aboutsummaryrefslogtreecommitdiff
path: root/gnu/services
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/services')
-rw-r--r--gnu/services/base.scm215
-rw-r--r--gnu/services/certbot.scm1
-rw-r--r--gnu/services/cuirass.scm105
-rw-r--r--gnu/services/cups.scm46
-rw-r--r--gnu/services/desktop.scm40
-rw-r--r--gnu/services/guix.scm212
-rw-r--r--gnu/services/mail.scm4
-rw-r--r--gnu/services/networking.scm285
-rw-r--r--gnu/services/pm.scm7
-rw-r--r--gnu/services/shepherd.scm77
-rw-r--r--gnu/services/virtualization.scm13
-rw-r--r--gnu/services/web.scm5
-rw-r--r--gnu/services/xorg.scm23
13 files changed, 764 insertions, 269 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 537d30add5..e75c56828e 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -8,6 +8,8 @@
;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2018 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2019 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2019 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2019 John Soo <jsoo1@asu.edu>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -40,9 +42,9 @@
#:use-module (gnu packages admin)
#:use-module ((gnu packages linux)
#:select (alsa-utils crda eudev e2fsprogs fuse gpm kbd lvm2 rng-tools))
- #:use-module ((gnu packages base)
- #:select (canonical-package glibc glibc-utf8-locales))
#:use-module (gnu packages bash)
+ #:use-module ((gnu packages base)
+ #:select (canonical-package coreutils glibc glibc-utf8-locales))
#:use-module (gnu packages package-management)
#:use-module ((gnu packages gnupg) #:select (guile-gcrypt))
#:use-module (gnu packages linux)
@@ -571,7 +573,13 @@ file systems, as well as corresponding @file{/etc/fstab} entries.")))
(lambda (seed)
(call-with-output-file "/dev/urandom"
(lambda (urandom)
- (dump-port seed urandom))))))
+ (dump-port seed urandom)
+
+ ;; Writing SEED to URANDOM isn't enough: we must
+ ;; also tell the kernel to account for these
+ ;; extra bits of entropy.
+ (let ((bits (* 8 (stat:size (stat seed)))))
+ (add-to-entropy-count urandom bits)))))))
;; Try writing from /dev/hwrng into /dev/urandom.
;; It seems that the file /dev/hwrng always exists, even
@@ -588,7 +596,9 @@ file systems, as well as corresponding @file{/etc/fstab} entries.")))
(when buf
(call-with-output-file "/dev/urandom"
(lambda (urandom)
- (put-bytevector urandom buf)))))
+ (put-bytevector urandom buf)
+ (let ((bits (* 8 (bytevector-length buf))))
+ (add-to-entropy-count urandom bits))))))
;; Immediately refresh the seed in case the system doesn't
;; shut down cleanly.
@@ -801,10 +811,14 @@ to add @var{device} to the kernel's entropy pool. The service will fail if
(description
"Install the given fonts on the specified ttys (fonts are per
virtual console on GNU/Linux). The value of this service is a list of
-tty/font pairs like:
+tty/font pairs. The font can be the name of a font provided by the @code{kbd}
+package or any valid argument to @command{setfont}, as in this example:
@example
-'((\"tty1\" . \"LatGrkCyr-8x16\"))
+'((\"tty1\" . \"LatGrkCyr-8x16\")
+ (\"tty2\" . (file-append
+ font-tamzen
+ \"/share/kbd/consolefonts/TamzenForPowerline10x20.psf\")))
@end example\n")))
(define* (console-font-service tty #:optional (font "LatGrkCyr-8x16"))
@@ -933,36 +947,38 @@ the message of the day, among other things."
(define (default-serial-port)
"Return a gexp that determines a reasonable default serial port
to use as the tty. This is primarily useful for headless systems."
- #~(begin
- ;; console=device,options
- ;; device: can be tty0, ttyS0, lp0, ttyUSB0 (serial).
- ;; options: BBBBPNF. P n|o|e, N number of bits,
- ;; F flow control (r RTS)
- (let* ((not-comma (char-set-complement (char-set #\,)))
- (command (linux-command-line))
- (agetty-specs (find-long-options "agetty.tty" command))
- (console-specs (filter (lambda (spec)
- (and (string-prefix? "tty" spec)
- (not (or
- (string-prefix? "tty0" spec)
- (string-prefix? "tty1" spec)
- (string-prefix? "tty2" spec)
- (string-prefix? "tty3" spec)
- (string-prefix? "tty4" spec)
- (string-prefix? "tty5" spec)
- (string-prefix? "tty6" spec)
- (string-prefix? "tty7" spec)
- (string-prefix? "tty8" spec)
- (string-prefix? "tty9" spec)))))
- (find-long-options "console" command)))
- (specs (append agetty-specs console-specs)))
- (match specs
- (() #f)
- ((spec _ ...)
- ;; Extract device name from first spec.
- (match (string-tokenize spec not-comma)
- ((device-name _ ...)
- device-name)))))))
+ (with-imported-modules (source-module-closure
+ '((gnu build linux-boot))) ;for 'find-long-options'
+ #~(begin
+ ;; console=device,options
+ ;; device: can be tty0, ttyS0, lp0, ttyUSB0 (serial).
+ ;; options: BBBBPNF. P n|o|e, N number of bits,
+ ;; F flow control (r RTS)
+ (let* ((not-comma (char-set-complement (char-set #\,)))
+ (command (linux-command-line))
+ (agetty-specs (find-long-options "agetty.tty" command))
+ (console-specs (filter (lambda (spec)
+ (and (string-prefix? "tty" spec)
+ (not (or
+ (string-prefix? "tty0" spec)
+ (string-prefix? "tty1" spec)
+ (string-prefix? "tty2" spec)
+ (string-prefix? "tty3" spec)
+ (string-prefix? "tty4" spec)
+ (string-prefix? "tty5" spec)
+ (string-prefix? "tty6" spec)
+ (string-prefix? "tty7" spec)
+ (string-prefix? "tty8" spec)
+ (string-prefix? "tty9" spec)))))
+ (find-long-options "console" command)))
+ (specs (append agetty-specs console-specs)))
+ (match specs
+ (() #f)
+ ((spec _ ...)
+ ;; Extract device name from first spec.
+ (match (string-tokenize spec not-comma)
+ ((device-name _ ...)
+ device-name))))))))
(define agetty-shepherd-service
(match-lambda
@@ -1472,7 +1488,7 @@ information on the configuration file syntax."
