Diffstat (limited to 'gnu/services')
-rw-r--r--gnu/services/desktop.scm77
-rw-r--r--gnu/services/pam-mount.scm111
-rw-r--r--gnu/services/ssh.scm6
-rw-r--r--gnu/services/sysctl.scm3
-rw-r--r--gnu/services/web.scm4
5 files changed, 194 insertions, 7 deletions
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 0152e86e8a..b40622a637 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -135,6 +135,12 @@
             inputattach-configuration?
             inputattach-service-type
 
+            polkit-wheel-service
+
+            gnome-keyring-configuration
+            gnome-keyring-configuration?
+            gnome-keyring-service-type
+
             %desktop-services))
 
 ;;; Commentary:
@@ -1066,6 +1072,74 @@ dispatches events from it.")))
 
 
 ;;;
+;;; gnome-keyring-service-type
+;;;
+
+(define-record-type* <gnome-keyring-configuration> gnome-keyring-configuration
+  make-gnome-keyring-configuration
+  gnome-keyring-configuration?
+  (keyring gnome-keyring-package (default gnome-keyring))
+  (pam-services gnome-keyring-pam-services (default '(("gdm-password" . login)
+                                                      ("passwd" . passwd)))))
+
+(define (pam-gnome-keyring config)
+  (define (%pam-keyring-entry . arguments)
+    (pam-entry
+     (control "optional")
+     (module (file-append (gnome-keyring-package config)
+                          "/lib/security/pam_gnome_keyring.so"))
+     (arguments arguments)))
+
+  (list
+   (lambda (service)
+     (case (assoc-ref (gnome-keyring-pam-services config)
+                      (pam-service-name service))
+       ((login)
+        (pam-service
+         (inherit service)
+         (auth (append (pam-service-auth service)
+                       (list (%pam-keyring-entry))))
+         (session (append (pam-service-session service)
+                          (list (%pam-keyring-entry "auto_start"))))))
+       ((passwd)
+        (pam-service
+         (inherit service)
+         (password (append (pam-service-password service)
+                           (list (%pam-keyring-entry))))))
+       (else service)))))
+
+(define gnome-keyring-service-type
+  (service-type
+   (name 'gnome-keyring)
+   (extensions (list
+                (service-extension pam-root-service-type pam-gnome-keyring)))
+   (default-value (gnome-keyring-configuration))
+   (description "Return a service, that adds the @code{gnome-keyring} package
+to the system profile and extends PAM with entries using
+@code{pam_gnome_keyring.so}, unlocking a user's login keyring when they log in
+or setting its password with passwd.")))
+
+
+;;;
+;;; polkit-wheel-service -- Allow wheel group to perform admin actions
+;;;
+
+(define polkit-wheel
+  (file-union
+   "polkit-wheel"
+   `(("share/polkit-1/rules.d/wheel.rules"
+      ,(plain-file
+        "wheel.rules"
+        "polkit.addAdminRule(function(action, subject) {
+    return [\"unix-group:wheel\"];
+});
+")))))
+
+(define polkit-wheel-service
+  (simple-service 'polkit-wheel polkit-service-type (list polkit-wheel)))
+
+
+;;;
 ;;; The default set of desktop services.
 ;;;
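Review bot: The `description` of `gnome-keyring-service-type` claims the service "adds the @code{gnome-keyring} package to the system profile", but its `extensions` list only contains the `pam-root-service-type` extension, so PAM gains `pam_gnome_keyring.so` while the package's own programs are never installed into the profile; either add `(service-extension profile-service-type (compose list gnome-keyring-package))` or drop that claim. The wording also reads like a procedure docstring ("Return a service, that adds…") whereas the other description added in this commit is imperative ("Run the nginx Web server."), so `"Extend PAM with @code{pam_gnome_keyring.so} entries so that a user's login keyring is unlocked at login and its password is kept in sync with @command{passwd}."` would fit better. The `pam-services` default also silently does nothing for display managers other than `gdm-password`, which is worth a sentence in the description so users of other login managers know to extend the alist.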
 
@@ -1080,6 +1154,9 @@ dispatches events from it.")))
          ;; Add udev rules for MTP devices so that non-root users can access
          ;; them.
          (simple-service 'mtp udev-service-type (list libmtp))
+         ;; Add polkit rules, so that non-root users in the wheel group can
+         ;; perform administrative tasks (similar to "sudo").
+         polkit-wheel-service
 
          ;; NetworkManager and its applet.
          (service network-manager-service-type)
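Review bot: Adding `polkit-wheel-service` to `%desktop-services` changes the default privilege model of every system built from this list: as I read the `addAdminRule` in `polkit-wheel`, any member of `wheel` can now authenticate for administrative polkit actions with their own password, independently of whatever `sudo` policy the operator has configured. The new comment says "similar to sudo" but not that this is unconditional for the whole group; I'd extend it with `;; Remove polkit-wheel-service from this list if wheel membership should not grant polkit administrator rights.` so the opt-out is discoverable where the default is set. The definition of `%desktop-services` starts and ends outside this hunk.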
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm
new file mode 100644
index 0000000000..98611462c2
--- /dev/null
+++ b/gnu/services/pam-mount.scm
@@ -0,0 +1,111 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2019 Guillaume Le Vaillant <glv@posteo.net>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services pam-mount)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu services)
+  #:use-module (gnu services configuration)
+  #:use-module (gnu system pam)
+  #:use-module (guix gexp)
+  #:use-module (guix records)
+  #:export (pam-mount-configuration
+            pam-mount-configuration?
+            pam-mount-service-type))
+
+(define %pam-mount-default-configuration
+  `((debug (@ (enable "0")))
+    (mntoptions (@ (allow ,(string-join
+                            '("nosuid" "nodev" "loop"
+                              "encryption" "fsck" "nonempty"
+                              "allow_root" "allow_other")
+                            ","))))
+    (mntoptions (@ (require "nosuid,nodev")))
+    (logout (@ (wait "0")
+               (hup "0")
+               (term "no")
+               (kill "no")))
+    (mkmountpoint (@ (enable "1")
+                     (remove "true")))))
+
+(define (make-pam-mount-configuration-file config)
+  (computed-file
+   "pam_mount.conf.xml"
+   #~(begin
+       (use-modules (sxml simple))
+       (call-with-output-file #$output
+         (lambda (port)
+           (sxml->xml
+            '(*TOP*
+              (*PI* xml "version='1.0' encoding='utf-8'")
+              (pam_mount
+               #$@(pam-mount-configuration-rules config)
+               (pmvarrun
+                #$(file-append pam-mount
+                               "/sbin/pmvarrun -u '%(USER)' -o '%(OPERATION)'"))
+               (cryptmount
+                #$(file-append pam-mount
+                               (string-append
+                                "/sbin/mount.crypt"
+                                " '%(if %(CIPHER),-ocipher=%(CIPHER))'"
+                                " '%(if %(FSKEYCIPHER),"
+                                "-ofsk_cipher=%(FSKEYCIPHER))'"
+                                " '%(if %(FSKEYHASH),-ofsk_hash=%(FSKEYHASH))'"
+                                " '%(if %(FSKEYPATH),-okeyfile=%(FSKEYPATH))'"
+                                " '%(if %(OPTIONS),-o%(OPTIONS))'"
+                                " '%(VOLUME)' '%(MNTPT)'")))
+               (cryptumount
+                #$(file-append pam-mount "/sbin/umount.crypt '%(MNTPT)'"))))
+            port))))))
+
+(define-record-type* <pam-mount-configuration>
+  pam-mount-configuration
+  make-pam-mount-configuration
+  pam-mount-configuration?
+  (rules pam-mount-configuration-rules
+         (default %pam-mount-default-configuration)))
+
+(define (pam-mount-etc-service config)
+  `(("security/pam_mount.conf.xml"
+     ,(make-pam-mount-configuration-file config))))
+
+(define (pam-mount-pam-service config)
+  (define optional-pam-mount
+    (pam-entry
+     (control "optional")
+     (module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
+  (list (lambda (pam)
+          (if (member (pam-service-name pam)
+                      '("login" "su" "slim" "gdm-password"))
+              (pam-service
+               (inherit pam)
+               (auth (append (pam-service-auth pam)
+                             (list optional-pam-mount)))
+               (session (append (pam-service-session pam)
+                                (list optional-pam-mount))))
+              pam))))
+
+(define pam-mount-service-type
+  (service-type
+   (name 'pam-mount)
+   (extensions (list (service-extension etc-service-type
+                                        pam-mount-etc-service)
+                     (service-extension pam-root-service-type
+                                        pam-mount-pam-service)))
+   (default-value (pam-mount-configuration))
+   (description "Activate PAM-Mount support.  It allows mounting volumes for
+specific users when they log in.")))
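Review bot: `pam-mount-pam-service` hard-codes the PAM services it hooks, `'("login" "su" "slim" "gdm-password")`, while `gnome-keyring-configuration` in the same commit exposes the equivalent list as a configuration field; a `(pam-services pam-mount-configuration-pam-services (default '("login" "su" "slim" "gdm-password")))` field on `<pam-mount-configuration>` and `(member (pam-service-name pam) (pam-mount-configuration-pam-services config))` in the lambda would let users of other display managers opt in without editing the module. The module path is built with `#~(string-append #$pam-mount "/lib/security/pam_mount.so")` whereas every other path in this file uses `file-append`; `(module (file-append pam-mount "/lib/security/pam_mount.so"))` is the consistent form. The `rules` field is documented nowhere in this file; a comment above it stating that it holds SXML spliced verbatim into `pam_mount.conf.xml`, with the `%pam-mount-default-configuration` `require "nosuid,nodev"` entry being the part that keeps user-mounted volumes from carrying setuid binaries or device nodes, would help reviewers of custom rule sets.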
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index d026c3115e..d2dbb8f80d 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -173,7 +173,7 @@
 
   (list (shepherd-service
          (documentation "GNU lsh SSH server")
-         (provision '(ssh-daemon))
+         (provision '(ssh-daemon ssh sshd))
          (requirement requires)
          (start #~(make-forkexec-constructor (list #$@lsh-command)))
          (stop  #~(make-kill-destructor)))))
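Review bot: The new `ssh` and `sshd` provision names are added identically here and in the hunks at `@@ -497` and `@@ -606`, and nothing in any of the three documents the consequence: because lsh, OpenSSH and Dropbear now all provide the same names, shepherd will, as far as I can tell, refuse to start a second SSH daemon alongside a running one. If that mutual exclusion is intended, a comment next to each `provision` such as `;; 'ssh' and 'sshd' are shared aliases; only one SSH server service can run at a time.` would make it explicit. The enclosing procedure begins outside each of these hunks.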
@@ -497,7 +497,7 @@ of user-name/file-like tuples."
   (list (shepherd-service
          (documentation "OpenSSH server.")
          (requirement '(syslogd loopback))
-         (provision '(ssh-daemon))
+         (provision '(ssh-daemon ssh sshd))
          (start #~(make-forkexec-constructor #$openssh-command
                                              #:pid-file #$pid-file))
          (stop #~(make-kill-destructor))
@@ -606,7 +606,7 @@ of user-name/file-like tuples."
   (list (shepherd-service
          (documentation "Dropbear SSH server.")
          (requirement requires)
-         (provision '(ssh-daemon))
+         (provision '(ssh-daemon ssh sshd))
          (start #~(make-forkexec-constructor #$dropbear-command
                                              #:pid-file #$pid-file))
          (stop #~(make-kill-destructor)))))
diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm
index 5e9e6f0661..eb7a61b2a9 100644
--- a/gnu/services/sysctl.scm
+++ b/gnu/services/sysctl.scm
@@ -59,8 +59,7 @@
         (provision '(sysctl))
         (start #~(lambda _
                    (zero? (system* #$sysctl "--load" #$sysctl.conf))))
-        (stop #~(const #t))
-        (respawn? #f))))))
+        (one-shot? #t))))))
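Review bot: Replacing the `stop`/`respawn?` pair with `(one-shot? #t)` makes the service definition depend on a Shepherd that understands one-shot services, which I believe appeared only in Shepherd 0.6; if the `shepherd` package used by the system is older the service file fails to load and sysctl settings are silently never applied. A comment such as `;; Requires Shepherd 0.6 or later for one-shot services.` would record the constraint, and verifying the version pinned in the package definition would close the question. The `shepherd-service` form and the `start` gexp begin outside this hunk.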
 
 (define sysctl-service-type
   (service-type
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 3d149a105d..372f4dc6fc 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -742,8 +742,8 @@ of index files."
                             (server-blocks
                               (append (nginx-configuration-server-blocks config)
                               servers)))))
-                (default-value
-                  (nginx-configuration))))
+                (default-value (nginx-configuration))
+                (description "Run the nginx Web server.")))
 
 (define-record-type* <fcgiwrap-configuration> fcgiwrap-configuration
   make-fcgiwrap-configuration