu/services/mail.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2015 Andy Wingo <wingo@igalia.com> -;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org> +;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org> ;;; Copyright © 2017 Carlo Zancanaro <carlo@zancanaro.id.au> ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> ;;; 
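Review bot: `(when (not (member field-name '(group secret-file user))) …)` in `serialize-field` is more idiomatically written `(unless (member field-name '(group secret-file user)) …)`. More importantly, the reason these three fields are skipped is not stated: presumably they are consumed by the activation code (the `getpw` lookups in the second hunk) rather than by ddclient itself, and would otherwise appear as unknown keys in ddclient.conf. A comment on the `unless` such as `;; These fields configure the Guix service, not ddclient; keep them out of ddclient.conf.` would record that intent. Moving the `getpw` calls inside the gexp so they run on the target system rather than at build time is the right direction for the second hunk.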
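Review bot: Running wesnothd as `#:user "wesnothd" #:group "wesnothd"` is a welcome privilege reduction, but `make-forkexec-constructor/container` can only switch to that account if it exists on the target system, and this hunk shows no `account-service-type` extension creating it; if that extension lives outside the hunk, fine, otherwise the service will fail at start. The two literal strings are also repeated; binding them once (e.g. a `%wesnothd-user` constant shared with the account definition) keeps the account and the constructor from drifting apart. The enclosing `wesnothd-shepherd-service` starts before this hunk.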
@@ -290,11 +290,21 @@ the section name.") "Listeners for the service. A listener is either an @code{unix-listener-configuration}, a @code{fifo-listener-configuration}, or an @code{inet-listener-configuration}.") + (client-limit + (non-negative-integer 0) + "Maximum number of simultaneous client connections per process. Once this +number of connections is received, the next incoming connection will prompt +Dovecot to spawn another process. If set to 0, @code{default-client-limit} is +used instead.") (service-count (non-negative-integer 1) "Number of connections to handle before starting a new process. Typically the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 is faster. <doc/wiki/LoginProcess.txt>.") + (process-limit + (non-negative-integer 0) + "Maximum number of processes that can exist for this service. If set to 0, +@code{default-process-limit} is used instead.") (process-min-avail (non-negative-integer 0) "Number of processes to always keep waiting for more connections.") @@ -475,6 +485,8 @@ complex, customize the address and port fields of the (list (service-configuration (kind "imap-login") + (client-limit 0) + (process-limit 0) (listeners (list (inet-listener-configuration (protocol "imap") (port 143) (ssl? #f)) 
@@ -487,24 +499,33 @@ complex, customize the address and port fields of the (inet-listener-configuration (protocol "pop3s") (port 995) (ssl? #t))))) (service-configuration (kind "lmtp") + (client-limit 1) + (process-limit 0) (listeners (list (unix-listener-configuration (path "lmtp") (mode "0666"))))) - (service-configuration (kind "imap")) - (service-configuration (kind "pop3")) - (service-configuration (kind "auth") - ;; In what could be taken to be a bug, the default value of 1 for - ;; service-count makes it so that a PAM auth worker can't fork off - ;; subprocesses for making blocking queries. The result is that nobody - ;; can log in -- very secure, but not very useful! If we simply omit - ;; the service-count, it will default to the value of - ;; auth-worker-max-count, which is 30, instead of defaulting to 1, which - ;; is the default for all other services. As a hack, bump this value to - ;; 30. - (service-count 30) + (service-configuration + (kind "imap") + (client-limit 1) + (process-limit 1024)) + (service-configuration + (kind "pop3") + (client-limit 1) + (process-limit 1024)) + (service-configuration + (kind "auth") + (service-count 0) + (client-limit 0) + (process-limit 1) (listeners (list (unix-listener-configuration (path "auth-userdb"))))) - (service-configuration (kind "auth-worker")) - (service-configuration (kind "dict") + (service-configuration + (kind "auth-worker") + (client-limit 1) + (process-limit 0)) + (service-configuration + (kind "dict") + (client-limit 1) + (process-limit 0) (listeners (list (unix-listener-configuration (path "dict"))))))) "List of services to enable. Available services include @samp{imap}, @samp{imap-login}, @samp{pop3}, @samp{pop3-login}, @samp{auth}, and diff --git a/gnu/services/mcron.scm b/gnu/services/mcron.scm index 5757bf8cf6..120b663e3e 100644 --- a/gnu/services/mcron.scm +++ b/gnu/services/mcron.scm 
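Review bot: The `auth` service entry drops the long comment that explained the old `service-count 30` workaround, and the replacement values `(service-count 0) (client-limit 0) (process-limit 1)` are left without any rationale; a reader hitting the old "nobody can log in" symptom again has nothing to go on. I would keep a short comment on that entry, e.g. `;; One long-lived auth process (process-limit 1, service-count 0) serving any number of clients, which I take to be Dovecot's stock settings; a per-connection auth process cannot fork PAM workers.`, hedged as appropriate if the Dovecot defaults are not verified. The same applies, more briefly, to why `imap`/`pop3` get `process-limit 1024` while the login and `dict` services get `0`.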
@@ -86,7 +86,7 @@ files." (lambda () (zero? (close-pipe pipe))) (lambda args - ;; There's with race between the SIGCHLD handler, which + ;; There's a race with the SIGCHLD handler, which ;; could call 'waitpid' before 'close-pipe' above does. If ;; we get ECHILD, that means we lost the race, but that's ;; fine. diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 056602248f..bb94c5f41a 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -518,7 +518,15 @@ of user-name/file-like tuples." (service-extension activation-service-type openssh-activation) (service-extension account-service-type - (const %openssh-accounts)))) + (const %openssh-accounts)) + + ;; Install OpenSSH in the system profile. That way, + ;; 'scp' is found when someone tries to copy to or from + ;; this machine. + (service-extension profile-service-type + (lambda (config) + (list (openssh-configuration-openssh + config)))))) (compose concatenate) (extend extend-openssh-authorized-keys) (default-value (openssh-configuration)))) diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 1edb1f4d34..fcf453c248 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -70,6 +70,11 @@ httpd-config-file-user httpd-config-file-group + <httpd-module> + httpd-module + httpd-module? + %default-httpd-modules + httpd-service-type <nginx-configuration> |
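Review bot: In the ssh.scm hunk, `(lambda (config) (list (openssh-configuration-openssh config)))` can be written `(compose list openssh-configuration-openssh)`, which matches the `(compose concatenate)` style two lines below. The comment explains the user-facing motivation (`scp`), which is good; it could also note that this puts the whole OpenSSH package, client binaries included, in the system profile for every user, so the scope of the change is clear to anyone auditing what the service installs. The service-type definition continues outside the hunk.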