(module "pam_limits.so")
(arguments '("conf=/etc/security/limits.conf")))))
(if (member (pam-service-name pam)
- '("login" "su" "slim"))
+ '("login" "su" "slim" "gdm-password"))
(pam-service
(inherit pam)
(session (cons pam-limits
@@ -1988,64 +2004,67 @@ item of @var{packages}."
(requirement '(root-file-system))
(documentation "Populate the /dev directory, dynamically.")
- (start #~(lambda ()
- (define udevd
- ;; 'udevd' from eudev.
- #$(file-append udev "/sbin/udevd"))
-
- (define (wait-for-udevd)
- ;; Wait until someone's listening on udevd's control
- ;; socket.
- (let ((sock (socket AF_UNIX SOCK_SEQPACKET 0)))
- (let try ()
- (catch 'system-error
- (lambda ()
- (connect sock PF_UNIX "/run/udev/control")
- (close-port sock))
- (lambda args
- (format #t "waiting for udevd...~%")
- (usleep 500000)
- (try))))))
-
- ;; Allow udev to find the modules.
- (setenv "LINUX_MODULE_DIRECTORY"
- "/run/booted-system/kernel/lib/modules")
-
- ;; The first one is for udev, the second one for eudev.
- (setenv "UDEV_CONFIG_FILE" #$udev.conf)
- (setenv "EUDEV_RULES_DIRECTORY"
- #$(file-append rules "/lib/udev/rules.d"))
-
- (let* ((kernel-release
- (utsname:release (uname)))
- (linux-module-directory
- (getenv "LINUX_MODULE_DIRECTORY"))
- (directory
- (string-append linux-module-directory "/"
- kernel-release))
- (old-umask (umask #o022)))
- ;; If we're in a container, DIRECTORY might not exist,
- ;; for instance because the host runs a different
- ;; kernel. In that case, skip it; we'll just miss a few
- ;; nodes like /dev/fuse.
- (when (file-exists? directory)
- (make-static-device-nodes directory))
- (umask old-umask))
-
- (let ((pid (fork+exec-command (list udevd))))
- ;; Wait until udevd is up and running. This appears to
- ;; be needed so that the events triggered below are
- ;; actually handled.
- (wait-for-udevd)
-
- ;; Trigger device node creation.
- (system* #$(file-append udev "/bin/udevadm")
- "trigger" "--action=add")
-
- ;; Wait for things to settle down.
- (system* #$(file-append udev "/bin/udevadm")
- "settle")
- pid)))
+ (start
+ (with-imported-modules (source-module-closure
+ '((gnu build linux-boot)))
+ #~(lambda ()
+ (define udevd
+ ;; 'udevd' from eudev.
+ #$(file-append udev "/sbin/udevd"))
+
+ (define (wait-for-udevd)
+ ;; Wait until someone's listening on udevd's control
+ ;; socket.
+ (let ((sock (socket AF_UNIX SOCK_SEQPACKET 0)))
+ (let try ()
+ (catch 'system-error
+ (lambda ()
+ (connect sock PF_UNIX "/run/udev/control")
+ (close-port sock))
+ (lambda args
+ (format #t "waiting for udevd...~%")
+ (usleep 500000)
+ (try))))))
+
+ ;; Allow udev to find the modules.
+ (setenv "LINUX_MODULE_DIRECTORY"
+ "/run/booted-system/kernel/lib/modules")
+
+ ;; The first one is for udev, the second one for eudev.
+ (setenv "UDEV_CONFIG_FILE" #$udev.conf)
+ (setenv "EUDEV_RULES_DIRECTORY"
+ #$(file-append rules "/lib/udev/rules.d"))
+
+ (let* ((kernel-release
+ (utsname:release (uname)))
+ (linux-module-directory
+ (getenv "LINUX_MODULE_DIRECTORY"))
+ (directory
+ (string-append linux-module-directory "/"
+ kernel-release))
+ (old-umask (umask #o022)))
+ ;; If we're in a container, DIRECTORY might not exist,
+ ;; for instance because the host runs a different
+ ;; kernel. In that case, skip it; we'll just miss a few
+ ;; nodes like /dev/fuse.
+ (when (file-exists? directory)
+ (make-static-device-nodes directory))
+ (umask old-umask))
+
+ (let ((pid (fork+exec-command (list udevd))))
+ ;; Wait until udevd is up and running. This appears to
+ ;; be needed so that the events triggered below are
+ ;; actually handled.
+ (wait-for-udevd)
+
+ ;; Trigger device node creation.
+ (system* #$(file-append udev "/bin/udevadm")
+ "trigger" "--action=add")
+
+ ;; Wait for things to settle down.
+ (system* #$(file-append udev "/bin/udevadm")
+ "settle")
+ pid))))
(stop #~(make-kill-destructor))
;; When halting the system, 'udev' is actually killed by
@@ -2053,7 +2072,7 @@ item of @var{packages}."
;; Thus, make sure it is not respawned.
(respawn? #f)
;; We need additional modules.
- (modules `((gnu build linux-boot)
+ (modules `((gnu build linux-boot) ;'make-static-device-nodes'
,@%default-modules))
(actions (list (shepherd-action
@@ -2420,6 +2439,8 @@ to handle."
(service special-files-service-type
`(("/bin/sh" ,(file-append (canonical-package bash)
- "/bin/sh"))))))
+ "/bin/sh"))
+ ("/usr/bin/env" ,(file-append (canonical-package coreutils)
+ "/bin/env"))))))
;;; base.scm ends here
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index ae34ad17bb..0d3be03383 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -99,6 +99,7 @@
"--manual"
(string-append "--preferred-challenges=" challenge)
"--cert-name" name
+ "--manual-public-ip-logging-ok"
"-d" (string-join domains ","))
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
(if authentication-hook
diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm
index f92d33bf94..914a0d337f 100644
--- a/gnu/services/cuirass.scm
+++ b/gnu/services/cuirass.scm
@@ -3,7 +3,7 @@
;;; Copyright © 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2017 Jan Nieuwenhuizen <janneke@gnu.org>
-;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
;;;
;;; This file is part of GNU Guix.
@@ -52,6 +52,8 @@
(default cuirass))
(log-file cuirass-configuration-log-file ;string
(default "/var/log/cuirass.log"))
+ (web-log-file cuirass-configuration-web-log-file ;string
+ (default "/var/log/cuirass-web.log"))
(cache-directory cuirass-configuration-cache-directory ;string (dir-name)
(default "/var/cache/cuirass"))
(ttl cuirass-configuration-ttl ;integer
@@ -79,49 +81,68 @@
(define (cuirass-shepherd-service config)
"Return a <shepherd-service> for the Cuirass service with CONFIG."
