diff options
Diffstat (limited to 'gnu/services')
| -rw-r--r-- | gnu/services/base.scm | 115 | ||||
| -rw-r--r-- | gnu/services/certbot.scm | 11 | ||||
| -rw-r--r-- | gnu/services/docker.scm | 4 | ||||
| -rw-r--r-- | gnu/services/linux.scm | 2 | ||||
| -rw-r--r-- | gnu/services/mail.scm | 122 | ||||
| -rw-r--r-- | gnu/services/virtualization.scm | 100 | ||||
| -rw-r--r-- | gnu/services/web.scm | 29 |
7 files changed, 252 insertions, 131 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 491f35702a..d560ad5a13 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -1558,57 +1558,72 @@ proxy of 'guix-daemon'...~%") (provision '(guix-daemon)) (requirement '(user-processes)) (actions (list shepherd-set-http-proxy-action)) - (modules '((srfi srfi-1))) + (modules '((srfi srfi-1) + (ice-9 match) + (gnu build shepherd))) (start - #~(lambda _ - (define proxy - ;; HTTP/HTTPS proxy. The 'http_proxy' variable is set by - ;; the 'set-http-proxy' action. - (or (getenv "http_proxy") #$http-proxy)) - - (fork+exec-command - (cons* #$(file-append guix "/bin/guix-daemon") - "--build-users-group" #$build-group - "--max-silent-time" #$(number->string max-silent-time) - "--timeout" #$(number->string timeout) - "--log-compression" #$(symbol->string log-compression) - #$@(if use-substitutes? - '() - '("--no-substitutes")) - "--substitute-urls" #$(string-join substitute-urls) - #$@extra-options - - ;; Add CHROOT-DIRECTORIES and all their dependencies - ;; (if these are store items) to the chroot. - (append-map (lambda (file) - (append-map (lambda (directory) - (list "--chroot-directory" - directory)) - (call-with-input-file file - read))) - '#$(map references-file - chroot-directories))) - - #:environment-variables - (append (list #$@(if tmpdir - (list (string-append "TMPDIR=" tmpdir)) - '()) - - ;; Make sure we run in a UTF-8 locale so that - ;; 'guix offload' correctly restores nars that - ;; contain UTF-8 file names such as - ;; 'nss-certs'. See - ;; <https://bugs.gnu.org/32942>. - (string-append "GUIX_LOCPATH=" - #$glibc-utf8-locales - "/lib/locale") - "LC_ALL=en_US.utf8") - (if proxy - (list (string-append "http_proxy=" proxy) - (string-append "https_proxy=" proxy)) - '())) - - #:log-file #$log-file))) + (with-imported-modules (source-module-closure + '((gnu build shepherd))) + #~(lambda args + (define proxy + ;; HTTP/HTTPS proxy. The 'http_proxy' variable is set by + ;; the 'set-http-proxy' action. + (or (getenv "http_proxy") #$http-proxy)) + + (fork+exec-command/container + (cons* #$(file-append guix "/bin/guix-daemon") + "--build-users-group" #$build-group + "--max-silent-time" + #$(number->string max-silent-time) + "--timeout" #$(number->string timeout) + "--log-compression" + #$(symbol->string log-compression) + #$@(if use-substitutes? + '() + '("--no-substitutes")) + "--substitute-urls" #$(string-join substitute-urls) + #$@extra-options + + ;; Add CHROOT-DIRECTORIES and all their dependencies + ;; (if these are store items) to the chroot. + (append-map + (lambda (file) + (append-map (lambda (directory) + (list "--chroot-directory" + directory)) + (call-with-input-file file + read))) + '#$(map references-file + chroot-directories))) + + ;; When running the installer, we need guix-daemon to + ;; operate from within the same MNT namespace as the + ;; installation container. In that case only, enter the + ;; namespace of the process PID passed as start argument. + #:pid (match args + ((pid) (string->number pid)) + (else (getpid))) + + #:environment-variables + (append (list #$@(if tmpdir + (list (string-append "TMPDIR=" tmpdir)) + '()) + + ;; Make sure we run in a UTF-8 locale so that + ;; 'guix offload' correctly restores nars + ;; that contain UTF-8 file names such as + ;; 'nss-certs'. See + ;; <https://bugs.gnu.org/32942>. + (string-append "GUIX_LOCPATH=" + #$glibc-utf8-locales + "/lib/locale") + "LC_ALL=en_US.utf8") + (if proxy + (list (string-append "http_proxy=" proxy) + (string-append "https_proxy=" proxy)) + '())) + + #:log-file #$log-file)))) (stop #~(make-kill-destructor)))))) (define (guix-accounts config) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 5643340799..1c67ff63f1 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -71,7 +71,8 @@ (default "/var/www")) (certificates certbot-configuration-certificates (default '())) - (email certbot-configuration-email) + (email certbot-configuration-email + (default #f)) (server certbot-configuration-server (default #f)) (rsa-key-size certbot-configuration-rsa-key-size @@ -99,12 +100,14 @@ (if challenge (append (list name certbot "certonly" "-n" "--agree-tos" - "-m" email "--manual" (string-append "--preferred-challenges=" challenge) "--cert-name" name "--manual-public-ip-logging-ok" "-d" (string-join domains ",")) + (if email + `("--email" ,email) + '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) (if authentication-hook @@ -114,10 +117,12 @@ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) (append (list name certbot "certonly" "-n" "--agree-tos" - "-m" email "--webroot" "-w" webroot "--cert-name" name "-d" (string-join domains ",")) + (if email + `("--email" ,email) + '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index 380a942ed2..2fb2ae2c47 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org> ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net> ;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il> ;;; ;;; This file is part of GNU Guix. ;;; @@ -133,6 +134,9 @@ loop-back communications.") bundles in Docker containers.") (extensions (list + ;; Make sure the 'docker' command is available. + (service-extension profile-service-type + (list docker-cli)) (service-extension activation-service-type %docker-activation) (service-extension shepherd-root-service-type diff --git a/gnu/services/linux.scm b/gnu/services/linux.scm index ec42663a11..72c7779596 100644 --- a/gnu/services/linux.scm +++ b/gnu/services/linux.scm @@ -196,7 +196,7 @@ representation." (define-record-type* <zram-device-configuration> zram-device-configuration make-zram-device-configuration zram-device-configuration? - (size zram-device-configration-size + (size zram-device-configuration-size (default "1G")) ; string or integer (compression-algorithm zram-device-configuration-compression-algorithm (default 'lzo)) ; symbol diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm index cfcaf4601b..71fa975b5d 100644 --- a/gnu/services/mail.scm +++ b/gnu/services/mail.scm @@ -99,7 +99,9 @@ (and (string? x) (not (string-index x #\space)))) val))) (define (serialize-space-separated-string-list field-name val) - (serialize-field field-name (string-join val " "))) + (match val + (() #f) + (_ (serialize-field field-name (string-join val " "))))) (define (comma-separated-string-list? val) (and (list? val) @@ -479,64 +481,6 @@ interfaces. If you want to specify non-default ports or anything more complex, customize the address and port fields of the @samp{inet-listener} of the specific services you are interested in.") - (protocols - (protocol-configuration-list - (list (protocol-configuration - (name "imap")))) - "List of protocols we want to serve. Available protocols include -@samp{imap}, @samp{pop3}, and @samp{lmtp}.") - - (services - (service-configuration-list - (list - (service-configuration - (kind "imap-login") - (client-limit 0) - (process-limit 0) - (listeners - (list - (inet-listener-configuration (protocol "imap") (port 143) (ssl? #f)) - (inet-listener-configuration (protocol "imaps") (port 993) (ssl? #t))))) - (service-configuration - (kind "pop3-login") - (listeners - (list - (inet-listener-configuration (protocol "pop3") (port 110) (ssl? #f)) - (inet-listener-configuration (protocol "pop3s") (port 995) (ssl? #t))))) - (service-configuration - (kind "lmtp") - (client-limit 1) - (process-limit 0) - (listeners - (list (unix-listener-configuration (path "lmtp") (mode "0666"))))) - (service-configuration - (kind "imap") - (client-limit 1) - (process-limit 1024)) - (service-configuration - (kind "pop3") - (client-limit 1) - (process-limit 1024)) - (service-configuration - (kind "auth") - (service-count 0) - (client-limit 0) - (process-limit 1) - (listeners - (list (unix-listener-configuration (path "auth-userdb"))))) - (service-configuration - (kind "auth-worker") - (client-limit 1) - (process-limit 0)) - (service-configuration - (kind "dict") - (client-limit 1) - (process-limit 0) - (listeners (list (unix-listener-configuration (path "dict"))))))) - "List of services to enable. Available services include @samp{imap}, -@samp{imap-login}, @samp{pop3}, @samp{pop3-login}, @samp{auth}, and -@samp{lmtp}.") - (dict (dict-configuration (dict-configuration)) "Dict configuration, as created by the @code{dict-configuration} @@ -1430,7 +1374,65 @@ greyed out, instead of only later giving \"not selectable\" popup error. (imap-urlauth-host (string "") - "Host allowed in URLAUTH URLs sent by client. \"*\" allows all.") ) + "Host allowed in URLAUTH URLs sent by client. \"*\" allows all.") + + (protocols + (protocol-configuration-list + (list (protocol-configuration + (name "imap")))) + "List of protocols we want to serve. Available protocols include +@samp{imap}, @samp{pop3}, and @samp{lmtp}.") + + (services + (service-configuration-list + (list + (service-configuration + (kind "imap-login") + (client-limit 0) + (process-limit 0) + (listeners + (list + (inet-listener-configuration (protocol "imap") (port 143) (ssl? #f)) + (inet-listener-configuration (protocol "imaps") (port 993) (ssl? #t))))) + (service-configuration + (kind "pop3-login") + (listeners + (list + (inet-listener-configuration (protocol "pop3") (port 110) (ssl? #f)) + (inet-listener-configuration (protocol "pop3s") (port 995) (ssl? #t))))) + (service-configuration + (kind "lmtp") + (client-limit 1) + (process-limit 0) + (listeners + (list (unix-listener-configuration (path "lmtp") (mode "0666"))))) + (service-configuration + (kind "imap") + (client-limit 1) + (process-limit 1024)) + (service-configuration + (kind "pop3") + (client-limit 1) + (process-limit 1024)) + (service-configuration + (kind "auth") + (service-count 0) + (client-limit 0) + (process-limit 1) + (listeners + (list (unix-listener-configuration (path "auth-userdb"))))) + (service-configuration + (kind "auth-worker") + (client-limit 1) + (process-limit 0)) + (service-configuration + (kind "dict") + (client-limit 1) + (process-limit 0) + (listeners (list (unix-listener-configuration (path "dict"))))))) + "List of services to enable. Available services include @samp{imap}, +@samp{imap-login}, @samp{pop3}, @samp{pop3-login}, @samp{auth}, and +@samp{lmtp}.")) (define-configuration opaque-dovecot-configuration (dovecot diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index b93ed70099..20e104f48c 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Ryan Moe <ryan.moe@gmail.com> -;;; Copyright © 2018 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2018, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org> ;;; ;;; This file is part of GNU Guix. @@ -39,6 +39,7 @@ #:use-module (gnu system) #:use-module (guix derivations) #:use-module (guix gexp) + #:use-module (guix modules) #:use-module (guix monads) #:use-module (guix packages) #:use-module (guix records) @@ -61,7 +62,10 @@ hurd-vm-configuration-options hurd-vm-configuration-id hurd-vm-configuration-net-options + hurd-vm-configuration-secrets + hurd-vm-disk-image + hurd-vm-port hurd-vm-net-options hurd-vm-service-type @@ -806,6 +810,41 @@ functionality of the kernel Linux."))) ;;; +;;; Secrets for guest VMs. +;;; + +(define (secret-service-activation port) + "Return an activation snippet that fetches sensitive material at local PORT, +over TCP. Reboot upon failure." + (with-imported-modules '((gnu build secret-service) + (guix build utils)) + #~(begin + (use-modules (gnu build secret-service)) + (let ((sent (secret-service-receive-secrets #$port))) + (unless sent + (sleep 3) + (reboot)))))) + +(define secret-service-type + (service-type + (name 'secret-service) + (extensions (list (service-extension activation-service-type + secret-service-activation))) + (description + "This service fetches secret key and other sensitive material over TCP at +boot time. This service is meant to be used by virtual machines (VMs) that +can only be accessed by their host."))) + +(define (secret-service-operating-system os) + "Return an operating system based on OS that includes the secret-service, +that will be listening to receive secret keys on port 1004, TCP." + (operating-system + (inherit os) + (services (cons (service secret-service-type 1004) + (operating-system-user-services os))))) + + +;;; ;;; The Hurd in VM service: a Childhurd. ;;; @@ -849,11 +888,14 @@ functionality of the kernel Linux."))) (default #f)) (net-options hurd-vm-configuration-net-options ;list of string (thunked) - (default (hurd-vm-net-options this-record)))) + (default (hurd-vm-net-options this-record))) + (secret-root hurd-vm-configuration-secret-root ;string + (default "/etc/childhurd"))) (define (hurd-vm-disk-image config) - "Return a disk-image for the Hurd according to CONFIG." - (let ((os (hurd-vm-configuration-os config)) + "Return a disk-image for the Hurd according to CONFIG. The secret-service +is added to the OS specified in CONFIG." + (let ((os (secret-service-operating-system (hurd-vm-configuration-os config))) (disk-size (hurd-vm-configuration-disk-size config))) (system-image (image @@ -861,15 +903,27 @@ functionality of the kernel Linux."))) (size disk-size) (operating-system os))))) -(define (hurd-vm-net-options config) +(define (hurd-vm-port config base) + "Return