diff options
Diffstat (limited to 'gnu/services')
| -rw-r--r-- | gnu/services/base.scm | 197 | ||||
| -rw-r--r-- | gnu/services/cuirass.scm | 120 | ||||
| -rw-r--r-- | gnu/services/guix.scm | 212 | ||||
| -rw-r--r-- | gnu/services/mail.scm | 4 | ||||
| -rw-r--r-- | gnu/services/networking.scm | 82 | ||||
| -rw-r--r-- | gnu/services/shepherd.scm | 77 | ||||
| -rw-r--r-- | gnu/services/virtualization.scm | 2 | ||||
| -rw-r--r-- | gnu/services/web.scm | 2 | ||||
| -rw-r--r-- | gnu/services/xorg.scm | 23 |
9 files changed, 531 insertions, 188 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 25716ef152..e75c56828e 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -573,7 +573,13 @@ file systems, as well as corresponding @file{/etc/fstab} entries."))) (lambda (seed) (call-with-output-file "/dev/urandom" (lambda (urandom) - (dump-port seed urandom)))))) + (dump-port seed urandom) + + ;; Writing SEED to URANDOM isn't enough: we must + ;; also tell the kernel to account for these + ;; extra bits of entropy. + (let ((bits (* 8 (stat:size (stat seed))))) + (add-to-entropy-count urandom bits))))))) ;; Try writing from /dev/hwrng into /dev/urandom. ;; It seems that the file /dev/hwrng always exists, even @@ -590,7 +596,9 @@ file systems, as well as corresponding @file{/etc/fstab} entries."))) (when buf (call-with-output-file "/dev/urandom" (lambda (urandom) - (put-bytevector urandom buf))))) + (put-bytevector urandom buf) + (let ((bits (* 8 (bytevector-length buf)))) + (add-to-entropy-count urandom bits)))))) ;; Immediately refresh the seed in case the system doesn't ;; shut down cleanly. @@ -939,36 +947,38 @@ the message of the day, among other things." (define (default-serial-port) "Return a gexp that determines a reasonable default serial port to use as the tty. This is primarily useful for headless systems." - #~(begin - ;; console=device,options - ;; device: can be tty0, ttyS0, lp0, ttyUSB0 (serial). - ;; options: BBBBPNF. P n|o|e, N number of bits, - ;; F flow control (r RTS) - (let* ((not-comma (char-set-complement (char-set #\,))) - (command (linux-command-line)) - (agetty-specs (find-long-options "agetty.tty" command)) - (console-specs (filter (lambda (spec) - (and (string-prefix? "tty" spec) - (not (or - (string-prefix? "tty0" spec) - (string-prefix? "tty1" spec) - (string-prefix? "tty2" spec) - (string-prefix? "tty3" spec) - (string-prefix? "tty4" spec) - (string-prefix? "tty5" spec) - (string-prefix? "tty6" spec) - (string-prefix? "tty7" spec) - (string-prefix? "tty8" spec) - (string-prefix? "tty9" spec))))) - (find-long-options "console" command))) - (specs (append agetty-specs console-specs))) - (match specs - (() #f) - ((spec _ ...) - ;; Extract device name from first spec. - (match (string-tokenize spec not-comma) - ((device-name _ ...) - device-name))))))) + (with-imported-modules (source-module-closure + '((gnu build linux-boot))) ;for 'find-long-options' + #~(begin + ;; console=device,options + ;; device: can be tty0, ttyS0, lp0, ttyUSB0 (serial). + ;; options: BBBBPNF. P n|o|e, N number of bits, + ;; F flow control (r RTS) + (let* ((not-comma (char-set-complement (char-set #\,))) + (command (linux-command-line)) + (agetty-specs (find-long-options "agetty.tty" command)) + (console-specs (filter (lambda (spec) + (and (string-prefix? "tty" spec) + (not (or + (string-prefix? "tty0" spec) + (string-prefix? "tty1" spec) + (string-prefix? "tty2" spec) + (string-prefix? "tty3" spec) + (string-prefix? "tty4" spec) + (string-prefix? "tty5" spec) + (string-prefix? "tty6" spec) + (string-prefix? "tty7" spec) + (string-prefix? "tty8" spec) + (string-prefix? "tty9" spec))))) + (find-long-options "console" command))) + (specs (append agetty-specs console-specs))) + (match specs + (() #f) + ((spec _ ...) + ;; Extract device name from first spec. + (match (string-tokenize spec not-comma) + ((device-name _ ...) + device-name)))))))) (define agetty-shepherd-service (match-lambda @@ -1478,7 +1488,7 @@ information on the configuration file syntax." (module "pam_limits.so") (arguments '("conf=/etc/security/limits.conf"))))) (if (member (pam-service-name pam) - '("login" "su" "slim")) + '("login" "su" "slim" "gdm-password")) (pam-service (inherit pam) (session (cons pam-limits @@ -1994,64 +2004,67 @@ item of @var{packages}." (requirement '(root-file-system)) (documentation "Populate the /dev directory, dynamically.") - (start #~(lambda () - (define udevd - ;; 'udevd' from eudev. - #$(file-append udev "/sbin/udevd")) - - (define (wait-for-udevd) - ;; Wait until someone's listening on udevd's control - ;; socket. - (let ((sock (socket AF_UNIX SOCK_SEQPACKET 0))) - (let try () - (catch 'system-error - (lambda () - (connect sock PF_UNIX "/run/udev/control") - (close-port sock)) - (lambda args - (format #t "waiting for udevd...~%") - (usleep 500000) - (try)))))) - - ;; Allow udev to find the modules. - (setenv "LINUX_MODULE_DIRECTORY" - "/run/booted-system/kernel/lib/modules") - - ;; The first one is for udev, the second one for eudev. - (setenv "UDEV_CONFIG_FILE" #$udev.conf) - (setenv "EUDEV_RULES_DIRECTORY" - #$(file-append rules "/lib/udev/rules.d")) - - (let* ((kernel-release - (utsname:release (uname))) - (linux-module-directory - (getenv "LINUX_MODULE_DIRECTORY")) - (directory - (string-append linux-module-directory "/" - kernel-release)) - (old-umask (umask #o022))) - ;; If we're in a container, DIRECTORY might not exist, - ;; for instance because the host runs a different - ;; kernel. In that case, skip it; we'll just miss a few - ;; nodes like /dev/fuse. - (when (file-exists? directory) - (make-static-device-nodes directory)) - (umask old-umask)) - - (let ((pid (fork+exec-command (list udevd)))) - ;; Wait until udevd is up and running. This appears to - ;; be needed so that the events triggered below are - ;; actually handled. - (wait-for-udevd) - - ;; Trigger device node creation. - (system* #$(file-append udev "/bin/udevadm") - "trigger" "--action=add") - - ;; Wait for things to settle down. - (system* #$(file-append udev "/bin/udevadm") - "settle") - pid))) + (start + (with-imported-modules (source-module-closure + '((gnu build linux-boot))) + #~(lambda () + (define udevd + ;; 'udevd' from eudev. + #$(file-append udev "/sbin/udevd")) + + (define (wait-for-udevd) + ;; Wait until someone's listening on udevd's control + ;; socket. + (let ((sock (socket AF_UNIX SOCK_SEQPACKET 0))) + (let try () + (catch 'system-error + (lambda () + (connect sock PF_UNIX "/run/udev/control") + (close-port sock)) + (lambda args + (format #t "waiting for udevd...~%") + (usleep 500000) + (try)))))) + + ;; Allow udev to find the modules. + (setenv "LINUX_MODULE_DIRECTORY" + "/run/booted-system/kernel/lib/modules") + + ;; The first one is for udev, the second one for eudev. + (setenv "UDEV_CONFIG_FILE" #$udev.conf) + (setenv "EUDEV_RULES_DIRECTORY" + #$(file-append rules "/lib/udev/rules.d")) + + (let* ((kernel-release + (utsname:release (uname))) + (linux-module-directory + (getenv "LINUX_MODULE_DIRECTORY")) + (directory + (string-append linux-module-directory "/" + kernel-release)) + (old-umask (umask #o022))) + ;; If we're in a container, DIRECTORY might not exist, + ;; for instance because the host runs a different + ;; kernel. In that case, skip it; we'll just miss a few + ;; nodes like /dev/fuse. + (when (file-exists? directory) + (make-static-device-nodes directory)) + (umask old-umask)) + + (let ((pid (fork+exec-command (list udevd)))) + ;; Wait until udevd is up and running. This appears to + ;; be needed so that the events triggered below are + ;; actually handled. + (wait-for-udevd) + + ;; Trigger device node creation. + (system* #$(file-append udev "/bin/udevadm") + "trigger" "--action=add") + + ;; Wait for things to settle down. + (system* #$(file-append udev "/bin/udevadm") + "settle") + pid)))) (stop #~(make-kill-destructor)) ;; When halting the system, 'udev' is actually killed by @@ -2059,7 +2072,7 @@ item of @var{packages}." ;; Thus, make sure it is not respawned. (respawn? #f) ;; We need additional modules. - (modules `((gnu build linux-boot) + (modules `((gnu build linux-boot) ;'make-static-device-nodes' ,@%default-modules)) (actions (list (shepherd-action diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm index 7bd43cd427..914a0d337f 100644 --- a/gnu/services/cuirass.scm +++ b/gnu/services/cuirass.scm @@ -81,70 +81,68 @@ (define (cuirass-shepherd-service config) "Return a <shepherd-service> for the Cuirass service with CONFIG." - (and - (cuirass-configuration? config) - (let ((cuirass (cuirass-configuration-cuirass config)) - (cache-directory (cuirass-configuration-cache-directory config)) - (web-log-file (cuirass-configuration-web-log-file config)) - (log-file (cuirass-configuration-log-file config)) - (user (cuirass-configuration-user config)) - (group (cuirass-configuration-group config)) - (interval (cuirass-configuration-interval config)) - (database (cuirass-configuration-database config)) - (ttl (cuirass-configuration-ttl config)) - (port (cuirass-configuration-port config)) - (host (cuirass-configuration-host config)) - (specs (cuirass-configuration-specifications config)) - (use-substitutes? (cuirass-configuration-use-substitutes? config)) - (one-shot? (cuirass-configuration-one-shot? config)) - (fallback? (cuirass-configuration-fallback? config))) - (list (shepherd-service - (documentation "Run Cuirass.") - (provision '(cuirass)) - (requirement '(guix-daemon networking)) - (start #~(make-forkexec-constructor - (list (string-append #$cuirass "/bin/cuirass") - "--cache-directory" #$cache-directory - "--specifications" - #$(scheme-file "cuirass-specs.scm" specs) - "--database" #$database - "--ttl" #$(string-append (number->string ttl) "s") - "--interval" #$(number->string interval) - #$@(if use-substitutes? '("--use-substitutes") '()) - #$@(if one-shot? '("--one-shot") '()) - #$@(if fallback? '("--fallback") '())) + (let ((cuirass (cuirass-configuration-cuirass config)) + (cache-directory (cuirass-configuration-cache-directory config)) + (web-log-file (cuirass-configuration-web-log-file config)) + (log-file (cuirass-configuration-log-file config)) + (user (cuirass-configuration-user config)) + (group (cuirass-configuration-group config)) + (interval (cuirass-configuration-interval config)) + (database (cuirass-configuration-database config)) + (ttl (cuirass-configuration-ttl config)) + (port (cuirass-configuration-port config)) + (host (cuirass-configuration-host config)) + (specs (cuirass-configuration-specifications config)) + (use-substitutes? (cuirass-configuration-use-substitutes? config)) + (one-shot? (cuirass-configuration-one-shot? config)) + (fallback? (cuirass-configuration-fallback? config))) + (list (shepherd-service + (documentation "Run Cuirass.") + (provision '(cuirass)) + (requirement '(guix-daemon networking)) + (start #~(make-forkexec-constructor + (list (string-append #$cuirass "/bin/cuirass") + "--cache-directory" #$cache-directory + "--specifications" + #$(scheme-file "cuirass-specs.scm" specs) + "--database" #$database + "--ttl" #$(string-append (number->string ttl) "s") + "--interval" #$(number->string interval) + #$@(if use-substitutes? '("--use-substitutes") '()) + #$@(if one-shot? '("--one-shot") '()) + #$@(if fallback? '("--fallback") '())) - #:environment-variables - (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" - (string-append "GIT_EXEC_PATH=" #$git - "/libexec/git-core")) + #:environment-variables + (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" + (string-append "GIT_EXEC_PATH=" #$git + "/libexec/git-core")) - #:user #$user - #:group #$group - #:log-file #$log-file)) - (stop #~(make-kill-destructor))) - (shepherd-service - (documentation "Run Cuirass web interface.") - (provision '(cuirass-web)) - (requirement '(guix-daemon networking)) - (start #~(make-forkexec-constructor - (list (string-append #$cuirass "/bin/cuirass") - "--cache-directory" #$cache-directory - "--specifications" - #$(scheme-file "cuirass-specs.scm" specs) - "--database" #$database - "--ttl" #$(string-append (number->string ttl) "s") - "--web" - "--port" #$(number->string port) - "--listen" #$host - "--interval" #$(number->string interval) - #$@(if use-substitutes? '("--use-substitutes") '()) - #$@(if fallback? '("--fallback") '())) + #:user #$user + #:group #$group + #:log-file #$log-file)) + (stop #~(make-kill-destructor))) + (shepherd-service + (documentation "Run Cuirass web interface.") + (provision '(cuirass-web)) + (requirement '(guix-daemon networking)) + (start #~(make-forkexec-constructor + (list (string-append #$cuirass "/bin/cuirass") + "--cache-directory" #$cache-directory + "--specifications" + #$(scheme-file "cuirass-specs.scm" specs) + "--database" #$database + "--ttl" #$(string-append (number->string ttl) "s") + "--web" + "--port" #$(number->string port) + "--listen" #$host + "--interval" #$(number->string interval) + #$@(if use-substitutes? '("--use-substitutes") '()) + #$@(if fallback? '("--fallback") '())) - #:user #$user - #:group #$group - #:log-file #$web-log-file)) - (stop #~(make-kill-destructor))))))) + #:user #$user + #:group #$group + #:log-file #$web-log-file)) + (stop #~(make-kill-destructor)))))) (define (cuirass-account config) "Return the user accounts and user groups for CONFIG." diff --git a/gnu/services/guix.scm b/gnu/services/guix.scm new file mode 100644 index 0000000000..0f0fad39b0 --- /dev/null +++ b/gnu/services/guix.scm @@ -0,0 +1,212 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2019 Christopher Baines <mail@cbaines.net> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation, either version 3 of the License, or +;;; (at your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu services guix) + #:use-module (ice-9 match) + #:use-module (guix gexp) + #:use-module (guix records) + #:use-module ((gnu packages base) + #:select (glibc-utf8-locales)) + #:use-module (gnu packages admin) + #:use-module (gnu packages web) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services admin) + #:use-module (gnu services shepherd) + #:use-module (gnu services getmail) + #:use-module (gnu system shadow) + #:export (<guix-data-service-configuration> + guix-data-service-configuration + guix-data-service-configuration? + guix-data-service-package + guix-data-service-user + guix-data-service-group + guix-data-service-port + guix-data-service-host + guix-data-service-getmail-idle-mailboxes + guix-data-service-commits-getmail-retriever-configuration + + guix-data-service-type)) + +;;;; Commentary: +;;; +;;; This module implements a service that to run instances of the Guix Data +;;; Service, which provides data about Guix over time. +;;; +;;;; Code: + +(define-record-type* <guix-data-service-configuration> + guix-data-service-configuration make-guix-data-service-configuration + guix-data-service-configuration? + (package guix-data-service-package + (default guix-data-service)) + (user guix-data-service-configuration-user + (default "guix-data-service")) + (group guix-data-service-configuration-group + (default "guix-data-service")) + (port guix-data-service-port + (default 8765)) + (host guix-data-service-host + (default "127.0.0.1")) + (getmail-idle-mailboxes + guix-data-service-getmail-idle-mailboxes + (default #f)) + (commits-getmail-retriever-configuration + guix-data-service-commits-getmail-retriever-configuration + (default #f))) + +(define (guix-data-service-profile-packages config) + "Return the guix-data-service package, this will populate the +ca-certificates.crt file in the system profile." + (list + (guix-data-service-package config))) + +(define (guix-data-service-shepherd-services config) + (match-record config <guix-data-service-configuration> + (package user group port host) + (list + (shepherd-service + (documentation "Guix Data Service web server") + (provision '(guix-data-service)) + (requirement '(postgres networking)) + (start #~(make-forkexec-constructor + (list #$(file-append package + "/bin/guix-data-service") + "--pid-file=/var/run/guix-data-service/pid" + #$(string-append "--port=" (number->string port)) + #$(string-append "--host=" host) + ;; Perform any database migrations when the + ;; service is started + "--update-database") + + #:user #$user + #:group #$group + #:pid-file "/var/run/guix-data-service/pid" + ;; Allow time for migrations to run + #:pid-file-timeout 60 + #:environment-variables + `(,(string-append + "GUIX_LOCPATH=" #$glibc-utf8-locales "/lib/locale") + "LC_ALL=en_US.utf8") + #:log-file "/var/log/guix-data-service/web.log")) + (stop #~(make-kill-destructor))) + + (shepherd-service + (documentation "Guix Data Service process jobs") + (provision '(guix-data-service-process-jobs)) + (requirement '(postgres + networking + ;; Require guix-data-service, as that the database + ;; migrations are handled through this service + guix-data-service)) + (start #~(make-forkexec-constructor + (list + #$(file-append package + "/bin/guix-data-service-process-jobs")) + #:user #$user + #:group #$group + #:environment-variables + `("HOME=/var/lib/guix-data-service" + "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" + ,(string-append + "GUIX_LOCPATH=" #$glibc-utf8-locales "/lib/locale") + "LC_ALL=en_US.utf8") + #:log-file "/var/log/guix-data-service/process-jobs.log")) + (stop #~(make-kill-destructor)))))) + +(define (guix-data-service-activation config) + #~(begin + (use-modules (guix build utils)) + + (define %user (getpw "guix-data-service")) + + (chmod "/var/lib/guix-data-service" #o755) + + (mkdir-p "/var/log/guix-data-service") + + ;; Allow writing the PID file + (mkdir-p "/var/run/guix-data-service") + (chown "/var/run/guix-data-service" + (passwd:uid %user) + (passwd:gid %user)))) + +(define (guix-data-service-account config) + (match-record config <guix-data-service-configuration> + (user group) + (list (user-group + (name group) + (system? #t)) + (user-account + (name user) + (group group) + (system? #t) + (comment "Guix Data Service user") + (home-directory "/var/lib/guix-data-service") + (shell (file-append shadow "/sbin/nologin")))))) + +(define (guix-data-service-getmail-configuration config) + (match config + (($ <guix-data-service-configuration> package user group + port host + #f #f) + '()) + (($ <guix-data-service-configuration> package user group + port host + getmail-idle-mailboxes + commits-getmail-retriever-configuration) + (list + (getmail-configuration + (name 'guix-data-service) + (user user) + (group group) + (directory "/var/lib/getmail/guix-data-service") + (rcfile + (getmail-configuration-file + (retriever commits-getmail-retriever-configuration) + (destination + (getmail-destination-configuration + (type "MDA_external") + (path (file-append + package + "/bin/guix-data-service-process-branch-updated-email")))) + (options + (getmail-options-configuration + (read-all #f) + (delivered-to #f) + (received #f))))) + (idle getmail-idle-mailboxes)))))) + +(define guix-data-service-type + (service-type + (name 'guix-data-service) + (extensions + (list + (service-extension profile-service-type + guix-data-service-profile-packages) + (service-extension shepherd-root-service-type + guix-data-service-shepherd-services) + (service-extension activation-service-type + guix-data-service-activation) + (service-extension account-service-type + guix-data-service-account) + (service-extension getmail-service-type + guix-data-service-getmail-configuration))) + (default-value + (guix-data-service-configuration)) + (description + "Run an instance of the Guix Data Service."))) diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm index 3de0b4c2f3..2606aa9e3e 100644 --- a/gnu/services/mail.scm +++ b/gnu/services/mail.scm @@ -137,7 +137,7 @@ (define (free-form-fields? val) (match val (() #t) - ((((? symbol?) . (? string)) . val) (free-form-fields? val)) + ((((? symbol?) . (? string?)) . val) (free-form-fields? val)) (_ #f))) (define (serialize-free-form-fields field-name val) (for-each (match-lambda ((k . v) (serialize-field k v))) val)) @@ -145,7 +145,7 @@ (define (free-form-args? val) (match val (() #t) - ((((? symbol?) . (? string)) . val) (free-form-args? val)) + ((((? symbol?) . (? string?)) . val) (free-form-args? val)) (_ #f))) (define (serialize-free-form-args field-name val) (serialize-field field-name diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index c775242f99..dd63009116 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -11,6 +11,7 @@ ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net> ;;; Copyright © 2019 Florian Pelz <pelzflorian@pelzflorian.de> ;;; Copyright © 2019 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2019 Sou Bunnbu <iyzsong@member.fsf.