- (and
- (cuirass-configuration? config)
- (let ((cuirass (cuirass-configuration-cuirass config))
- (cache-directory (cuirass-configuration-cache-directory config))
- (log-file (cuirass-configuration-log-file config))
- (user (cuirass-configuration-user config))
- (group (cuirass-configuration-group config))
- (interval (cuirass-configuration-interval config))
- (database (cuirass-configuration-database config))
- (ttl (cuirass-configuration-ttl config))
- (port (cuirass-configuration-port config))
- (host (cuirass-configuration-host config))
- (specs (cuirass-configuration-specifications config))
- (use-substitutes? (cuirass-configuration-use-substitutes? config))
- (one-shot? (cuirass-configuration-one-shot? config))
- (fallback? (cuirass-configuration-fallback? config)))
- (list (shepherd-service
- (documentation "Run Cuirass.")
- (provision '(cuirass))
- (requirement '(guix-daemon networking))
- (start #~(make-forkexec-constructor
- (list (string-append #$cuirass "/bin/cuirass")
- "--cache-directory" #$cache-directory
- "--specifications"
- #$(scheme-file "cuirass-specs.scm" specs)
- "--database" #$database
- "--ttl" #$(string-append (number->string ttl) "s")
- "--port" #$(number->string port)
- "--listen" #$host
- "--interval" #$(number->string interval)
- #$@(if use-substitutes? '("--use-substitutes") '())
- #$@(if one-shot? '("--one-shot") '())
- #$@(if fallback? '("--fallback") '()))
+ (let ((cuirass (cuirass-configuration-cuirass config))
+ (cache-directory (cuirass-configuration-cache-directory config))
+ (web-log-file (cuirass-configuration-web-log-file config))
+ (log-file (cuirass-configuration-log-file config))
+ (user (cuirass-configuration-user config))
+ (group (cuirass-configuration-group config))
+ (interval (cuirass-configuration-interval config))
+ (database (cuirass-configuration-database config))
+ (ttl (cuirass-configuration-ttl config))
+ (port (cuirass-configuration-port config))
+ (host (cuirass-configuration-host config))
+ (specs (cuirass-configuration-specifications config))
+ (use-substitutes? (cuirass-configuration-use-substitutes? config))
+ (one-shot? (cuirass-configuration-one-shot? config))
+ (fallback? (cuirass-configuration-fallback? config)))
+ (list (shepherd-service
+ (documentation "Run Cuirass.")
+ (provision '(cuirass))
+ (requirement '(guix-daemon networking))
+ (start #~(make-forkexec-constructor
+ (list (string-append #$cuirass "/bin/cuirass")
+ "--cache-directory" #$cache-directory
+ "--specifications"
+ #$(scheme-file "cuirass-specs.scm" specs)
+ "--database" #$database
+ "--ttl" #$(string-append (number->string ttl) "s")
+ "--interval" #$(number->string interval)
+ #$@(if use-substitutes? '("--use-substitutes") '())
+ #$@(if one-shot? '("--one-shot") '())
+ #$@(if fallback? '("--fallback") '()))
- #:environment-variables
- (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt"
- (string-append "GIT_EXEC_PATH=" #$git
- "/libexec/git-core"))
+ #:environment-variables
+ (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt"
+ (string-append "GIT_EXEC_PATH=" #$git
+ "/libexec/git-core"))
- #:user #$user
- #:group #$group
- #:log-file #$log-file))
- (stop #~(make-kill-destructor)))))))
+ #:user #$user
+ #:group #$group
+ #:log-file #$log-file))
+ (stop #~(make-kill-destructor)))
+ (shepherd-service
+ (documentation "Run Cuirass web interface.")
+ (provision '(cuirass-web))
+ (requirement '(guix-daemon networking))
+ (start #~(make-forkexec-constructor
+ (list (string-append #$cuirass "/bin/cuirass")
+ "--cache-directory" #$cache-directory
+ "--specifications"
+ #$(scheme-file "cuirass-specs.scm" specs)
+ "--database" #$database
+ "--ttl" #$(string-append (number->string ttl) "s")
+ "--web"
+ "--port" #$(number->string port)
+ "--listen" #$host
+ "--interval" #$(number->string interval)
+ #$@(if use-substitutes? '("--use-substitutes") '())
+ #$@(if fallback? '("--fallback") '()))
+
+ #:user #$user
+ #:group #$group
+ #:log-file #$web-log-file))
+ (stop #~(make-kill-destructor))))))
(define (cuirass-account config)
"Return the user accounts and user groups for CONFIG."
diff --git a/gnu/services/cups.scm b/gnu/services/cups.scm
index 9d21b6e70c..c3c6d2f1be 100644
--- a/gnu/services/cups.scm
+++ b/gnu/services/cups.scm
@@ -3,6 +3,7 @@
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2019 Alex Griffin <a@ajgrf.com>
+;;; Copyright © 2019 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -82,6 +83,14 @@
(define (serialize-multiline-string-list field-name val)
(for-each (lambda (str) (serialize-field field-name str)) val))
+(define (comma-separated-string-list? val)
+ (and (list? val)
+ (and-map (lambda (x)
+ (and (string? x) (not (string-index x #\,))))
+ val)))
+(define (serialize-comma-separated-string-list field-name val)
+ (serialize-field field-name (string-join val ",")))
+
(define (space-separated-string-list? val)
(and (list? val)
(and-map (lambda (x)
@@ -130,7 +139,7 @@
(define-enumerated-field-type default-encryption
(Never IfRequested Required))
(define-enumerated-field-type error-policy
- (abort-job retry-job retry-this-job stop-printer))
+ (abort-job retry-job retry-current-job stop-printer))
(define-enumerated-field-type log-level
(none emerg alert crit error warn notice info debug debug2))
(define-enumerated-field-type log-time-format
@@ -170,7 +179,10 @@
(define (ssl-options? x)
(and (list? x)
- (and-map (lambda (elt) (memq elt '(AllowRC4 AllowSSL3))) x)))
+ (and-map (lambda (elt) (memq elt '(AllowRC4
+ AllowSSL3
+ DenyCBC
+ DenyTLS1.0))) x)))
(define (serialize-ssl-options field-name val)
(serialize-field field-name
(match val
@@ -446,7 +458,10 @@ or state files.")
(user
(string "lp")
"Specifies the user name or ID that is used when running external
-programs."))
+programs.")
+ (set-env
+ (string "variable value")
+ "Set the specified environment variable to be passed to child processes."))
