author | Efraim Flashner <efraim@flashner.co.il> | 2017-12-31 14:10:25 +0200 |
---|---|---|
committer | Efraim Flashner <efraim@flashner.co.il> | 2017-12-31 14:10:25 +0200 |
commit | 23de2e1d5f8f7548e6f73085de23d9964774edbf (patch) | |
tree | fab69d4bb55f275f14012a724b7cb14bd307b57f /gnu/services | |
parent | ec6ba5c1fe9308cbc18f06c99adcfe0d13396a18 (diff) | |
parent | 1c27f72fc2770d68243dd95b7c05adc3b2b02ea4 (diff) | |
download | guix-23de2e1d5f8f7548e6f73085de23d9964774edbf.tar.gz |
Merge remote-tracking branch 'origin/master' into core-updates
Diffstat (limited to 'gnu/services')
-rw-r--r-- | gnu/services/base.scm | 255 | ||||
-rw-r--r-- | gnu/services/desktop.scm | 33 | ||||
-rw-r--r-- | gnu/services/mail.scm | 30 | ||||
-rw-r--r-- | gnu/services/messaging.scm | 46 | ||||
-rw-r--r-- | gnu/services/networking.scm | 14 |
5 files changed, 219 insertions, 159 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index a3654fd4d3..f4681c804d 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -57,7 +57,7 @@
 file-system-service-type
 user-unmount-service
 swap-service
- user-processes-service
+ user-processes-service-type
 host-name-service
 console-keymap-service
 %default-console-font
@@ -162,6 +162,129 @@ ;;; ;;; Code: + + +;;; +;;; User processes. +;;; + +(define %do-not-kill-file + ;; Name of the file listing PIDs of processes that must survive when halting + ;; the system. Typical example is user-space file systems. + "/etc/shepherd/do-not-kill") + +(define (user-processes-shepherd-service requirements) + "Return the 'user-processes' Shepherd service with dependencies on +REQUIREMENTS (a list of service names). + +This is a synchronization point used to make sure user processes and daemons +get started only after crucial initial services have been started---file +system mounts, etc. This is similar to the 'sysvinit' target in systemd." + (define grace-delay + ;; Delay after sending SIGTERM and before sending SIGKILL. + 4) + + (list (shepherd-service + (documentation "When stopped, terminate all user processes.") + (provision '(user-processes)) + (requirement requirements) + (start #~(const #t)) + (stop #~(lambda _ + (define (kill-except omit signal) + ;; Kill all the processes with SIGNAL except those listed + ;; in OMIT and the current process. + (let ((omit (cons (getpid) omit))) + (for-each (lambda (pid) + (unless (memv pid omit) + (false-if-exception + (kill pid signal)))) + (processes)))) + + (define omitted-pids + ;; List of PIDs that must not be killed. + (if (file-exists? #$%do-not-kill-file) + (map string->number + (call-with-input-file #$%do-not-kill-file + (compose string-tokenize + (@ (ice-9 rdelim) read-string)))) + '())) + + (define (now) + (car (gettimeofday))) + + (define (sleep* n) + ;; Really sleep N seconds. + ;; Work around <http://bugs.gnu.org/19581>. + (define start (now)) + (let loop ((elapsed 0)) + (when (> n elapsed) + (sleep (- n elapsed)) + (loop (- (now) start))))) + + (define lset= (@ (srfi srfi-1) lset=)) + + (display "sending all processes the TERM signal\n") + + (if (null? omitted-pids) + (begin + ;; Easy: terminate all of them. 
+ (kill -1 SIGTERM) + (sleep* #$grace-delay) + (kill -1 SIGKILL)) + (begin + ;; Kill them all except OMITTED-PIDS. XXX: We would + ;; like to (kill -1 SIGSTOP) to get a fixed list of + ;; processes, like 'killall5' does, but that seems + ;; unreliable. + (kill-except omitted-pids SIGTERM) + (sleep* #$grace-delay) + (kill-except omitted-pids SIGKILL) + (delete-file #$%do-not-kill-file))) + + (let wait () + ;; Reap children, if any, so that we don't end up with + ;; zombies and enter an infinite loop. + (let reap-children () + (define result + (false-if-exception + (waitpid WAIT_ANY (if (null? omitted-pids) + 0 + WNOHANG)))) + + (when (and (pair? result) + (not (zero? (car result)))) + (reap-children))) + + (let ((pids (processes))) + (unless (lset= = pids (cons 1 omitted-pids)) + (format #t "waiting for process termination\ + (processes left: ~s)~%" + pids) + (sleep* 2) + (wait)))) + + (display "all processes have been terminated\n") + #f)) + (respawn? #f)))) + +(define user-processes-service-type + (service-type + (name 'user-processes) + (extensions (list (service-extension shepherd-root-service-type + user-processes-shepherd-service))) + (compose concatenate) + (extend append) + + ;; The value is the list of Shepherd services 'user-processes' depends on. + ;; Extensions can add new services to this list. + (default-value '()) + + (description "The @code{user-processes} service is responsible for +terminating all the processes so that the root file system can be re-mounted +read-only, just before rebooting/halting. Processes still running after a few +seconds after @code{SIGTERM} has been sent are terminated with +@code{SIGKILL}."))) + ;;; ;;; File systems. 
@@ -349,7 +472,11 @@ FILE-SYSTEM."
 (list (service-extension shepherd-root-service-type
 file-system-shepherd-services)
 (service-extension fstab-service-type
- identity)))
+ identity)
+
+ ;; Have 'user-processes' depend on 'file-systems'.
+ (service-extension user-processes-service-type
+ (const '(file-systems)))))
 (compose concatenate)
 (extend append)
 (description
@@ -389,111 +516,6 @@ file systems, as well as corresponding @file{/etc/fstab} entries."))) in KNOWN-MOUNT-POINTS when it is stopped." (service user-unmount-service-type known-mount-points)) -(define %do-not-kill-file - ;; Name of the file listing PIDs of processes that must survive when halting - ;; the system. Typical example is user-space file systems. - "/etc/shepherd/do-not-kill") - -(define user-processes-service-type - (shepherd-service-type - 'user-processes - (lambda (grace-delay) - (shepherd-service - (documentation "When stopped, terminate all user processes.") - (provision '(user-processes)) - (requirement '(file-systems)) - (start #~(const #t)) - (stop #~(lambda _ - (define (kill-except omit signal) - ;; Kill all the processes with SIGNAL except those listed - ;; in OMIT and the current process. - (let ((omit (cons (getpid) omit))) - (for-each (lambda (pid) - (unless (memv pid omit) - (false-if-exception - (kill pid signal)))) - (processes)))) - - (define omitted-pids - ;; List of PIDs that must not be killed. - (if (file-exists? #$%do-not-kill-file) - (map string->number - (call-with-input-file #$%do-not-kill-file - (compose string-tokenize - (@ (ice-9 rdelim) read-string)))) - '())) - - (define (now) - (car (gettimeofday))) - - (define (sleep* n) - ;; Really sleep N seconds. - ;; Work around <http://bugs.gnu.org/19581>. - (define start (now)) - (let loop ((elapsed 0)) - (when (> n elapsed) - (sleep (- n elapsed)) - (loop (- (now) start))))) - - (define lset= (@ (srfi srfi-1) lset=)) - - (display "sending all processes the TERM signal\n") - - (if (null? omitted-pids) - (begin - ;; Easy: terminate all of them. - (kill -1 SIGTERM) - (sleep* #$grace-delay) - (kill -1 SIGKILL)) - (begin - ;; Kill them all except OMITTED-PIDS. XXX: We would - ;; like to (kill -1 SIGSTOP) to get a fixed list of - ;; processes, like 'killall5' does, but that seems - ;; unreliable. 
- (kill-except omitted-pids SIGTERM) - (sleep* #$grace-delay) - (kill-except omitted-pids SIGKILL) - (delete-file #$%do-not-kill-file))) - - (let wait () - ;; Reap children, if any, so that we don't end up with - ;; zombies and enter an infinite loop. - (let reap-children () - (define result - (false-if-exception - (waitpid WAIT_ANY (if (null? omitted-pids) - 0 - WNOHANG)))) - - (when (and (pair? result) - (not (zero? (car result)))) - (reap-children))) - - (let ((pids (processes))) - (unless (lset= = pids (cons 1 omitted-pids)) - (format #t "waiting for process termination\ - (processes left: ~s)~%" - pids) - (sleep* 2) - (wait)))) - - (display "all processes have been terminated\n") - #f)) - (respawn? #f))))) - -(define* (user-processes-service #:key (grace-delay 4)) - "Return the service that is responsible for terminating all the processes so -that the root file system can be re-mounted read-only, just before -rebooting/halting. Processes still running GRACE-DELAY seconds after SIGTERM -has been sent are terminated with SIGKILL. - -The returned service will depend on 'file-systems', meaning that it is -considered started after all the auto-mount file systems have been mounted. - -All the services that spawn processes must depend on this one so that they are -stopped before 'kill' is called." - (service user-processes-service-type grace-delay)) - ;;; ;;; Preserve entropy to seed /dev/urandom on boot. @@ -507,7 +529,10 @@ stopped before 'kill' is called." (list (shepherd-service (documentation "Preserve entropy across reboots for /dev/urandom.") (provision '(urandom-seed)) - (requirement '(user-processes)) + + ;; Depend on udev so that /dev/hwrng is available. + (requirement '(file-systems udev)) + (start #~(lambda _ ;; On boot, write random seed into /dev/urandom. (when (file-exists? #$%random-seed-file) 
@@ -568,13 +593,20 @@ stopped before 'kill' is called." (service-type (name 'urandom-seed) (extensions (list (service-extension shepherd-root-service-type - urandom-seed-shepherd-service))) + urandom-seed-shepherd-service) + + ;; Have 'user-processes' depend on 'urandom-seed'. + ;; This ensures that user processes and daemons don't + ;; start until we have seeded the PRNG. + (service-extension user-processes-service-type + (const '(urandom-seed))))) + (default-value #f) (description "Seed the @file{/dev/urandom} pseudo-random number generator (RNG) with the value recorded when the system was last shut down."))) -(define (urandom-seed-service) +(define (urandom-seed-service) ;deprecated (service urandom-seed-service-type #f)) @@ -1954,9 +1986,10 @@ This service is not part of @var{%base-services}." (service static-networking-service-type (list (static-networking (interface "lo") (ip "127.0.0.1") + (requirement '()) (provision '(loopback))))) (syslog-service) - (urandom-seed-service) + (service urandom-seed-service-type) (guix-service) (nscd-service) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 78530b3454..64b999caba 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2016 Sou Bunnbu <iyzsong@gmail.com> ;;; Copyright © 2017 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2017 ng0 <ng0@infotropique.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -42,6 +43,7 @@ #:use-module (gnu packages suckless) #:use-module (gnu packages linux) #:use-module (gnu packages libusb) + #:use-module (gnu packages mate) #:use-module (guix records) #:use-module (guix packages) #:use-module (guix store) 
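Review bot: The wait loop in the `stop` procedure of the new `user-processes-shepherd-service` uses `(lset= = pids (cons 1 omitted-pids))` as its exit test, so if a process listed in the do-not-kill file exits on its own before the loop is reached (it receives no signal, but nothing prevents it from terminating), `pids` can apparently never equal the expected set and shutdown keeps printing "waiting for process termination" indefinitely. What is actually required is that every remaining PID is either 1 or an omitted one, which is a subset test: `(define lset<= (@ (srfi srfi-1) lset<=))` and `(unless (lset<= = pids (cons 1 omitted-pids))`. A related hardening: `(map string->number ...)` yields `#f` for any non-numeric token in the file, which `=` then rejects with a wrong-type error inside the same loop, so filtering the parsed list with `(filter integer? ...)` keeps a malformed file from aborting the halt sequence. This logic is moved from the old `user-processes-service-type` rather than newly written, so the behaviour predates the merge.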
@@ -82,6 +84,11 @@ gnome-desktop-service gnome-desktop-service-type + mate-desktop-configuration + mate-desktop-configuration? + mate-desktop-service + mate-desktop-service-type + xfce-desktop-configuration xfce-desktop-configuration? xfce-desktop-service @@ -817,6 +824,32 @@ rules." and extends polkit with the actions from @code{gnome-settings-daemon}." (service gnome-desktop-service-type config)) +;; MATE Desktop service. +;; TODO: Add mate-screensaver. + +(define-record-type* <mate-desktop-configuration> mate-desktop-configuration + make-mate-desktop-configuration + mate-desktop-configuration + (mate-package mate-package (default mate))) + +(define mate-desktop-service-type + (service-type + (name 'mate-desktop) + (extensions + (list (service-extension polkit-service-type + (compose list + (package-direct-input-selector + "mate-settings-daemon") + mate-package)) + (service-extension profile-service-type + (compose list + mate-package)))))) + +(define* (mate-desktop-service #:key (config (mate-desktop-configuration))) + "Return a service that adds the @code{mate} package to the system profile, +and extends polkit with the actions from @code{mate-settings-daemon}." + (service mate-desktop-service-type config)) + ;;; ;;; XFCE desktop service. diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm index 6305f06f85..ab90942739 100644 --- a/gnu/services/mail.scm +++ b/gnu/services/mail.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2015 Andy Wingo <wingo@igalia.com> ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org> ;;; Copyright © 2017 Carlo Zancanaro <carlo@zancanaro.id.au> +;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> ;;; ;;; This file is part of GNU Guix. ;;; 
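Review bot: The `define-record-type*` form for `<mate-desktop-configuration>` gives `mate-desktop-configuration` (no trailing `?`) as the name following `make-mate-desktop-configuration`, while the export list added in the same file exports `mate-desktop-configuration?`; if, as in the `(guix records)` convention, that position is the predicate, the exported binding does not exist and the predicate collides with the `mate-desktop-configuration` syntactic constructor. The line should read `mate-desktop-configuration?`. Separately, `mate-desktop-service-type` has no `(description ...)` field, unlike `user-processes-service-type` and `urandom-seed-service-type` in the same commit; a one-line description saying the service adds the MATE package to the system profile and extends polkit with the actions of mate-settings-daemon would keep the service types consistent.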
@@ -745,12 +746,6 @@ allowed too, like 10.0.0.10-10.0.0.30.") "How long to redirect users to a specific server after it no longer has any connections.") - (director-doveadm-port - (non-negative-integer 0) - "TCP/IP port that accepts doveadm connections (instead of director -connections) If you enable this, you'll also need to add -@samp{inet-listener} for the port.") - (director-username-hash (string "%Lu") "How the username is translated before being hashed. Useful values @@ -831,7 +826,7 @@ string.") string, %$ contains the data we want to log.") (mail-log-prefix - (string "\"%s(%u): \"") + (string "\"%s(%u)<%{pid}><%{session}>: \"") "Log prefix for mail processes. See doc/wiki/Variables.txt for list of possible variables you can use.") @@ -1145,7 +1140,7 @@ files. If an index file already exists it's still read, just not updated.") (mdbox-rotate-size - (non-negative-integer #e2e6) + (non-negative-integer #e10e6) "Maximum dbox file size until it's rotated.") (mdbox-rotate-interval @@ -1262,18 +1257,12 @@ it, set @samp{auth-ssl-require-client-cert? #t} in auth section.") x500UniqueIdentifier are the usual choices. You'll also need to set @samp{auth-ssl-username-from-cert? #t}.") - (ssl-parameters-regenerate - (hours 168) - "How often to regenerate the SSL parameters file. Generation is -quite CPU intensive operation. The value is in hours, 0 disables -regeneration entirely.") - - (ssl-protocols - (string "!SSLv2") - "SSL protocols to use.") + (ssl-min-protocol + (string "TLSv1") + "Minimum SSL protocol version to accept.") (ssl-cipher-list - (string "ALL:!LOW:!SSLv2:!EXP:!aNULL") + (string "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH") "SSL ciphers to use.") (ssl-crypto-device 
@@ -1356,14 +1345,15 @@ get \"Too long argument\" or \"IMAP command line too large\" errors often.") (imap-logout-format - (string "in=%i out=%o") + (string "in=%i out=%o deleted=%{deleted} expunged=%{expunged} trashed=%{trashed} hdr_count=%{fetch_hdr_count} hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} body_bytes=%{fetch_body_bytes}") "IMAP logout format string: @table @code @item %i total number of bytes read from client @item %o total number of bytes sent to client. -@end table") +@end table +See @file{doc/wiki/Variables.txt} for a list of all the variables you can use.") (imap-capability (string "") diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm index d57a7562a2..a9820ed21f 100644 --- a/gnu/services/messaging.scm +++ b/gnu/services/messaging.scm @@ -320,13 +320,13 @@ can create such a file with: (data-path (file-name "/var/lib/prosody") "Location of the Prosody data storage directory. See -@url{http://prosody.im/doc/configure}." +@url{https://prosody.im/doc/configure}." global) (plugin-paths (file-name-list '()) "Additional plugin directories. They are searched in all the specified -paths in order. See @url{http://prosody.im/doc/plugins_directory}." +paths in order. See @url{https://prosody.im/doc/plugins_directory}." global) (certificates 
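Review bot: The new `ssl-min-protocol` default `"TLSv1"` means the Guix default accepts TLS 1.0 and 1.1 connections, and the docstring "Minimum SSL protocol version to accept." does not say so; because this option replaces a blacklist (`"!SSLv2"`) with a floor, the docstring should spell out the semantics, e.g. `"Minimum SSL/TLS protocol version to accept. @samp{TLSv1} still allows TLS 1.0 and 1.1; use @samp{TLSv1.2} to refuse them."`. Whether the default itself should be raised is a policy choice; the value appears to mirror Dovecot's upstream default rather than being chosen here, and saying so in the docstring would help readers judge it. The replaced `ssl-cipher-list` default deserves the same one-line provenance note.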
@@ -339,15 +339,15 @@ certificates/keys from the directory specified here." (admins (string-list '()) "This is a list of accounts that are admins for the server. Note that you -must create the accounts separately. See @url{http://prosody.im/doc/admins} and -@url{http://prosody.im/doc/creating_accounts}. +must create the accounts separately. See @url{https://prosody.im/doc/admins} and +@url{https://prosody.im/doc/creating_accounts}. Example: @code{(admins '(\"user1@@example.com\" \"user2@@example.net\"))}" common) (use-libevent? (boolean #f) "Enable use of libevent for better performance under high load. See -@url{http://prosody.im/doc/libevent}." +@url{https://prosody.im/doc/libevent}." common) (modules-enabled @@ -355,7 +355,7 @@ Example: @code{(admins '(\"user1@@example.com\" \"user2@@example.net\"))}" "This is the list of modules Prosody will load on startup. It looks for @code{mod_modulename.lua} in the plugins folder, so make sure that exists too. Documentation on modules can be found at: -@url{http://prosody.im/doc/modules}." +@url{https://prosody.im/doc/modules}." common) (modules-disabled @@ -368,13 +368,13 @@ should you want to disable them then add them to this list." (file-name "/var/lib/prosody/sharedgroups.txt") "Path to a text file where the shared groups are defined. If this path is empty then @samp{mod_groups} does nothing. See -@url{http://prosody.im/doc/modules/mod_groups}." +@url{https://prosody.im/doc/modules/mod_groups}." common) (allow-registration? (boolean #f) "Disable account creation by default, for security. See -@url{http://prosody.im/doc/creating_accounts}." +@url{https://prosody.im/doc/creating_accounts}." common) (ssl 
@@ -382,13 +382,13 @@ empty then @samp{mod_groups} does nothing. See "These are the SSL/TLS-related settings. Most of them are disabled so to use Prosody's defaults. If you do not completely understand these options, do not add them to your config, it is easy to lower the security of your server -using them. See @url{http://prosody.im/doc/advanced_ssl_config}." +using them. See @url{https://prosody.im/doc/advanced_ssl_config}." common) (c2s-require-encryption? (boolean #f) "Whether to force all client-to-server connections to be encrypted or not. -See @url{http://prosody.im/doc/modules/mod_tls}." +See @url{https://prosody.im/doc/modules/mod_tls}." common) (disable-sasl-mechanisms @@ -400,7 +400,7 @@ See @url{http://prosody.im/doc/modules/mod_tls}." (s2s-require-encryption? (boolean #f) "Whether to force all server-to-server connections to be encrypted or not. -See @url{http://prosody.im/doc/modules/mod_tls}." +See @url{https://prosody.im/doc/modules/mod_tls}." common) (s2s-secure-auth? @@ -408,7 +408,7 @@ See @url{http://prosody.im/doc/modules/mod_tls}." "Whether to require encryption and certificate authentication. This provides ideal security, but requires servers you communicate with to support encryption AND present valid, trusted certificates. See -@url{http://prosody.im/doc/s2s#security}." +@url{https://prosody.im/doc/s2s#security}." common) (s2s-insecure-domains 
@@ -416,14 +416,14 @@ encryption AND present valid, trusted certificates. See "Many servers don't support encryption or have invalid or self-signed certificates. You can list domains here that will not be required to authenticate using certificates. They will be authenticated using DNS. See -@url{http://prosody.im/doc/s2s#security}." +@url{https://prosody.im/doc/s2s#security}." common) (s2s-secure-domains (string-list '()) "Even if you leave @code{s2s-secure-auth?} disabled, you can still require valid certificates for some domains by specifying a list here. See -@url{http://prosody.im/doc/s2s#security}." +@url{https://prosody.im/doc/s2s#security}." common) (authentication @@ -431,21 +431,21 @@ valid certificates for some domains by specifying a list here. See "Select the authentication backend to use. The default provider stores passwords in plaintext and uses Prosody's configured data storage to store the authentication data. If you do not trust your server please see -@url{http://prosody.im/doc/modules/mod_auth_internal_hashed} for information +@url{https://prosody.im/doc/modules/mod_auth_internal_hashed} for information about using the hashed backend. See also -@url{http://prosody.im/doc/authentication}" +@url{https://prosody.im/doc/authentication}" common) ;; TODO: Handle more complicated log structures. (log (maybe-string "*syslog") "Set logging options. Advanced logging configuration is not yet supported -by the GuixSD Prosody Service. See @url{http://prosody.im/doc/logging}." +by the GuixSD Prosody Service. See @url{https://prosody.im/doc/logging}." common) (pidfile (file-name "/var/run/prosody/prosody.pid") - "File to write pid in. See @url{http://prosody.im/doc/modules/mod_posix}." + "File to write pid in. See @url{https://prosody.im/doc/modules/mod_posix}." global) (http-max-content-size 
@@ -476,7 +476,7 @@ instance can serve many domains, each one defined as a VirtualHost entry in Prosody's configuration. Conversely a server that hosts a single domain would have just one VirtualHost entry. -See @url{http://prosody.im/doc/configure#virtual_host_settings}." +See @url{https://prosody.im/doc/configure#virtual_host_settings}." global) (int-components @@ -490,14 +490,14 @@ Internal components are implemented with Prosody-specific plugins. To add an internal component, you simply fill the hostname field, and the plugin you wish to use for the component. -See @url{http://prosody.im/doc/components}." +See @url{https://prosody.im/doc/components}." global) (ext-components (ext-component-configuration-list '()) "External components use XEP-0114, which most standalone components support. To add an external component, you simply fill the hostname field. See -@url{http://prosody.im/doc/components}." +@url{https://prosody.im/doc/components}." global) (component-secret @@ -536,10 +536,10 @@ support. To add an external component, you simply fill the hostname field. See hosted chatrooms/conferences for XMPP users. General information on setting up and using multi-user chatrooms can be found -in the \"Chatrooms\" documentation (@url{http://prosody.im/doc/chatrooms}), +in the \"Chatrooms\" documentation (@url{https://prosody.im/doc/chatrooms}), which you should read if you are new to XMPP chatrooms. -See also @url{http://prosody.im/doc/modules/mod_muc}." +See also @url{https://prosody.im/doc/modules/mod_muc}." int-component) (hostname diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index b0c23aafc7..c3ba0787c0 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm 
@@ -5,6 +5,7 @@ ;;; Copyright © 2016 John Darrington <jmd@gnu.org> ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org> ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be> +;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -51,6 +52,7 @@ static-networking-ip static-networking-netmask static-networking-gateway + static-networking-requirement static-networking-service static-networking-service-type @@ -145,22 +147,21 @@ fe80::1%lo0 apps.facebook.com\n") (default #f)) (provision static-networking-provision (default #f)) + (requirement static-networking-requirement + (default '())) (name-servers static-networking-name-servers ;FIXME: doesn't belong here (default '()))) (define static-networking-shepherd-service (match-lambda (($ <static-networking> interface ip netmask gateway provision - name-servers) + requirement name-servers) (let ((loopback? (and provision (memq 'loopback provision)))) (shepherd-service - ;; Unless we're providing the loopback interface, wait for udev to be up - ;; and running so that INTERFACE is actually usable. - (requirement (if loopback? '() '(udev))) - (documentation "Bring up the networking interface using a static IP address.") + (requirement requirement) (provision (or provision (list (symbol-append 'networking- (string->symbol interface))))) @@ -263,6 +264,8 @@ network interface."))) (define* (static-networking-service interface ip #:key netmask gateway provision + ;; Most interfaces require udev to be usable. + (requirement '(udev)) (name-servers '())) "Return a service that starts @var{interface} with address @var{ip}. If @var{netmask} is true, use it as the network mask. If @var{gateway} is true, @@ -277,6 +280,7 @@ to handle." (list (static-networking (interface interface) (ip ip) (netmask netmask) (gateway gateway) (provision provision) + (requirement requirement) (name-servers name-servers))))) (define dhcp-client-service-type |
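Review bot: The new `requirement` field of `<static-networking>` defaults to `'()`, while `static-networking-service` defaults its `#:requirement` to `'(udev)`, and the comment that previously explained why non-loopback interfaces wait for udev was removed from `static-networking-shepherd-service`; a caller constructing `static-networking` records directly, as `%base-services` now does for `lo`, gets no udev dependency for a physical interface unless it remembers to add one. A field comment would preserve the rationale: `;; Shepherd services this interface waits for; physical interfaces normally need 'udev so that INTERFACE exists when the service starts.` The base.scm hunk that sets `(requirement '())` explicitly for the loopback interface is consistent with this, but the intent is only visible there.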