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -144,7 +145,14 @@ iptables-configuration-iptables iptables-configuration-ipv4-rules iptables-configuration-ipv6-rules - iptables-service-type)) + iptables-service-type + + nftables-service-type + nftables-configuration + nftables-configuration? + nftables-configuration-package + nftables-configuration-ruleset + %default-nftables-ruleset)) ;;; Commentary: ;;; @@ -1415,4 +1423,76 @@ COMMIT (list (service-extension shepherd-root-service-type (compose list iptables-shepherd-service)))))) +;;; +;;; nftables +;;; + +(define %default-nftables-ruleset + (plain-file "nftables.conf" + "# A simple and safe firewall +table inet filter { + chain input { + type filter hook input priority 0; policy drop; + + # early drop of invalid connections + ct state invalid drop + + # allow established/related connections + ct state { established, related } accept + + # allow from loopback + iifname lo accept + + # allow icmp + ip protocol icmp accept + ip6 nexthdr icmpv6 accept + + # allow ssh + tcp dport ssh accept + + # reject everything else + reject with icmpx type port-unreachable + } + chain forward { + type filter hook forward priority 0; policy drop; + } + chain output { + type filter hook output priority 0; policy accept; + } +} +")) + +(define-record-type* <nftables-configuration> + nftables-configuration + make-nftables-configuration + nftables-configuration? + (package nftables-configuration-package + (default nftables)) + (ruleset nftables-configuration-ruleset ; file-like object + (default %default-nftables-ruleset))) + +(define nftables-shepherd-service + (match-lambda + (($ <nftables-configuration> package ruleset) + (let ((nft (file-append package "/sbin/nft"))) + (shepherd-service + (documentation "Packet filtering and classification") + (provision '(nftables)) + (start #~(lambda _ + (invoke #$nft "--file" #$ruleset))) + (stop #~(lambda _ + (invoke #$nft "flush" "ruleset")))))))) + +(define nftables-service-type + (service-type + (name 'nftables) + (description + "Run @command{nft}, setting up the specified ruleset.") + (extensions + (list (service-extension shepherd-root-service-type + (compose list nftables-shepherd-service)) + (service-extension profile-service-type + (compose list nftables-configuration-package)))) + (default-value (nftables-configuration)))) + ;;; networking.scm ends here diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm index 45c67e04eb..08bb33039c 100644 --- a/gnu/services/shepherd.scm +++ b/gnu/services/shepherd.scm @@ -255,6 +255,22 @@ stored." #~(#$name #$doc #$proc))) (shepherd-service-actions service)))))))) +(define (scm->go file) + "Compile FILE, which contains code to be loaded by shepherd's config file, +and return the resulting '.go' file." + (with-extensions (list shepherd) + (computed-file (string-append (basename (scheme-file-name file) ".scm") + ".go") + #~(begin + (use-modules (system base compile)) + + ;; Do the same as the Shepherd's 'load-in-user-module'. + (let ((env (make-fresh-user-module))) + (module-use! env (resolve-interface '(oop goops))) + (module-use! env (resolve-interface '(shepherd service))) + (compile-file #$file #:output-file #$output + #:env env)))))) + (define (shepherd-configuration-file services) "Return the shepherd configuration file for SERVICES." (assert-valid-graph services) @@ -269,36 +285,37 @@ stored." ;; than a kernel panic. (call-with-error-handling (lambda () - (apply register-services (map primitive-load '#$files)) - - ;; guix-daemon 0.6 aborts if 'PATH' is undefined, so work around - ;; it. - (setenv "PATH" "/run/current-system/profile/bin") - - (format #t "starting services...~%") - (for-each (lambda (service) - ;; In the Shepherd 0.3 the 'start' method can raise - ;; '&action-runtime-error' if it fails, so protect - ;; against it. (XXX: 'action-runtime-error?' is not - ;; exported is 0.3, hence 'service-error?'