(define (serialize-files-configuration field-name val)
#f)
@@ -485,6 +500,11 @@ requests.")
(boolean #f)
"Specifies whether to purge job history data automatically when it is no
longer required for quotas.")
+ (browse-dns-sd-sub-types
+ (comma-separated-string-list (list "_cups"))
+ "Specifies a list of DNS-SD sub-types to advertise for each shared printer.
+For example, @samp{\"_cups\" \"_print\"} will tell network clients that both
+CUPS sharing and IPP Everywhere are supported.")
(browse-local-protocols
(browse-local-protocols 'dnssd)
"Specifies which protocols to use for local printer sharing.")
@@ -534,7 +554,7 @@ typically within a few milliseconds.")
(error-policy 'stop-printer)
"Specifies what to do when an error occurs. Possible values are
@code{abort-job}, which will discard the failed print job; @code{retry-job},
-which will retry the job at a later time; @code{retry-this-job}, which retries
+which will retry the job at a later time; @code{retry-current-job}, which retries
the failed job immediately; and @code{stop-printer}, which stops the
printer.")
(filter-limit
@@ -794,9 +814,6 @@ reports @code{CUPS 2.0}. @code{Minimal} reports @code{CUPS 2.0.0}. @code{OS}
reports @code{CUPS 2.0.0 (@var{uname})} where @var{uname} is the output of the
@code{uname} command. @code{Full} reports @code{CUPS 2.0.0 (@var{uname})
IPP/2.0}.")
- (set-env
- (string "variable value")
- "Set the specified environment variable to be passed to child processes.")
(ssl-listen
(multiline-string-list '())
"Listens on the specified interfaces for encrypted connections. Valid
@@ -805,12 +822,15 @@ an IPv6 address enclosed in brackets, an IPv4 address, or @code{*} to indicate
all addresses.")
(ssl-options
(ssl-options '())
- "Sets encryption options.
-By default, CUPS only supports encryption using TLS v1.0 or higher using known
-secure cipher suites. The @code{AllowRC4} option enables the 128-bit RC4
-cipher suites, which are required for some older clients that do not implement
-newer ones. The @code{AllowSSL3} option enables SSL v3.0, which is required
-for some older clients that do not support TLS v1.0.")
+ "Sets encryption options. By default, CUPS only supports encryption
+using TLS v1.0 or higher using known secure cipher suites. Security is
+reduced when @code{Allow} options are used, and enhanced when @code{Deny}
+options are used. The @code{AllowRC4} option enables the 128-bit RC4 cipher
+suites, which are required for some older clients. The @code{AllowSSL3} option
+enables SSL v3.0, which is required for some older clients that do not support
+TLS v1.0. The @code{DenyCBC} option disables all CBC cipher suites. The
+@code{DenyTLS1.0} option disables TLS v1.0 support - this sets the minimum
+protocol version to TLS v1.1.")
#;
(ssl-port
(non-negative-integer 631)
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 343d507c14..a32756e040 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -963,23 +963,29 @@ with the administrator's password."
(match-record enlightenment-desktop-configuration
<enlightenment-desktop-configuration>
(enlightenment)
- (list (file-append enlightenment
- "/lib/enlightenment/utils/enlightenment_sys")
- (file-append enlightenment
- "/lib/enlightenment/utils/enlightenment_backlight")
- ;; TODO: Move this binary to a screen-locker service.
- (file-append enlightenment
- "/lib/enlightenment/utils/enlightenment_ckpasswd")
- (file-append enlightenment
- (string-append
- "/lib/enlightenment/modules/cpufreq/"
- (match (string-tokenize (%current-system)
- (char-set-complement (char-set #\-)))
- ((arch "linux") (string-append "linux-gnu-" arch))
- ((arch "gnu") (string-append "gnu-" arch)))
- "-"
- (version-major+minor (package-version enlightenment))
- "/freqset")))))
+ (let ((module-arch (match (string-tokenize (%current-system)
+ (char-set-complement (char-set #\-)))
+ ((arch "linux") (string-append "linux-gnu-" arch))
+ ((arch "gnu") (string-append "gnu-" arch)))))
+ (list (file-append enlightenment
+ "/lib/enlightenment/utils/enlightenment_sys")
+ (file-append enlightenment
+ "/lib/enlightenment/utils/enlightenment_backlight")
+ ;; TODO: Move this binary to a screen-locker service.
+ (file-append enlightenment
+ "/lib/enlightenment/utils/enlightenment_ckpasswd")
+ (file-append enlightenment
+ (string-append
+ "/lib/enlightenment/modules/cpufreq/"
+ module-arch "-"
+ (package-version enlightenment)
+ "/freqset"))
+ (file-append enlightenment
+ (string-append
+ "/lib/enlightenment/modules/sysinfo/"
+ module-arch "-"
+ (package-version enlightenment)
+ "/cpuclock_sysfs"))))))
(define enlightenment-desktop-service-type
(service-type
diff --git a/gnu/services/guix.scm b/gnu/services/guix.scm
new file mode 100644
index 0000000000..0f0fad39b0
--- /dev/null
+++ b/gnu/services/guix.scm
@@ -0,0 +1,212 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2019 Christopher Baines <mail@cbaines.net>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services guix)
+ #:use-module (ice-9 match)
+ #:use-module (guix gexp)
+ #:use-module (guix records)
+ #:use-module ((gnu packages base)
+ #:select (glibc-utf8-locales))
+ #:use-module (gnu packages admin)
+ #:use-module (gnu packages web)
+ #:use-module (gnu services)
+ #:use-module (gnu services base)
+ #:use-module (gnu services admin)
+ #:use-module (gnu services shepherd)
+ #:use-module (gnu services getmail)
+ #:use-module (gnu system shadow)
+ #:export (<guix-data-service-configuration>
+ guix-data-service-configuration
+ guix-data-service-configuration?
+ guix-data-service-package
+ guix-data-service-user
+ guix-data-service-group
+ guix-data-service-port
+ guix-data-service-host
+ guix-data-service-getmail-idle-mailboxes
+ guix-data-service-commits-getmail-retriever-configuration
+
+ guix-data-service-type))
+
+;;;; Commentary:
+;;;
+;;; This module implements a service that to run instances of the Guix Data
+;;; Service, which provides data about Guix over time.
+;;;
+;;;; Code:
+
+(define-record-type* <guix-data-service-configuration>
+ guix-data-service-configuration make-guix-data-service-configuration
+ guix-data-service-configuration?
