From 9e549ad1c3a576eed1fb095a2d14613bce83b9ee Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Wed, 22 Nov 2017 23:16:01 +0100 Subject: services: dicod: Run in a container. * gnu/services/dict.scm (dicod-shepherd-service): Add 'with-imported-modules' form and 'modules' field. Use 'make-forkexec-constructor/container' instead of 'make-forkexec-constructor'. --- gnu/services/dict.scm | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/dict.scm b/gnu/services/dict.scm index 69eadafd2e..c8403c0135 100644 --- a/gnu/services/dict.scm +++ b/gnu/services/dict.scm @@ -21,6 +21,7 @@ (define-module (gnu services dict) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (guix modules) #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system shadow) @@ -144,14 +145,23 @@ database { (let ((dicod (file-append (dicod-configuration-dico config) "/bin/dicod")) (dicod.conf (dicod-configuration-file config))) - (list (shepherd-service - (provision '(dicod)) - (documentation "Run the dicod daemon.") - (start #~(make-forkexec-constructor - (list #$dicod "--foreground" - (string-append "--config=" #$dicod.conf)) - #:user "dicod" #:group "dicod")) - (stop #~(make-kill-destructor)))))) + (with-imported-modules (source-module-closure + '((gnu build shepherd) + (gnu system file-systems))) + (list (shepherd-service + (provision '(dicod)) + (documentation "Run the dicod daemon.") + (modules '((gnu build shepherd) + (gnu system file-systems))) + (start #~(make-forkexec-constructor/container + (list #$dicod "--foreground" + (string-append "--config=" #$dicod.conf)) + #:user "dicod" #:group "dicod" + #:mappings (list (file-system-mapping + (source "/var/run/dicod") + (target source) + (writable? #t))))) + (stop #~(make-kill-destructor))))))) (define dicod-service-type (service-type -- cgit v1.2.3 
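Review bot: The `#:mappings` entry bind-mounts `/var/run/dicod` writable into the container, but nothing in this hunk ensures the directory exists before the constructor runs, and a mapping whose source is missing is likely to make the service fail to start rather than degrade; if an activation snippet elsewhere in the file creates it, a one-line comment above `#:mappings` pointing to it would make that dependency explicit. The `documentation` string still says only `"Run the dicod daemon."`; since the change is precisely that it now runs isolated, `(documentation "Run the dicod daemon in a container.")` tells an operator reading `herd status` what to expect. The `dicod-shepherd-service` definition whose `let` body this is starts outside the hunk.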
From 5cc6dcd734fbf40371aaa6b2ebb825fb35397209 Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Fri, 6 Oct 2017 02:01:07 +0200 Subject: services: prosody: Adapt to Prosody 0.10.0. * doc/guix.texi (Messaging Services): Add "mam" as a module example. Document 'prosodyctl check'. Replace 'prosodyctl cert request' with 'prosodyctl cert import'. Regenerate it. * gnu/services/messaging.scm (serialize-module-list): Remove "posix" from the default modules list because it is now automatically loaded. (ssl-configuration)[key, certificate]: Remove them because they are now automatically located. Fix their docstrings. (%default-modules-enabled): Add "carbons" and "blocklist". (prosody-configuration)[certificates]: Set default directory from which certificates/keys will be automatically located. --- doc/guix.texi | 28 +++++++++++++++++++--------- gnu/services/messaging.scm | 19 ++++++++++++++----- 2 files changed, 33 insertions(+), 14 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index f8188fbb16..a2f7d9e1d0 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -13899,7 +13899,7 @@ record as in this example: @example (service prosody-service-type (prosody-configuration - (modules-enabled (cons "groups" %default-modules-enabled)) + (modules-enabled (cons "groups" "mam" %default-modules-enabled)) (int-components (list (int-component-configuration 
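Review bot: The new example line `(modules-enabled (cons "groups" "mam" %default-modules-enabled))` is not valid Scheme, because `cons` takes exactly two arguments, so a reader who copies the example into their system configuration gets an error instead of a working service. The variadic form is `cons*`: `(modules-enabled (cons* "groups" "mam" %default-modules-enabled))`. Since this is the only place the manual shows how to extend `%default-modules-enabled`, the example is worth getting right.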
@@ -13920,10 +13920,15 @@ By default, Prosody does not need much configuration. Only one @code{virtualhosts} field is needed: it specifies the domain you wish Prosody to serve. -Prosodyctl will help you generate X.509 certificates and keys: +You can perform various sanity checks on the generated configuration +with the @code{prosodyctl check} command. + +Prosodyctl will also help you to import certificates from the +@code{letsencrypt} directory so that the @code{prosody} user can access +them. See @url{https://prosody.im/doc/letsencrypt}. @example -prosodyctl cert request example.net +prosodyctl --root cert import /etc/letsencrypt/live @end example The available configuration parameters follow. Each parameter @@ -13962,6 +13967,13 @@ paths in order. See @url{http://prosody.im/doc/plugins_directory}. Defaults to @samp{()}. @end deftypevr +@deftypevr {@code{prosody-configuration} parameter} file-name certificates +Every virtual host and component needs a certificate so that clients and +servers can securely verify its identity. Prosody will automatically load +certificates/keys from the directory specified here. +Defaults to @samp{"/etc/prosody/certs"}. +@end deftypevr + @deftypevr {@code{prosody-configuration} parameter} string-list admins This is a list of accounts that are admins for the server. Note that you must create the accounts separately. See @url{http://prosody.im/doc/admins} and 
@@ -14014,14 +14026,12 @@ Available @code{ssl-configuration} fields are: This determines what handshake to use. @end deftypevr -@deftypevr {@code{ssl-configuration} parameter} file-name key -Path to your private key file, relative to @code{/etc/prosody}. -Defaults to @samp{"/etc/prosody/certs/key.pem"}. +@deftypevr {@code{ssl-configuration} parameter} maybe-file-name key +Path to your private key file. @end deftypevr -@deftypevr {@code{ssl-configuration} parameter} file-name certificate -Path to your certificate file, relative to @code{/etc/prosody}. -Defaults to @samp{"/etc/prosody/certs/cert.pem"}. +@deftypevr {@code{ssl-configuration} parameter} maybe-file-name certificate +Path to your certificate file. @end deftypevr @deftypevr {@code{ssl-configuration} parameter} file-name capath diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm index 715d6181f5..526ad5a410 100644 --- a/gnu/services/messaging.scm +++ b/gnu/services/messaging.scm @@ -160,7 +160,7 @@ (define (module-list? val) (string-list? val)) (define (serialize-module-list field-name val) - (serialize-string-list field-name (cons "posix" val))) + (serialize-string-list field-name val)) (define-maybe module-list) (define (file-name? val) @@ -203,12 +203,12 @@ just joined the room.")) "This determines what handshake to use.") (key - (file-name "/etc/prosody/certs/key.pem") - "Path to your private key file, relative to @code{/etc/prosody}.") + (maybe-file-name 'disabled) + "Path to your private key file.") (certificate - (file-name "/etc/prosody/certs/cert.pem") - "Path to your certificate file, relative to @code{/etc/prosody}.") + (maybe-file-name 'disabled) + "Path to your certificate file.") (capath (file-name "/etc/ssl/certs") @@ -271,7 +271,9 @@ can create such a file with: "tls" "dialback" "disco" + "carbons" "private" + "blocklist" "vcard" "version" "uptime" 
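Review bot: In the `@@ -203` hunk of gnu/services/messaging.scm the `key` and `certificate` fields now default to `(maybe-file-name 'disabled)`, but their shortened docstrings `"Path to your private key file."` no longer say what happens when the field is left unset, which is now the common case; since the same commit adds a `certificates` directory from which Prosody loads them automatically, say so, e.g. `"Path to your private key file.  When left disabled, Prosody looks it up in the @code{certificates} directory."` and the same for `certificate`. The `@@ -160` hunk silently drops the implicit `"posix"` entry from `serialize-module-list`; a one-line comment above the procedure recording that Prosody 0.10 loads that module itself would stop someone re-adding it later. Both hunks sit inside definitions whose headers are outside the hunks.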
@@ -321,6 +323,13 @@ can create such a file with: paths in order. See @url{http://prosody.im/doc/plugins_directory}." global) + (certificates + (file-name "/etc/prosody/certs") + "Every virtual host and component needs a certificate so that clients and +servers can securely verify its identity. Prosody will automatically load +certificates/keys from the directory specified here." + global) + (admins (string-list '()) "This is a list of accounts that are admins for the server. Note that you -- cgit v1.2.3 From f59de6bea9a2fc83df492eafbfb7f8bfc5148939 Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Fri, 27 Oct 2017 00:20:01 +0200 Subject: services: prosody: Add support for http-external-url. * doc/guix.texi (Messaging Services): Update accordingly. * gnu/services/messaging.scm (prosody-configuration)[http-external-url]: New field. --- doc/guix.texi | 13 ++++++++++--- gnu/services/messaging.scm | 8 ++++++++ 2 files changed, 18 insertions(+), 3 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index a2f7d9e1d0..0e4116905c 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14143,6 +14143,13 @@ File to write pid in. See @url{http://prosody.im/doc/modules/mod_posix}. Defaults to @samp{"/var/run/prosody/prosody.pid"}. @end deftypevr +@deftypevr {@code{prosody-configuration} parameter} maybe-string http-external-url +Some modules expose their own URL in various ways. This URL is built +from the protocol, host and port used. If Prosody sits behind a proxy, the +public URL will be @code{http-external-url} instead. See +@url{https://prosody.im/doc/http#external_url}. +@end deftypevr + @deftypevr {@code{prosody-configuration} parameter} virtualhost-configuration-list virtualhosts A host in Prosody is a domain on which user accounts can be created. For example if you want your users to have addresses like 
@@ -14159,7 +14166,7 @@ See @url{http://prosody.im/doc/configure#virtual_host_settings}. Available @code{virtualhost-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-external-url}, plus: @deftypevr {@code{virtualhost-configuration} parameter} string domain Domain you wish Prosody to serve. @end deftypevr 
@@ -14181,7 +14188,7 @@ Defaults to @samp{()}. Available @code{int-component-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-external-url}, plus: @deftypevr {@code{int-component-configuration} parameter} string hostname Hostname of the component. @end deftypevr 
@@ -14234,7 +14241,7 @@ Defaults to @samp{()}. Available @code{ext-component-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-external-url}, plus: @deftypevr {@code{ext-component-configuration} parameter} string component-secret Password which the component will use to log in. @end deftypevr diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm index 526ad5a410..5a7b19605b 100644 --- a/gnu/services/messaging.scm +++ b/gnu/services/messaging.scm @@ -436,6 +436,14 @@ by the GuixSD Prosody Service. See @url{http://prosody.im/doc/logging}." "File to write pid in. See @url{http://prosody.im/doc/modules/mod_posix}." global) + (http-external-url + (maybe-string 'disabled) + "Some modules expose their own URL in various ways. This URL is built +from the protocol, host and port used. If Prosody sits behind a proxy, the +public URL will be @code{http-external-url} instead. See +@url{https://prosody.im/doc/http#external_url}." + common) + (virtualhosts (virtualhost-configuration-list (list (virtualhost-configuration -- cgit v1.2.3 From 1f6f1a07c84c6a0c69803c8e9703237ace7abf77 Mon Sep 17 00:00:00 2001 
From: Clément Lassieur Date: Sat, 28 Oct 2017 01:33:57 +0200 Subject: services: prosody: Add support for http-max-content-size. * doc/guix.texi (Messaging Services): Update accordingly. * gnu/services/messaging.scm (prosody-configuration)[http-max-content-size]: New field. --- doc/guix.texi | 10 +++++++--- gnu/services/messaging.scm | 5 +++++ 2 files changed, 12 insertions(+), 3 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 0e4116905c..627a549c90 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14143,6 +14143,10 @@ File to write pid in. See @url{http://prosody.im/doc/modules/mod_posix}. Defaults to @samp{"/var/run/prosody/prosody.pid"}. @end deftypevr +@deftypevr {@code{prosody-configuration} parameter} maybe-non-negative-integer http-max-content-size +Maximum allowed size of the HTTP body (in bytes). +@end deftypevr + @deftypevr {@code{prosody-configuration} parameter} maybe-string http-external-url Some modules expose their own URL in various ways. This URL is built from the protocol, host and port used. If Prosody sits behind a proxy, the 
@@ -14166,7 +14170,7 @@ See @url{http://prosody.im/doc/configure#virtual_host_settings}. Available @code{virtualhost-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-external-url}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, plus: @deftypevr {@code{virtualhost-configuration} parameter} string domain Domain you wish Prosody to serve. @end deftypevr 
@@ -14188,7 +14192,7 @@ Defaults to @samp{()}. Available @code{int-component-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-external-url}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, plus: @deftypevr {@code{int-component-configuration} parameter} string hostname Hostname of the component. @end deftypevr 
@@ -14241,7 +14245,7 @@ Defaults to @samp{()}. Available @code{ext-component-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-external-url}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, plus: @deftypevr {@code{ext-component-configuration} parameter} string component-secret Password which the component will use to log in. @end deftypevr diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm index 5a7b19605b..f348ca1a38 100644 --- a/gnu/services/messaging.scm +++ b/gnu/services/messaging.scm @@ -436,6 +436,11 @@ by the GuixSD Prosody Service. See @url{http://prosody.im/doc/logging}." "File to write pid in. See @url{http://prosody.im/doc/modules/mod_posix}." global) + (http-max-content-size + (maybe-non-negative-integer 'disabled) + "Maximum allowed size of the HTTP body (in bytes)." + common) + (http-external-url (maybe-string 'disabled) "Some modules expose their own URL in various ways. This URL is built -- cgit v1.2.3 From 274b9500d1d204a06a610da304a61d5b27bcce3e Mon Sep 17 00:00:00 2001 
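Review bot: The docstring of the new `http-max-content-size` field in gnu/services/messaging.scm, `"Maximum allowed size of the HTTP body (in bytes)."`, does not say what limit applies when the field is left at `'disabled`, and this value is what bounds the request bodies Prosody's HTTP modules will accept, so an operator deciding whether to set it needs that sentence. Something like `"Maximum allowed size of the HTTP body (in bytes).  When disabled, Prosody's built-in limit applies."` would do, assuming that is how Prosody treats an unset option. The enclosing `prosody-configuration` form starts and ends outside the hunk.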
From: Clément Lassieur Date: Fri, 27 Oct 2017 22:12:41 +0200 Subject: services: prosody: Allow to add raw content to the config file. * doc/guix.texi (Messaging Services): Update accordingly. * gnu/services/messaging.scm (prosody-configuration)[raw-content]: New field. (raw-content?, serialize-raw-content): New procedures. --- doc/guix.texi | 10 +++++++--- gnu/services/messaging.scm | 13 ++++++++++++- 2 files changed, 19 insertions(+), 4 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 627a549c90..51fc40d7c1 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14170,7 +14170,7 @@ See @url{http://prosody.im/doc/configure#virtual_host_settings}. Available @code{virtualhost-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus: @deftypevr {@code{virtualhost-configuration} parameter} string domain Domain you wish Prosody to serve. @end deftypevr 
@@ -14192,7 +14192,7 @@ Defaults to @samp{()}. Available @code{int-component-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus: @deftypevr {@code{int-component-configuration} parameter} string hostname Hostname of the component. @end deftypevr 
@@ -14245,7 +14245,7 @@ Defaults to @samp{()}. Available @code{ext-component-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus: @deftypevr {@code{ext-component-configuration} parameter} string component-secret Password which the component will use to log in. @end deftypevr @@ -14265,6 +14265,10 @@ Interface Prosody listens on for component connections. Defaults to @samp{"127.0.0.1"}. @end deftypevr +@deftypevr {@code{prosody-configuration} parameter} maybe-raw-content raw-content +Raw content that will be added to the configuration file. +@end deftypevr + It could be that you just want to get a @code{prosody.cfg.lua} up and running. In that case, you can pass an @code{opaque-prosody-configuration} record as the value of diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm index f348ca1a38..b66d6ddb96 100644 --- a/gnu/services/messaging.scm +++ b/gnu/services/messaging.scm 
@@ -176,6 +176,12 @@ (serialize-string-list field-name val)) (define-maybe file-name) +(define (raw-content? val) + (not (eq? val 'disabled))) +(define (serialize-raw-content field-name val) + (format #t "~a" val)) +(define-maybe raw-content) + (define-configuration mod-muc-configuration (name (string "Prosody Chatrooms") @@ -533,7 +539,12 @@ See also @url{http://prosody.im/doc/modules/mod_muc}." (hostname (string (configuration-missing-field 'ext-component 'hostname)) "Hostname of the component." - ext-component))) + ext-component) + + (raw-content + (maybe-raw-content 'disabled) + "Raw content that will be added to the configuration file." + common))) ;; Serialize Virtualhost line first. (define (serialize-virtualhost-configuration config) -- cgit v1.2.3 From e30038dae14d7cfb6372c44e9f4dfc96c205c29e Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Fri, 24 Nov 2017 22:20:32 +0100 Subject: services: prosody: Add support for disable-sasl-mechanisms. * doc/guix.texi (Messaging Services): Update accordingly. * gnu/services/messaging.scm (prosody-configuration)[disable-sasl-mechanisms]: New field. --- doc/guix.texi | 11 ++++++++--- gnu/services/messaging.scm | 6 ++++++ 2 files changed, 14 insertions(+), 3 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 51fc40d7c1..2a68256823 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14093,6 +14093,11 @@ See @url{http://prosody.im/doc/modules/mod_tls}. Defaults to @samp{#f}. @end deftypevr +@deftypevr {@code{prosody-configuration} parameter} string-list disable-sasl-mechanisms +Set of mechanisms that will never be offered. See +@url{https://prosody.im/doc/modules/mod_saslauth}. +@end deftypevr + @deftypevr {@code{prosody-configuration} parameter} boolean s2s-require-encryption? Whether to force all server-to-server connections to be encrypted or not. See @url{http://prosody.im/doc/modules/mod_tls}. 
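Review bot: `raw-content?` accepts any value that is not the symbol `disabled`, and `serialize-raw-content` emits it with `(format #t "~a" val)` and no trailing newline, so a non-string value is written in its `display` form and a string without a final newline runs straight into whatever the serializer emits next in `prosody.cfg.lua`. Tightening the predicate to `(define (raw-content? val) (string? val))` and the serializer to `(format #t "~a~%" val)` would close both gaps, assuming the `define-maybe`-generated predicate handles `'disabled` itself as the other `maybe-` types in this file appear to, and assuming non-string values were not intended. Because the value lands verbatim in the Lua configuration, the field docstring in the `@@ -533` hunk should say so, e.g. `"Raw Lua code appended verbatim to the configuration file; it is neither validated nor escaped."`. The second hunk is the tail of the `prosody-configuration` form, whose start is outside the hunk.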
@@ -14170,7 +14175,7 @@ See @url{http://prosody.im/doc/configure#virtual_host_settings}. Available @code{virtualhost-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus: @deftypevr {@code{virtualhost-configuration} parameter} string domain Domain you wish Prosody to serve. @end deftypevr 
@@ -14192,7 +14197,7 @@ Defaults to @samp{()}. Available @code{int-component-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus: @deftypevr {@code{int-component-configuration} parameter} string hostname Hostname of the component. @end deftypevr 
@@ -14245,7 +14250,7 @@ Defaults to @samp{()}. Available @code{ext-component-configuration} fields are: -all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus: +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{disable-sasl-mechanisms}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, @code{http-max-content-size}, @code{http-external-url}, @code{raw-content}, plus: @deftypevr {@code{ext-component-configuration} parameter} string component-secret Password which the component will use to log in. @end deftypevr diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm index b66d6ddb96..c75c715850 100644 --- a/gnu/services/messaging.scm +++ b/gnu/services/messaging.scm @@ -391,6 +391,12 @@ using them. See @url{http://prosody.im/doc/advanced_ssl_config}." See @url{http://prosody.im/doc/modules/mod_tls}." common) + (disable-sasl-mechanisms + (string-list '("DIGEST-MD5")) + "Set of mechanisms that will never be offered. See +@url{https://prosody.im/doc/modules/mod_saslauth}." + common) + (s2s-require-encryption? (boolean #f) "Whether to force all server-to-server connections to be encrypted or not. -- cgit v1.2.3 From 5823396404bf8fc04cf0d392980bf463323014b1 Mon Sep 17 00:00:00 2001 
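Review bot: The `disable-sasl-mechanisms` default of `'("DIGEST-MD5")` in gnu/services/messaging.scm is a sound default, but the docstring gives no reason for it, so a later maintainer may treat it as an arbitrary choice and drop it; a sentence such as `"DIGEST-MD5 is disabled by default because it is an obsolete mechanism."` records the intent. Because the type is `string-list` rather than a maybe type, a user who sets the field to `'()` removes the exclusion and DIGEST-MD5 is offered again; worth stating in the same docstring. The enclosing `prosody-configuration` form starts and ends outside the hunk.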
From: Christopher Baines Date: Fri, 24 Nov 2017 23:08:14 +0000 Subject: services: desktop: Create /var/run/udisks2 for the udisks service. * gnu/services/desktop.scm (%udisks-activation): New variable. (udisks-service-type)[extensions]: Extend the activation service type with %udisks-activation. --- gnu/services/desktop.scm | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'gnu/services') diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 4b5100c27a..ec33e1d5ec 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -507,6 +507,15 @@ site} for more information." (udisks udisks-configuration-udisks (default udisks))) +(define %udisks-activation + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + + (let ((run-dir "/var/run/udisks2")) + (mkdir-p run-dir) + (chmod run-dir #o700))))) + (define udisks-service-type (let ((udisks-package (lambda (config) (list (udisks-configuration-udisks config))))) @@ -518,6 +527,8 @@ site} for more information." udisks-package) (service-extension udev-service-type udisks-package) + (service-extension activation-service-type + (const %udisks-activation)) ;; Profile 'udisksctl' & co. in the system profile. (service-extension profile-service-type -- cgit v1.2.3 From 19ff1f2687ab5ceeee6335dce2794590d0f4aa27 Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Fri, 24 Nov 2017 22:55:28 +0100 Subject: services: configuration: Show default values of list types. * doc/guix.texi (Messaging Services): Regenerate it. * gnu/services/configuration.scm (show-default?): Check VAL rather than DEFAULT. * gnu/services/messaging.scm (show-default?): Check VAL rather than DEFAULT. (prosody-configuration)[modules-enabled]: Remove default value from docstring. --- doc/guix.texi | 7 +++++-- gnu/services/configuration.scm | 3 ++- gnu/services/messaging.scm | 6 +++--- 3 files changed, 10 insertions(+), 6 deletions(-) (limited to 'gnu/services') 
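Review bot: `%udisks-activation` creates `/var/run/udisks2` and then unconditionally `chmod`s it to `#o700` with no comment on why the mode is set separately or what the directory is for; presumably `mkdir-p` leaves the mode to the umask, which is why the explicit `chmod` is needed, and a line above the `let` such as `;; Runtime directory for the udisks service; mkdir-p honours the umask, so force it root-only.` would spare the next reader that reasoning. Note also that the `chmod` runs on every activation, so an existing directory with different permissions is reset each time; if that is intended, the same comment should say so. The second hunk, which wires the activation in via `(service-extension activation-service-type (const %udisks-activation))`, needs no change.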
diff --git a/doc/guix.texi b/doc/guix.texi index 2a68256823..17a8f4df47 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -13991,8 +13991,9 @@ Defaults to @samp{#f}. @deftypevr {@code{prosody-configuration} parameter} module-list modules-enabled This is the list of modules Prosody will load on startup. It looks for @code{mod_modulename.lua} in the plugins folder, so make sure that exists too. -Documentation on modules can be found at: @url{http://prosody.im/doc/modules}. -Defaults to @samp{%default-modules-enabled}. +Documentation on modules can be found at: +@url{http://prosody.im/doc/modules}. +Defaults to @samp{("roster" "saslauth" "tls" "dialback" "disco" "carbons" "private" "blocklist" "vcard" "version" "uptime" "time" "ping" "pep" "register" "admin_adhoc")}. @end deftypevr @deftypevr {@code{prosody-configuration} parameter} string-list modules-disabled @@ -14096,6 +14097,7 @@ Defaults to @samp{#f}. @deftypevr {@code{prosody-configuration} parameter} string-list disable-sasl-mechanisms Set of mechanisms that will never be offered. See @url{https://prosody.im/doc/modules/mod_saslauth}. +Defaults to @samp{("DIGEST-MD5")}. @end deftypevr @deftypevr {@code{prosody-configuration} parameter} boolean s2s-require-encryption? @@ -14263,6 +14265,7 @@ Hostname of the component. @deftypevr {@code{prosody-configuration} parameter} non-negative-integer-list component-ports Port(s) Prosody listens on for component connections. +Defaults to @samp{(5347)}. @end deftypevr @deftypevr {@code{prosody-configuration} parameter} string component-interface diff --git a/gnu/services/configuration.scm b/gnu/services/configuration.scm index 0a2219e743..c45340f02f 100644 --- a/gnu/services/configuration.scm +++ b/gnu/services/configuration.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2015 Andy Wingo ;;; Copyright © 2017 Mathieu Othacehe +;;; Copyright © 2017 Clément Lassieur ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -165,7 +166,7 @@ (configuration-field-default-value-thunk f) (lambda _ '%invalid)))) (define (show-default? val) - (or (string? default) (number? default) (boolean? default) + (or (string? val) (number? val) (boolean? val) (and (symbol? val) (not (eq? val '%invalid))) (and (list? val) (and-map show-default? val)))) `(deftypevr (% (category diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm index c75c715850..d57a7562a2 100644 --- a/gnu/services/messaging.scm +++ b/gnu/services/messaging.scm @@ -354,8 +354,8 @@ Example: @code{(admins '(\"user1@@example.com\" \"user2@@example.net\"))}" (module-list %default-modules-enabled) "This is the list of modules Prosody will load on startup. It looks for @code{mod_modulename.lua} in the plugins folder, so make sure that exists too. -Documentation on modules can be found at: @url{http://prosody.im/doc/modules}. -Defaults to @samp{%default-modules-enabled}." +Documentation on modules can be found at: +@url{http://prosody.im/doc/modules}." common) (modules-disabled @@ -722,7 +722,7 @@ See also @url{http://prosody.im/doc/modules/mod_muc}." (display c)) str)))) (define (show-default? val) - (or (string? default) (number? default) (boolean? default) + (or (string? val) (number? val) (boolean? val) (and (list? val) (and-map show-default? val)))) (format #t "@deftypevr {@code{~a} parameter} ~a ~a\n~a\n" configuration-name field-type field-name field-docs) -- cgit v1.2.3 From d344f5a528791cc8ee46b4506ff4ec49489108ee Mon Sep 17 00:00:00 2001 
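Review bot: The two `show-default?` definitions corrected here (gnu/services/configuration.scm at -165 and gnu/services/messaging.scm at -722) are near-duplicates that now diverge: the configuration.scm copy accepts symbols other than `%invalid`, the messaging.scm copy has no symbol clause, so a symbol default still renders differently depending on which generator produced the manual entry. Both carried the same `default`-instead-of-`val` slip, which is what the duplication invites; consider having messaging.scm reuse the configuration.scm predicate, or at least add `;; Keep in sync with show-default? in (gnu services configuration).` above the messaging.scm copy. Both enclosing procedures start before their hunks.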
From: Ludovic Courtès Date: Sat, 25 Nov 2017 18:28:08 +0100 Subject: services: xorg: Allow users to specify a list of modules. * gnu/services/xorg.scm (%default-xorg-fonts): New variable. (xorg-configuration-file): Add #:modules and #:fonts. Rewrite to return a 'computed-file' that honors MODULES and FONTS. (xorg-wrapper): Pass #:modules to 'xorg-configuration-file'. (xorg-start-command): Add #:fonts. Pass #:fonts and #:modules to 'xorg-configuration-file'. * doc/guix.texi (X Window): Adjust documentation of 'xorg-start-command' and 'xorg-configuration-file'. --- doc/guix.texi | 26 ++++--- gnu/services/xorg.scm | 185 ++++++++++++++++++++++++++++++++------------------ 2 files changed, 136 insertions(+), 75 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 17a8f4df47..4a32cdff5d 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -11142,31 +11142,41 @@ The G-Expression denoting the default SLiM theme and its name. @end defvr @deffn {Scheme Procedure} xorg-start-command [#:guile] @ - [#:configuration-file #f] [#:xorg-server @var{xorg-server}] -Return a derivation that builds a @var{guile} script to start the X server -from @var{xorg-server}. @var{configuration-file} is the server configuration -file or a derivation that builds it; when omitted, the result of -@code{xorg-configuration-file} is used. + [#:modules %default-xorg-modules] @ + [#:fonts %default-xorg-fonts] @ + [#:configuration-file (xorg-configuration-file @dots{})] @ + [#:xorg-server @var{xorg-server}] +Return a @code{startx} script in which @var{modules}, a list of X module +packages, and @var{fonts}, a list of X font directories, are available. See +@code{xorg-wrapper} for more details on the arguments. The result should be +used in place of @code{startx}. Usually the X server is started by a login manager. @end deffn @deffn {Scheme Procedure} xorg-configuration-file @ + [#:modules %default-xorg-modules] @ + [#:fonts %default-xorg-fonts] @ [#:drivers '()] [#:resolutions '()] [#:extra-config '()] Return a configuration file for the Xorg server containing search paths for all the common drivers. +@var{modules} must be a list of @dfn{module packages} loaded by the Xorg +server---e.g., @code{xf86-video-vesa}, @code{xf86-input-keyboard}, and so on. +@var{fonts} must be a list of font directories to add to the server's +@dfn{font path}. + @var{drivers} must be either the empty list, in which case Xorg chooses a graphics driver automatically, or a list of driver names that will be tried in -this order---e.g., @code{(\"modesetting\" \"vesa\")}. +this order---e.g., @code{("modesetting" "vesa")}. Likewise, when @var{resolutions} is the empty list, Xorg chooses an appropriate screen resolution; otherwise, it must be a list of resolutions---e.g., @code{((1024 768) (640 480))}. 
Last, @var{extra-config} is a list of strings or objects appended to the -@code{text-file*} argument list. It is used to pass extra text to be added -verbatim to the configuration file. +configuration file. It is used to pass extra text to be +added verbatim to the configuration file. @end deffn @deffn {Scheme Procedure} screen-locker-service @var{package} [@var{name}] diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index c5a1a0d423..c712793875 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Andy Wingo -;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès +;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès ;;; Copyright © 2015 Sou Bunnbu ;;; ;;; This file is part of GNU Guix. @@ -45,6 +45,7 @@ #:use-module (ice-9 match) #:export (xorg-configuration-file %default-xorg-modules + %default-xorg-fonts xorg-wrapper xorg-start-command xinitrc 
@@ -70,11 +71,50 @@ ;;; ;;; Code: -(define* (xorg-configuration-file #:key (drivers '()) (resolutions '()) +(define %default-xorg-modules + ;; Default list of modules loaded by the server. Note that the order + ;; matters since it determines which driver is going to be used when there's + ;; a choice. + (list xf86-video-vesa + xf86-video-fbdev + xf86-video-ati + xf86-video-cirrus + xf86-video-intel + xf86-video-mach64 + xf86-video-nouveau + xf86-video-nv + xf86-video-sis + + ;; Libinput is the new thing and is recommended over evdev/synaptics: + ;; . + xf86-input-libinput + + xf86-input-evdev + xf86-input-keyboard + xf86-input-mouse + xf86-input-synaptics)) + +(define %default-xorg-fonts + ;; Default list of fonts available to the X server. + (list (file-append font-alias "/share/fonts/X11/75dpi") + (file-append font-alias "/share/fonts/X11/100dpi") + (file-append font-alias "/share/fonts/X11/misc") + (file-append font-alias "/share/fonts/X11/cyrillic") + (file-append font-adobe75dpi "/share/fonts/X11/75dpi"))) + +(define* (xorg-configuration-file #:key + (modules %default-xorg-modules) + (fonts %default-xorg-fonts) + (drivers '()) (resolutions '()) (extra-config '())) "Return a configuration file for the Xorg server containing search paths for all the common drivers. +@var{modules} must be a list of @dfn{module packages} loaded by the Xorg +server---e.g., @code{xf86-video-vesa}, @code{xf86-input-keyboard}, and so on. +@var{fonts} must be a list of font directories to add to the server's +@dfn{font path}. + @var{drivers} must be either the empty list, in which case Xorg chooses a graphics driver automatically, or a list of driver names that will be tried in this order---e.g., @code{(\"modesetting\" \"vesa\")}. 
@@ -84,17 +124,32 @@ appropriate screen resolution; otherwise, it must be a list of resolutions---e.g., @code{((1024 768) (640 480))}. Last, @var{extra-config} is a list of strings or objects appended to the -@code{mixed-text-file} argument list. It is used to pass extra text to be +configuration file. It is used to pass extra text to be added verbatim to the configuration file." - (define (device-section driver) - (string-append " + (define all-modules + ;; 'xorg-server' provides 'fbdevhw.so' etc. + (append modules (list xorg-server))) + + (define build + #~(begin + (use-modules (ice-9 match) + (srfi srfi-1) + (srfi srfi-26)) + + (call-with-output-file #$output + (lambda (port) + (define drivers + '#$drivers) + + (define (device-section driver) + (string-append " Section \"Device\" Identifier \"device-" driver "\" Driver \"" driver "\" EndSection")) - (define (screen-section driver resolutions) - (string-append " + (define (screen-section driver resolutions) + (string-append " Section \"Screen\" Identifier \"screen-" driver "\" Device \"device-" driver "\" 
@@ -108,65 +163,56 @@ Section \"Screen\" EndSubSection EndSection")) - (apply mixed-text-file "xserver.conf" " -Section \"Files\" - FontPath \"" font-alias "/share/fonts/X11/75dpi\" - FontPath \"" font-alias "/share/fonts/X11/100dpi\" - FontPath \"" font-alias "/share/fonts/X11/misc\" - FontPath \"" font-alias "/share/fonts/X11/cyrillic\" - FontPath \"" font-adobe75dpi "/share/fonts/X11/75dpi\" - ModulePath \"" xf86-video-vesa "/lib/xorg/modules/drivers\" - ModulePath \"" xf86-video-fbdev "/lib/xorg/modules/drivers\" - ModulePath \"" xf86-video-ati "/lib/xorg/modules/drivers\" - ModulePath \"" xf86-video-cirrus "/lib/xorg/modules/drivers\" - ModulePath \"" xf86-video-intel "/lib/xorg/modules/drivers\" - ModulePath \"" xf86-video-mach64 "/lib/xorg/modules/drivers\" - ModulePath \"" xf86-video-nouveau "/lib/xorg/modules/drivers\" - ModulePath \"" xf86-video-nv "/lib/xorg/modules/drivers\" - ModulePath \"" xf86-video-sis "/lib/xorg/modules/drivers\" - - # Libinput is the new thing and is recommended over evdev/synaptics - # by those who know: - # . - ModulePath \"" xf86-input-libinput "/lib/xorg/modules/input\" - - ModulePath \"" xf86-input-evdev "/lib/xorg/modules/input\" - ModulePath \"" xf86-input-keyboard "/lib/xorg/modules/input\" - ModulePath \"" xf86-input-mouse "/lib/xorg/modules/input\" - ModulePath \"" xf86-input-synaptics "/lib/xorg/modules/input\" - ModulePath \"" xorg-server "/lib/xorg/modules\" - ModulePath \"" xorg-server "/lib/xorg/modules/drivers\" - ModulePath \"" xorg-server "/lib/xorg/modules/extensions\" - ModulePath \"" xorg-server "/lib/xorg/modules/multimedia\" -EndSection - + (define (expand modules) + ;; Append to MODULES the relevant /lib/xorg/modules + ;; sub-directories. + (append-map (lambda (module) + (filter-map (lambda (directory) + (let ((full (string-append module + directory))) + (and (file-exists? 
full) + full))) + '("/lib/xorg/modules/drivers" + "/lib/xorg/modules/input" + "/lib/xorg/modules/multimedia" + "/lib/xorg/modules/extensions"))) + modules)) + + (display "Section \"Files\"\n" port) + (for-each (lambda (font) + (format port " FontPath \"~a\"~%" font)) + '#$fonts) + (for-each (lambda (module) + (format port + " ModulePath \"~a\"~%" + module)) + (append (expand '#$all-modules) + + ;; For fbdevhw.so and so on. + (list #$(file-append xorg-server + "/lib/xorg/modules")))) + (display "EndSection\n" port) + (display " Section \"ServerFlags\" Option \"AllowMouseOpenFail\" \"on\" -EndSection -" - (string-join (map device-section drivers) "\n") "\n" - (string-join (map (cut screen-section <> resolutions) - drivers) - "\n") +EndSection\n" port) - "\n" - extra-config)) + (display (string-join (map device-section drivers) "\n") + port) + (newline port) + (display (string-join + (map (cut screen-section <> '#$resolutions) + drivers) + "\n") + port) + (newline port) + + (for-each (lambda (config) + (display config port)) + '#$extra-config))))) + + (computed-file "xserver.conf" build)) -(define %default-xorg-modules - (list xf86-video-vesa - xf86-video-fbdev - xf86-video-ati - xf86-video-cirrus - xf86-video-intel - xf86-video-mach64 - xf86-video-nouveau - xf86-video-nv - xf86-video-sis - xf86-input-libinput - xf86-input-evdev - xf86-input-keyboard - xf86-input-mouse - xf86-input-synaptics)) (define (xorg-configuration-directory modules) "Return a directory that contains the @code{.conf} files for X.org that @@ -196,8 +242,9 @@ in @var{modules}." (define* (xorg-wrapper #:key (guile (canonical-package guile-2.0)) - (configuration-file (xorg-configuration-file)) (modules %default-xorg-modules) + (configuration-file (xorg-configuration-file + #:modules modules)) (xorg-server xorg-server)) "Return a derivation that builds a @var{guile} script to start the X server from @var{xorg-server}. @var{configuration-file} is the server configuration 
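Review bot: The comment on `expand` in the new build gexp says it appends sub-directories to MODULES, but the procedure returns only the existing `/lib/xorg/modules/{drivers,input,multimedia,extensions}` sub-directories of each module and never the module paths themselves, as the `(append-map ... (filter-map ... (and (file-exists? full) full)) ...) modules)` body shows. Suggest `;; Return the existing /lib/xorg/modules sub-directories of each package in MODULES.` Since the `file-exists?` test runs on the build side, a module package providing none of the four directories is silently dropped from the ModulePath; that is probably intended, but a sentence in the docstring would make it explicit. The enclosing `xorg-configuration-file` begins in the previous hunk.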
@@ -221,12 +268,16 @@ in place of @code{/usr/bin/X}." (define* (xorg-start-command #:key (guile (canonical-package guile-2.0)) - (configuration-file (xorg-configuration-file)) (modules %default-xorg-modules) + (fonts %default-xorg-fonts) + (configuration-file + (xorg-configuration-file #:modules modules + #:fonts fonts)) (xorg-server xorg-server)) - "Return a derivation that builds a @code{startx} script in which a number of -X modules are available. See @code{xorg-wrapper} for more details on the -arguments. The result should be used in place of @code{startx}." + "Return a @code{startx} script in which @var{modules}, a list of X module +packages, and @var{fonts}, a list of X font directories, are available. See +@code{xorg-wrapper} for more details on the arguments. The result should be +used in place of @code{startx}." (define X (xorg-wrapper #:guile guile #:configuration-file configuration-file -- cgit v1.2.3 From 94b9abd9429932a7d5c9f855c7333ebb55d5c726 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 28 Nov 2017 11:02:29 +0100 Subject: services: slim: Remove unused 'bash' configuration field. * gnu/services/xorg.scm ()[bash]: Remove. (slim-service): Adjust accordingly. --- gnu/services/xorg.scm | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index c712793875..e7b9d9adc5 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -364,8 +364,6 @@ which should be passed to this script as the first argument. If not, the (default xauth)) (shepherd slim-configuration-shepherd (default shepherd)) - (bash slim-configuration-bash - (default bash)) (auto-login-session slim-configuration-auto-login-session) (startx slim-configuration-startx)) 
@@ -449,7 +447,7 @@ reboot_cmd " shepherd "/sbin/reboot\n" (default-user "") (theme %default-slim-theme) (theme-name %default-slim-theme-name) - (xauth xauth) (shepherd shepherd) (bash bash) + (xauth xauth) (shepherd shepherd) (auto-login-session (file-append windowmaker "/bin/wmaker")) (startx (xorg-start-command))) @@ -484,7 +482,7 @@ theme." (allow-empty-passwords? allow-empty-passwords?) (auto-login? auto-login?) (default-user default-user) (theme theme) (theme-name theme-name) - (xauth xauth) (shepherd shepherd) (bash bash) + (xauth xauth) (shepherd shepherd) (auto-login-session auto-login-session) (startx startx)))) -- cgit v1.2.3 From b37f86d7a31c654e894faf47c233503231b2c6eb Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 28 Nov 2017 11:10:08 +0100 Subject: services: xorg: Document 'slim-configuration' and deprecate 'slim-service'. * gnu/services/xorg.scm (): Provide default values for all fields. (slim-service-type)[default-value]: New field. * doc/guix.texi (X Window): Remove 'slim-service' documentation. Document 'slim-service-type' and 'slim-configuration'. * gnu/services/desktop.scm (%desktop-services): Use 'slim-service-type'. --- doc/guix.texi | 96 ++++++++++++++++++++++++++++++------------------ gnu/services/desktop.scm | 2 +- gnu/services/xorg.scm | 39 +++++++++++++++----- 3 files changed, 91 insertions(+), 46 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 4a32cdff5d..c3b97cea1f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -11001,6 +11001,65 @@ Xorg---is provided by the @code{(gnu services xorg)} module. Note that there is no @code{xorg-service} procedure. Instead, the X server is started by the @dfn{login manager}, currently SLiM. +@defvr {Scheme Variable} slim-service-type +This is the type for the SLiM graphical login manager for X11. + +@cindex session types (X11) +@cindex X11 session types +SLiM looks for @dfn{session types} described by the @file{.desktop} files in +@file{/run/current-system/profile/share/xsessions} and allows users to +choose a session from the log-in screen using @kbd{F1}. Packages such +as @code{xfce}, @code{sawfish}, and @code{ratpoison} provide +@file{.desktop} files; adding them to the system-wide set of packages +automatically makes them available at the log-in screen. + +In addition, @file{~/.xsession} files are honored. When available, +@file{~/.xsession} must be an executable that starts a window manager +and/or other X clients. +@end defvr + +@deftp {Data Type} slim-configuration +Data type representing the configuration of @code{slim-service-type}. + +@table @asis +@item @code{allow-empty-passwords?} (default: @code{#t}) +Whether to allow logins with empty passwords. + +@item @code{auto-login?} (default: @code{#f}) +@itemx @code{default-user} (default: @code{""}) +When @code{auto-login?} is false, SLiM presents a log-in screen. + +When @code{auto-login?} is true, SLiM logs in directly as +@code{default-user}. + +@item @code{theme} (default: @code{%default-slim-theme}) +@itemx @code{theme-name} (default: @code{%default-slim-theme-name}) +The graphical theme to use and its name. + +@item @code{auto-login-session} (default: @code{windowmaker}) +The default session to use when none is specified. + +@item @code{startx} (default: @code{(xorg-start-command)}) +The command used to start the X11 graphical server. + +@item @code{xauth} (default: @code{xauth}) +The XAuth package to use. 
+ +@item @code{shepherd} (default: @code{shepherd}) +The Shepherd package used when invoking @command{halt} and +@command{reboot}. + +@item @code{slim} (default: @code{slim}) +The SLiM package to use. +@end table +@end deftp + +@defvr {Scheme Variable} %default-theme +@defvrx {Scheme Variable} %default-theme-name +The default SLiM theme and its name. +@end defvr + + @deftp {Data Type} sddm-configuration This is the data type representing the sddm service configuration. @@ -11094,6 +11153,7 @@ Relogin after logout. @end deftp @cindex login manager +@cindex X11 login @deffn {Scheme Procedure} sddm-service config Return a service that spawns the SDDM graphical login manager for config of type @code{}. 
@@ -11105,42 +11165,6 @@ type @code{}. @end example @end deffn -@deffn {Scheme Procedure} slim-service [#:allow-empty-passwords? #f] @ - [#:auto-login? #f] [#:default-user ""] [#:startx] @ - [#:theme @var{%default-slim-theme}] @ - [#:theme-name @var{%default-slim-theme-name}] -Return a service that spawns the SLiM graphical login manager, which in -turn starts the X display server with @var{startx}, a command as returned by -@code{xorg-start-command}. - -@cindex X session - -SLiM automatically looks for session types described by the @file{.desktop} -files in @file{/run/current-system/profile/share/xsessions} and allows users -to choose a session from the log-in screen using @kbd{F1}. Packages such as -@var{xfce}, @var{sawfish}, and @var{ratpoison} provide @file{.desktop} files; -adding them to the system-wide set of packages automatically makes them -available at the log-in screen. - -In addition, @file{~/.xsession} files are honored. When available, -@file{~/.xsession} must be an executable that starts a window manager -and/or other X clients. - -When @var{allow-empty-passwords?} is true, allow logins with an empty -password. When @var{auto-login?} is true, log in automatically as -@var{default-user}. - -If @var{theme} is @code{#f}, use the default log-in theme; otherwise -@var{theme} must be a gexp denoting the name of a directory containing the -theme to use. In that case, @var{theme-name} specifies the name of the -theme. -@end deffn - -@defvr {Scheme Variable} %default-theme -@defvrx {Scheme Variable} %default-theme-name -The G-Expression denoting the default SLiM theme and its name. -@end defvr - @deffn {Scheme Procedure} xorg-start-command [#:guile] @ [#:modules %default-xorg-modules] @ [#:fonts %default-xorg-fonts] @ diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index ec33e1d5ec..78530b3454 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm 
@@ -854,7 +854,7 @@ with the administrator's password." (define %desktop-services ;; List of services typically useful for a "desktop" use case. - (cons* (slim-service) + (cons* (service slim-service-type) ;; Screen lockers are a pretty useful thing and these are small. (screen-locker-service slock) diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index e7b9d9adc5..c1955e0b65 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -52,7 +52,20 @@ %default-slim-theme %default-slim-theme-name + slim-configuration + slim-configuration? + slim-configuration-slim + slim-configuration-allow-empty-passwords? + slim-configuration-auto-login? + slim-configuration-default-user + slim-configuration-theme + slim-configuration-theme-name + slim-configuration-xauth + slim-configuration-shepherd + slim-configuration-auto-login-session + slim-configuration-startx + slim-service-type slim-service 
@@ -355,17 +368,24 @@ which should be passed to this script as the first argument. If not, the slim-configuration? (slim slim-configuration-slim (default slim)) - (allow-empty-passwords? slim-configuration-allow-empty-passwords?) - (auto-login? slim-configuration-auto-login?) - (default-user slim-configuration-default-user) - (theme slim-configuration-theme) - (theme-name slim-configuration-theme-name) + (allow-empty-passwords? slim-configuration-allow-empty-passwords? + (default #t)) + (auto-login? slim-configuration-auto-login? + (default #f)) + (default-user slim-configuration-default-user + (default "")) + (theme slim-configuration-theme + (default %default-slim-theme)) + (theme-name slim-configuration-theme-name + (default %default-slim-theme-name)) (xauth slim-configuration-xauth (default xauth)) (shepherd slim-configuration-shepherd (default shepherd)) - (auto-login-session slim-configuration-auto-login-session) - (startx slim-configuration-startx)) + (auto-login-session slim-configuration-auto-login-session + (default (file-append windowmaker "/bin/wmaker"))) + (startx slim-configuration-startx + (default (xorg-start-command)))) (define (slim-pam-service config) "Return a PAM service for @command{slim}." @@ -440,9 +460,10 @@ reboot_cmd " shepherd "/sbin/reboot\n" ;; Unconditionally add xterm to the system profile, to ;; avoid bad surprises. (service-extension profile-service-type - (const (list xterm))))))) + (const (list xterm))))) + (default-value (slim-configuration)))) -(define* (slim-service #:key (slim slim) +(define* (slim-service #:key (slim slim) ;deprecated (allow-empty-passwords? #t) auto-login? (default-user "") (theme %default-slim-theme) -- cgit v1.2.3 From 65c0f43649b455db94f1e8b0a244a889cb961b25 Mon Sep 17 00:00:00 2001 
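Review bot: `(allow-empty-passwords? ... (default #t))` makes password-less logins the out-of-the-box behaviour of `slim-service-type`, which `%desktop-services` now instantiates with a plain `(service slim-service-type)`; the value mirrors the old `(allow-empty-passwords? #t)` keyword default of `slim-service` visible below, but a record default for a login manager deserves a why-comment, e.g. `;; #t for compatibility with the historical 'slim-service' default.` Separately, the defaults here are `%default-slim-theme` and `%default-slim-theme-name`, while the guix.texi hunk in this commit documents them as `%default-theme` and `%default-theme-name`, which are not among the exported names in the -52 hunk; the manual entry should use the exported names. The `slim-configuration` record definition starts before this hunk.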
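Review bot: The deprecation of `slim-service` is recorded only in the trailing `;deprecated` comment on its `define*` line, so nothing reaches users who still call it from their operating-system declaration. Consider stating it in the procedure's docstring as well, e.g. `This procedure is deprecated; use @code{slim-service-type} instead.`, since the docstring is what readers of the module see. The `slim-service` definition continues past the end of the hunk.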
From: Ludovic Courtès Date: Sat, 25 Nov 2017 23:19:31 +0100 Subject: services: xorg: Remove WindowMaker as a default fallback. * gnu/services/xorg.scm (xinitrc)[builder](system-profile) (user-profile): New variables. (xsession-command, find-session): New procedures. When FALLBACK-SESSION is #f, find a valid session at run time. * doc/guix.texi (X Window): Adjust accordingly, and insist that one or more window managers must be installed. --- doc/guix.texi | 24 ++++++++++++++++--- gnu/services/xorg.scm | 65 ++++++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 77 insertions(+), 12 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index c3b97cea1f..05042cb205 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -10996,10 +10996,17 @@ Package object of the Open vSwitch. @cindex X11 @cindex X Window System +@cindex login manager Support for the X Window graphical display system---specifically Xorg---is provided by the @code{(gnu services xorg)} module. Note that there is no @code{xorg-service} procedure. Instead, the X server is -started by the @dfn{login manager}, currently SLiM. +started by the @dfn{login manager}, by default SLiM. + +@cindex window manager +To use X11, you must install at least one @dfn{window manager}---for +example the @code{windowmaker} or @code{openbox} packages---preferably +by adding it to the @code{packages} field of your operating system +definition (@pxref{operating-system Reference, system-wide packages}). @defvr {Scheme Variable} slim-service-type This is the type for the SLiM graphical login manager for X11. 
@@ -11036,8 +11043,19 @@ When @code{auto-login?} is true, SLiM logs in directly as @itemx @code{theme-name} (default: @code{%default-slim-theme-name}) The graphical theme to use and its name. -@item @code{auto-login-session} (default: @code{windowmaker}) -The default session to use when none is specified. +@item @code{auto-login-session} (default: @code{#f}) +If true, this must be the name of the executable to start as the default +session---e.g., @code{(file-append windowmaker "/bin/windowmaker")}. + +If false, a session described by one of the available @file{.desktop} +files in @code{/run/current-system/profile} and @code{~/.guix-profile} +will be used. + +@quotation Note +You must install at least one window manager in the system profile or in +your user profile. Failing to do that, if @code{auto-login-session} is +false, you will be unable to log in. +@end quotation @item @code{startx} (default: @code{(xorg-start-command)}) The command used to start the X11 graphical server. diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index c1955e0b65..0da3397da3 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -309,10 +309,15 @@ used in place of @code{startx}." fallback-session) "Return a system-wide xinitrc script that starts the specified X session, which should be passed to this script as the first argument. If not, the -@var{fallback-session} will be used." +@var{fallback-session} will be used or, if @var{fallback-session} is false, a +desktop session from the system or user profile will be used." (define builder #~(begin - (use-modules (ice-9 match)) + (use-modules (ice-9 match) + (ice-9 regex) + (ice-9 ftw) + (srfi srfi-1) + (srfi srfi-26)) (define (close-all-fdes) ;; Close all the open file descriptors except 0 to 2. 
@@ -336,16 +341,59 @@ which should be passed to this script as the first argument. If not, the (execl shell shell "--login" "-c" (string-join (cons command args))))) + (define system-profile + "/run/current-system/profile") + + (define user-profile + (and=> (getpw (getuid)) + (lambda (pw) + (string-append (passwd:dir pw) "/.guix-profile")))) + + (define (xsession-command desktop-file) + ;; Read from DESKTOP-FILE its X session command and return it as a + ;; list. + (define exec-regexp + (make-regexp "^[[:blank:]]*Exec=(.*)$")) + + (call-with-input-file desktop-file + (lambda (port) + (let loop () + (match (read-line port) + ((? eof-object?) #f) + ((= (cut regexp-exec exec-regexp <>) result) + (if result + (string-tokenize (match:substring result 1)) + (loop)))))))) + + (define (find-session profile) + ;; Return an X session command from PROFILE or #f if none was found. + (let ((directory (string-append profile "/share/xsessions"))) + (match (scandir directory + (cut string-suffix? ".desktop" <>)) + ((or () #f) + #f) + ((sessions ...) + (any xsession-command + (map (cut string-append directory "/" <>) + sessions)))))) + (let* ((home (getenv "HOME")) (xsession-file (string-append home "/.xsession")) (session (match (command-line) - ((_) (list #$fallback-session)) - ((_ x ..1) x)))) + ((_) + #$(if fallback-session + #~(list #$fallback-session) + #f)) + ((_ x ..1) + x)))) (if (file-exists? xsession-file) ;; Run ~/.xsession when it exists. (apply exec-from-login-shell xsession-file session) - ;; Otherwise, start the specified session. - (apply exec-from-login-shell session))))) + ;; Otherwise, start the specified session or a fallback. + (apply exec-from-login-shell + (or session + (find-session user-profile) + (find-session system-profile))))))) (program-file "xinitrc" builder)) 
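Review bot: `user-profile` is `(and=> (getpw (getuid)) ...)`, so it is `#f` when the passwd lookup fails, yet the fallback `(find-session user-profile)` passes it straight to `(string-append profile "/share/xsessions")`, which would raise a wrong-type error instead of falling through to the system profile. Guard the call: `(and user-profile (find-session user-profile))`. Note also that `xsession-command` matches `Exec=` in any section of the `.desktop` file and splits the value with `string-tokenize`, so quoted arguments or field codes in the command would be passed through literally; if that is acceptable for the profiles' session files, a comment saying so would save the next reader the check. The `builder` gexp starts in the previous hunk.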
@@ -383,7 +431,7 @@ which should be passed to this script as the first argument. If not, the (shepherd slim-configuration-shepherd (default shepherd)) (auto-login-session slim-configuration-auto-login-session - (default (file-append windowmaker "/bin/wmaker"))) + (default #f)) (startx slim-configuration-startx (default (xorg-start-command)))) @@ -469,8 +517,7 @@ reboot_cmd " shepherd "/sbin/reboot\n" (theme %default-slim-theme) (theme-name %default-slim-theme-name) (xauth xauth) (shepherd shepherd) - (auto-login-session (file-append windowmaker - "/bin/wmaker")) + (auto-login-session #f) (startx (xorg-start-command))) "Return a service that spawns the SLiM graphical login manager, which in turn starts the X display server with @var{startx}, a command as returned by -- cgit v1.2.3 From 1115f140179b8fafb5a0f7c91a22dfdb7d6b21cc Mon Sep 17 00:00:00 2001 From: Andy Wingo Date: Thu, 27 Apr 2017 14:09:16 +0200 Subject: services: Add certbot service. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/services/certbot.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add new file. * doc/guix.texi (Certificate Services): New section. Signed-off-by: Ludovic Courtès --- doc/guix.texi | 84 ++++++++++++++++++++++++++++++- gnu/local.mk | 1 + gnu/services/certbot.scm | 128 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 212 insertions(+), 1 deletion(-) create mode 100644 gnu/services/certbot.scm (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 05042cb205..704a726dbc 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -41,7 +41,8 @@ Copyright @copyright{} 2017 Marius Bakke@* Copyright @copyright{} 2017 Hartmut Goebel@* Copyright @copyright{} 2017 Maxim Cournoyer@* Copyright @copyright{} 2017 Tobias Geerinckx-Rice@* -Copyright @copyright{} 2017 George Clemmer +Copyright @copyright{} 2017 George Clemmer@* +Copyright @copyright{} 2017 Andy Wingo Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -235,6 +236,7 @@ Services * Monitoring Services:: Monitoring services. * Kerberos Services:: Kerberos services. * Web Services:: Web servers. +* Certificate Services:: TLS certificates via Let's Encrypt. * DNS Services:: DNS daemons. * VPN Services:: VPN daemons. * Network File System:: NFS related services. @@ -9393,6 +9395,7 @@ declaration. * Monitoring Services:: Monitoring services. * Kerberos Services:: Kerberos services. * Web Services:: Web servers. +* Certificate Services:: TLS certificates via Let's Encrypt. * DNS Services:: DNS daemons. * VPN Services:: VPN daemons. * Network File System:: NFS related services. 
@@ -15090,6 +15093,84 @@ capability also has to be configured on the front-end as well. @end table @end deftp +@node Certificate Services +@subsubsection Certificate Services + +@cindex Web +@cindex HTTP, HTTPS +@cindex Let's Encrypt +@cindex TLS certificates +The @code{(gnu services certbot)} module provides a service to +automatically obtain a valid TLS certificate from the Let's Encrypt +certificate authority. These certificates can then be used to serve +content securely over HTTPS or other TLS-based protocols, with the +knowledge that the client will be able to verify the server's +authenticity. + +@url{https://letsencrypt.org/, Let's Encrypt} provides the +@code{certbot} tool to automate the certification process. This tool +first securely generates a key on the server. It then makes a request +to the Let's Encrypt certificate authority (CA) to sign the key. The CA +checks that the request originates from the host in question by using a +challenge-response protocol, requiring the server to provide its +response over HTTP. If that protocol completes successfully, the CA +signs the key, resulting in a certificate. That certificate is valid +for a limited period of time, and therefore to continue to provide TLS +services, the server needs to periodically ask the CA to renew its +signature. + +The certbot service automates this process: the initial key +generation, the initial certification request to the Let's Encrypt +service, the web server challenge/response integration, writing the +certificate to disk, and the automated periodic renewals. + +@defvr {Scheme Variable} certbot-service-type +A service type for the @code{certbot} Let's Encrypt client. +@end defvr + +@deftp {Data Type} certbot-configuration +Data type representing the configuration of the @code{certbot} serice. +This type has the following parameters: + +@table @asis +@item @code{package} (default: @code{certbot}) +The certbot package to use. 
+ +@item @code{webroot} (default: @code{/var/www}) +The directory from which to serve the Let's Encrypt challenge/response +files. + +@item @code{hosts} (default: @code{()}) +A list of hosts for which to generate certificates and request +signatures. + +@item @code{default-location} (default: @i{see below}) +The default @code{nginx-location-configuration}. Because @code{certbot} +needs to be able to serve challenges and responses, it needs to be able +to run a web server. It does so by extending the @code{nginx} web +service with an @code{nginx-server-configuration} listening on the +@var{hosts} on port 80, and which has a +@code{nginx-location-configuration} for the @code{/.well-known/} URI +path subspace used by Let's Encrypt. @xref{Web Services}, for more on +these nginx configuration data types. + +Requests to other URL paths will be matched by the +@code{default-location}, which if present is added to all +@code{nginx-server-configuration}s. + +By default, the @code{default-location} will issue a redirect from +@code{http://@var{host}/...} to @code{https://@var{host}/...}, leaving +you to define what to serve on your site via @code{https}. + +Pass @code{#f} to not issue a default location. +@end table +@end deftp + +The public key and its signatures will be written to +@code{/etc/letsencrypt/live/@var{host}/fullchain.pem}, for each +@var{host} in the configuration. The private key is written to +@code{/etc/letsencrypt/live/@var{host}/privkey.pem}. + @node DNS Services @subsubsection DNS Services @@ -15494,6 +15575,7 @@ The list of knot-zone-configuration used by this configuration. @end table @end deftp + @node VPN Services @subsubsection VPN Services @cindex VPN (virtual private network) diff --git a/gnu/local.mk b/gnu/local.mk index f94bdaa3df..b361f1a4bc 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -444,6 +444,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/audio.scm \ %D%/services/avahi.scm \ %D%/services/base.scm \ + %D%/services/certbot.scm \ %D%/services/configuration.scm \ %D%/services/cuirass.scm \ %D%/services/cups.scm \ diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm new file mode 100644 index 0000000000..c11c9a66bd --- /dev/null +++ b/gnu/services/certbot.scm 
@@ -0,0 +1,128 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2016 ng0 +;;; Copyright © 2016 Sou Bunnbu +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services certbot) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services shepherd) + #:use-module (gnu services mcron) + #:use-module (gnu services web) + #:use-module (gnu system shadow) + #:use-module (gnu packages tls) + #:use-module (guix records) + #:use-module (guix gexp) + #:use-module (srfi srfi-1) + #:use-module (ice-9 match) + #:export (certbot-service-type + certbot-configuration + certbot-configuration?)) + +;;; Commentary: +;;; +;;; Automatically obtaining TLS certificates from Let's Encrypt. +;;; +;;; Code: + + +(define-record-type* + certbot-configuration make-certbot-configuration + certbot-configuration? 
+ (package certbot-configuration-package + (default certbot)) + (webroot certbot-configuration-webroot + (default "/var/www")) + (hosts certbot-configuration-hosts + (default '())) + (default-location certbot-configuration-default-location + (default + (nginx-location-configuration + (uri "/") + (body + (list "return 301 https://$host$request_uri;")))))) + +(define certbot-renewal-jobs + (match-lambda + (($ package webroot hosts default-location) + (match hosts + ;; Avoid pinging certbot if we have no hosts. + (() '()) + (_ + (list + ;; Attempt to renew the certificates twice a week. + #~(job (lambda (now) + (next-day-from (next-hour-from now '(3)) + '(2 5))) + (string-append #$package "/bin/certbot renew" + (string-concatenate + (map (lambda (host) + (string-append " -d " host)) + #$hosts)))))))))) + +(define certbot-activation + (match-lambda + (($ package webroot hosts default-location) + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p #$webroot) + (for-each + (lambda (host) + (unless (file-exists? (in-vicinity "/etc/letsencrypt/live" host)) + (unless (zero? 
(system* + (string-append #$certbot "/bin/certbot") + "certonly" "--webroot" "-w" #$webroot + "-d" host)) + (error "failed to acquire cert for host" host)))) + '#$hosts)))))) + +(define certbot-nginx-server-configurations + (match-lambda + (($ package webroot hosts default-location) + (map + (lambda (host) + (nginx-server-configuration + (http-port 80) + (https-port #f) + (ssl-certificate #f) + (ssl-certificate-key #f) + (server-name (list host)) + (locations + (filter identity + (list + (nginx-location-configuration + (uri "/.well-known") + (body (list (list "root " webroot ";")))) + default-location))))) + hosts)))) + +(define certbot-service-type + (service-type (name 'certbot) + (extensions + (list (service-extension nginx-service-type + certbot-nginx-server-configurations) + (service-extension activation-service-type + certbot-activation) + (service-extension mcron-service-type + certbot-renewal-jobs))) + (compose concatenate) + (extend (lambda (config additional-hosts) + (certbot-configuration + (inherit config) + (hosts (append (certbot-configuration-hosts config) + additional-hosts))))))) -- cgit v1.2.3 From 410349347a7f38b7052d7574a629dd2660d018e0 Mon Sep 17 00:00:00 2001 From: Andy Wingo Date: Thu, 27 Apr 2017 15:02:19 +0200 Subject: services: Add Git HTTP(S) service support. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * doc/guix.texi (Version Control Services): Add documentation on the HTTP backend for git. * gnu/services/version-control.scm (): New data type. (git-http-nginx-location-configuration): New helper function. Signed-off-by: Ludovic Courtès --- doc/guix.texi | 81 +++++++++++++++++++++++++++++++++++++++- gnu/services/version-control.scm | 52 +++++++++++++++++++++++++- 2 files changed, 131 insertions(+), 2 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index f90bb3dfbe..777ca2738b 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
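Review bot: `certbot-activation` calls `(string-append #$certbot "/bin/certbot")`, naming the `certbot` package variable directly instead of the `package` field it just destructured, so a user-supplied `package` is honoured by the renewal job but ignored at activation; it should read `(string-append #$package "/bin/certbot")`. The activation also raises `(error "failed to acquire cert for host" host)` on any `certonly` failure, which as far as I can tell aborts system activation whenever the challenge cannot be served yet (first boot before nginx is up, or DNS for a host not pointing here), so a warning plus deferral to the cron job would be safer. The renewal job appends ` -d host` flags to `certbot renew`, which I believe current certbot rejects (renew operates on everything it already manages), and nothing reloads nginx after a successful renewal, so the running server would keep the old certificate in memory. Lastly, the copyright header names 2016 ng0 and Sou Bunnbu, which looks copied from another service file rather than this commit's author.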
@@ -17436,7 +17436,11 @@ Defaults to @samp{3} @subsubsection Version Control Services The @code{(gnu services version-control)} module provides a service to -allow remote access to local Git repositories. +allow remote access to local Git repositories. There are two options: +the @code{git-daemon-service}, which provides access to repositories via +the @code{git://} unsecured TCP-based protocol, or extending the +@code{nginx} web server to proxy some requests to +@code{git-http-backend}. @deffn {Scheme Procedure} git-daemon-service [#:config (git-daemon-configuration)] 
@@ -17493,6 +17497,81 @@ Extra options will be passed to @code{git daemon}, please run @end table @end deftp +The @code{git://} protocol lacks authentication. When you pull from a +repository fetched via @code{git://}, you don't know that the data you +receive was modified is really coming from the specified host, and you +have your connection is subject to eavesdropping. It's better to use an +authenticated and encrypted transport, such as @code{https}. Although Git allows you +to serve repositories using unsophisticated file-based web servers, +there is a faster protocol implemented by the @code{git-http-backend} +program. This program is the back-end of a proper Git web service. It +is designed to sit behind a FastCGI proxy. @xref{Web Services}, for more +on running the necessary @code{fcgiwrap} daemon. + +Guix has a separate configuration data type for serving Git repositories +over HTTP. + +@deftp {Data Type} git-http-configuration +Data type representing the configuration for @code{git-http-service}. + +@table @asis +@item @code{package} (default: @var{git}) +Package object of the Git distributed version control system. + +@item @code{git-root} (default: @file{/srv/git}) +Directory containing the Git repositories to expose to the world. + +@item @code{export-all?} (default: @var{#f}) +Whether to expose access for all Git repositories in @var{git-root}, +even if they do not have the @file{git-daemon-export-ok} file. + +@item @code{uri-path} (default: @file{/git/}) +Path prefix for Git access. With the default @code{/git/} prefix, this +will map @code{http://@var{server}/git/@var{repo}.git} to +@code{/srv/git/@var{repo}.git}. Requests whose URI paths do not begin +with this prefix are not passed on to this Git instance. + +@item @code{fcgiwrap-socket} (default: @code{127.0.0.1:9000}) +The socket on which the @code{fcgiwrap} daemon is listening. @xref{Web +Services}. 
+@end table +@end deftp + +There is no @code{git-http-service-type}, currently; instead you can +create an @code{nginx-location-configuration} from a +@code{git-http-configuration} and then add that location to a web +server. + +@deffn {Scheme Procedure} git-http-nginx-location-configuration @ + [config=(git-http-configuration)] +Compute an @code{nginx-location-configuration} that corresponds to the +given Git http configuration. An example nginx service definition to +serve the default @file{/srv/git} over HTTPS might be: + +@example +(service nginx-service-type + (nginx-configuration + (server-blocks + (list + (nginx-server-configuration + (http-port #f) + (server-name "git.my-host.org") + (ssl-certificate + "/etc/letsencrypt/live/git.my-host.org/fullchain.pem") + (ssl-certificate-key + "/etc/letsencrypt/live/git.my-host.org/privkey.pem") + (locations + (list + (git-http-nginx-location-configuration + (git-http-configuration (uri-path "/")))))))))) +@end example + +This example assumes that you are using Let's Encrypt to get your TLS +certificate. @xref{Certificate Services}. The default @code{certbot} +service will redirect all HTTP traffic on @code{git.my-host.org} to +HTTPS. You will also need to add an @code{fcgiwrap} proxy to your +system services. @xref{Web Services}. +@end deffn @node Miscellaneous Services @subsubsection Miscellaneous Services diff --git a/gnu/services/version-control.scm b/gnu/services/version-control.scm index e39f4411fd..388038e7bc 100644 --- a/gnu/services/version-control.scm +++ b/gnu/services/version-control.scm @@ -55,7 +55,11 @@ %cgit-configuration-nginx cgit-configuration-nginx-config - cgit-service-type)) + cgit-service-type + + git-http-configuration + git-http-configuration? + git-http-nginx-location-configuration)) ;;; Commentary: ;;; 
@@ -256,3 +260,49 @@ access to exported repositories under @file{/srv/git}." (service-extension nginx-service-type cgit-configuration-nginx-config))) (default-value (cgit-configuration)))) + + +;;; +;;; HTTP access. Add the result of calling +;;; git-http-nginx-location-configuration to an nginx-server-configuration's +;;; "locations" field. +;;; + +(define-record-type* + git-http-configuration + make-git-http-configuration + git-http-configuration? + (package git-http-configuration-package ;package + (default git)) + (git-root git-http-configuration-git-root ;string + (default "/srv/git")) + (export-all? git-http-configuration-export-all? ;boolean + (default #f)) + (uri-path git-http-configuration-uri-path ;string + (default "/git/")) + (fcgiwrap-socket git-http-configuration-fcgiwrap-socket ;string + (default "127.0.0.1:9000"))) + +(define* (git-http-nginx-location-configuration #:optional + (config + (git-http-configuration))) + (match config + (($ package git-root export-all? + uri-path fcgiwrap-socket) + (nginx-location-configuration + (uri (string-append "~ /" (string-trim-both uri-path #\/) "(/.*)")) + (body + (list + (list "fastcgi_pass " fcgiwrap-socket ";") + (list "fastcgi_param SCRIPT_FILENAME " + package "/libexec/git-core/git-http-backend" + ";") + "fastcgi_param QUERY_STRING $query_string;" + "fastcgi_param REQUEST_METHOD $request_method;" + "fastcgi_param CONTENT_TYPE $content_type;" + "fastcgi_param CONTENT_LENGTH $content_length;" + (if export-all? + "fastcgi_param GIT_HTTP_EXPORT_ALL \"\";" + "") + (list "fastcgi_param GIT_PROJECT_ROOT " git-root ";") + "fastcgi_param PATH_INFO $1;")))))) -- cgit v1.2.3 From a222b734b38f93b014b21e4d538002a5fec71b8a Mon Sep 17 00:00:00 2001 
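Review bot: The location regex built in `git-http-nginx-location-configuration`, `"~ /" … "(/.*)"`, is not anchored, so with the default `uri-path` nginx's `location ~ /git(/.*)` also matches requests such as `/static/git/x` and hands them, with `$1` as `PATH_INFO`, to `git-http-backend`; anchoring it, `(uri (string-append "~ ^/" (string-trim-both uri-path #\/) "(/.*)$"))`, limits the backend to the intended prefix. With `(uri-path "/")`, the value used by the documentation example in this same commit, `string-trim-both` yields the empty string and the pattern becomes `~ /(/.*)`, which as far as I can read it only matches URIs containing a double slash, so the empty-prefix case needs its own branch and the example should be checked against a real request. A short comment above the `uri` field noting that the `$1` capture is what `PATH_INFO` receives would also help.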
From: Ludovic Courtès Date: Tue, 28 Nov 2017 23:24:17 +0100 Subject: services: cgit, git-daemon: Add description and default value. * gnu/services/version-control.scm (git-daemon-service-type) [description, default-value]: New fields. (cgit-service-type)[default-value]: New field. * po/packages/POTFILES.in: Add version-control.scm. --- gnu/services/version-control.scm | 11 +++++++++-- po/packages/POTFILES.in | 1 + 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/version-control.scm b/gnu/services/version-control.scm index 388038e7bc..fce2ce1c25 100644 --- a/gnu/services/version-control.scm +++ b/gnu/services/version-control.scm @@ -156,7 +156,11 @@ (service-extension account-service-type (const %git-daemon-accounts)) (service-extension activation-service-type - git-daemon-activation))))) + git-daemon-activation))) + (description + "Expose Git respositories over the insecure @code{git://} TCP-based +protocol.") + (default-value (git-daemon-configuration)))) (define* (git-daemon-service #:key (config (git-daemon-configuration))) "Return a service that runs @command{git daemon}, a simple TCP server to @@ -259,7 +263,10 @@ access to exported repositories under @file{/srv/git}." cgit-activation) (service-extension nginx-service-type cgit-configuration-nginx-config))) - (default-value (cgit-configuration)))) + (default-value (cgit-configuration)) + (description + "Run the Cgit web interface, which allows users to browse Git +repositories."))) ;;; diff --git a/po/packages/POTFILES.in b/po/packages/POTFILES.in index cfc542f50e..83a13c1dab 100644 --- a/po/packages/POTFILES.in +++ b/po/packages/POTFILES.in @@ -59,3 +59,4 @@ gnu/packages/wordnet.scm gnu/packages/xiph.scm gnu/services/base.scm gnu/services/networking.scm +gnu/services/version-control.scm -- cgit v1.2.3 From 3af03e5967cf49ed1a4382dad7d75daa95ec5217 Mon Sep 17 00:00:00 2001 
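Review bot: The new `description` string in the `git-daemon-service-type` hunk has a typo in user-facing text, "respositories"; it should read `"Expose Git repositories over the insecure @code{git://} TCP-based protocol."`. Since the same commit adds this file to POTFILES.in, the typo would otherwise propagate into the translation templates.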
From: Ludovic Courtès Date: Tue, 28 Nov 2017 23:31:48 +0100 Subject: services: certbot: Add default value and description. * gnu/services/certbot.scm (certbot-service-type) [default-value, description]: New fields. * po/packages/POTFILES.in: Add it. --- gnu/services/certbot.scm | 7 ++++++- po/packages/POTFILES.in | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index c11c9a66bd..dc072ea8da 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -125,4 +125,9 @@ (certbot-configuration (inherit config) (hosts (append (certbot-configuration-hosts config) - additional-hosts))))))) + additional-hosts))))) + (default-value (certbot-configuration)) + (description + "Automatically renew @url{https://letsencrypt.org, Let's +Encrypt} HTTPS certificates by adjusting the nginx web server configuration +and periodically invoking @command{certbot}."))) diff --git a/po/packages/POTFILES.in b/po/packages/POTFILES.in index 83a13c1dab..9a178edfa6 100644 --- a/po/packages/POTFILES.in +++ b/po/packages/POTFILES.in @@ -58,5 +58,6 @@ gnu/packages/web.scm gnu/packages/wordnet.scm gnu/packages/xiph.scm gnu/services/base.scm +gnu/services/certbot.scm gnu/services/networking.scm gnu/services/version-control.scm -- cgit v1.2.3 From 4afc903a8c1b9cb19c0341b5cd2ea80a34974f25 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 1 Dec 2017 15:25:15 +0100 Subject: services: xorg: Add 'font-misc-misc' to the default font set. Fixes . Reported by John Darrington . * gnu/services/xorg.scm (%default-xorg-fonts): Add FONT-MISC-MISC. --- gnu/services/xorg.scm | 2 ++ 1 file changed, 2 insertions(+) (limited to 'gnu/services') diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 0da3397da3..8f285b29a3 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm 
@@ -113,6 +113,8 @@ (file-append font-alias "/share/fonts/X11/100dpi") (file-append font-alias "/share/fonts/X11/misc") (file-append font-alias "/share/fonts/X11/cyrillic") + (file-append font-misc-misc ;default fonts for xterm + "/share/fonts/X11/misc") (file-append font-adobe75dpi "/share/fonts/X11/75dpi"))) (define* (xorg-configuration-file #:key -- cgit v1.2.3 From 617e87bff13c38d01d9d16ac9f96b0078e2813fe Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Mon, 4 Dec 2017 09:59:11 +0100 Subject: services: xorg: Properly handle the case where ~/.xession is used. Fixes a regression introduced in 65c0f43649b455db94f1e8b0a244a889cb961b25 in the case where users provide ~/.xsession and SESSION is #f. * gnu/services/xorg.scm (xinitrc): In the XSESSION-FILE case, check whether SESSION is #f. --- gnu/services/xorg.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 8f285b29a3..cef0d60b59 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -390,7 +390,8 @@ desktop session from the system or user profile will be used." x)))) (if (file-exists? xsession-file) ;; Run ~/.xsession when it exists. - (apply exec-from-login-shell xsession-file session) + (apply exec-from-login-shell xsession-file + (or session '())) ;; Otherwise, start the specified session or a fallback. (apply exec-from-login-shell (or session -- cgit v1.2.3 From be5622e7f1b2f4e4567214b209bfd153dfd59013 Mon Sep 17 00:00:00 2001 
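Review bot: In the `xinitrc` hunk, `(apply exec-from-login-shell xsession-file (or session '()))` fixes the regression but does not say why the `(or … '())` is needed; a one-line comment such as `;; SESSION is #f when no session was requested; pass no extra arguments.` would save the next reader from re-deriving it from the commit message. The `else` branch's `(apply exec-from-login-shell (or session` call continues outside the hunk, so I cannot confirm it handles the same `#f` case.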
From: Ludovic Courtès Date: Mon, 4 Dec 2017 17:57:37 +0100 Subject: maint: Add 'berlin.guixsd.org.pub'. * bayfront.guixsd.org.pub: Rename to... * berlin.guixsd.org.pub: ... this. * Makefile.am (dist_pkgdata_DATA): Adjust accordingly. * gnu/services/base.scm (%default-authorized-guix-keys): Likewise. --- Makefile.am | 2 +- bayfront.guixsd.org.pub | 6 ------ berlin.guixsd.org.pub | 6 ++++++ gnu/services/base.scm | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) delete mode 100644 bayfront.guixsd.org.pub create mode 100644 berlin.guixsd.org.pub (limited to 'gnu/services') diff --git a/Makefile.am b/Makefile.am index 7cc46d4ac2..ddbf7a7984 100644 --- a/Makefile.am +++ b/Makefile.am @@ -416,7 +416,7 @@ check-system: $(GOBJECTS) $(BOOTSTRAP_GUILE_TARBALLS) # Public key used to sign substitutes from hydra.gnu.org & co. dist_pkgdata_DATA = \ hydra.gnu.org.pub \ - bayfront.guixsd.org.pub + berlin.guixsd.org.pub # Bash completion file. dist_bashcompletion_DATA = etc/completion/bash/guix diff --git a/bayfront.guixsd.org.pub b/bayfront.guixsd.org.pub deleted file mode 100644 index f156a37b08..0000000000 --- a/bayfront.guixsd.org.pub +++ /dev/null @@ -1,6 +0,0 @@ -(public-key - (ecc - (curve Ed25519) - (q #8D156F295D24B0D9A86FA5741A840FF2D24F60F7B6C4134814AD55625971B394#) - ) - ) diff --git a/berlin.guixsd.org.pub b/berlin.guixsd.org.pub new file mode 100644 index 0000000000..f156a37b08 --- /dev/null +++ b/berlin.guixsd.org.pub @@ -0,0 +1,6 @@ +(public-key + (ecc + (curve Ed25519) + (q #8D156F295D24B0D9A86FA5741A840FF2D24F60F7B6C4134814AD55625971B394#) + ) + ) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 06b2a7d2d8..11f55c588c 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1345,7 +1345,7 @@ failed to register hydra.gnu.org public key: ~a~%" status)))))))) (define %default-authorized-guix-keys ;; List of authorized substitute keys. (list (file-append guix "/share/guix/hydra.gnu.org.pub") - (file-append guix "/share/guix/bayfront.guixsd.org.pub"))) + (file-append guix "/share/guix/berlin.guixsd.org.pub"))) (define-record-type* guix-configuration make-guix-configuration -- cgit v1.2.3