the forwarded vm port for this childhurd config." (let ((id (or (hurd-vm-configuration-id config) 0))) - (define (qemu-vm-port base) - (number->string (+ base (* 1000 id)))) - `("--device" "rtl8139,netdev=net0" - "--netdev" ,(string-append - "user,id=net0" - ",hostfwd=tcp:127.0.0.1:" (qemu-vm-port 10022) "-:2222" - ",hostfwd=tcp:127.0.0.1:" (qemu-vm-port 15900) "-:5900")))) + (+ base (* 1000 id)))) +(define %hurd-vm-secrets-port 11004) +(define %hurd-vm-ssh-port 10022) +(define %hurd-vm-vnc-port 15900) + +(define (hurd-vm-net-options config) + `("--device" "rtl8139,netdev=net0" + "--netdev" + ,(string-append "user,id=net0" + ",hostfwd=tcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-secrets-port)) + "-:1004" + ",hostfwd=tcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-ssh-port)) + "-:2222" + ",hostfwd=tcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-vnc-port)) + "-:5900"))) (define (hurd-vm-shepherd-service config) "Return a <shepherd-service> for a Hurd in a Virtual Machine with CONFIG." @@ -900,8 +954,26 @@ functionality of the kernel Linux."))) (string->symbol (number->string id))) provisions) provisions)) - (requirement '(networking)) - (start #~(make-forkexec-constructor #$vm-command)) + (requirement '(loopback networking user-processes)) + (start + (with-imported-modules + (source-module-closure '((gnu build secret-service) + (guix build utils))) + #~(let ((spawn (make-forkexec-constructor #$vm-command))) + (lambda _ + (let ((pid (spawn)) + (port #$(hurd-vm-port config %hurd-vm-secrets-port)) + (root #$(hurd-vm-configuration-secret-root config))) + (catch #t + (lambda _ + (secret-service-send-secrets port root)) + (lambda (key . args) + (kill (- pid) SIGTERM) + (apply throw key args))) + pid))))) + (modules `((gnu build secret-service) + (guix build utils) + ,@%default-modules)) (stop #~(make-kill-destructor)))))) (define hurd-vm-service-type diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 3b9f9e40be..c8ffc19d83 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -12,6 +12,7 @@ ;;; Copyright © 2019, 2020 Florian Pelz <pelzflorian@pelzflorian.de> ;;; Copyright © 2020 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> +;;; Copyright © 2020 Arun Isaac <arunisaac@systemreboot.net> ;;; ;;; This file is part of GNU Guix. ;;; @@ -151,6 +152,7 @@ php-fpm-configuration-timezone php-fpm-configuration-workers-log-file php-fpm-configuration-file + php-fpm-configuration-php-ini-file php-fpm-dynamic-process-manager-configuration make-php-fpm-dynamic-process-manager-configuration @@ -794,13 +796,29 @@ of index files." #:user #$user #:group #$group)) (stop #~(make-kill-destructor))))))) +(define fcgiwrap-activation + (match-lambda + (($ <fcgiwrap-configuration> package socket user group) + #~(begin + ;; When listening on a unix socket, create a parent directory for the + ;; socket with the correct permissions. + (when (string-prefix? "unix:" #$socket) + (let ((run-directory + (dirname (substring #$socket (string-length "unix:"))))) + (mkdir-p run-directory) + (chown run-directory + (passwd:uid (getpw #$user)) + (group:gid (getgr #$group))))))))) + (define fcgiwrap-service-type (service-type (name 'fcgiwrap) (extensions (list (service-extension shepherd-root-service-type fcgiwrap-shepherd-service) (service-extension account-service-type - fcgiwrap-accounts))) + fcgiwrap-accounts) + (service-extension activation-service-type + fcgiwrap-activation))) (default-value (fcgiwrap-configuration)))) (define-record-type* <php-fpm-configuration> php-fpm-configuration @@ -839,6 +857,8 @@ of index files." (version-major (package-version php)) "-fpm.www.log"))) (file php-fpm-configuration-file ;#f | file-like + (default #f)) + (php-ini-file php-fpm-configuration-php-ini-file ;#f | file-like (default #f))) (define-record-type* <php-fpm-dynamic-process-manager-configuration> @@ -945,7 +965,7 @@ of index files." (match-lambda (($ <php-fpm-configuration> php socket user group socket-user socket-group pid-file log-file pm display-errors - timezone workers-log-file file) + timezone workers-log-file file php-ini-file) (list (shepherd-service (provision '(php-fpm)) (documentation "Run the php-fpm daemon.") @@ -956,7 +976,10 @@ of index files." #$(or file (default-php-fpm-config socket user group socket-user socket-group pid-file log-file - pm display-errors timezone workers-log-file))) + pm display-errors timezone workers-log-file)) + #$@(if php-ini-file + `("-c" ,php-ini-file) + '())) #:pid-file #$pid-file)) (stop #~(make-kill-destructor))))))) |