+ (package guix-data-service-package
+ (default guix-data-service))
+ (user guix-data-service-configuration-user
+ (default "guix-data-service"))
+ (group guix-data-service-configuration-group
+ (default "guix-data-service"))
+ (port guix-data-service-port
+ (default 8765))
+ (host guix-data-service-host
+ (default "127.0.0.1"))
+ (getmail-idle-mailboxes
+ guix-data-service-getmail-idle-mailboxes
+ (default #f))
+ (commits-getmail-retriever-configuration
+ guix-data-service-commits-getmail-retriever-configuration
+ (default #f)))
+
+(define (guix-data-service-profile-packages config)
+ "Return the guix-data-service package, this will populate the
+ca-certificates.crt file in the system profile."
+ (list
+ (guix-data-service-package config)))
+
+(define (guix-data-service-shepherd-services config)
+ (match-record config <guix-data-service-configuration>
+ (package user group port host)
+ (list
+ (shepherd-service
+ (documentation "Guix Data Service web server")
+ (provision '(guix-data-service))
+ (requirement '(postgres networking))
+ (start #~(make-forkexec-constructor
+ (list #$(file-append package
+ "/bin/guix-data-service")
+ "--pid-file=/var/run/guix-data-service/pid"
+ #$(string-append "--port=" (number->string port))
+ #$(string-append "--host=" host)
+ ;; Perform any database migrations when the
+ ;; service is started
+ "--update-database")
+
+ #:user #$user
+ #:group #$group
+ #:pid-file "/var/run/guix-data-service/pid"
+ ;; Allow time for migrations to run
+ #:pid-file-timeout 60
+ #:environment-variables
+ `(,(string-append
+ "GUIX_LOCPATH=" #$glibc-utf8-locales "/lib/locale")
+ "LC_ALL=en_US.utf8")
+ #:log-file "/var/log/guix-data-service/web.log"))
+ (stop #~(make-kill-destructor)))
+
+ (shepherd-service
+ (documentation "Guix Data Service process jobs")
+ (provision '(guix-data-service-process-jobs))
+ (requirement '(postgres
+ networking
+ ;; Require guix-data-service, as that the database
+ ;; migrations are handled through this service
+ guix-data-service))
+ (start #~(make-forkexec-constructor
+ (list
+ #$(file-append package
+ "/bin/guix-data-service-process-jobs"))
+ #:user #$user
+ #:group #$group
+ #:environment-variables
+ `("HOME=/var/lib/guix-data-service"
+ "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt"
+ ,(string-append
+ "GUIX_LOCPATH=" #$glibc-utf8-locales "/lib/locale")
+ "LC_ALL=en_US.utf8")
+ #:log-file "/var/log/guix-data-service/process-jobs.log"))
+ (stop #~(make-kill-destructor))))))
+
+(define (guix-data-service-activation config)
+ #~(begin
+ (use-modules (guix build utils))
+
+ (define %user (getpw "guix-data-service"))
+
+ (chmod "/var/lib/guix-data-service" #o755)
+
+ (mkdir-p "/var/log/guix-data-service")
+
+ ;; Allow writing the PID file
+ (mkdir-p "/var/run/guix-data-service")
+ (chown "/var/run/guix-data-service"
+ (passwd:uid %user)
+ (passwd:gid %user))))
+
+(define (guix-data-service-account config)
+ (match-record config <guix-data-service-configuration>
+ (user group)
+ (list (user-group
+ (name group)
+ (system? #t))
+ (user-account
+ (name user)
+ (group group)
+ (system? #t)
+ (comment "Guix Data Service user")
+ (home-directory "/var/lib/guix-data-service")
+ (shell (file-append shadow "/sbin/nologin"))))))
+
+(define (guix-data-service-getmail-configuration config)
+ (match config
+ (($ <guix-data-service-configuration> package user group
+ port host
+ #f #f)
+ '())
+ (($ <guix-data-service-configuration> package user group
+ port host
+ getmail-idle-mailboxes
+ commits-getmail-retriever-configuration)
+ (list
+ (getmail-configuration
+ (name 'guix-data-service)
+ (user user)
+ (group group)
+ (directory "/var/lib/getmail/guix-data-service")
+ (rcfile
+ (getmail-configuration-file
+ (retriever commits-getmail-retriever-configuration)
+ (destination
+ (getmail-destination-configuration
+ (type "MDA_external")
+ (path (file-append
+ package
+ "/bin/guix-data-service-process-branch-updated-email"))))
+ (options
+ (getmail-options-configuration
+ (read-all #f)
+ (delivered-to #f)
+ (received #f)))))
+ (idle getmail-idle-mailboxes))))))
+
+(define guix-data-service-type
+ (service-type
+ (name 'guix-data-service)
+ (extensions
+ (list
+ (service-extension profile-service-type
+ guix-data-service-profile-packages)
+ (service-extension shepherd-root-service-type
+ guix-data-service-shepherd-services)
+ (service-extension activation-service-type
+ guix-data-service-activation)
+ (service-extension account-service-type
+ guix-data-service-account)
+ (service-extension getmail-service-type
+ guix-data-service-getmail-configuration)))
+ (default-value
+ (guix-data-service-configuration))
+ (description
+ "Run an instance of the Guix Data Service.")))
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index 3de0b4c2f3..2606aa9e3e 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -137,7 +137,7 @@
(define (free-form-fields? val)
(match val
(() #t)
- ((((? symbol?) . (? string)) . val) (free-form-fields? val))
+ ((((? symbol?) . (? string?)) . val) (free-form-fields? val))
(_ #f)))
(define (serialize-free-form-fields field-name val)
(for-each (match-lambda ((k . v) (serialize-field k v))) val))
@@ -145,7 +145,7 @@
(define (free-form-args? val)
(match val
(() #t)
- ((((? symbol?) . (? string)) . val) (free-form-args? val))
+ ((((? symbol?) . (? string?)) . val) (free-form-args? val))
(_ #f)))
(define (serialize-free-form-args field-name val)
(serialize-field field-name
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 376b4ccc4e..dd63009116 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -11,6 +11,7 @@
;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2019 Florian Pelz <pelzflorian@pelzflorian.de>
;;; Copyright © 2019 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2019 Sou Bunnbu <iyzsong@member.fsf.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -51,6 +52,7 @@
#:use-module (guix records)
#:use-module (guix modules)
#:use-module (guix deprecation)
+ #:use-module (rnrs enums)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-26)
@@ -72,13 +74,22 @@
dhcpd-configuration-pid-file
dhcpd-configuration-interfaces
- %ntp-servers
-
ntp-configuration
ntp-configuration?
