From 1bcc87bb685b7985512add221f10e4cb58b5f6f7 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 29 Oct 2016 01:16:24 +0200 Subject: guix download: Add '-o' option. * guix/scripts/download.scm (download-to-file, download-to-store*): New procedures. (%default-options): Add 'download-proc'. (show-help): Adjust description and document '-o'. (%options): Add '-o'. (guix-download): Remove 'store' variable. Add 'fetch' and define 'path' to as its result. * tests/guix-download.sh: Add test. --- doc/guix.texi | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index a3eba5811e..1a809c340d 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -4836,6 +4836,10 @@ When using this option, you have @emph{absolutely no guarantee} that you are communicating with the authentic server responsible for the given URL, which makes you vulnerable to ``man-in-the-middle'' attacks. +@item --output=@var{file} +@itemx -o @var{file} +Save the downloaded file to @var{file} instead of adding it to the +store. @end table @node Invoking guix hash -- cgit v1.2.3 From 1f9803c2a49e853ca5721f13888a61a816c4dc09 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Thu, 17 Nov 2016 23:19:45 +0100 Subject: services: static-networking: Add netmask. Reported by Mathieu Lirzin and Andreas Enge. * gnu/services/networking.scm ()[netmask]: New field. (static-networking-service-type): Honor it. * gnu/services/networking.scm (static-networking-service): Add #:netmask and honor it. * doc/guix.texi (Networking Services): Adjust accordingly. --- doc/guix.texi | 6 +++--- gnu/services/networking.scm | 22 +++++++++++++++------- 2 files changed, 18 insertions(+), 10 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 1a809c340d..0e70830d02 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -8363,10 +8363,10 @@ Protocol (DHCP) client, on all the non-loopback network interfaces. @end deffn @deffn {Scheme Procedure} static-networking-service @var{interface} @var{ip} @ - [#:gateway #f] [#:name-servers @code{'()}] + [#:netmask #f] [#:gateway #f] [#:name-servers @code{'()}] Return a service that starts @var{interface} with address @var{ip}. If -@var{gateway} is true, it must be a string specifying the default network -gateway. +@var{netmask} is true, use it as the network mask. If @var{gateway} is true, +it must be a string specifying the default network gateway. @end deffn @cindex wicd diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 2adde23789..884c542439 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -112,6 +112,8 @@ fe80::1%lo0 apps.facebook.com\n") static-networking? (interface static-networking-interface) (ip static-networking-ip) + (netmask static-networking-netmask + (default #f)) (gateway static-networking-gateway) (provision static-networking-provision) (name-servers static-networking-name-servers) @@ -121,7 +123,7 @@ fe80::1%lo0 apps.facebook.com\n") (shepherd-service-type 'static-networking (match-lambda - (($ interface ip gateway provision + (($ interface ip netmask gateway provision name-servers net-tools) (let ((loopback? (memq 'loopback provision))) @@ -139,12 +141,18 @@ fe80::1%lo0 apps.facebook.com\n") (start #~(lambda _ ;; Return #t if successfully started. (let* ((addr (inet-pton AF_INET #$ip)) - (sockaddr (make-socket-address AF_INET addr 0))) + (sockaddr (make-socket-address AF_INET addr 0)) + (mask (and #$netmask + (inet-pton AF_INET #$netmask))) + (maskaddr (and mask + (make-socket-address AF_INET + mask 0)))) (configure-network-interface #$interface sockaddr (logior IFF_UP #$(if loopback? #~IFF_LOOPBACK - 0)))) + 0)) + #:netmask maskaddr)) #$(if gateway #~(zero? (system* (string-append #$net-tools "/sbin/route") 
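Review bot: In the `@@ -139,12 +141,18 @@` hunk of gnu/services/networking.scm, `maskaddr` is passed as `#:netmask` unconditionally, so `configure-network-interface` now receives `#:netmask #f` whenever no netmask was configured, where the old code passed no keyword at all; this is only equivalent if the callee treats `#f` as "no mask", which is not visible here and is worth confirming. An invalid `netmask` string appears to surface as an `inet-pton` error inside the `start` gexp, i.e. at boot time rather than when the configuration is evaluated, the same as for `ip` today. A comment above the new binding such as `;; MASK is #f when no netmask was given; a malformed string makes inet-pton throw at start time.` would make both points explicit. The `start` lambda continues past the end of the hunk.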
@@ -176,16 +184,16 @@ fe80::1%lo0 apps.facebook.com\n") (define* (static-networking-service interface ip #:key - gateway + netmask gateway (provision '(networking)) (name-servers '()) (net-tools net-tools)) "Return a service that starts @var{interface} with address @var{ip}. If -@var{gateway} is true, it must be a string specifying the default network -gateway." +@var{netmask} is true, use it as the network mask. If @var{gateway} is true, +it must be a string specifying the default network gateway." (service static-networking-service-type (static-networking (interface interface) (ip ip) - (gateway gateway) + (netmask netmask) (gateway gateway) (provision provision) (name-servers name-servers) (net-tools net-tools)))) -- cgit v1.2.3 From fac46e3f5e55f9de6fa2ab8082bc418139590fc0 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 19 Nov 2016 18:06:46 +0100 Subject: lint: Add 'mirror-url' checker. * guix/scripts/lint.scm (origin-uris): New procedure. (check-source): Use it. (check-mirror-url): New procedure. (%checkers): Add 'mirror-url' checker. * tests/lint.scm ("mirror-url") ("mirror-url: one suggestion"): New tests. * doc/guix.texi (Invoking guix lint): Document it. --- doc/guix.texi | 4 +++- guix/scripts/lint.scm | 43 +++++++++++++++++++++++++++++++++++++++---- tests/lint.scm | 19 +++++++++++++++++++ 3 files changed, 61 insertions(+), 5 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 0e70830d02..7352ea973f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -5379,9 +5379,11 @@ Identify inputs that should most likely be native inputs. @item source @itemx home-page +@itemx mirror-url @itemx source-file-name Probe @code{home-page} and @code{source} URLs and report those that are -invalid. Check that the source file name is meaningful, e.g. is not +invalid. Suggest a @code{mirror://} URL when applicable. Check that +the source file name is meaningful, e.g. is not just a version number or ``git-checkout'', without a declared @code{file-name} (@pxref{origin Reference}). diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm index 6e6f550941..9641d3926a 100644 --- a/guix/scripts/lint.scm +++ b/guix/scripts/lint.scm @@ -65,6 +65,7 @@ check-home-page check-source check-source-file-name + check-mirror-url check-license check-vulnerabilities check-formatting @@ -567,6 +568,14 @@ descriptions maintained upstream." (location->string loc) (package-full-name package) (fill-paragraph (escape-quotes upstream) 77 7))))))) +(define (origin-uris origin) + "Return the list of URIs (strings) for ORIGIN." + (match (origin-uri origin) + ((? string? uri) + (list uri)) + ((uris ...) + uris))) + (define (check-source package) "Emit a warning if PACKAGE has an invalid 'source' field, or if that 'source' is not reachable." @@ -583,10 +592,7 @@ descriptions maintained upstream." (let ((origin (package-source package))) (when (and origin (eqv? (origin-method origin) url-fetch)) - (let* ((strings (origin-uri origin)) - (uris (if (list? strings) - (map string->uri strings) - (list (string->uri strings))))) + (let ((uris (map string->uri (origin-uris origin)))) ;; Just make sure that at least one of the URIs is valid. (call-with-values 
@@ -626,6 +632,31 @@ descriptions maintained upstream." (_ "the source file name should contain the package name") 'source)))) +(define (check-mirror-url package) + "Check whether PACKAGE uses source URLs that should be 'mirror://'." + (define (check-mirror-uri uri) ;XXX: could be optimized + (let loop ((mirrors %mirrors)) + (match mirrors + (() + #t) + (((mirror-id mirror-urls ...) rest ...) + (match (find (cut string-prefix? <> uri) mirror-urls) + (#f + (loop rest)) + (prefix + (emit-warning package + (format #f (_ "URL should be \ +'mirror://~a/~a'") + mirror-id + (string-drop uri (string-length prefix))) + 'source))))))) + + (let ((origin (package-source package))) + (when (and (origin? origin) + (eqv? (origin-method origin) url-fetch)) + (let ((uris (origin-uris origin))) + (for-each check-mirror-uri uris))))) + (define (check-derivation package) "Emit a warning if we fail to compile PACKAGE to a derivation." (catch #t @@ -863,6 +894,10 @@ or a list thereof") (name 'source) (description "Validate source URLs") (check check-source)) + (lint-checker + (name 'mirror-url) + (description "Suggest 'mirror://' URLs") + (check check-mirror-url)) (lint-checker (name 'source-file-name) (description "Validate file names of sources") diff --git a/tests/lint.scm b/tests/lint.scm index cf1b95ee69..0c534562a4 100644 --- a/tests/lint.scm +++ b/tests/lint.scm 
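Review bot: The lookup in `check-mirror-uri` is a bare `string-prefix?` test, so a `%mirrors` entry that is not terminated by `/` would also match a longer sibling path (an entry such as `http://ftp.gnu.org/pub/gnu` would match `http://ftp.gnu.org/pub/gnuplot/...`) and emit a wrong `mirror://` suggestion; whether that can happen depends on how `%mirrors` entries are written, which is outside this hunk. A cheap guard is to accept a match only at a path boundary, e.g. `(find (lambda (m) (and (string-prefix? m uri) (or (string-suffix? "/" m) (string-prefix? "/" (string-drop uri (string-length m)))))) mirror-urls)`, which also avoids suggesting an empty path when the URI equals the prefix exactly. The `;XXX: could be optimized` remark would be more useful if it said what is slow, e.g. `;XXX: scans every %mirrors entry for each URI; index by host if this gets hot.`.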
@@ -508,6 +508,25 @@ (check-source pkg)))) "not reachable: 404"))) +(test-assert "mirror-url" + (string-null? + (with-warnings + (let ((source (origin + (method url-fetch) + (uri "http://example.org/foo/bar.tar.gz") + (sha256 %null-sha256)))) + (check-mirror-url (dummy-package "x" (source source))))))) + +(test-assert "mirror-url: one suggestion" + (string-contains + (with-warnings + (let ((source (origin + (method url-fetch) + (uri "http://ftp.gnu.org/pub/gnu/foo/foo.tar.gz") + (sha256 %null-sha256)))) + (check-mirror-url (dummy-package "x" (source source))))) + "mirror://gnu/foo/foo.tar.gz")) + (test-assert "cve" (mock ((guix scripts lint) package-vulnerabilities (const '())) (string-null? -- cgit v1.2.3 From e01e2c6c525f1c0ef0ab62b832435a4ece0348ec Mon Sep 17 00:00:00 2001 From: ng0 Date: Sat, 19 Nov 2016 21:49:06 +0000 Subject: gnu: services: Add git-service. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/services/version-control.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * doc/guix.texi (Misellaneous Services)[Version Control]: New section. Co-authored-by: 宋文武 --- doc/guix.texi | 61 +++++++++++++++++ gnu/local.mk | 1 + gnu/services/version-control.scm | 141 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 203 insertions(+) create mode 100644 gnu/services/version-control.scm (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 7352ea973f..3a88dd4044 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -11673,6 +11673,67 @@ A @code{} object serving the GNU Collaborative International Dictonary of English using the @code{gcide} package. @end defvr +@subsubsection Version Control + +The @code{(gnu services version-control)} module provides the following services: + +@subsubheading Git daemon service + +@deffn {Scheme Procedure} git-daemon-service [#:config (git-daemon-configuration)] + +Return a service that runs @command{git daemon}, a simple TCP server to +expose repositiories over the Git protocol for annoymous access. + +The optional @var{config} argument should be a +@code{} object, by default it allows read-only +access to exported@footnote{By creating the magic file +"git-daemon-export-ok" in the repository directory.} repositories under +@file{/srv/git}. + +@end deffn + +@deftp {Data Type} git-daemon-configuration +Data type representing the configuration for @code{git-daemon-service}. + +@table @asis +@item @code{package} (default: @var{git}) +Package object of the Git distributed version control system. + +@item @code{export-all?} (default: @var{#f}) +Whether to allow access for all Git repositories, even if they do not +have the @file{git-daemon-export-ok} file. + +@item @code{base-path} (default: @file{/srv/git}) +Whether to remap all the path requests as relative to the given path. +If you run git daemon with @var{(base-path "/srv/git")} on example.com, +then if you later try to pull @code{git://example.com/hello.git}, git +daemon will interpret the path as @code{/srv/git/hello.git}. + +@item @code{user-path} (default: @var{#f}) +Whether to allow @code{~user} notation to be used in requests. When +specified with empty string, requests to @code{git://host/~alice/foo} is +taken as a request to access @code{foo} repository in the home directory +of user @code{alice}. If @var{(user-path "path")} is specified, the +same request is taken as a request to access @code{path/foo} repository +in the home directory of user @code{alice}. 
+ +@item @code{listen} (default: @var{'()}) +Whether to listen on specific IP addresses or hostnames, defaults to +all. + +@item @code{port} (default: @var{#f}) +Whether to listen on an alternative port, which defaults to 9418. + +@item @code{whitelist} (default: @var{'()}) +If not empty, only allow access to this list of directories. + +@item @code{extra-options} (default: @var{'()}) +Extra options will be passed to @code{git daemon}, please run +@command{man git-daemon} for more information. + +@end table +@end deftp + @node Setuid Programs @subsection Setuid Programs diff --git a/gnu/local.mk b/gnu/local.mk index df7fb4c995..430d05ff3e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -416,6 +416,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/sddm.scm \ %D%/services/spice.scm \ %D%/services/ssh.scm \ + %D%/services/version-control.scm \ %D%/services/web.scm \ %D%/services/xorg.scm \ \ diff --git a/gnu/services/version-control.scm b/gnu/services/version-control.scm new file mode 100644 index 0000000000..107bc8e77a --- /dev/null +++ b/gnu/services/version-control.scm 
@@ -0,0 +1,141 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2016 ng0 +;;; Copyright © 2016 Sou Bunnbu +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services version-control) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services shepherd) + #:use-module (gnu system shadow) + #:use-module (gnu packages version-control) + #:use-module (gnu packages admin) + #:use-module (guix records) + #:use-module (guix gexp) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-26) + #:use-module (ice-9 match) + #:export (git-daemon-service + git-daemon-service-type + git-daemon-configuration + git-daemon-configuration?)) + +;;; Commentary: +;;; +;;; Version Control related services. +;;; +;;; Code: + + +;;; +;;; Git daemon. +;;; + +(define-record-type* + git-daemon-configuration + make-git-daemon-configuration + git-daemon-configuration? + (package git-daemon-configuration-package ;package + (default git)) + (export-all? 
git-daemon-configuration-export-all ;boolean + (default #f)) + (base-path git-daemon-configuration-base-path ;string | #f + (default "/srv/git")) + (user-path git-daemon-configuration-user-path ;string | #f + (default #f)) + (listen git-daemon-configuration-listen ;list of string + (default '())) + (port git-daemon-configuration-port ;number | #f + (default #f)) + (whitelist git-daemon-configuration-whitelist ;list of string + (default '())) + (extra-options git-daemon-configuration-extra-options ;list of string + (default '()))) + +(define git-daemon-shepherd-service + (match-lambda + (($ + package export-all? base-path user-path + listen port whitelist extra-options) + (let* ((git (file-append package "/bin/git")) + (command `(,git + "daemon" "--syslog" "--reuseaddr" + ,@(if export-all? + '("--export-all") + '()) + ,@(if base-path + `(,(string-append "--base-path=" base-path)) + '()) + ,@(if user-path + `(,(string-append "--user-path=" user-path)) + '()) + ,@(map (cut string-append "--listen=" <>) listen) + ,@(if port + `(,(string-append + "--port=" (number->string port))) + '()) + ,@extra-options + ,@whitelist))) + (list (shepherd-service + (documentation "Run the git-daemon.") + (requirement '(networking)) + (provision '(git-daemon)) + (start #~(make-forkexec-constructor '#$command + #:user "git-daemon" + #:group "git-daemon")) + (stop #~(make-kill-destructor)))))))) + +(define %git-daemon-accounts + ;; User account and group for git-daemon. + (list (user-group + (name "git-daemon") + (system? #t)) + (user-account + (name "git-daemon") + (system? #t) + (group "git-daemon") + (comment "Git daemon user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))) + +(define (git-daemon-activation config) + "Return the activation gexp for git-daemon using CONFIG." + (let ((base-path (git-daemon-configuration-base-path config))) + #~(begin + (use-modules (guix build utils)) + ;; Create the 'base-path' directory when it's not '#f'. 
+ (and=> #$base-path mkdir-p)))) + +(define git-daemon-service-type + (service-type + (name 'git-daemon) + (extensions + (list (service-extension shepherd-root-service-type + git-daemon-shepherd-service) + (service-extension account-service-type + (const %git-daemon-accounts)) + (service-extension activation-service-type + git-daemon-activation))))) + +(define* (git-daemon-service #:key (config (git-daemon-configuration))) + "Return a service that runs @command{git daemon}, a simple TCP server to +expose repositories over the Git protocol for annoymous access. + +The optional @var{config} argument should be a +@code{} object, by default it allows read-only +access to exported repositories under @file{/srv/git}." + (service git-daemon-service-type config)) -- cgit v1.2.3 From 52db41aff8771518f99eb1f9b63b814b568f7a4a Mon Sep 17 00:00:00 2001 From: Eric Bavier Date: Sat, 19 Nov 2016 13:25:02 -0600 Subject: gnu: system: Add openfwwf-firmware to %base-firmware. * gnu/system.scm (%base-firmware): Add openfwwf-firmware. * doc/guix.texi (Hardware Considerations): Mention b43-open support. (operating-system Reference)[firmware]: Likewise. --- doc/guix.texi | 11 +++++++---- gnu/system.scm | 3 ++- 2 files changed, 9 insertions(+), 5 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 3a88dd4044..7381c2c6ba 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
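Review bot: The accessor for the `export-all?` field is named `git-daemon-configuration-export-all`, dropping the `?` that the field name carries and that the `git-daemon-configuration?` predicate uses, so it reads like a non-boolean getter; `git-daemon-configuration-export-all?` would be consistent. `git-daemon-shepherd-service` destructures all eight fields positionally through `match-lambda`, so any field added to the record later must be inserted at the same position in the `($ ...)` pattern or the match fails; a line such as `;; Fields are matched positionally: keep in sync with the record definition.` above the pattern would flag that. The docstring of `git-daemon-service`, like the Texinfo hunk in the same commit, spells `annoymous`; it should read `anonymous`. The field comments would also benefit from noting that `export-all?` and `user-path` both widen what the daemon serves beyond the `git-daemon-export-ok`-marked repositories under `base-path`, since those are the two options that change the default read-only exposure.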
@@ -6405,7 +6405,9 @@ hardware is not supported on GuixSD. One of the main areas where free drivers or firmware are lacking is WiFi devices. WiFi devices known to work include those using Atheros chips (AR9271 and AR7010), which corresponds to the @code{ath9k} Linux-libre -driver, and for which free firmware exists and is available +driver, and those using Broadcom/AirForce chips (BCM43xx with +Wireless-Core Revision 5), which corresponds to the @code{b43-open} +Linux-libre driver. Free firmware exists for both and is available out-of-the-box on GuixSD, as part of @var{%base-firmware} (@pxref{operating-system Reference, @code{firmware}}). @@ -7079,9 +7081,10 @@ the Linux kernel. @xref{Initial RAM Disk}. @cindex firmware List of firmware packages loadable by the operating system kernel. -The default includes firmware needed for Atheros-based WiFi devices -(Linux-libre module @code{ath9k}). @xref{Hardware Considerations}, for -more info on supported hardware. +The default includes firmware needed for Atheros- and Broadcom-based +WiFi devices (Linux-libre modules @code{ath9k} and @code{b43-open}, +respectively). @xref{Hardware Considerations}, for more info on +supported hardware. @item @code{host-name} The host name. diff --git a/gnu/system.scm b/gnu/system.scm index cf220e72fd..4e57f975e6 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -346,7 +346,8 @@ explicitly appear in OS." (define %base-firmware ;; Firmware usable by default. - (list ath9k-htc-firmware)) + (list ath9k-htc-firmware + openfwwf-firmware)) (define %base-packages ;; Default set of packages globally visible. It should include anything -- cgit v1.2.3 From b7230de54b493da5a78922b4226255763b525a98 Mon Sep 17 00:00:00 2001 
From: Hartmut Goebel Date: Fri, 18 Nov 2016 00:49:09 +0100 Subject: doc: Symlink daemon start-up files. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch ensures that always the current profile's daemon will be used. The .service file contains the path to the guix-daemon within the store. Thus when copying the file, it will point to the very version of guix-daemon used at the time of copying – even after system upgrade or when this version has been garbage collected from the store. * doc/guix.texi (Binary Installation): Change example code for installing the systemd and Upstart files to use symbolic links instead of copying the files. --- doc/guix.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 7381c2c6ba..347361ca74 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -453,7 +453,7 @@ If your host distro uses the systemd init system, this can be achieved with these commands: @example -# cp ~root/.guix-profile/lib/systemd/system/guix-daemon.service \ +# ln -s ~root/.guix-profile/lib/systemd/system/guix-daemon.service \ /etc/systemd/system/ # systemctl start guix-daemon && systemctl enable guix-daemon @end example @@ -461,7 +461,7 @@ with these commands: If your host distro uses the Upstart init system: @example -# cp ~root/.guix-profile/lib/upstart/system/guix-daemon.conf /etc/init/ +# ln -s ~root/.guix-profile/lib/upstart/system/guix-daemon.conf /etc/init/ # start guix-daemon @end example -- cgit v1.2.3 From 332d7903f52c2bf3741b04ac2d01cd9018b70800 Mon Sep 17 00:00:00 2001 
From: Hartmut Goebel Date: Thu, 24 Nov 2016 09:23:11 +0100 Subject: Add system start-up files for "guix publish". * .gitignore: add etc/guix-publish.conf and /etc/guix-publish.service. * etc/guix-publish.conf.in: New file. * etc/guix-publish.service.in: New file. * nix/local.mk (etc/guix-%.service, etc/guix-%.conf): Generalized former build-rules for by using patterns. (nodist_systemdservice_DATA): Add etc/guix-publish.service, update comment. (nodist_upstartjob_DATA): Add etc/guix-publish.conf, update comment. * doc/guix.texi (Invoking guix publish): Add description for enabling "guix publish" on host distros using the new files. --- .gitignore | 2 ++ doc/guix.texi | 24 ++++++++++++++++++++++++ etc/guix-publish.conf.in | 12 ++++++++++++ etc/guix-publish.service.in | 19 +++++++++++++++++++ nix/local.mk | 16 ++++++++-------- 5 files changed, 65 insertions(+), 8 deletions(-) create mode 100644 etc/guix-publish.conf.in create mode 100644 etc/guix-publish.service.in (limited to 'doc') diff --git a/.gitignore b/.gitignore index 329d489713..b64f5ef4b0 100644 --- a/.gitignore +++ b/.gitignore @@ -50,6 +50,8 @@ /emacs/guix-helper.scm /etc/guix-daemon.conf /etc/guix-daemon.service +/etc/guix-publish.conf +/etc/guix-publish.service /guix-daemon /guix-register /guix/config.scm diff --git a/doc/guix.texi b/doc/guix.texi index 347361ca74..0055d094e8 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -6055,6 +6055,30 @@ add a call to @code{guix-publish-service} in the @code{services} field of the @code{operating-system} declaration (@pxref{guix-publish-service, @code{guix-publish-service}}). +If you are instead running Guix on a ``foreign distro'', follow these +instructions:” + +@itemize +@item +If your host distro uses the systemd init system: + +@example +# ln -s ~root/.guix-profile/lib/systemd/system/guix-publish.service \ + /etc/systemd/system/ +# systemctl start guix-publish && systemctl enable guix-publish +@end example + +@item +If your host distro uses the Upstart init system: + +@example +# ln -s ~root/.guix-profile/lib/upstart/system/guix-publish.conf /etc/init/ +# start guix-publish +@end example + +@item +Otherwise, proceed similarly with your distro's init system. +@end itemize @node Invoking guix challenge @section Invoking @command{guix challenge} diff --git a/etc/guix-publish.conf.in b/etc/guix-publish.conf.in new file mode 100644 index 0000000000..498fa295be --- /dev/null +++ b/etc/guix-publish.conf.in @@ -0,0 +1,12 @@ +# This is a "job" for the Upstart init system to launch 'guix-daemon'. +# Drop it in /etc/init to have 'guix-daemon' automatically started. + +description "Publish the GNU Guix store" + +start on runlevel [2345] + +stop on runlevel [016] + +task + +exec @bindir@/guix publish --user=nobody --port=8181 diff --git a/etc/guix-publish.service.in b/etc/guix-publish.service.in new file mode 100644 index 0000000000..fc4e3c21f3 --- /dev/null +++ b/etc/guix-publish.service.in 
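Review bot: The two header comments of the new `etc/guix-publish.conf.in` still describe the job as launching `'guix-daemon'`, a copy-paste leftover, while the `exec` line runs `guix publish`; they should read `# This is a "job" for the Upstart init system to launch 'guix publish'.` and `# Drop it in /etc/init to have 'guix publish' automatically started.`. Separately, the `task` stanza tells Upstart the job is a short-lived task, whereas `guix publish` is a long-running server; if the stanza was carried over from the daemon job rather than chosen deliberately, it is worth checking that the job is still treated as a service that stays up.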
@@ -0,0 +1,19 @@ +# This is a "service unit file" for the systemd init system to launch +# 'guix publish'. Drop it in /etc/systemd/system or similar to have +# 'guix publish' automatically started. + +[Unit] +Description=Publish the GNU Guix store + +[Service] +ExecStart=@bindir@/guix publish --user=nobody --port=8181 +Environment=GUIX_LOCPATH=/root/.guix-profile/lib/locale +RemainAfterExit=yes +StandardOutput=syslog +StandardError=syslog + +# See . +TasksMax=1024 + +[Install] +WantedBy=multi-user.target diff --git a/nix/local.mk b/nix/local.mk index 86ef769549..79667ed49e 100644 --- a/nix/local.mk +++ b/nix/local.mk @@ -183,26 +183,26 @@ endif BUILD_DAEMON_OFFLOAD nodist_libexec_SCRIPTS = \ %D%/scripts/guix-authenticate -# The '.service' file for systemd. +# The '.service' files for systemd. systemdservicedir = $(libdir)/systemd/system -nodist_systemdservice_DATA = etc/guix-daemon.service +nodist_systemdservice_DATA = etc/guix-daemon.service etc/guix-publish.service -etc/guix-daemon.service: etc/guix-daemon.service.in \ +etc/guix-%.service: etc/guix-%.service.in \ $(top_builddir)/config.status $(AM_V_GEN)$(MKDIR_P) "`dirname $@`"; \ $(SED) -e 's|@''bindir''@|$(bindir)|' < \ - "$(srcdir)/etc/guix-daemon.service.in" > "$@.tmp"; \ + "$(srcdir)/$<" > "$@.tmp"; \ mv "$@.tmp" "$@" -# The '.conf' job for Upstart. +# The '.conf' jobs for Upstart. upstartjobdir = $(libdir)/upstart/system -nodist_upstartjob_DATA = etc/guix-daemon.conf +nodist_upstartjob_DATA = etc/guix-daemon.conf etc/guix-publish.conf -etc/guix-daemon.conf: etc/guix-daemon.conf.in \ +etc/guix-%.conf: etc/guix-%.conf.in \ $(top_builddir)/config.status $(AM_V_GEN)$(MKDIR_P) "`dirname $@`"; \ $(SED) -e 's|@''bindir''@|$(bindir)|' < \ - "$(srcdir)/etc/guix-daemon.conf.in" > "$@.tmp"; \ + "$(srcdir)/$<" > "$@.tmp"; \ mv "$@.tmp" "$@" EXTRA_DIST += \ -- cgit v1.2.3 From cbf1024e9907c7402e66c0c225dba7406fbd82e8 Mon Sep 17 00:00:00 2001 
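Review bot: The new `etc/guix-publish.service.in` declares no ordering relation to `guix-daemon.service`, although `guix publish` presumably contacts the daemon to look up store items; if that is the case, `After=guix-daemon.service` and `Wants=guix-daemon.service` under `[Unit]` avoid a boot-time race where the publisher starts before the daemon socket exists. The `Environment=GUIX_LOCPATH=/root/.guix-profile/lib/locale` line points at root's profile while the process is told to drop to `nobody` via `--user=nobody`; whether that directory is still readable once privileges are dropped depends on the permissions of `/root`, which a short comment such as `# Locale data comes from root's profile; it must be readable after the drop to 'nobody'.` should make explicit so the next reader can verify it.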
From: Ludovic Courtès Date: Thu, 24 Nov 2016 21:53:57 +0100 Subject: doc: Document 'wpa-supplicant-service-type'. Reported by Chris Marusich . * doc/guix.texi (Networking Services): Remove 'wpa-supplicant-service' procedure, which doesn't exist, and document 'wpa-supplicant-service-type'. --- doc/guix.texi | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 0055d094e8..4d9c107a9c 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -8431,13 +8431,22 @@ configure networking." @end deffn @cindex WPA Supplicant -@deffn {Scheme Procedure} wpa-supplicant-service @ - [#:wpa-supplicant @var{wpa-supplicant}] -Return a service that runs @url{https://w1.fi/wpa_supplicant/,WPA +@defvr {Scheme Variable} wpa-supplicant-service-type +This is the service type to run @url{https://w1.fi/wpa_supplicant/,WPA supplicant}, an authentication daemon required to authenticate against -encrypted WiFi or ethernet networks. Service is started to listen for +encrypted WiFi or ethernet networks. It is configured to listen for requests on D-Bus. -@end deffn + +The value of this service is the @code{wpa-supplicant} package to use. +Thus, it can be instantiated like this: + +@lisp +(use-modules (gnu services networking) + (gnu packages admin)) + +(service wpa-supplicant-type wpa-supplicant) +@end lisp +@end defvr @cindex NTP @cindex real time clock -- cgit v1.2.3 From 13fb1bd94e77ca231faaae25e8c9e3c4bde1b0f2 Mon Sep 17 00:00:00 2001 
From: Ludovic Courtès Date: Thu, 24 Nov 2016 23:03:04 +0100 Subject: doc: Document encrypted root partitions. This is a followup to f7f292d359e0eb77617f4ecf6b3164f868ec1784. * doc/guix.texi (Preparing for Installation): Give commands for encrypted root installation. (Proceeding with the Installation): Add item about mapped devices. (File Systems): Mention that 'dependencies' can list objects. * gnu/system/examples/desktop.tmpl (mapped-devices): New field. (file-systems): Add 'dependencies' field. --- doc/guix.texi | 48 +++++++++++++++++++++++----------------- gnu/system/examples/desktop.tmpl | 15 +++++++++++-- 2 files changed, 41 insertions(+), 22 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 4d9c107a9c..e488c5a553 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -6665,27 +6665,26 @@ partition lives at @file{/dev/sda1}, a file system with the label mkfs.ext4 -L my-root /dev/sda1 @end example -@c FIXME: Uncomment this once GRUB fully supports encrypted roots. -@c A typical command sequence may be: -@c -@c @example -@c # fdisk /dev/sdX -@c @dots{} Create partitions etc.@dots{} -@c # cryptsetup luksFormat /dev/sdX1 -@c # cryptsetup open --type luks /dev/sdX1 my-partition -@c # mkfs.ext4 -L my-root /dev/mapper/my-partition -@c @end example - -In addition to e2fsprogs, the suite of tools to manipulate -ext2/ext3/ext4 file systems, the installation image includes -Cryptsetup/LUKS for disk encryption. +@cindex encrypted disk +If you are instead planning to encrypt the root partition, you can use +the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html, +@uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}}, +@code{man cryptsetup}} for more information.) Assuming you want to +store the root partition on @file{/dev/sda1}, the command sequence would +be along these lines: + +@example +cryptsetup luksFormat /dev/sda1 +cryptsetup open --type luks /dev/sda1 my-partition +mkfs.ext4 -L my-root /dev/mapper/my-partition +@end example Once that is done, mount the target root partition under @file{/mnt} -with a command like (again, assuming @file{/dev/sda1} is the root -partition): +with a command like (again, assuming @code{my-root} is the label of the +root partition): @example -mount /dev/sda1 /mnt +mount LABEL=my-root /mnt @end example Finally, if you plan to use one or more swap partitions (@pxref{Memory 
@@ -6748,6 +6747,10 @@ Be sure that your partition labels match the value of their respective @code{device} fields in your @code{file-system} configuration, assuming your @code{file-system} configuration sets the value of @code{title} to @code{'label}. + +@item +If there are encrypted or RAID partitions, make sure to add a +@code{mapped-devices} field to describe them (@pxref{Mapped Devices}). @end itemize Once you are done preparing the configuration file, the new system must @@ -6992,7 +6995,9 @@ desired configuration. In particular, notice how we use @code{inherit} to create a new configuration which has the same values as the old configuration, but with a few modifications. -The configuration for a typical ``desktop'' usage, with the X11 display +@cindex encrypted disk +The configuration for a typical ``desktop'' usage, with an encrypted +root partition, the X11 display server, GNOME and Xfce (users can choose which of these desktop environments to use at the log-in screen by pressing @kbd{F1}), network management, power management, and more, would look like this: @@ -7317,13 +7322,16 @@ errors before being mounted. When true, the mount point is created if it does not exist yet. @item @code{dependencies} (default: @code{'()}) -This is a list of @code{} objects representing file systems -that must be mounted before (and unmounted after) this one. +This is a list of @code{} or @code{} objects +representing file systems that must be mounted or mapped devices that +must be opened before (and unmounted or closed after) this one. As an example, consider a hierarchy of mounts: @file{/sys/fs/cgroup} is a dependency of @file{/sys/fs/cgroup/cpu} and @file{/sys/fs/cgroup/memory}. +Another example is a file system that depends on a mapped device, for +example for an encrypted partition (@pxref{Mapped Devices}). @end table @end deftp diff --git a/gnu/system/examples/desktop.tmpl b/gnu/system/examples/desktop.tmpl index 2fcf90f8b1..82687e740b 100644 
--- a/gnu/system/examples/desktop.tmpl +++ b/gnu/system/examples/desktop.tmpl @@ -1,5 +1,6 @@ ;; This is an operating system configuration template -;; for a "desktop" setup with GNOME and Xfce. +;; for a "desktop" setup with GNOME and Xfce where the +;; root partition is encrypted with LUKS. (use-modules (gnu) (gnu system nss)) (use-service-modules desktop) @@ -13,11 +14,21 @@ ;; Assuming /dev/sdX is the target hard disk, and "my-root" ;; is the label of the target root file system. (bootloader (grub-configuration (device "/dev/sdX"))) + + ;; Specify a mapped device for the encrypted root partition. + ;; The UUID is that returned by 'cryptsetup luksUUID'. + (mapped-devices + (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "the-root-device") + (type luks-device-mapping)))) + (file-systems (cons (file-system (device "my-root") (title 'label) (mount-point "/") - (type "ext4")) + (type "ext4") + (dependencies mapped-devices)) %base-file-systems)) (users (cons (user-account -- cgit v1.2.3 From df31e36a403ac8ff3d86813b88f02f816a936687 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Thu, 24 Nov 2016 23:21:08 +0100 Subject: doc: Fix typos in "Kerberos Services". * doc/guix.texi (Kerberos Services): Fix typos. --- doc/guix.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index e488c5a553..ebb138e15d 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -11412,13 +11412,13 @@ could instantiate a dovecot service like this: @subsubsection Kerberos Services @cindex Kerberos -The @code{(gnu services Kerberos)} module provides services relating to +The @code{(gnu services kerberos)} module provides services relating to the authentication protocol @dfn{Kerberos}. @subsubheading PAM krb5 Service @cindex pam-krb5 -The pam-krb5 service allows for login authentication and password +The @code{pam-krb5} service allows for login authentication and password management via Kerberos. You will need this service if you want PAM enabled applications to authenticate users using Kerberos. -- cgit v1.2.3