.) - (guard (c ((service-error? c) - (format (current-error-port) - "failed to start service '~a'~%" - service))) - (start service))) - '#$(append-map shepherd-service-provision - (filter shepherd-service-auto-start? - services))) - - ;; Hang up stdin. At this point, we assume that 'start' methods - ;; that required user interaction on the console (e.g., - ;; 'cryptsetup open' invocations, post-fsck emergency REPL) have - ;; completed. User interaction becomes impossible after this - ;; call; this avoids situations where services wrongfully lead - ;; PID 1 to read from stdin (the console), which users may not - ;; have access to (see <https://bugs.gnu.org/23697>). - (redirect-port (open-input-file "/dev/null") - (current-input-port)))))) + (apply register-services + (map load-compiled '#$(map scm->go files))))) + + ;; guix-daemon 0.6 aborts if 'PATH' is undefined, so work around + ;; it. + (setenv "PATH" "/run/current-system/profile/bin") + + (format #t "starting services...~%") + (for-each (lambda (service) + ;; In the Shepherd 0.3 the 'start' method can raise + ;; '&action-runtime-error' if it fails, so protect + ;; against it. (XXX: 'action-runtime-error?' is not + ;; exported is 0.3, hence 'service-error?'.) + (guard (c ((service-error? c) + (format (current-error-port) + "failed to start service '~a'~%" + service))) + (start service))) + '#$(append-map shepherd-service-provision + (filter shepherd-service-auto-start? + services))) + + ;; Hang up stdin. At this point, we assume that 'start' methods + ;; that required user interaction on the console (e.g., + ;; 'cryptsetup open' invocations, post-fsck emergency REPL) have + ;; completed. User interaction becomes impossible after this + ;; call; this avoids situations where services wrongfully lead + ;; PID 1 to read from stdin (the console), which users may not + ;; have access to (see <https://bugs.gnu.org/23697>). + (redirect-port (open-input-file "/dev/null") + (current-input-port)))) (scheme-file "shepherd.conf" config))) diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index 3eecd2c085..bc8ac9b40a 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -313,7 +313,7 @@ be logged: Multiple filters can be defined in a single filters statement, they just need to be separated by spaces.") (log-outputs - (string "3:stderr") + (string "3:syslog:libvirtd") "Logging outputs. An output is one of the places to save logging information diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 56971238ab..899be1c168 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -438,7 +438,7 @@ addresses-and-ports contents) `(,(string-append - "<VirtualHost " addresses-and-ports ">\n") + "\n<VirtualHost " addresses-and-ports ">\n") ,@contents "\n</VirtualHost>\n")) ((? string? x) diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 06d72b5f60..1d55e388a1 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -773,6 +773,27 @@ the GNOME desktop environment.") (home-directory "/var/lib/gdm") (shell (file-append shadow "/sbin/nologin"))))) +(define %gdm-activation + ;; Ensure /var/lib/gdm is owned by the "gdm" user. This is normally the + ;; case but could be wrong if the "gdm" user was created, then removed, and + ;; then recreated under a different UID/GID: <https://bugs.gnu.org/37423>. + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + + (let* ((gdm (getpwnam "gdm")) + (uid (passwd:uid gdm)) + (gid (passwd:gid gdm)) + (st (stat "/var/lib/gdm" #f))) + ;; Recurse into /var/lib/gdm only if it has wrong ownership. + (when (and st + (or (not (= uid (stat:uid st))) + (not (= gid (stat:gid st))))) + (for-each (lambda (file) + (chown file uid gid)) + (find-files "/var/lib/gdm" + #:directories? #t))))))) + (define dbus-daemon-wrapper (program-file "gdm-dbus-wrapper" @@ -915,6 +936,8 @@ the GNOME desktop environment.") (extensions (list (service-extension shepherd-root-service-type gdm-shepherd-service) + (service-extension activation-service-type + (const %gdm-activation)) (service-extension account-service-type (const %gdm-accounts)) (service-extension pam-root-service-type |