+ ntp-configuration-ntp
+ ntp-configuration-servers
+ ntp-allow-large-adjustment?
+
+ %ntp-servers
+ ntp-server
+ ntp-server-type
+ ntp-server-address
+ ntp-server-options
+
ntp-service
ntp-service-type
+ %openntpd-servers
openntpd-configuration
openntpd-configuration?
openntpd-service-type
@@ -134,7 +145,14 @@
iptables-configuration-iptables
iptables-configuration-ipv4-rules
iptables-configuration-ipv6-rules
- iptables-service-type))
+ iptables-service-type
+
+ nftables-service-type
+ nftables-configuration
+ nftables-configuration?
+ nftables-configuration-package
+ nftables-configuration-ruleset
+ %default-nftables-ruleset))
;;; Commentary:
;;;
@@ -292,30 +310,86 @@ Protocol (DHCP) client, on all the non-loopback network interfaces."
(list (service-extension shepherd-root-service-type dhcpd-shepherd-service)
(service-extension activation-service-type dhcpd-activation)))))
-(define %ntp-servers
- ;; Default set of NTP servers. These URLs are managed by the NTP Pool project.
- ;; Within Guix, Leo Famulari <leo@famulari.name> is the administrative contact
- ;; for this NTP pool "zone".
- '("0.guix.pool.ntp.org"
- "1.guix.pool.ntp.org"
- "2.guix.pool.ntp.org"
- "3.guix.pool.ntp.org"))
-
;;;
;;; NTP.
;;;
-;; TODO: Export.
+(define ntp-server-types (make-enumeration
+ '(pool
+ server
+ peer
+ broadcast
+ manycastclient)))
+
+(define-record-type* <ntp-server>
+ ntp-server make-ntp-server
+ ntp-server?
+ ;; The type can be one of the symbols of the NTP-SERVER-TYPE? enumeration.
+ (type ntp-server-type
+ (default 'server))
+ (address ntp-server-address) ; a string
+ ;; The list of options can contain single option names or tuples in the form
+ ;; '(name value).
+ (options ntp-server-options
+ (default '())))
+
+(define (ntp-server->string ntp-server)
+ ;; Serialize the NTP server object as a string, ready to use in the NTP
+ ;; configuration file.
+ (define (flatten lst)
+ (reverse
+ (let loop ((x lst)
+ (res '()))
+ (if (list? x)
+ (fold loop res x)
+ (cons (format #f "~s" x) res)))))
+
+ (match ntp-server
+ (($ <ntp-server> type address options)
+ ;; XXX: It'd be neater if fields were validated at the syntax level (for
+ ;; static ones at least). Perhaps the Guix record type could support a
+ ;; predicate property on a field?
+ (unless (enum-set-member? type ntp-server-types)
+ (error "Invalid NTP server type" type))
+ (string-join (cons* (symbol->string type)
+ address
+ (flatten options))))))
+
+(define %ntp-servers
+ ;; Default set of NTP servers. These URLs are managed by the NTP Pool project.
+ ;; Within Guix, Leo Famulari <leo@famulari.name> is the administrative contact
+ ;; for this NTP pool "zone".
+ (list
+ (ntp-server
+ (type 'pool)
+ (address "0.guix.pool.ntp.org")
+ (options '("iburst"))))) ;as recommended in the ntpd manual
+
(define-record-type* <ntp-configuration>
ntp-configuration make-ntp-configuration
ntp-configuration?
(ntp ntp-configuration-ntp
(default ntp))
- (servers ntp-configuration-servers
+ (servers %ntp-configuration-servers ;list of <ntp-server> objects
(default %ntp-servers))
(allow-large-adjustment? ntp-allow-large-adjustment?
- (default #f)))
+ (default #t))) ;as recommended in the ntpd manual
+
+(define (ntp-configuration-servers ntp-configuration)
+ ;; A wrapper to support the deprecated form of this field.
+ (let ((ntp-servers (%ntp-configuration-servers ntp-configuration)))
+ (match ntp-servers
+ (((? string?) (? string?) ...)
+ (format (current-error-port) "warning: Defining NTP servers as strings is \
+deprecated. Please use <ntp-server> records instead.\n")
+ (map (lambda (addr)
+ (ntp-server
+ (type 'server)
+ (address addr)
+ (options '()))) ntp-servers))
+ ((($ <ntp-server>) ($ <ntp-server>) ...)
+ ntp-servers))))
(define ntp-shepherd-service
(match-lambda
@@ -324,18 +398,21 @@ Protocol (DHCP) client, on all the non-loopback network interfaces."
;; TODO: Add authentication support.
(define config
(string-append "driftfile /var/run/ntpd/ntp.drift\n"
- (string-join (map (cut string-append "server " <>)
- servers)
+ (string-join (map ntp-server->string servers)
"\n")
"
# Disable status queries as a workaround for CVE-2013-5211:
# <http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using>.
-restrict default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
+restrict default kod nomodify notrap nopeer noquery limited
+restrict -6 default kod nomodify notrap nopeer noquery limited
# Yet, allow use of the local 'ntpq'.
restrict 127.0.0.1
-restrict -6 ::1\n"))
+restrict -6 ::1
+
+# This is required to use servers from a pool directive when using the 'nopeer'
+# option by default, as documented in the 'ntp.conf' manual.
+restrict source notrap nomodify noquery\n"))
(define ntpd.conf
(plain-file "ntpd.conf" config))
@@ -409,6 +486,9 @@ make an initial adjustment of more than 1,000 seconds."
;;; OpenNTPD.
;;;
+(define %openntpd-servers
+ (map ntp-server-address %ntp-servers))
+
(define-record-type* <openntpd-configuration>
openntpd-configuration make-openntpd-configuration
openntpd-configuration?
@@ -422,9 +502,9 @@ make an initial adjustment of more than 1,000 seconds."
(sensor openntpd-sensor
(default '()))
(server openntpd-server
- (default %ntp-servers))
- (servers openntpd-servers
(default '()))
+ (servers openntpd-servers
+ (default %openntpd-servers))
(constraint-from openntpd-constraint-from
(default '()))
(constraints-from openntpd-constraints-from
@@ -432,45 +512,58 @@ make an initial adjustment of more than 1,000 seconds."
(allow-large-adjustment? openntpd-allow-large-adjustment?
(default #f))) ; upstream default
-(define (openntpd-shepherd-service config)
+(define (openntpd-configuration->string config)
+
+ (define (quote-field? name)
+ (member name '("constraints from")))
+
(match-record config <openntpd-configuration>
- (openntpd listen-on query-from sensor server servers constraint-from
- constraints-from allow-large-adjustment?)
