Diffstat (limited to 'gnu/services')
-rw-r--r-- | gnu/services/base.scm | 22 | ||||
-rw-r--r-- | gnu/services/configuration.scm | 5 | ||||
-rw-r--r-- | gnu/services/desktop.scm | 4 | ||||
-rw-r--r-- | gnu/services/ganeti.scm | 23 | ||||
-rw-r--r-- | gnu/services/guix.scm | 48 | ||||
-rw-r--r-- | gnu/services/ldap.scm | 317 | ||||
-rw-r--r-- | gnu/services/mail.scm | 120 | ||||
-rw-r--r-- | gnu/services/monitoring.scm | 5 | ||||
-rw-r--r-- | gnu/services/nix.scm | 11 | ||||
-rw-r--r-- | gnu/services/security.scm | 26 | ||||
-rw-r--r-- | gnu/services/vpn.scm | 15 |
11 files changed, 477 insertions, 119 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index ba59e46155..6993e1f174 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -61,7 +61,8 @@ util-linux xfsprogs)) #:use-module (gnu packages bash) #:use-module ((gnu packages base) - #:select (coreutils glibc glibc-utf8-locales tar)) + #:select (coreutils glibc glibc-utf8-locales tar + canonical-package)) #:use-module ((gnu packages compression) #:select (gzip)) #:autoload (gnu packages guile-xyz) (guile-netlink) #:autoload (gnu packages hurd) (hurd) @@ -71,6 +72,7 @@ #:select (dosfstools)) #:use-module ((gnu packages file-systems) #:select (bcachefs-tools exfat-utils jfsutils zfs)) + #:use-module (gnu packages fonts) #:use-module (gnu packages terminals) #:use-module ((gnu packages wm) #:select (sway)) #:use-module ((gnu build file-systems) @@ -1211,7 +1213,13 @@ the tty to run, among other things." (name-services nscd-configuration-name-services ;list of file-like (default '())) (glibc nscd-configuration-glibc ;file-like - (default glibc))) + (default (let-system (system target) + ;; Unless we're cross-compiling, arrange to use nscd + ;; from 'glibc-final' instead of pulling in a second + ;; glibc copy. + (if target + glibc + (canonical-package glibc)))))) (define-record-type* <nscd-cache> nscd-cache make-nscd-cache nscd-cache? 
@@ -2482,7 +2490,15 @@ notably to select, copy, and paste text. The default options use the (documentation "kmscon virtual terminal") (requirement '(user-processes udev dbus-system)) (provision (list (symbol-append 'term- (string->symbol virtual-terminal)))) - (start #~(make-forkexec-constructor #$kmscon-command)) + (start #~(make-forkexec-constructor + #$kmscon-command + + ;; The installer needs to be able to display glyphs from + ;; various scripts, so give it access to unifont. + ;; TODO: Make this configurable. + #:environment-variables + (list (string-append "XDG_DATA_DIRS=" + #$font-gnu-unifont "/share")))) (stop #~(make-kill-destructor))))) (description "Start the @command{kmscon} virtual terminal emulator for the Linux @dfn{kernel mode setting} (KMS)."))) diff --git a/gnu/services/configuration.scm b/gnu/services/configuration.scm index 10cb933ed1..6b0291dc00 100644 --- a/gnu/services/configuration.scm +++ b/gnu/services/configuration.scm @@ -473,9 +473,6 @@ applied on the fields and values of FIELDS using the COMBINE is a procedure that takes one or more arguments and combines all the alist entries into one value, @code{string-append} or -@code{append} are usually good candidates for this. - -See the @code{serialize-alist} procedure in `@code{(gnu home services -version-control}' for an example usage.)}" +@code{append} are usually good candidates for this." (apply combine (map (generic-serialize-alist-entry serialize-field) fields))) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index ac29e8d38a..9fd77642a1 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm 
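Review bot: The explicit `#:environment-variables` list given to `make-forkexec-constructor` in the kmscon `start` form replaces the environment the child would otherwise inherit rather than extending it, so kmscon (and, presumably, the login program it hands off to) now sees only `XDG_DATA_DIRS`; confirm nothing downstream relied on previously inherited variables such as `PATH` or locale settings. The comment motivates the change with the installer, but this is the generic kmscon service, so every kmscon instance now pulls in `font-gnu-unifont`; the TODO is the right place to state that. If the intent was to add to the inherited environment, `(cons (string-append "XDG_DATA_DIRS=" #$font-gnu-unifont "/share") (environ))` keeps the rest.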
@@ -838,9 +838,7 @@ Bluetooth devices and provides a number of D-Bus interfaces."))) "Return a service that runs the @command{bluetoothd} daemon, which manages all the Bluetooth devices and provides a number of D-Bus interfaces. When AUTO-ENABLE? is true, the bluetooth controller is powered automatically at -boot. - -Users need to be in the @code{lp} group to access the D-Bus service. +boot, which can be useful when using a bluetooth keyboard or mouse. " (service bluetooth-service-type (bluetooth-configuration diff --git a/gnu/services/ganeti.scm b/gnu/services/ganeti.scm index d9770b1a29..f4fec3833e 100644 --- a/gnu/services/ganeti.scm +++ b/gnu/services/ganeti.scm @@ -683,7 +683,8 @@ information to OS install scripts or instances."))) #~(#$schedule)) ((? list?) #~('#$schedule))) - #$(ganeti-watcher-command config)))))) + #$(ganeti-watcher-command config) + "ganeti-watcher"))))) (define ganeti-watcher-service-type (service-type (name 'ganeti-watcher) @@ -725,7 +726,8 @@ is declared offline by known master candidates."))) #~('#$master-schedule))) (lambda () (system* #$(file-append ganeti "/sbin/ganeti-cleaner") - "master"))) + "master")) + "ganeti master cleaner") #~(job #$@(match node-schedule ((? string?) #~(#$node-schedule)) @@ -733,7 +735,8 @@ is declared offline by known master candidates."))) #~('#$node-schedule))) (lambda () (system* #$(file-append ganeti "/sbin/ganeti-cleaner") - "node"))))))) + "node")) + "ganeti node cleaner"))))) (define ganeti-cleaner-service-type (service-type (name 'ganeti-cleaner) @@ -777,6 +780,8 @@ than 21 days from @file{/var/lib/ganeti/queue/archive}."))) (default (ganeti-cleaner-configuration))) (file-storage-paths ganeti-configuration-file-storage-paths ;list of strings | gexp (default '())) + (hooks ganeti-configuration-hooks ;<file-like> | #f + (default #f)) (os ganeti-configuration-os ;list of <ganeti-os> (default '()))) 
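Review bot: The new `hooks` field of `ganeti-configuration` carries only the type comment `;<file-like> | #f`, while the later `ganeti-directory` hunk (the `(when #$hooks (symlink #$hooks (string-append #$output "/hooks")))` addition) shows it is linked under the `"ganeti"` etc entry, apparently as `/etc/ganeti/hooks`, where Ganeti looks for hook scripts to execute. A one-line comment on the field, such as `;<file-like> | #f, linked at /etc/ganeti/hooks`, would tell readers which directory layout is expected and that the contents are executed by the Ganeti daemons rather than merely read. The record definition continues outside the hunk.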
@@ -910,7 +915,7 @@ trap - EXIT (partition-alignment debootstrap-configuration-partition-alignment ;#f | integer (default 2048))) -(define (hooks->directory hooks) +(define (debootstrap-hooks->directory hooks) (match hooks ((? file-like?) hooks) @@ -918,7 +923,7 @@ trap - EXIT (let ((names (map car hooks)) (files (map cdr hooks))) (with-imported-modules '((guix build utils)) - (computed-file "hooks-union" + (computed-file "debootstrap-hooks" #~(begin (use-modules (guix build utils) (ice-9 match)) @@ -942,7 +947,7 @@ trap - EXIT (($ <debootstrap-configuration> hooks proxy mirror arch suite extra-pkgs components generate-cache? clean-cache partition-style partition-alignment) - (let ((customize-dir (hooks->directory hooks))) + (let ((customize-dir (debootstrap-hooks->directory hooks))) (gexp->derivation "debootstrap-variant" #~(call-with-output-file (ungexp output "out") @@ -1034,7 +1039,7 @@ in /etc/ganeti/instance-$os for OS." (computed-file (string-append name "-os") builder #:local-build? #t))) -(define (ganeti-directory file-storage-file os) +(define (ganeti-directory file-storage-file hooks os) (let ((dirs (map ganeti-os->directory os)) (names (map ganeti-os-name os))) (define builder @@ -1044,6 +1049,9 @@ in /etc/ganeti/instance-$os for OS." (when #$file-storage-file (symlink #$file-storage-file (string-append #$output "/file-storage-paths"))) + (when #$hooks + (symlink #$hooks + (string-append #$output "/hooks"))) (for-each (match-lambda ((name dest) (symlink dest @@ -1063,6 +1071,7 @@ in /etc/ganeti/instance-$os for OS." (list `("ganeti" ,(ganeti-directory (file-storage-file (ganeti-configuration-file-storage-paths config)) + (ganeti-configuration-hooks config) (ganeti-configuration-os config))))) (define (debootstrap-os variants) diff --git a/gnu/services/guix.scm b/gnu/services/guix.scm index 486d9f49d7..65bf0b5a7f 100644 --- a/gnu/services/guix.scm +++ b/gnu/services/guix.scm 
@@ -336,30 +336,30 @@ (start #~(lambda args (parameterize ((%current-logfile-date-format "")) (apply - make-forkexec-constructor - (list #$(make-guix-build-coordinator-start-script - database-uri-string - allocation-strategy - "/var/run/guix-build-coordinator/pid" - package - #:agent-communication-uri-string - agent-communication-uri-string - #:client-communication-uri-string - client-communication-uri-string - #:hooks hooks - #:parallel-hooks parallel-hooks - #:guile guile)) - #:user #$user - #:group #$group - #:pid-file "/var/run/guix-build-coordinator/pid" - ;; Allow time for migrations to run - #:pid-file-timeout 60 - #:environment-variables - `(,(string-append - "GUIX_LOCPATH=" #$glibc-utf8-locales "/lib/locale") - "LC_ALL=en_US.utf8" - "PATH=/run/current-system/profile/bin") ; for hooks - #:log-file "/var/log/guix-build-coordinator/coordinator.log" + (make-forkexec-constructor + (list #$(make-guix-build-coordinator-start-script + database-uri-string + allocation-strategy + "/var/run/guix-build-coordinator/pid" + package + #:agent-communication-uri-string + agent-communication-uri-string + #:client-communication-uri-string + client-communication-uri-string + #:hooks hooks + #:parallel-hooks parallel-hooks + #:guile guile)) + #:user #$user + #:group #$group + #:pid-file "/var/run/guix-build-coordinator/pid" + ;; Allow time for migrations to run + #:pid-file-timeout 60 + #:environment-variables + `(,(string-append + "GUIX_LOCPATH=" #$glibc-utf8-locales "/lib/locale") + "LC_ALL=en_US.utf8" + "PATH=/run/current-system/profile/bin") ; for hooks + #:log-file "/var/log/guix-build-coordinator/coordinator.log") args)))) (stop #~(make-kill-destructor)) (modules diff --git a/gnu/services/ldap.scm b/gnu/services/ldap.scm new file mode 100644 index 0000000000..49a33fac08 --- /dev/null +++ b/gnu/services/ldap.scm 
@@ -0,0 +1,317 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2018, 2019, 2022 Ricardo Wurmus <rekado@elephly.net> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of thye GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu services ldap) + #:use-module (gnu packages admin) + #:use-module (gnu packages openldap) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu system shadow) + #:use-module (guix gexp) + #:use-module (srfi srfi-1) + #:use-module (ice-9 match) + #:use-module (ice-9 string-fun) + #:export (directory-server-service-type + directory-server-shepherd-service + + directory-server-instance-configuration + slapd-configuration + backend-configuration)) + +(define (uglify-field-name name) + (let ((str (string-map (match-lambda + (#\- #\_) + (chr chr)) + (symbol->string name)))) + (if (string-suffix? "?" 
str) + (substring str 0 (1- (string-length str))) + str))) +(define (serialize-field field-name val) + (format #t "~a = ~a\n" (uglify-field-name field-name) val)) +(define serialize-string serialize-field) +(define-maybe string) +(define (serialize-boolean field-name val) + (serialize-field field-name (if val "True" "False"))) +(define (serialize-number field-name val) + (serialize-field field-name (number->string val))) + + +(define-configuration slapd-configuration + (instance-name + (string "localhost") + "Sets the name of the instance. You can refer to this value in other +parameters of this INF file using the \"{instance_name}\" variable. Note that +this name cannot be changed after the installation!") + (user + (string "dirsrv") + "Sets the user name the ns-slapd process will use after the service +started.") + (group + (string "dirsrv") + "Sets the group name the ns-slapd process will use after the service +started.") + (port + (number 389) + "Sets the TCP port the instance uses for LDAP connections.") + (secure-port + (number 636) + "Sets the TCP port the instance uses for TLS-secured LDAP +connections (LDAPS).") + (root-dn + (string "cn=Directory Manager") + "Sets the Distinquished Name (DN) of the administrator account for this +instance.") + (root-password + (string "{invalid}YOU-SHOULD-CHANGE-THIS") + "Sets the password of the account specified in the \"root-dn\" parameter. +You can either set this parameter to a plain text password dscreate hashes +during the installation or to a \"{algorithm}hash\" string generated by the +pwdhash utility. Note that setting a plain text password can be a security +risk if unprivileged users can read this INF file!") + (self-sign-cert + (boolean #t) + "Sets whether the setup creates a self-signed certificate and enables TLS +encryption during the installation. This is not suitable for production, but +it enables administrators to use TLS right after the installation. 
You can +replace the self-signed certificate with a certificate issued by a certificate +authority.") + (self-sign-cert-valid-months + (number 24) + "Set the number of months the issued self-signed certificate will be valid.") + (backup-dir + (string "/var/lib/dirsrv/slapd-{instance_name}/bak") + "Set the backup directory of the instance.") + (cert-dir + (string "/etc/dirsrv/slapd-{instance_name}") + "Sets the directory of the instance's Network Security Services (NSS) +database.") + (config-dir + (string "/etc/dirsrv/slapd-{instance_name}") + "Sets the configuration directory of the instance.") + (db-dir + (string "/var/lib/dirsrv/slapd-{instance_name}/db") + "Sets the database directory of the instance.") + (initconfig-dir + (string "/etc/dirsrv/registry") + "Sets the directory of the operating system's rc configuration directory.") + (ldif-dir + (string "/var/lib/dirsrv/slapd-{instance_name}/ldif") + "Sets the LDIF export and import directory of the instance.") + (lock-dir + (string "/var/lock/dirsrv/slapd-{instance_name}") + "Sets the lock directory of the instance.") + (log-dir + (string "/var/log/dirsrv/slapd-{instance_name}") + "Sets the log directory of the instance.") + (run-dir + (string "/run/dirsrv") + "Sets PID directory of the instance.") + (schema-dir + (string "/etc/dirsrv/slapd-{instance_name}/schema") + "Sets schema directory of the instance.") + (tmp-dir + (string "/tmp") + "Sets the temporary directory of the instance.")) + +(define (serialize-slapd-configuration field-name val) + #t) + + +(define-configuration backend-userroot-configuration + (create-suffix-entry? + (boolean #false) + "Set this parameter to #true to create a generic root node entry for the +suffix in the database.") + (require-index? + (boolean #false) + "Set this parameter to #true to refuse unindexed searches in this +database.") + (sample-entries + (string "no") + "Set this parameter to \"yes\" to add latest version of sample entries to +this database. 
Or, use \"001003006\" to use the 1.3.6 version sample entries. +Use this option, for example, to create a database for testing purposes.") + (suffix + maybe-string + "Sets the root suffix stored in this database. If you do not set the +suffix attribute the install process will not create the backend/suffix. You +can also create multiple backends/suffixes by duplicating this section.")) + +(define (serialize-backend-userroot-configuration field-name val) + #t) + + +(define-configuration directory-server-instance-configuration + (package + (file-like 389-ds-base) + "The 389-ds-base package.") + ;; General settings + (config-version + (number 2) + "Sets the format version of the configuration file. To use the INF file +with dscreate, this parameter must be 2.") + (full-machine-name + (string "localhost") + "Sets the fully qualified hostname (FQDN) of this system.") + (selinux + (boolean #false) + "Enables SELinux detection and integration during the installation of this +instance. If set to #T, dscreate auto-detects whether SELinux is enabled.") + (strict-host-checking + (boolean #t) + "Sets whether the server verifies the forward and reverse record set in the +\"full-machine-name\" parameter. When installing this instance with GSSAPI +authentication behind a load balancer, set this parameter to #F.") + (systemd + (boolean #false) + "Enables systemd platform features. 
If set to #T, dscreate auto-detects +whether systemd is installed.") + (slapd + (slapd-configuration (slapd-configuration)) + "Configuration of slapd.") + (backend-userroot + (backend-userroot-configuration (backend-userroot-configuration)) + "Configuration of the userroot backend.")) + +(define (serialize-directory-server-instance-configuration x) + (format #t "[general]\n") + (serialize-configuration + x + (filter (lambda (field) + (not (member (configuration-field-name field) + '(package slapd backend-userroot)))) + directory-server-instance-configuration-fields)) + ;; Do not start instance while running dscreate. Do this later with + ;; shepherd. + (format #t "start = False\n") + (format #t "\n[slapd]\n") + (serialize-configuration + (directory-server-instance-configuration-slapd x) + slapd-configuration-fields) + (format #t "\n[backend-userroot]\n") + (serialize-configuration + (directory-server-instance-configuration-backend-userroot x) + backend-userroot-configuration-fields)) + +(define (directory-server-instance-config-file config) + "Return an LDAP directory server instance configuration file." + (let* ((slapd (directory-server-instance-configuration-slapd config)) + (instance-name (slapd-configuration-instance-name slapd))) + (plain-file + (string-append "dirsrv-" instance-name ".inf") + (with-output-to-string + (lambda () + (serialize-directory-server-instance-configuration config)))))) + +(define (directory-server-shepherd-service config) + "Return a shepherd service for an LDAP directory server with CONFIG." 
+ (let* ((389-ds-base (directory-server-instance-configuration-package config)) + (slapd (directory-server-instance-configuration-slapd config)) + (instance-name + (slapd-configuration-instance-name slapd))) + (list (shepherd-service + (documentation "Run an 389 directory server instance.") + (provision (list (symbol-append 'directory-server- + (string->symbol instance-name)))) + (requirement '()) + (start #~(make-forkexec-constructor + (list #$(file-append 389-ds-base "/sbin/dsctl") + #$instance-name "start") + #:pid-file + (string-append + #$(slapd-configuration-run-dir slapd) + "/slapd-" #$instance-name ".pid"))) + (stop #~(make-kill-destructor)))))) + +(define (directory-server-accounts config) + (let* ((slapd (directory-server-instance-configuration-slapd config)) + (user (slapd-configuration-user slapd)) + (group (slapd-configuration-group slapd))) + (list (user-group + (name group) + (system? #true)) + (user-account + (name user) + (group group) + (system? #true) + (comment "System user for the 389 directory server") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")))))) + +(define (directory-server-activation config) + (let* ((389-ds-base (directory-server-instance-configuration-package config)) + (config-file (directory-server-instance-config-file config)) + (slapd (directory-server-instance-configuration-slapd config)) + (instance-name (slapd-configuration-instance-name slapd)) + (user (slapd-configuration-user slapd)) + (group (slapd-configuration-group slapd)) + (instantiate (lambda (proc) + (string-replace-substring + (proc slapd) "{instance_name}" instance-name))) + (config-dir (instantiate slapd-configuration-config-dir)) + (all-dirs (delete-duplicates + (map (compose dirname instantiate) + (list slapd-configuration-backup-dir + slapd-configuration-cert-dir + slapd-configuration-db-dir + slapd-configuration-ldif-dir + slapd-configuration-lock-dir + slapd-configuration-log-dir + slapd-configuration-run-dir + 
slapd-configuration-schema-dir))))) + ;; 389-ds-base doesn't let us update an instance configuration, so bail + ;; out when the configuration directory already exists. + #~(begin + (use-modules (ice-9 match) + (guix build utils)) + (if (file-exists? #$config-dir) + (format #t + "directory-server: Instance configuration for `~a' already exists. Skipping.\n" + #$instance-name) + (let ((owner (getpwnam #$user))) + (for-each (lambda (dir) + (mkdir-p dir) + (chown dir (passwd:uid owner) (passwd:gid owner))) + (sort '#$all-dirs string<=)) + (system* #$(file-append 389-ds-base "/sbin/dscreate") + "from-file" #$config-file)))))) + +(define directory-server-service-type + (service-type (name 'directory-server) + (extensions + (list (service-extension shepherd-root-service-type + directory-server-shepherd-service) + (service-extension activation-service-type + directory-server-activation) + (service-extension account-service-type + directory-server-accounts))) + (default-value (directory-server-instance-configuration)) + (description + "Run a directory server instance."))) + +(define (generate-directory-server-documentation) + (generate-documentation + `((directory-server-instance-configuration + ,directory-server-instance-configuration-fields + (slapd slapd-configuration) + (backend-userroot backend-userroot-configuration)) + (slapd-configuration ,slapd-configuration-fields) + (backend-userroot-configuration + ,backend-userroot-configuration-fields)) + 'directory-server-instance-configuration)) diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm index 2dc235a585..6f588679b1 100644 --- a/gnu/services/mail.scm +++ b/gnu/services/mail.scm 
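Review bot: `directory-server-activation` applies `dirname` to every instance directory and then runs `mkdir-p` and `chown` on the result for the service user, so with the default `run-dir` of `/run/dirsrv` the list contains `/run`, and the first activation hands ownership of `/run` to the unprivileged `dirsrv` account, a directory that holds other services' PID and socket files. Only directories this service creates itself should be taken over; the rewrite below skips any path that already exists. A second point: the generated `.inf` is produced with `plain-file`, i.e. it lands in the world-readable store, so whatever `root-password` holds (hashed or plain) is readable by every local user; the field docstring should say so and recommend a `{algorithm}hash` value, or the file should be written at activation time instead. Smaller items: `group` is bound but unused in this procedure, and the licence header has the typo `thye`.
```scheme
        (let ((owner (getpwnam #$user)))
          (for-each (lambda (dir)
                      ;; Take ownership only of directories created here; a
                      ;; pre-existing shared parent such as /run keeps its owner.
                      (unless (file-exists? dir)
                        (mkdir-p dir)
                        (chown dir (passwd:uid owner) (passwd:gid owner))))
                    (sort '#$all-dirs string<=))
          ;; … unchanged: dscreate "from-file" invocation …
```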
@@ -1651,6 +1651,8 @@ by @code{dovecot-configuration}. @var{config} may also be created by opensmtpd-configuration? (package opensmtpd-configuration-package (default opensmtpd)) + (shepherd-requirement opensmtpd-configuration-shepherd-requirement + (default '())) ; list of symbols (config-file opensmtpd-configuration-config-file (default %default-opensmtpd-config-file)) (setgid-commands? opensmtpd-setgid-commands? (default #t))) @@ -1666,18 +1668,18 @@ action outbound relay match from local for any action outbound ")) -(define opensmtpd-shepherd-service - (match-lambda - (($ <opensmtpd-configuration> package config-file) - (list (shepherd-service - (provision '(smtpd)) - (requirement '(loopback)) - (documentation "Run the OpenSMTPD daemon.") - (start (let ((smtpd (file-append package "/sbin/smtpd"))) - #~(make-forkexec-constructor - (list #$smtpd "-f" #$config-file) - #:pid-file "/var/run/smtpd.pid"))) - (stop #~(make-kill-destructor))))))) +(define (opensmtpd-shepherd-service config) + (match-record config <opensmtpd-configuration> + (package config-file shepherd-requirement) + (list (shepherd-service + (provision '(smtpd)) + (requirement `(loopback ,@shepherd-requirement)) + (documentation "Run the OpenSMTPD daemon.") + (start (let ((smtpd (file-append package "/sbin/smtpd"))) + #~(make-forkexec-constructor + (list #$smtpd "-f" #$config-file) + #:pid-file "/var/run/smtpd.pid"))) + (stop #~(make-kill-destructor)))))) (define %opensmtpd-accounts (list (user-group 
@@ -1698,58 +1700,56 @@ match from local for any action outbound (home-directory "/var/empty") (shell (file-append shadow "/sbin/nologin"))))) -(define opensmtpd-activation - (match-lambda - (($ <opensmtpd-configuration> package config-file) - (let ((smtpd (file-append package "/sbin/smtpd"))) - #~(begin - (use-modules (guix build utils)) - ;; Create mbox and spool directories. - (mkdir-p "/var/mail") - (mkdir-p "/var/spool/smtpd") - (chmod "/var/spool/smtpd" #o711) - (mkdir-p "/var/spool/mail") - (chmod "/var/spool/mail" #o711)))))) +(define (opensmtpd-activation config) + (match-record config <opensmtpd-configuration> (package config-file) + (let ((smtpd (file-append package "/sbin/smtpd"))) + #~(begin + (use-modules (guix build utils)) + ;; Create mbox and spool directories. + (mkdir-p "/var/mail") + (mkdir-p "/var/spool/smtpd") + (chmod "/var/spool/smtpd" #o711) + (mkdir-p "/var/spool/mail") + (chmod "/var/spool/mail" #o711))))) (define %opensmtpd-pam-services (list (unix-pam-service "smtpd"))) -(define opensmtpd-set-gids - (match-lambda - (($ <opensmtpd-configuration> package config-file set-gids?) - (if set-gids? - (list - (setuid-program - (program (file-append package "/sbin/smtpctl")) - (setuid? #false) - (setgid? #true) - (group "smtpq")) - (setuid-program - (program (file-append package "/sbin/sendmail")) - (setuid? #false) - (setgid? #true) - (group "smtpq")) - (setuid-program - (program (file-append package "/sbin/send-mail")) - (setuid? #false) - (setgid? #true) - (group "smtpq")) - (setuid-program - (program (file-append package "/sbin/makemap")) - (setuid? #false) - (setgid? #true) - (group "smtpq")) - (setuid-program - (program (file-append package "/sbin/mailq")) - (setuid? #false) - (setgid? #true) - (group "smtpq")) - (setuid-program - (program (file-append package "/sbin/newaliases")) - (setuid? #false) - (setgid? 
#true) - (group "smtpq"))) - '())))) +(define (opensmtpd-set-gids config) + (match-record config <opensmtpd-configuration> (package config-file setgid-commands?) + (if setgid-commands? + (list + (setuid-program + (program (file-append package "/sbin/smtpctl")) + (setuid? #false) + (setgid? #true) + (group "smtpq")) + (setuid-program + (program (file-append package "/sbin/sendmail")) + (setuid? #false) + (setgid? #true) + (group "smtpq")) + (setuid-program + (program (file-append package "/sbin/send-mail")) + (setuid? #false) + (setgid? #true) + (group "smtpq")) + (setuid-program + (program (file-append package "/sbin/makemap")) + (setuid? #false) + (setgid? #true) + (group "smtpq")) + (setuid-program + (program (file-append package "/sbin/mailq")) + (setuid? #false) + (setgid? #true) + (group "smtpq")) + (setuid-program + (program (file-append package "/sbin/newaliases")) + (setuid? #false) + (setgid? #true) + (group "smtpq"))) + '()))) (define opensmtpd-service-type (service-type diff --git a/gnu/services/monitoring.scm b/gnu/services/monitoring.scm index 9a88351566..44e2e8886c 100644 --- a/gnu/services/monitoring.scm +++ b/gnu/services/monitoring.scm @@ -404,7 +404,10 @@ configuration file.")) /etc/ssl/certs" "SSL_CERT_FILE=/run/current-system/profile\ /etc/ssl/certs/ca-certificates.crt"))) - (stop #~(make-kill-destructor)))))) + (stop #~(make-kill-destructor + ;; The server needs to finish database work on shutdown + ;; which can take a while for big or busy databases. + #:grace-period 60)))))) (define zabbix-server-service-type (service-type diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm index df04a85c22..82853253f6 100644 --- a/gnu/services/nix.scm +++ b/gnu/services/nix.scm 
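Review bot: In the rewritten `opensmtpd-activation` the `smtpd` binding from `(let ((smtpd (file-append package "/sbin/smtpd"))) …)` is never used by the returned gexp, and `opensmtpd-set-gids` lists `config-file` in its `match-record` fields without using it; both can be dropped, leaving `(match-record config <opensmtpd-configuration> (setgid-commands?) …)` and a bare `#~(begin …)` for the activation. Since the move from positional `match-lambda` to `match-record` is what keeps these procedures correct now that `shepherd-requirement` sits before `config-file` in the record, a short comment saying that fields are matched by name would help whoever adds the next field.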
@@ -54,6 +54,8 @@ (default nix)) (sandbox nix-configuration-sandbox ;boolean (default #t)) + (build-directory nix-configuration-build-directory ;string + (default "/tmp")) (build-sandbox-items nix-configuration-build-sandbox-items ;list of strings (default '())) (extra-config nix-configuration-extra-config ;list of strings @@ -106,7 +108,7 @@ GID." (define nix-service-etc (match-lambda - (($ <nix-configuration> package sandbox build-sandbox-items extra-config) + (($ <nix-configuration> package sandbox build-directory build-sandbox-items extra-config) (let ((ref-file (references-file package))) `(("nix/nix.conf" ,(computed-file @@ -130,7 +132,7 @@ GID." (define nix-shepherd-service ;; Return a <shepherd-service> for Nix. (match-lambda - (($ <nix-configuration> package _ _ _ extra-options) + (($ <nix-configuration> package _ build-directory _ _ extra-options) (list (shepherd-service (provision '(nix-daemon)) @@ -138,7 +140,10 @@ GID." (requirement '()) (start #~(make-forkexec-constructor (list (string-append #$package "/bin/nix-daemon") - #$@extra-options))) + #$@extra-options) + #:environment-variables + (list (string-append "TMPDIR=" #$build-directory) + "PATH=/run/current-system/profile/bin"))) (respawn? #f) (stop #~(make-kill-destructor))))))) diff --git a/gnu/services/security.scm b/gnu/services/security.scm index 15fae7a628..50111455fb 100644 --- a/gnu/services/security.scm +++ b/gnu/services/security.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2022 muradm <mail@muradm.net> +;;; Copyright © 2022 Ludovic Courtès <ludo@gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; 
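Review bot: The new `#:environment-variables` list in `nix-shepherd-service` replaces whatever environment nix-daemon inherited from shepherd with exactly `TMPDIR` and `PATH`, and the `build-directory` field that feeds `TMPDIR` is documented only as `;string`. A comment on the field such as `;string, exported as TMPDIR to nix-daemon`, plus a note on the `start` form that the list is the complete environment, would make the contract visible; confirm nothing relied on previously inherited variables. The default `/tmp` is world-writable, which is presumably acceptable for the daemon's own scratch directories but worth stating, since a user who picks a dedicated directory must make it writable by the daemon. `nix-service-etc` also now destructures `build-directory` without apparently using it, which could be `_` for clarity.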
@@ -351,28 +352,27 @@ provided as a list of file-like objects.")) (match-record config <fail2ban-configuration> (fail2ban run-directory) (let* ((fail2ban-server (file-append fail2ban "/bin/fail2ban-server")) + (fail2ban-client (file-append fail2ban "/bin/fail2ban-client")) (pid-file (in-vicinity run-directory "fail2ban.pid")) (socket-file (in-vicinity run-directory "fail2ban.sock")) (config-dir (file-append (config->fail2ban-etc-directory config) "/etc/fail2ban")) (fail2ban-action (lambda args - #~(lambda _ - (invoke #$fail2ban-server - "-c" #$config-dir - "-p" #$pid-file - "-s" #$socket-file - "-b" - #$@args))))) - - ;; TODO: Add 'reload' action. + #~(invoke #$fail2ban-client #$@args)))) + + ;; TODO: Add 'reload' action (see 'fail2ban.service.in' in the source). (list (shepherd-service (provision '(fail2ban)) (documentation "Run the fail2ban daemon.") (requirement '(user-processes)) - (modules `((ice-9 match) - ,@%default-modules)) - (start (fail2ban-action "start")) - (stop (fail2ban-action "stop"))))))) + (start #~(make-forkexec-constructor + (list #$fail2ban-server + "-c" #$config-dir "-s" #$socket-file + "-p" #$pid-file "-xf" "start") + #:pid-file #$pid-file)) + (stop #~(lambda (_) + #$(fail2ban-action "stop") + #f))))))) ;successfully stopped (define fail2ban-service-type (service-type (name 'fail2ban) diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 7b3bb8903c..4103f89ecf 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -10,6 +10,7 @@ ;;; Copyright © 2021 jgart <jgart@dismail.de> ;;; Copyright © 2021 Nathan Dehnel <ncdehnel@gmail.com> ;;; Copyright © 2022 Cameron V Chaparro <cameron@cameronchaparro.com> +;;; Copyright © 2022 Timo Wilken <guix@twilken.net> ;;; ;;; This file is part of GNU Guix. ;;; @@ -61,6 +62,7 @@ wireguard-peer-endpoint wireguard-peer-allowed-ips wireguard-peer-public-key + wireguard-peer-preshared-key wireguard-peer-keep-alive wireguard-configuration 
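Review bot: The new `fail2ban-action` invokes `fail2ban-client` with only the action name, while the server is started with `-c #$config-dir -s #$socket-file -p #$pid-file`; unless `/etc/fail2ban` resolves to the same configuration, the client falls back to its default socket location and `stop` will not reach the daemon when `run-directory` is non-default. Passing the same locations, `#~(invoke #$fail2ban-client "-c" #$config-dir "-s" #$socket-file #$@args)`, keeps both sides consistent. Note also that `invoke` raises on a non-zero exit status, so the `stop` lambda raises instead of returning `#f` when the daemon is already gone; if stop is meant to be best-effort, `system*` with the status ignored is the cleaner choice there.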
@@ -709,6 +711,8 @@ strongSwan."))) (endpoint wireguard-peer-endpoint (default #f)) ;string (public-key wireguard-peer-public-key) ;string + (preshared-key wireguard-peer-preshared-key + (default #f)) ;string (allowed-ips wireguard-peer-allowed-ips) ;list of strings (keep-alive wireguard-peer-keep-alive (default #f))) ;integer @@ -762,10 +766,18 @@ AllowedIPs = ~a (format #f "PersistentKeepalive = ~a\n" keep-alive) "\n")))) + (define (peers->preshared-keys peer keys) + (let ((public-key (wireguard-peer-public-key peer)) + (preshared-key (wireguard-peer-preshared-key peer))) + (if preshared-key + (cons* public-key preshared-key keys) + keys))) + (match-record config <wireguard-configuration> (wireguard interface addresses port private-key peers dns pre-up post-up pre-down post-down table) (let* ((config-file (string-append interface ".conf")) + (peer-keys (fold peers->preshared-keys (list) peers)) (peers (map peer->config peers)) (config (computed-file @@ -780,7 +792,7 @@ AllowedIPs = ~a Address = ~a ~a ~a -PostUp = ~a set %i private-key ~a +PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~} ~a ~a ~a @@ -800,6 +812,7 @@ PostUp = ~a set %i private-key ~a "\n")) #$(file-append wireguard "/bin/wg") #$private-key + '#$peer-keys #$(if (null? post-up) "" (string-join |
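Review bot: The new `preshared-key` field is commented only as `;string`, yet it is spliced into `PostUp` as `wg set %i peer <public-key> preshared-key <value>`, and `wg set` takes a file path for `preshared-key` just as it does for the existing `private-key` argument; the comment should read `;string, path to a file holding the key`, because a value containing the key material itself would both break the command and expose the key on the PostUp shell's command line. `peers->preshared-keys` is a reasonable `fold` helper, but since its result is consumed by `~{ peer ~a preshared-key ~a~}`, a one-line comment that `peer-keys` is a flat alternating (public-key preshared-key …) list would help the reader. The final hunk of this file is cut off in this view.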