diff options
| author | Marius Bakke <marius@gnu.org> | 2022-07-22 01:09:14 +0200 |
|---|---|---|
| committer | Marius Bakke <marius@gnu.org> | 2022-07-22 01:09:14 +0200 |
| commit | 9044b086ddca64a62966a83cbf1b82d32dece89e (patch) | |
| tree | 2c7f910c9100b2f2a752d07fe0ec44be83fb7600 /gnu/services | |
| parent | 5dfc6ab1ab292b87ceea144aa661d0e64c834031 (diff) | |
| parent | abea091dbef2d44e6eb46bd2413bdf917e14d095 (diff) | |
| download | guix-9044b086ddca64a62966a83cbf1b82d32dece89e.tar.gz | |
Merge branch 'staging' into core-updates
Diffstat (limited to 'gnu/services')
| -rw-r--r-- | gnu/services/base.scm | 59 | ||||
| -rw-r--r-- | gnu/services/docker.scm | 5 | ||||
| -rw-r--r-- | gnu/services/guix.scm | 14 | ||||
| -rw-r--r-- | gnu/services/networking.scm | 47 | ||||
| -rw-r--r-- | gnu/services/ssh.scm | 20 | ||||
| -rw-r--r-- | gnu/services/web.scm | 124 |
6 files changed, 217 insertions, 52 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index d58afb27e3..27eae75c46 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -300,27 +300,36 @@ system objects."))) ;; Return #f if successfully stopped. (sync) - (call-with-blocked-asyncs - (lambda () - (let ((null (%make-void-port "w"))) - ;; Close 'shepherd.log'. - (display "closing log\n") - ((@ (shepherd comm) stop-logging)) - - ;; Redirect the default output ports.. - (set-current-output-port null) - (set-current-error-port null) - - ;; Close /dev/console. - (for-each close-fdes '(0 1 2)) - - ;; At this point, there are no open files left, so the - ;; root file system can be re-mounted read-only. - (mount #f "/" #f - (logior MS_REMOUNT MS_RDONLY) - #:update-mtab? #f) - - #f))))) + (let ((null (%make-void-port "w"))) + ;; Close 'shepherd.log'. + (display "closing log\n") + ((@ (shepherd comm) stop-logging)) + + ;; Redirect the default output ports.. + (set-current-output-port null) + (set-current-error-port null) + + ;; Close /dev/console. + (for-each close-fdes '(0 1 2)) + + ;; At this point, there should be no open files left so the + ;; root file system can be re-mounted read-only. + (let loop ((n 10)) + (unless (catch 'system-error + (lambda () + (mount #f "/" #f + (logior MS_REMOUNT MS_RDONLY) + #:update-mtab? #f) + #t) + (const #f)) + (unless (zero? n) + ;; Yield to the other fibers. That gives logging fibers + ;; an opportunity to close log files so the 'mount' call + ;; doesn't fail with EBUSY. + ((@ (fibers) sleep) 1) + (loop (- n 1))))) + + #f))) (respawn? #f))) (define root-file-system-service-type @@ -2912,8 +2921,12 @@ to handle." (define %greetd-accounts (list (user-account (name "greeter") - (group "wheel") - (supplementary-groups '("users" "tty" "input" "video" "audio")) + (group "greeter") + ;; video group is required for graphical greeters. + (supplementary-groups '("video")) + (system? #t)) + (user-group + (name "greeter") (system? #t)))) (define %greetd-file-systems diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index 846ebe8334..741bab5a8c 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -98,6 +98,8 @@ loop-back communications.") ;; For finding containerd-shim binary. #:environment-variables (list (string-append "PATH=" #$containerd "/bin")) + #:pid-file "/run/containerd/containerd.pid" + #:pid-file-timeout 300 #:log-file "/var/log/containerd.log")) (stop #~(make-kill-destructor))))) @@ -135,7 +137,8 @@ loop-back communications.") '("--userland-proxy=false")) (if #$enable-iptables? "--iptables" - "--iptables=false")) + "--iptables=false") + "--containerd" "/run/containerd/containerd.sock") #:environment-variables (list #$@environment-variables) #:pid-file "/var/run/docker.pid" diff --git a/gnu/services/guix.scm b/gnu/services/guix.scm index ad7b020b69..dac1e5841a 100644 --- a/gnu/services/guix.scm +++ b/gnu/services/guix.scm @@ -46,6 +46,7 @@ guix-build-coordinator-configuration-client-communication-uri-string guix-build-coordinator-configuration-allocation-strategy guix-build-coordinator-configuration-hooks + guix-build-coordinator-configuration-parallel-hooks guix-build-coordinator-configuration-guile guix-build-coordinator-service-type @@ -155,6 +156,8 @@ (default #~basic-build-allocation-strategy)) (hooks guix-build-coordinator-configuration-hooks (default '())) + (parallel-hooks guix-build-coordinator-configuration-parallel-hooks + (default '())) (guile guix-build-coordinator-configuration-guile (default guile-3.0-latest))) @@ -246,6 +249,7 @@ agent-communication-uri-string client-communication-uri-string (hooks '()) + (parallel-hooks '()) (guile guile-3.0)) (program-file "start-guix-build-coordinator" @@ -304,7 +308,11 @@ #:agent-communication-uri (string->uri #$agent-communication-uri-string) #:client-communication-uri (string->uri - #$client-communication-uri-string))))) + #$client-communication-uri-string) + #:parallel-hooks (list #$@(map (match-lambda + ((name . val) + #~(cons '#$name #$val))) + parallel-hooks)))))) #:guile guile)) (define (guix-build-coordinator-shepherd-services config) @@ -314,6 +322,7 @@ client-communication-uri-string allocation-strategy hooks + parallel-hooks guile) (list (shepherd-service @@ -331,6 +340,7 @@ #:client-communication-uri-string client-communication-uri-string #:hooks hooks + #:parallel-hooks parallel-hooks #:guile guile)) #:user #$user #:group #$group @@ -642,8 +652,6 @@ ca-certificates.crt file in the system profile." #:user #$user #:group #$group #:pid-file "/var/run/guix-data-service/pid" - ;; Allow time for migrations to run - #:pid-file-timeout 120 #:environment-variables `(,(string-append "GUIX_LOCPATH=" #$glibc-utf8-locales "/lib/locale") diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index a9560db66b..b555c46040 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -918,9 +918,7 @@ applications in communication. It is used by Jami, for example."))) (lambda (port) (display "\ ### These lines were generated from your system configuration: -User tor DataDirectory /var/lib/tor -PidFile /var/run/tor/tor.pid Log notice syslog\n" port) (when (eq? 'unix '#$socks-socket-type) (display "\ @@ -960,7 +958,25 @@ HiddenServicePort ~a ~a~%" "Return a <shepherd-service> running Tor." (match config (($ <tor-configuration> tor) - (let ((torrc (tor-configuration->torrc config))) + (let* ((torrc (tor-configuration->torrc config)) + (tor (least-authority-wrapper + (file-append tor "/bin/tor") + #:name "tor" + #:mappings (list (file-system-mapping + (source "/var/lib/tor") + (target source) + (writable? #t)) + (file-system-mapping + (source "/dev/log") ;for syslog + (target source)) + (file-system-mapping + (source "/var/run/tor") + (target source) + (writable? #t)) + (file-system-mapping + (source torrc) + (target source))) + #:namespaces (delq 'net %namespaces)))) (with-imported-modules (source-module-closure '((gnu build shepherd) (gnu system file-systems))) @@ -974,22 +990,15 @@ HiddenServicePort ~a ~a~%" (modules '((gnu build shepherd) (gnu system file-systems))) - (start #~(make-forkexec-constructor/container - (list #$(file-append tor "/bin/tor") "-f" #$torrc) - - #:log-file "/var/log/tor.log" - #:mappings (list (file-system-mapping - (source "/var/lib/tor") - (target source) - (writable? #t)) - (file-system-mapping - (source "/dev/log") ;for syslog - (target source)) - (file-system-mapping - (source "/var/run/tor") - (target source) - (writable? #t))) - #:pid-file "/var/run/tor/tor.pid")) + ;; XXX: #:pid-file won't work because the wrapped 'tor' + ;; program would print its PID within the user namespace + ;; instead of its actual PID outside. There's no inetd or + ;; systemd socket activation support either (there's + ;; 'sd_notify' though), so we're stuck with that. + (start #~(make-forkexec-constructor + (list #$tor "-f" #$torrc) + #:user "tor" #:group "tor" + #:log-file "/var/log/tor.log")) (stop #~(make-kill-destructor)) (documentation "Run the Tor anonymous network overlay.")))))))) diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 57d3ad218c..72e7183590 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -536,6 +536,15 @@ of user-name/file-like tuples." #~(and (defined? 'make-inetd-constructor) (not (string=? (@ (shepherd config) Version) "0.9.0")))) + (define ipv6-support? + ;; Expression that returns true if IPv6 support is available. + #~(catch 'system-error + (lambda () + (let ((sock (socket AF_INET6 SOCK_STREAM 0))) + (close-port sock) + #t)) + (const #f))) + (list (shepherd-service (documentation "OpenSSH server.") (requirement '(syslogd loopback)) @@ -544,12 +553,15 @@ of user-name/file-like tuples." (start #~(if #$inetd-style? (make-inetd-constructor (append #$openssh-command '("-i")) - (list (endpoint + (cons (endpoint (make-socket-address AF_INET INADDR_ANY #$port-number)) - (endpoint - (make-socket-address AF_INET6 IN6ADDR_ANY - #$port-number))) + (if #$ipv6-support? + (list + (endpoint + (make-socket-address AF_INET6 IN6ADDR_ANY + #$port-number))) + '())) #:max-connections #$max-connections) (make-forkexec-constructor #$openssh-command #:pid-file #$pid-file))) diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 4f06d4e0bb..f0c7e90cbf 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -9,7 +9,7 @@ ;;; Copyright © 2018 Pierre-Antoine Rouby <pierre-antoine.rouby@inria.fr> ;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2019, 2020 Florian Pelz <pelzflorian@pelzflorian.de> -;;; Copyright © 2020 Ricardo Wurmus <rekado@elephly.net> +;;; Copyright © 2020, 2022 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2020 Arun Isaac <arunisaac@systemreboot.net> ;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com> @@ -120,6 +120,7 @@ nginx-upstream-configuration? nginx-upstream-configuration-name nginx-upstream-configuration-servers + nginx-upstream-configuration-extra-content nginx-location-configuration nginx-location-configuration? @@ -204,6 +205,21 @@ tailon-service-type + anonip-configuration + anonip-configuration? + anonip-configuration-anonip + anonip-configuration-input + anonip-configuration-output + anonip-configuration-skip-private? + anonip-configuration-column + anonip-configuration-replacement + anonip-configuration-ipv4mask + anonip-configuration-ipv6mask + anonip-configuration-increment + anonip-configuration-delimiter + anonip-configuration-regex + anonip-service-type + varnish-configuration varnish-configuration? varnish-configuration-package @@ -517,7 +533,9 @@ nginx-upstream-configuration make-nginx-upstream-configuration nginx-upstream-configuration? (name nginx-upstream-configuration-name) - (servers nginx-upstream-configuration-servers)) + (servers nginx-upstream-configuration-servers) + (extra-content nginx-upstream-configuration-extra-content + (default '()))) (define-record-type* <nginx-location-configuration> nginx-location-configuration make-nginx-location-configuration @@ -643,6 +661,15 @@ of index files." (map (lambda (server) (simple-format #f " server ~A;\n" server)) (nginx-upstream-configuration-servers upstream)) + (let ((extra-content + (nginx-upstream-configuration-extra-content upstream))) + (if (and extra-content (not (null? extra-content))) + (cons + "\n" + (map (lambda (line) + (simple-format #f " ~A\n" line)) + (flatten extra-content))) + '())) " }\n")) (define (flatten . lst) @@ -1343,6 +1370,99 @@ files.") files)))))))) (default-value (tailon-configuration)))) + + +;;; +;;; Log anonymization +;;; + +(define-record-type* <anonip-configuration> + anonip-configuration make-anonip-configuration + anonip-configuration? + (anonip anonip-configuration-anonip ;file-like + (default anonip)) + (input anonip-configuration-input) ;string + (output anonip-configuration-output) ;string + (skip-private? anonip-configuration-skip-private? ;boolean + (default #f)) + (column anonip-configuration-column ;number + (default #f)) + (replacement anonip-configuration-replacement ;string + (default #f)) + (ipv4mask anonip-configuration-ipv4mask ;number + (default #f)) + (ipv6mask anonip-configuration-ipv6mask ;number + (default #f)) + (increment anonip-configuration-increment ;number + (default #f)) + (delimiter anonip-configuration-delimiter ;string + (default #f)) + (regex anonip-configuration-regex ;string + (default #f))) + +(define (anonip-activation config) + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (for-each + (lambda (directory) + (mkdir-p directory) + (chmod directory #o755)) + (list (dirname #$(anonip-configuration-input config)) + (dirname #$(anonip-configuration-output config))))))) + +(define (anonip-shepherd-service config) + (let ((input (anonip-configuration-input config)) + (output (anonip-configuration-output config)) + (optional + (lambda (accessor option) + (or (and=> (accessor config) + (lambda (value) + (list + (format #false "~a=~a" + option value)))) + (list))))) + (list (shepherd-service + (provision (list (symbol-append 'anonip- (string->symbol output)))) + (requirement '(user-processes)) + (documentation "Anonimyze the given log file location with anonip.") + (start #~(lambda _ + (unless (file-exists? #$input) + (mknod #$input 'fifo #o600 0)) + (let ((pid (fork+exec-command + (append + (list #$(file-append (anonip-configuration-anonip config) + "/bin/anonip") + (string-append "--input=" #$input) + (string-append "--output=" #$output)) + (if #$(anonip-configuration-skip-private? config) + '("--skip-private") (list)) + '#$(optional anonip-configuration-column "--column") + '#$(optional anonip-configuration-ipv4mask "--ipv4mask") + '#$(optional anonip-configuration-ipv6mask "--ipv6mask") + '#$(optional anonip-configuration-increment "--increment") + '#$(optional anonip-configuration-replacement "--replacement") + '#$(optional anonip-configuration-delimiter "--delimiter") + '#$(optional anonip-configuration-regex "--regex")) + ;; Run in a UTF-8 locale + #:environment-variables + (list (string-append "GUIX_LOCPATH=" #$glibc-utf8-locales + "/lib/locale") + "LC_ALL=en_US.utf8")))) + pid))) + (stop #~(make-kill-destructor)))))) + +(define anonip-service-type + (service-type + (name 'anonip) + (extensions + (list (service-extension shepherd-root-service-type + anonip-shepherd-service) + (service-extension activation-service-type + anonip-activation))) + (description + "Provide web server log anonymization with @command{anonip}."))) + ;;; ;;; Varnish |