- (let ()
- (define config
- (string-join
- (filter-map
- (lambda (field value)
- (string-join
- (map (cut string-append field <> "\n")
- value)))
- '("listen on " "query from " "sensor " "server " "servers "
- "constraint from ")
- (list listen-on query-from sensor server servers constraint-from))
- ;; The 'constraints from' field needs to be enclosed in double quotes.
- (string-join
- (map (cut string-append "constraints from \"" <> "\"\n")
- constraints-from))))
-
- (define ntpd.conf
- (plain-file "ntpd.conf" config))
-
- (list (shepherd-service
- (provision '(ntpd))
- (documentation "Run the Network Time Protocol (NTP) daemon.")
- (requirement '(user-processes networking))
- (start #~(make-forkexec-constructor
- (list (string-append #$openntpd "/sbin/ntpd")
- "-f" #$ntpd.conf
- "-d" ;; don't daemonize
- #$@(if allow-large-adjustment?
- '("-s")
- '()))
- ;; When ntpd is daemonized it repeatedly tries to respawn
- ;; while running, leading shepherd to disable it. To
- ;; prevent spamming stderr, redirect output to logfile.
- #:log-file "/var/log/ntpd"))
- (stop #~(make-kill-destructor)))))))
+ (listen-on query-from sensor server servers constraint-from
+ constraints-from)
+ (string-append
+ (string-join
+ (concatenate
+ (filter-map (lambda (field values)
+ (match values
+ (() #f) ;discard entry with filter-map
+ ((val ...) ;validate value type
+ (map (lambda (value)
+ (if (quote-field? field)
+ (format #f "~a \"~a\"" field value)
+ (format #f "~a ~a" field value)))
+ values))))
+ ;; The entry names.
+ '("listen on" "query from" "sensor" "server" "servers"
+ "constraint from" "constraints from")
+ ;; The corresponding entry values.
+ (list listen-on query-from sensor server servers
+ constraint-from constraints-from)))
+ "\n")
+ "\n"))) ;add a trailing newline
+
+(define (openntpd-shepherd-service config)
+ (let ((openntpd (openntpd-configuration-openntpd config))
+ (allow-large-adjustment? (openntpd-allow-large-adjustment? config)))
+
+ (define ntpd.conf
+ (plain-file "ntpd.conf" (openntpd-configuration->string config)))
+
+ (list (shepherd-service
+ (provision '(ntpd))
+ (documentation "Run the Network Time Protocol (NTP) daemon.")
+ (requirement '(user-processes networking))
+ (start #~(make-forkexec-constructor
+ (list (string-append #$openntpd "/sbin/ntpd")
+ "-f" #$ntpd.conf
+ "-d" ;; don't daemonize
+ #$@(if allow-large-adjustment?
+ '("-s")
+ '()))
+ ;; When ntpd is daemonized it repeatedly tries to respawn
+ ;; while running, leading shepherd to disable it. To
+ ;; prevent spamming stderr, redirect output to logfile.
+ #:log-file "/var/log/ntpd"))
+ (stop #~(make-kill-destructor))))))
(define (openntpd-service-activation config)
"Return the activation gexp for CONFIG."
@@ -1330,4 +1423,76 @@ COMMIT
(list (service-extension shepherd-root-service-type
(compose list iptables-shepherd-service))))))
+;;;
+;;; nftables
+;;;
+
+(define %default-nftables-ruleset
+ (plain-file "nftables.conf"
+ "# A simple and safe firewall
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ # early drop of invalid connections
+ ct state invalid drop
+
+ # allow established/related connections
+ ct state { established, related } accept
+
+ # allow from loopback
+ iifname lo accept
+
+ # allow icmp
+ ip protocol icmp accept
+ ip6 nexthdr icmpv6 accept
+
+ # allow ssh
+ tcp dport ssh accept
+
+ # reject everything else
+ reject with icmpx type port-unreachable
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+"))
+
+(define-record-type* <nftables-configuration>
+ nftables-configuration
+ make-nftables-configuration
+ nftables-configuration?
+ (package nftables-configuration-package
+ (default nftables))
+ (ruleset nftables-configuration-ruleset ; file-like object
+ (default %default-nftables-ruleset)))
+
+(define nftables-shepherd-service
+ (match-lambda
+ (($ <nftables-configuration> package ruleset)
+ (let ((nft (file-append package "/sbin/nft")))
+ (shepherd-service
+ (documentation "Packet filtering and classification")
+ (provision '(nftables))
+ (start #~(lambda _
+ (invoke #$nft "--file" #$ruleset)))
+ (stop #~(lambda _
+ (invoke #$nft "flush" "ruleset"))))))))
+
+(define nftables-service-type
+ (service-type
+ (name 'nftables)
+ (description
+ "Run @command{nft}, setting up the specified ruleset.")
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list nftables-shepherd-service))
+ (service-extension profile-service-type
+ (compose list nftables-configuration-package))))
+ (default-value (nftables-configuration))))
+
;;; networking.scm ends here
diff --git a/gnu/services/pm.scm b/gnu/services/pm.scm
index 3817bd09de..1e01b5059d 100644
--- a/gnu/services/pm.scm
+++ b/gnu/services/pm.scm
@@ -401,7 +401,8 @@ shutdown on system startup."))
(compose list tlp-configuration-tlp))
(service-extension activation-service-type
tlp-activation)))
- (default-value (tlp-configuration))))
+ (default-value (tlp-configuration))
+ (description "Run TLP, a power management tool.")))
(define (generate-tlp-documentation)
(generate-documentation
@@ -441,4 +442,6 @@ shutdown on system startup."))
(name 'thermald)
(extensions (list (service-extension shepherd-root-service-type
thermald-shepherd-service)))
- (default-value (thermald-configuration))))
+ (default-value (thermald-configuration))
+ (description "Run thermald, a CPU frequency scaling service that helps
+prevent overheating.")))
diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index 45c67e04eb..08bb33039c 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
@@ -255,6 +255,22 @@ stored."
#~(#$name #$doc #$proc)))
(shepherd-service-actions service))))))))
+(define (scm->go file)
+ "Compile FILE, which contains code to be loaded by shepherd's config file,
+and return the resulting '.go' file."
+ (with-extensions (list shepherd)
+ (computed-file (string-append (basename (scheme-file-name file) ".scm")
+ ".go")
+ #~(begin
+ (use-modules (system base compile))
+
+ ;; Do the same as the Shepherd's 'load-in-user-module'.
+ (let ((env (make-fresh-user-module)))
+ (module-use! env (resolve-interface '(oop goops)))
+ (module-use! env (resolve-interface '(shepherd service)))
+ (compile-file #$file #:output-file #$output
+ #:env env))))))
+
(define (shepherd-configuration-file services)
"Return the shepherd configuration file for SERVICES."
(assert-valid-graph services)
@@ -269,36 +285,37 @@ stored."
;; than a kernel panic.
(call-with-error-handling
(lambda ()
- (apply register-services (map primitive-load '#$files))
-
- ;; guix-daemon 0.6 aborts if 'PATH' is undefined, so work around
- ;; it.
- (setenv "PATH" "/run/current-system/profile/bin")
-
- (format #t "starting services...~%")
- (for-each (lambda (service)
- ;; In the Shepherd 0.3 the 'start' method can raise
- ;; '&action-runtime-error' if it fails, so protect
- ;; against it. (XXX: 'action-runtime-error?' is not
- ;; exported is 0.3, hence 'service-error?'.)
- (guard (c ((service-error? c)
- (format (current-error-port)
- "failed to start service '~a'~%"
- service)))
- (start service)))
- '#$(append-map shepherd-service-provision
- (filter shepherd-service-auto-start?
- services)))
-
- ;; Hang up stdin. At this point, we assume that 'start' methods
- ;; that required user interaction on the console (e.g.,
- ;; 'cryptsetup open' invocations, post-fsck emergency REPL) have
- ;; completed. User interaction becomes impossible after this
- ;; call; this avoids situations where services wrongfully lead
- ;; PID 1 to read from stdin (the console), which users may not
- ;; have access to (see <https://bugs.gnu.org/23697>).
- (redirect-port (open-input-file "/dev/null")
- (current-input-port))))))
+ (apply register-services
+ (map load-compiled '#$(map scm->go files)))))
+
+ ;; guix-daemon 0.6 aborts if 'PATH' is undefined, so work around
+ ;; it.
+ (setenv "PATH" "/run/current-system/profile/bin")
+
+ (format #t "starting services...~%")
+ (for-each (lambda (service)
+ ;; In the Shepherd 0.3 the 'start' method can raise
+ ;; '&action-runtime-error' if it fails, so protect
+ ;; against it. (XXX: 'action-runtime-error?' is not
+ ;; exported is 0.3, hence 'service-error?'.)
+ (guard (c ((service-error? c)
+ (format (current-error-port)
+ "failed to start service '~a'~%"
+ service)))
+ (start service)))
+ '#$(append-map shepherd-service-provision
+ (filter shepherd-service-auto-start?
+ services)))
+
+ ;; Hang up stdin. At this point, we assume that 'start' methods
+ ;; that required user interaction on the console (e.g.,
+ ;; 'cryptsetup open' invocations, post-fsck emergency REPL) have
+ ;; completed. User interaction becomes impossible after this
+ ;; call; this avoids situations where services wrongfully lead
+ ;; PID 1 to read from stdin (the console), which users may not
+ ;; have access to (see <https://bugs.gnu.org/23697>).
+ (redirect-port (open-input-file "/dev/null")
+ (current-input-port))))
(scheme-file "shepherd.conf" config)))
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 705ed84d06..bc8ac9b40a 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -313,7 +313,7 @@ be logged:
Multiple filters can be defined in a single filters statement, they just
need to be separated by spaces.")
(log-outputs
- (string "3:stderr")
+ (string "3:syslog:libvirtd")
"Logging outputs.
An output is one of the places to save logging information
@@ -432,7 +432,10 @@ potential infinite waits blocking libvirt."))
(provision '(libvirtd))
(start #~(make-forkexec-constructor
(list (string-append #$libvirt "/sbin/libvirtd")
- "-f" #$config-file)))
+ "-f" #$config-file)
+ #:environment-variables
+ ;; For finding qemu binaries.
+ '("PATH=/run/current-system/profile/bin")))
(stop #~(make-kill-destructor))))))
(define libvirt-service-type
@@ -442,8 +445,10 @@ potential infinite waits blocking libvirt."))
(service-extension polkit-service-type
(compose list libvirt-configuration-libvirt))
(service-extension profile-service-type
- (compose list
- libvirt-configuration-libvirt))
+ (lambda (config)
+ (list
+ (libvirt-configuration-libvirt config)
+ qemu)))
(service-extension activation-service-type
%libvirt-activation)
(service-extension shepherd-root-service-type
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 35efddb0ae..899be1c168 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -438,7 +438,7 @@
addresses-and-ports
contents)
`(,(string-append
- "<VirtualHost " addresses-and-ports ">\n")
+ "\n<VirtualHost " addresses-and-ports ">\n")
,@contents
"\n</VirtualHost>\n"))
((? string? x)
@@ -682,7 +682,8 @@ of index files."
(system* (string-append #$nginx "/sbin/nginx")
"-c" #$(or file
(default-nginx-config config))
- "-t"))))
+ "-p" #$run-directory
+ "-t"))))
(define (nginx-shepherd-service config)
(match-record config
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 06d72b5f60..1d55e388a1 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -773,6 +773,27 @@ the GNOME desktop environment.")
(home-directory "/var/lib/gdm")
(shell (file-append shadow "/sbin/nologin")))))
+(define %gdm-activation
+ ;; Ensure /var/lib/gdm is owned by the "gdm" user. This is normally the
+ ;; case but could be wrong if the "gdm" user was created, then removed, and
+ ;; then recreated under a different UID/GID: <https://bugs.gnu.org/37423>.
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+
+ (let* ((gdm (getpwnam "gdm"))
+ (uid (passwd:uid gdm))
+ (gid (passwd:gid gdm))
+ (st (stat "/var/lib/gdm" #f)))
+ ;; Recurse into /var/lib/gdm only if it has wrong ownership.
+ (when (and st
+ (or (not (= uid (stat:uid st)))
+ (not (= gid (stat:gid st)))))
+ (for-each (lambda (file)
+ (chown file uid gid))
+ (find-files "/var/lib/gdm"
+ #:directories? #t)))))))
+
(define dbus-daemon-wrapper
(program-file
"gdm-dbus-wrapper"
@@ -915,6 +936,8 @@ the GNOME desktop environment.")
(extensions
(list (service-extension shepherd-root-service-type
gdm-shepherd-service)
+ (service-extension activation-service-type
+ (const %gdm-activation))
(service-extension account-service-type
(const %gdm-accounts))
(service-extension pam-root-service-type
generated by cgit v1.2.3 (git 2.45.0) at 2024-12-02 10:02:27 +0000