From 71992a532dd0bb88b39dda285482b332a24dae66 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Sun, 13 Sep 2020 23:02:49 +0200 Subject: services: Fix zram-device-service. * gnu/services/linux.scm (): Fix typo. --- gnu/services/linux.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/linux.scm b/gnu/services/linux.scm index ec42663a11..72c7779596 100644 --- a/gnu/services/linux.scm +++ b/gnu/services/linux.scm @@ -196,7 +196,7 @@ representation." (define-record-type* zram-device-configuration make-zram-device-configuration zram-device-configuration? - (size zram-device-configration-size + (size zram-device-configuration-size (default "1G")) ; string or integer (compression-algorithm zram-device-configuration-compression-algorithm (default 'lzo)) ; symbol -- cgit v1.2.3 From 11a962e6536d59b8c5b24880fbb19550242ffa04 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Fri, 11 Sep 2020 13:55:55 +0200 Subject: services: certbot: Support registration without email. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/services/certbot.scm (certbot-configuration): Add default for the email option. (certbot-command): Pass email for registration only when specified. * doc/guix.texi (Certificate Services): "mandatory"→"optional" email. Signed-off-by: Ludovic Courtès --- doc/guix.texi | 7 ++++--- gnu/services/certbot.scm | 11 ++++++++--- 2 files changed, 12 insertions(+), 6 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index a6e14ea177..5e4bfd8e85 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -22478,9 +22478,10 @@ A list of @code{certificates-configuration}s for which to generate certificates and request signatures. Each certificate has a @code{name} and several @code{domains}. -@item @code{email} -Mandatory email used for registration, recovery contact, and important -account notifications. +@item @code{email} (default: @code{#f}) +Optional email address used for registration and recovery contact. +Setting this is encouraged as it allows you to receive important +notifications about the account and issued certificates. @item @code{server} (default: @code{#f}) Optional URL of ACME server. Setting this overrides certbot's default, diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 5643340799..1c67ff63f1 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -71,7 +71,8 @@ (default "/var/www")) (certificates certbot-configuration-certificates (default '())) - (email certbot-configuration-email) + (email certbot-configuration-email + (default #f)) (server certbot-configuration-server (default #f)) (rsa-key-size certbot-configuration-rsa-key-size @@ -99,12 +100,14 @@ (if challenge (append (list name certbot "certonly" "-n" "--agree-tos" - "-m" email "--manual" (string-append "--preferred-challenges=" challenge) "--cert-name" name "--manual-public-ip-logging-ok" "-d" (string-join domains ",")) + (if email + `("--email" ,email) + '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) (if authentication-hook 
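Review bot: With `email` now defaulting to `#f`, a configuration that simply omits the field registers the ACME account with `--register-unsafely-without-email`, leaving it with no recovery contact and no expiry or security notices from the CA, whereas before this change omitting the field was a construction-time error. The consequence should be visible where the default is declared, e.g. `(default #f)) ; #f registers the ACME account without a recovery contact (--register-unsafely-without-email)`, or certbot-command could emit a warning when email is #f. The `(if email `("--email" ,email) '("--register-unsafely-without-email"))` form is also duplicated verbatim in the manual-challenge branch here and in the webroot branch of the following hunk; binding it once in the enclosing `let`, e.g. `(email-args (if email `("--email" ,email) '("--register-unsafely-without-email")))`, keeps the two from drifting apart. The enclosing certbot-command definition begins outside the hunk.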
@@ -114,10 +117,12 @@ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) (append (list name certbot "certonly" "-n" "--agree-tos" - "-m" email "--webroot" "-w" webroot "--cert-name" name "-d" (string-join domains ",")) + (if email + `("--email" ,email) + '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) -- cgit v1.2.3 From 8422a67dc16af4dd5eb82180463aa7a0b362d5b9 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Mon, 14 Sep 2020 16:35:36 +0300 Subject: services: docker: Make docker command available. * gnu/services/docker.scm (docker-service-type): Extend the profile-service-type and add the docker-cli package. --- gnu/services/docker.scm | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'gnu/services') diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index 380a942ed2..2fb2ae2c47 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2018 Danny Milosavljevic ;;; Copyright © 2020 Jakub Kądziołka ;;; Copyright © 2020 Maxim Cournoyer +;;; Copyright © 2020 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -133,6 +134,9 @@ loop-back communications.") bundles in Docker containers.") (extensions (list + ;; Make sure the 'docker' command is available. + (service-extension profile-service-type + (list docker-cli)) (service-extension activation-service-type %docker-activation) (service-extension shepherd-root-service-type -- cgit v1.2.3 From a404716d411cf7cd49ff02e3100f0bbf6622d6d5 Mon Sep 17 00:00:00 2001 
From: Efraim Flashner Date: Mon, 14 Sep 2020 23:21:20 +0300 Subject: services: docker: Fix service definition. This is a follow-up to 8422a67dc16af4dd5eb82180463aa7a0b362d5b9. * gnu/services/docker.scm (docker-service-type): Use a composed list for packages in profile-service-type. --- gnu/services/docker.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index 2fb2ae2c47..1cce767675 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -136,7 +136,7 @@ bundles in Docker containers.") (list ;; Make sure the 'docker' command is available. (service-extension profile-service-type - (list docker-cli)) + (compose list docker-cli)) (service-extension activation-service-type %docker-activation) (service-extension shepherd-root-service-type -- cgit v1.2.3 From f6dfe42129d005662d91e1acb1c75eafe7b9b33e Mon Sep 17 00:00:00 2001 From: Oleg Pykhalov Date: Tue, 15 Sep 2020 01:10:55 +0300 Subject: services: docker: Fix service definition. This commit follows a404716d411cf7cd49ff02e3100f0bbf6622d6d5. * gnu/services/docker.scm (docker-configuration)[docker-cli]: New record field. (docker-service-type): Use this. * doc/guix.texi (Miscellaneous Services)[Docker Service]: Document this. --- doc/guix.texi | 5 ++++- gnu/services/docker.scm | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index bfffb4ac2a..88128a4b3a 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -27990,7 +27990,10 @@ This is the data type representing the configuration of Docker and Containerd. @table @asis @item @code{package} (default: @code{docker}) -The Docker package to use. +The Docker daemon package to use. + +@item @code{package} (default: @code{docker-cli}) +The Docker client package to use. @item @code{containerd} (default: @var{containerd}) The Containerd package to use. 
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index 1cce767675..a4eccc7928 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -45,6 +45,9 @@ (docker (package docker) "Docker daemon package.") + (docker-cli + (package docker-cli) + "Docker client package.") (containerd (package containerd) "containerd package.") @@ -136,7 +139,7 @@ bundles in Docker containers.") (list ;; Make sure the 'docker' command is available. (service-extension profile-service-type - (compose list docker-cli)) + (compose list docker-configuration-docker-cli)) (service-extension activation-service-type %docker-activation) (service-extension shepherd-root-service-type -- cgit v1.2.3 From 1b157bbef0032121c88be2bbb834846115ce9341 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 15 Sep 2020 12:30:39 +0200 Subject: services: bitlbee: Support libpurple plugins. * gnu/services/messaging.scm (bitlbee-shepherd-service): Pass PURPLE_PLUGIN_PATH as #:environment-variables. --- gnu/services/messaging.scm | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm index 11b41f2bf6..8f2f3914cf 100644 --- a/gnu/services/messaging.scm +++ b/gnu/services/messaging.scm @@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017, 2018 Clément Lassieur ;;; Copyright © 2017 Mathieu Othacehe -;;; Copyright © 2015, 2017, 2018, 2019 Ludovic Courtès +;;; Copyright © 2015, 2017, 2018, 2019, 2020 Ludovic Courtès ;;; Copyright © 2018 Pierre-Antoine Rouby ;;; ;;; This file is part of GNU Guix. 
@@ -813,14 +813,15 @@ string, you could instantiate a prosody service like this: (match-lambda (($ bitlbee interface port plugins extra-settings) - (let ((conf (mixed-text-file "bitlbee.conf" + (let* ((plugins (directory-union "bitlbee-plugins" plugins)) + (conf (mixed-text-file "bitlbee.conf" " [settings] User = bitlbee ConfigDir = /var/lib/bitlbee DaemonInterface = " interface " DaemonPort = " (number->string port) " - PluginDir = " (directory-union "bitlbee-plugins" plugins) "/lib/bitlbee + PluginDir = " plugins "/lib/bitlbee " extra-settings))) (with-imported-modules (source-module-closure @@ -840,6 +841,11 @@ string, you could instantiate a prosody service like this: (list #$(file-append bitlbee "/sbin/bitlbee") "-n" "-F" "-u" "bitlbee" "-c" #$conf) + ;; Allow 'bitlbee-purple' to use libpurple plugins. + #:environment-variables + (list (string-append "PURPLE_PLUGIN_PATH=" + #$plugins "/lib/purple-2")) + #:pid-file "/var/run/bitlbee.pid" #:mappings (list (file-system-mapping (source "/var/lib/bitlbee") -- cgit v1.2.3 From b864ddb6905a1c4e3a88a6e8214b58f42ff5bf19 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Sun, 20 Sep 2020 22:01:25 +0200 Subject: services: dicod: Reduce irony. * gnu/services/dict.scm (dicod-service): Fix docstring typo. --- gnu/services/dict.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/dict.scm b/gnu/services/dict.scm index 519ed3eca2..a97ad8f608 100644 --- a/gnu/services/dict.scm +++ b/gnu/services/dict.scm 
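Review bot: In the new `let*`, rebinding `plugins` to the `directory-union` result shadows the list of plugin packages destructured by the `match-lambda` pattern on the line above, so the same name denotes a package list on one line and a store directory two lines later; naming the union `(plugin-directory (directory-union "bitlbee-plugins" plugins))` and using `plugin-directory` in both the `PluginDir =` line and the `PURPLE_PLUGIN_PATH=` line in the second hunk reads more clearly. `PURPLE_PLUGIN_PATH` is also set unconditionally, even when no libpurple-based plugin is configured, and hard-codes the `lib/purple-2` layout; a short comment stating that the variable only matters for bitlbee-purple and why `purple-2` is the expected subdirectory would help the next maintainer. The `bitlbee-shepherd-service` definition starts before the first hunk and the constructor form continues past the end of the second.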
@@ -187,7 +187,7 @@ of DICT server (@pxref{Dicod,,, dico, GNU Dico Manual}). The optional @var{config} argument specifies the configuration for @command{dicod}, which should be a @code{} object, by -default it serves the GNU Collaborative International Dictonary of English. +default it serves the GNU Collaborative International Dictionary of English. You can add @command{open localhost} to your @file{~/.dico} file to make @code{localhost} the default server for @command{dico} -- cgit v1.2.3 From 1a0da8b4f38c11b70acbc641068d8e01144b8180 Mon Sep 17 00:00:00 2001 From: Mathieu Othacehe Date: Mon, 21 Sep 2020 10:48:16 +0200 Subject: services: base: Improve container related comments. * gnu/services/base.scm (guix-shepherd-service): Clarify the usage of a container for guix-daemon. --- gnu/services/base.scm | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'gnu/services') diff --git a/gnu/services/base.scm b/gnu/services/base.scm index d560ad5a13..bef4eef241 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -1570,6 +1570,9 @@ proxy of 'guix-daemon'...~%") ;; the 'set-http-proxy' action. (or (getenv "http_proxy") #$http-proxy)) + ;; Start the guix-daemon from a container, when supported, + ;; to solve an installation issue. See the comment below for + ;; more details. (fork+exec-command/container (cons* #$(file-append guix "/bin/guix-daemon") "--build-users-group" #$build-group @@ -1600,6 +1603,8 @@ proxy of 'guix-daemon'...~%") ;; operate from within the same MNT namespace as the ;; installation container. In that case only, enter the ;; namespace of the process PID passed as start argument. + ;; Otherwise, for symmetry purposes enter the caller + ;; namespaces which is a no-op. #:pid (match args ((pid) (string->number pid)) (else (getpid))) -- cgit v1.2.3 From f0a09310e6ff2ed63770cb585c551ba94ce4a9d0 Mon Sep 17 00:00:00 2001 
From: Jesse Dowell Date: Sat, 19 Sep 2020 12:40:38 -0400 Subject: services: docker: Fix enable-proxy? option. The userland proxy option does not properly disable the userland proxy when set to false. Docker defaults to enabling the userland proxy if the option is unset on the command line. * gnu/services/docker.scm (docker-shepherd-service): Properly handle the 'enable-proxy?' option. Signed-off-by: Efraim Flashner --- gnu/services/docker.scm | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index a4eccc7928..c7296d5b1b 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2020 Jakub Kądziołka ;;; Copyright © 2020 Maxim Cournoyer ;;; Copyright © 2020 Efraim Flashner +;;; Copyright © 2020 Jesse Dowell ;;; ;;; This file is part of GNU Guix. ;;; @@ -121,9 +122,11 @@ loop-back communications.") #$@(if debug? '("--debug" "--log-level=debug") '()) - (if #$enable-proxy? "--userland-proxy" "") - "--userland-proxy-path" (string-append #$proxy - "/bin/proxy") + #$@(if enable-proxy? + '("--userland-proxy=true" + (string-append + "--userland-proxy-path=" proxy "/bin/proxy")) + '("--userland-proxy=false")) (if #$enable-iptables? "--iptables" "--iptables=false")) -- cgit v1.2.3 From e04b90607ac903359c90c9bad1b67fb7ce2f0eb6 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Mon, 21 Sep 2020 15:02:23 +0300 Subject: services: Docker: Fix typo in configuration. This is a follow-up to f0a09310e6ff2ed63770cb585c551ba94ce4a9d0. * gnu/services/docker.scm (docker-shepherd-service): Properly reference variables in service definition. --- gnu/services/docker.scm | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index c7296d5b1b..2f13c270ab 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm 
@@ -122,11 +122,11 @@ loop-back communications.") #$@(if debug? '("--debug" "--log-level=debug") '()) - #$@(if enable-proxy? - '("--userland-proxy=true" - (string-append - "--userland-proxy-path=" proxy "/bin/proxy")) - '("--userland-proxy=false")) + (if #$enable-proxy? + '("--userland-proxy=true" + (string-append + "--userland-proxy-path=" #$proxy "/bin/proxy")) + '("--userland-proxy=false")) (if #$enable-iptables? "--iptables" "--iptables=false")) -- cgit v1.2.3 From 97e98e22691d3d1ecf35afc2ba2c961fdbd3cc7e Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Wed, 23 Sep 2020 19:06:28 +0200 Subject: services: Allow (service bluetooth-service-type). * gnu/services/desktop.scm (bluetooth-service-type) [default-value]: Set to (bluetooth-configuration). --- gnu/services/desktop.scm | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/services') diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index bdbea5dddf..1dcf71d359 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -470,6 +470,7 @@ site} for more information." ,(bluetooth-directory config))))) (service-extension shepherd-root-service-type (compose list bluetooth-shepherd-service)))) + (default-value (bluetooth-configuration)) (description "Run the @command{bluetoothd} daemon, which manages all the Bluetooth devices and provides a number of D-Bus interfaces."))) -- cgit v1.2.3 From cd4bb173e041fa961b05fb101f214d506182db84 Mon Sep 17 00:00:00 2001 From: Oleg Pykhalov Date: Wed, 23 Sep 2020 23:34:21 +0300 Subject: services: docker: Fix configuration. This is a follow-up to e04b90607ac903359c90c9bad1b67fb7ce2f0eb6. * gnu/services/docker.scm (docker-shepherd-service): Fix "enable-proxy?" configuration. --- gnu/services/docker.scm | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index 2f13c270ab..e23014213b 100644 --- a/gnu/services/docker.scm 
+++ b/gnu/services/docker.scm @@ -122,11 +122,11 @@ loop-back communications.") #$@(if debug? '("--debug" "--log-level=debug") '()) - (if #$enable-proxy? - '("--userland-proxy=true" - (string-append - "--userland-proxy-path=" #$proxy "/bin/proxy")) - '("--userland-proxy=false")) + #$@(if enable-proxy? + (list "--userland-proxy=true" + #~(string-append + "--userland-proxy-path=" #$proxy "/bin/proxy")) + '("--userland-proxy=false")) (if #$enable-iptables? "--iptables" "--iptables=false")) -- cgit v1.2.3 From 92e507c963470c6086a59ca8e1dd58ed4403649c Mon Sep 17 00:00:00 2001 From: Mathieu Othacehe Date: Thu, 24 Sep 2020 10:47:22 +0200 Subject: services: cuirass: Add SQL queries logging support. * gnu/services/cuirass.scm ()[queries-log-file]: New field. (cuirass-shepherd-service): Honor it. (cuirass-log-rotations): If defined, add the queries log file to the log rotation. --- doc/guix.texi | 4 ++++ gnu/services/cuirass.scm | 23 +++++++++++++++++++---- 2 files changed, 23 insertions(+), 4 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 949551a163..576845233a 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -23904,6 +23904,10 @@ Location of the log file. @item @code{web-log-file} (default: @code{"/var/log/cuirass-web.log"}) Location of the log file used by the web interface. +@item @code{queries-log-file} (default: @code{#f}) +Location of the SQL queries log file. By default, SQL queries logging is +disabled. + @item @code{cache-directory} (default: @code{"/var/cache/cuirass"}) Location of the repository cache. diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm index 0f4f0f9948..44f40a632c 100644 --- a/gnu/services/cuirass.scm +++ b/gnu/services/cuirass.scm 
@@ -54,6 +54,8 @@ (default "/var/log/cuirass.log")) (web-log-file cuirass-configuration-web-log-file ;string (default "/var/log/cuirass-web.log")) + (queries-log-file cuirass-configuration-queries-log-file ;string + (default #f)) (cache-directory cuirass-configuration-cache-directory ;string (dir-name) (default "/var/cache/cuirass")) (ttl cuirass-configuration-ttl ;integer @@ -87,6 +89,7 @@ (cache-directory (cuirass-configuration-cache-directory config)) (web-log-file (cuirass-configuration-web-log-file config)) (log-file (cuirass-configuration-log-file config)) + (queries-log-file (cuirass-configuration-queries-log-file config)) (user (cuirass-configuration-user config)) (group (cuirass-configuration-group config)) (interval (cuirass-configuration-interval config)) @@ -111,6 +114,10 @@ "--database" #$database "--ttl" #$(string-append (number->string ttl) "s") "--interval" #$(number->string interval) + #$@(if queries-log-file + (list (string-append "--log-queries=" + queries-log-file)) + '()) #$@(if use-substitutes? '("--use-substitutes") '()) #$@(if one-shot? '("--one-shot") '()) #$@(if fallback? '("--fallback") '()) @@ -140,6 +147,10 @@ "--port" #$(number->string port) "--listen" #$host "--interval" #$(number->string interval) + #$@(if queries-log-file + (list (string-append "--log-queries=" + queries-log-file)) + '()) #$@(if use-substitutes? '("--use-substitutes") '()) #$@(if fallback? '("--fallback") '()) #$@extra-options) 
@@ -187,10 +198,14 @@ (define (cuirass-log-rotations config) "Return the list of log rotations that corresponds to CONFIG." - (list (log-rotation - (files (list (cuirass-configuration-log-file config))) - (frequency 'weekly) - (options '("rotate 40"))))) ;worth keeping + (let ((queries-log-file (cuirass-configuration-queries-log-file config))) + (list (log-rotation + (files `(,(cuirass-configuration-log-file config) + ,@(if queries-log-file + (list queries-log-file) + '()))) + (frequency 'weekly) + (options '("rotate 40")))))) ;worth keeping (define cuirass-service-type (service-type -- cgit v1.2.3 From 80e26d74294d40f311f61d13996f1ed1aa4d8edd Mon Sep 17 00:00:00 2001 From: Mathieu Othacehe Date: Thu, 24 Sep 2020 11:28:14 +0200 Subject: services: cuirass: Add web SQL queries logging support. * gnu/services/cuirass.scm ()[web-queries-log-file]: New field. (cuirass-shepherd-service): Honor it. (cuirass-log-rotations): If defined, add the web queries log file to the log rotation. --- doc/guix.texi | 4 ++++ gnu/services/cuirass.scm | 16 +++++++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 576845233a..6b2c749bc7 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -23908,6 +23908,10 @@ Location of the log file used by the web interface. Location of the SQL queries log file. By default, SQL queries logging is disabled. +@item @code{web-queries-log-file} (default: @code{#f}) +Location of the web SQL queries log file. By default, web SQL queries +logging is disabled. + @item @code{cache-directory} (default: @code{"/var/cache/cuirass"}) Location of the repository cache. diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm index 44f40a632c..adf79af8ac 100644 --- a/gnu/services/cuirass.scm +++ b/gnu/services/cuirass.scm 
@@ -56,6 +56,9 @@ (default "/var/log/cuirass-web.log")) (queries-log-file cuirass-configuration-queries-log-file ;string (default #f)) + (web-queries-log-file + cuirass-configuration-web-queries-log-file ;string + (default #f)) (cache-directory cuirass-configuration-cache-directory ;string (dir-name) (default "/var/cache/cuirass")) (ttl cuirass-configuration-ttl ;integer @@ -90,6 +93,8 @@ (web-log-file (cuirass-configuration-web-log-file config)) (log-file (cuirass-configuration-log-file config)) (queries-log-file (cuirass-configuration-queries-log-file config)) + (web-queries-log-file + (cuirass-configuration-web-queries-log-file config)) (user (cuirass-configuration-user config)) (group (cuirass-configuration-group config)) (interval (cuirass-configuration-interval config)) @@ -147,9 +152,9 @@ "--port" #$(number->string port) "--listen" #$host "--interval" #$(number->string interval) - #$@(if queries-log-file + #$@(if web-queries-log-file (list (string-append "--log-queries=" - queries-log-file)) + web-queries-log-file)) '()) #$@(if use-substitutes? '("--use-substitutes") '()) #$@(if fallback? '("--fallback") '()) @@ -198,11 +203,16 @@ (define (cuirass-log-rotations config) "Return the list of log rotations that corresponds to CONFIG." - (let ((queries-log-file (cuirass-configuration-queries-log-file config))) + (let ((queries-log-file (cuirass-configuration-queries-log-file config)) + (web-queries-log-file + (cuirass-configuration-web-queries-log-file config))) (list (log-rotation (files `(,(cuirass-configuration-log-file config) ,@(if queries-log-file (list queries-log-file) + '()) + ,@(if web-queries-log-file + (list web-queries-log-file) '()))) (frequency 'weekly) (options '("rotate 40")))))) ;worth keeping -- cgit v1.2.3 From a024eedb1c0a537aa236fa27fe7a94ba6aa3d76c Mon Sep 17 00:00:00 2001 
From: Mathieu Othacehe Date: Thu, 24 Sep 2020 13:50:06 +0200 Subject: services: cuirass: Create queries log files at activation. * gnu/services/cuirass.scm (cuirass-activation)[queries-log-file]: Create and set user permissions on "queries-log-file" and "web-queries-log-file". --- gnu/services/cuirass.scm | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm index adf79af8ac..d4faf7823b 100644 --- a/gnu/services/cuirass.scm +++ b/gnu/services/cuirass.scm @@ -186,6 +186,9 @@ (db (dirname (cuirass-configuration-database config))) (user (cuirass-configuration-user config)) (log "/var/log/cuirass") + (queries-log-file (cuirass-configuration-queries-log-file config)) + (web-queries-log-file + (cuirass-configuration-web-queries-log-file config)) (group (cuirass-configuration-group config))) (with-imported-modules '((guix build utils)) #~(begin @@ -199,7 +202,13 @@ (gid (group:gid (getgr #$group)))) (chown #$cache uid gid) (chown #$db uid gid) - (chown #$log uid gid)))))) + (chown #$log uid gid) + + (call-with-output-file #$queries-log-file (const #t)) + (call-with-output-file #$web-queries-log-file (const #t)) + + (chown #$queries-log-file uid gid) + (chown #$web-queries-log-file uid gid)))))) (define (cuirass-log-rotations config) "Return the list of log rotations that corresponds to CONFIG." -- cgit v1.2.3 From d48b17adb91d68acf6fb3f321c05102fcc8c39eb Mon Sep 17 00:00:00 2001 
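Review bot: `(call-with-output-file #$queries-log-file (const #t))` runs unconditionally, but both `queries-log-file` and `web-queries-log-file` default to `#f` (per the field definitions added in the earlier cuirass commits on this page), so the activation script of a default configuration calls `call-with-output-file` on `#f` and fails. `call-with-output-file` also truncates an existing file, so every activation (boot or reconfigure) discards the accumulated query log rather than just ensuring the file exists with the right owner. Both files should be handled only when set and created only when missing; a loop over the two values keeps the two cases identical. The files are created with the activation process's umask, so if these query logs can contain data values a more restrictive mode may be wanted — I cannot tell from here what cuirass writes to them.
```scheme
(chown #$log uid gid)

;; Create the optional SQL query logs without truncating an
;; existing one, then hand them over to the cuirass user.
(for-each (lambda (file)
            (when file
              (unless (file-exists? file)
                (call-with-output-file file (const #t)))
              (chown file uid gid)))
          (list #$queries-log-file #$web-queries-log-file))
;; … unchanged: closing of the let/begin/gexp forms …
```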
From: Marius Bakke Date: Thu, 24 Sep 2020 20:18:20 +0200 Subject: services: WPA Supplicant: Conditionally depend on D-Bus. Fixes . Reported by calcium . * gnu/services/networking.scm ()[requirement]: Remove 'dbus-system. (wpa-supplicant-shepherd-service)[requirement]: Add 'dbus-system when DBUS? is true. * doc/guix.texi (Networking Services)[wpa-supplicant-service-type]: Adjust accordingly. --- doc/guix.texi | 2 +- gnu/services/networking.scm | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 6b2c749bc7..0fd56942e2 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14603,7 +14603,7 @@ It takes the following parameters: @item @code{wpa-supplicant} (default: @code{wpa-supplicant}) The WPA Supplicant package to use. -@item @code{requirement} (default: @code{'(user-processes dbus-system loopback syslogd)} +@item @code{requirement} (default: @code{'(user-processes loopback syslogd)} List of services that should be started before WPA Supplicant starts. @item @code{dbus?} (default: @code{#t}) diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index e45b116218..64f54e787f 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -1324,7 +1324,7 @@ whatever the thing is supposed to do)."))) (wpa-supplicant wpa-supplicant-configuration-wpa-supplicant ; (default wpa-supplicant)) (requirement wpa-supplicant-configuration-requirement ;list of symbols - (default '(user-processes dbus-system loopback syslogd))) + (default '(user-processes loopback syslogd))) (pid-file wpa-supplicant-configuration-pid-file ;string (default "/var/run/wpa_supplicant.pid")) (dbus? wpa-supplicant-configuration-dbus? ;Boolean 
@@ -1343,7 +1343,9 @@ whatever the thing is supposed to do)."))) (list (shepherd-service (documentation "Run the WPA supplicant daemon") (provision '(wpa-supplicant)) - (requirement requirement) + (requirement (if dbus? + (cons 'dbus-system requirement) + requirement)) (start #~(make-forkexec-constructor (list (string-append #$wpa-supplicant "/sbin/wpa_supplicant") -- cgit v1.2.3 From 4c698cd51209a0102477478b026ea04bd7e45908 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Mon, 28 Sep 2020 15:55:55 +0200 Subject: services: Add elogind ‘handle-lid-switch-external-power’. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/services/desktop.scm : Add an handle-lid-switch-external-power field, mapping to the HandleLidSwitchExternalPower logind.conf setting. * doc/guix.texi (Desktop Services): ‘Document’ it. --- doc/guix.texi | 2 + gnu/services/desktop.scm | 119 ++++++++++++++++++++++++----------------------- 2 files changed, 63 insertions(+), 58 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index c600d577ac..452453241c 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -17262,6 +17262,8 @@ their default values are: @code{suspend} @item handle-lid-switch-docked @code{ignore} +@item handle-lid-switch-external-power +@code{ignore} @item power-key-ignore-inhibited? @code{#f} @item suspend-key-ignore-inhibited? diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 1dcf71d359..96bacf1cff 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm 
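Review bot: `(cons 'dbus-system requirement)` prepends the symbol even when the user's `requirement` list already contains it, which is exactly what configurations written against the old default `'(user-processes dbus-system loopback syslogd)` (removed in the previous hunk) will pass; a duplicate in a shepherd `requirement` list is probably harmless, but it is untidy in status output and I have not verified shepherd's handling of it. Guarding the cons, `(requirement (if (and dbus? (not (memq 'dbus-system requirement))) (cons 'dbus-system requirement) requirement))`, or applying `delete-duplicates` to the result, keeps the list canonical either way. The enclosing `wpa-supplicant-shepherd-service` definition starts outside the hunk.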
@@ -596,64 +596,66 @@ include the @command{udisksctl} command, part of UDisks, and GNOME Disks." (define-record-type* elogind-configuration make-elogind-configuration elogind-configuration? - (elogind elogind-package - (default elogind)) - (kill-user-processes? elogind-kill-user-processes? - (default #f)) - (kill-only-users elogind-kill-only-users - (default '())) - (kill-exclude-users elogind-kill-exclude-users - (default '("root"))) - (inhibit-delay-max-seconds elogind-inhibit-delay-max-seconds - (default 5)) - (handle-power-key elogind-handle-power-key - (default 'poweroff)) - (handle-suspend-key elogind-handle-suspend-key - (default 'suspend)) - (handle-hibernate-key elogind-handle-hibernate-key - ;; (default 'hibernate) - ;; XXX Ignore it for now, since we don't - ;; yet handle resume-from-hibernation in - ;; our initrd. - (default 'ignore)) - (handle-lid-switch elogind-handle-lid-switch - (default 'suspend)) - (handle-lid-switch-docked elogind-handle-lid-switch-docked - (default 'ignore)) - (power-key-ignore-inhibited? elogind-power-key-ignore-inhibited? - (default #f)) - (suspend-key-ignore-inhibited? elogind-suspend-key-ignore-inhibited? - (default #f)) - (hibernate-key-ignore-inhibited? elogind-hibernate-key-ignore-inhibited? - (default #f)) - (lid-switch-ignore-inhibited? elogind-lid-switch-ignore-inhibited? - (default #t)) - (holdoff-timeout-seconds elogind-holdoff-timeout-seconds - (default 30)) - (idle-action elogind-idle-action - (default 'ignore)) - (idle-action-seconds elogind-idle-action-seconds - (default (* 30 60))) - (runtime-directory-size-percent elogind-runtime-directory-size-percent - (default 10)) - (runtime-directory-size elogind-runtime-directory-size - (default #f)) - (remove-ipc? elogind-remove-ipc? 
- (default #t)) - - (suspend-state elogind-suspend-state - (default '("mem" "standby" "freeze"))) - (suspend-mode elogind-suspend-mode - (default '())) - (hibernate-state elogind-hibernate-state - (default '("disk"))) - (hibernate-mode elogind-hibernate-mode - (default '("platform" "shutdown"))) - (hybrid-sleep-state elogind-hybrid-sleep-state - (default '("disk"))) - (hybrid-sleep-mode elogind-hybrid-sleep-mode - (default - '("suspend" "platform" "shutdown")))) + (elogind elogind-package + (default elogind)) + (kill-user-processes? elogind-kill-user-processes? + (default #f)) + (kill-only-users elogind-kill-only-users + (default '())) + (kill-exclude-users elogind-kill-exclude-users + (default '("root"))) + (inhibit-delay-max-seconds elogind-inhibit-delay-max-seconds + (default 5)) + (handle-power-key elogind-handle-power-key + (default 'poweroff)) + (handle-suspend-key elogind-handle-suspend-key + (default 'suspend)) + (handle-hibernate-key elogind-handle-hibernate-key + ;; (default 'hibernate) + ;; XXX Ignore it for now, since we don't + ;; yet handle resume-from-hibernation in + ;; our initrd. + (default 'ignore)) + (handle-lid-switch elogind-handle-lid-switch + (default 'suspend)) + (handle-lid-switch-docked elogind-handle-lid-switch-docked + (default 'ignore)) + (handle-lid-switch-external-power elogind-handle-lid-switch-external-power + (default 'ignore)) + (power-key-ignore-inhibited? elogind-power-key-ignore-inhibited? + (default #f)) + (suspend-key-ignore-inhibited? elogind-suspend-key-ignore-inhibited? + (default #f)) + (hibernate-key-ignore-inhibited? elogind-hibernate-key-ignore-inhibited? + (default #f)) + (lid-switch-ignore-inhibited? elogind-lid-switch-ignore-inhibited? 
+ (default #t)) + (holdoff-timeout-seconds elogind-holdoff-timeout-seconds + (default 30)) + (idle-action elogind-idle-action + (default 'ignore)) + (idle-action-seconds elogind-idle-action-seconds + (default (* 30 60))) + (runtime-directory-size-percent elogind-runtime-directory-size-percent + (default 10)) + (runtime-directory-size elogind-runtime-directory-size + (default #f)) + (remove-ipc? elogind-remove-ipc? + (default #t)) + + (suspend-state elogind-suspend-state + (default '("mem" "standby" "freeze"))) + (suspend-mode elogind-suspend-mode + (default '())) + (hibernate-state elogind-hibernate-state + (default '("disk"))) + (hibernate-mode elogind-hibernate-mode + (default '("platform" "shutdown"))) + (hybrid-sleep-state elogind-hybrid-sleep-state + (default '("disk"))) + (hybrid-sleep-mode elogind-hybrid-sleep-mode + (default + '("suspend" "platform" "shutdown")))) (define (elogind-configuration-file config) (define (yesno x) @@ -705,6 +707,7 @@ include the @command{udisksctl} command, part of UDisks, and GNOME Disks." ("HandleHibernateKey" (handle-action elogind-handle-hibernate-key)) ("HandleLidSwitch" (handle-action elogind-handle-lid-switch)) ("HandleLidSwitchDocked" (handle-action elogind-handle-lid-switch-docked)) + ("HandleLidSwitchExternalPower" (handle-action elogind-handle-lid-switch-external-power)) ("PowerKeyIgnoreInhibited" (yesno elogind-power-key-ignore-inhibited?)) ("SuspendKeyIgnoreInhibited" (yesno elogind-suspend-key-ignore-inhibited?)) ("HibernateKeyIgnoreInhibited" (yesno elogind-hibernate-key-ignore-inhibited?)) -- cgit v1.2.3 From d692ebf98077d6b651d426aba92bf2a38599c4dc Mon Sep 17 00:00:00 2001 
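Review bot: The new `handle-lid-switch-external-power` field defaults to `'ignore`, which is not obviously what users had before, since with the key absent elogind chose the on-AC lid action itself; if elogind follows logind in falling back to the HandleLidSwitch action when HandleLidSwitchExternalPower is unset, this default turns lid-close-on-AC from `suspend` (the `handle-lid-switch` default two fields up) into no action for every existing configuration. Please confirm against the elogind manual, and if that is the case either default this field to the `handle-lid-switch` value or record the intentional divergence in a comment next to `(default 'ignore)`, as the hibernate-key field already does for its own exception. Separately, re-indenting the whole record turns a one-field addition into a hunk that rewrites every line; keeping the whitespace change in its own commit would have left the substantive line and its `HandleLidSwitchExternalPower` mapping in the second hunk reviewable on their own.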
From: Ludovic Courtès Date: Sat, 26 Sep 2020 16:50:49 +0200 Subject: services: hurd-vm: Run QEMU as an unprivileged user. Until qemu was running as "root", which is unnecessary. * gnu/services/virtualization.scm (%hurd-vm-accounts): New variable. (hurd-vm-service-type)[extensions]: Add ACCOUNT-SERVICE-TYPE extension. --- gnu/services/virtualization.scm | 43 ++++++++++++++++++++++++++++------------- 1 file changed, 30 insertions(+), 13 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index 20e104f48c..55a19d7af9 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm 
@@ -959,28 +959,45 @@ is added to the OS specified in CONFIG." (with-imported-modules (source-module-closure '((gnu build secret-service) (guix build utils))) - #~(let ((spawn (make-forkexec-constructor #$vm-command))) - (lambda _ - (let ((pid (spawn)) - (port #$(hurd-vm-port config %hurd-vm-secrets-port)) - (root #$(hurd-vm-configuration-secret-root config))) - (catch #t - (lambda _ - (secret-service-send-secrets port root)) - (lambda (key . args) - (kill (- pid) SIGTERM) - (apply throw key args))) - pid))))) + #~(lambda () + (let ((pid (fork+exec-command #$vm-command + #:user "childhurd" + #:group "childhurd" + #:environment-variables + ;; QEMU tries to write to /var/tmp + ;; by default. + '("TMPDIR=/tmp"))) + (port #$(hurd-vm-port config %hurd-vm-secrets-port)) + (root #$(hurd-vm-configuration-secret-root config))) + (catch #t + (lambda _ + (secret-service-send-secrets port root) + pid) + (lambda (key . args) + (kill (- pid) SIGTERM) + (apply throw key args))))))) (modules `((gnu build secret-service) (guix build utils) ,@%default-modules)) (stop #~(make-kill-destructor)))))) +(define %hurd-vm-accounts + (list (user-group (name "childhurd") (system? #t)) + (user-account + (name "childhurd") + (group "childhurd") + (comment "Privilege separation user for the childhurd") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")) + (system? #t)))) + (define hurd-vm-service-type (service-type (name 'hurd-vm) (extensions (list (service-extension shepherd-root-service-type - hurd-vm-shepherd-service))) + hurd-vm-shepherd-service) + (service-extension account-service-type + (const %hurd-vm-accounts)))) (default-value (hurd-vm-configuration)) (description "Provide a Virtual Machine running the GNU/Hurd."))) -- cgit v1.2.3 From dabb00ffee94cea6e2fbd3b356eb57f5292fdb27 Mon Sep 17 00:00:00 2001 
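Review bot: The error handler's `(kill (- pid) SIGTERM)` targets the process group numbered by QEMU's pid, which only works if `fork+exec-command` placed the child in its own process group; nothing in this hunk establishes that, so either the assumption should be stated next to the call or the plain `(kill pid SIGTERM)` used. Worth a comment on the `#:user`/`#:group` lines as well: the privilege drop happens before the secrets are pushed, so the unprivileged QEMU never sees the host-side copies under `secret-root`, which is the property the commit is after. The `start` body and the surrounding `shepherd-service` form extend beyond the hunk.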
From: Ludovic Courtès Date: Sat, 26 Sep 2020 16:55:16 +0200 Subject: services: childhurd: Tweak description. * gnu/services/virtualization.scm (hurd-vm-service-type)[description]: Mention "childhurd". --- gnu/services/virtualization.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index 55a19d7af9..d184eea746 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -1000,4 +1000,5 @@ is added to the OS specified in CONFIG." (const %hurd-vm-accounts)))) (default-value (hurd-vm-configuration)) (description - "Provide a Virtual Machine running the GNU/Hurd."))) + "Provide a virtual machine (VM) running GNU/Hurd, also known as a +@dfn{childhurd}."))) -- cgit v1.2.3 From 8ac318068b22b34fbee9980e607020f45a5b549e Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 26 Sep 2020 22:45:01 +0200 Subject: services: hurd-vm: Check whether /dev/kvm exists at run time. This change allows a childhurd to run within Guix System in a VM. * gnu/services/virtualization.scm (hurd-vm-shepherd-service)[vm-command]: Stage the 'file-exists?' call. --- gnu/services/virtualization.scm | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index d184eea746..b84203ad18 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm 
@@ -937,13 +937,14 @@ is added to the OS specified in CONFIG." (provisions '(hurd-vm childhurd))) (define vm-command - #~(list - (string-append #$qemu "/bin/qemu-system-i386") - #$@(if (file-exists? "/dev/kvm") '("--enable-kvm") '()) - "-m" (number->string #$memory-size) - #$@net-options - #$@options - "--hda" #+image)) + #~(append (list #$(file-append qemu "/bin/qemu-system-i386") + "-m" (number->string #$memory-size) + #$@net-options + #$@options + "--hda" #+image) + (if (file-exists? "/dev/kvm") + '("--enable-kvm") + '()))) (list (shepherd-service -- cgit v1.2.3 From d367a7f3d00de20d5c6a88123297f878b3044fee Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 27 Sep 2020 14:55:32 +0200 Subject: services: guix: Generate key pair if needed during activation. * gnu/services/base.scm (guix-activation): Invoke "guix archive --generate-key". * doc/guix.texi (Invoking guix archive) (Invoking guix deploy): Mention that 'guix-service-type' takes care of generating the key pair. --- doc/guix.texi | 11 +++++++---- gnu/services/base.scm | 13 +++++++++---- 2 files changed, 16 insertions(+), 8 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 452453241c..e6f04e1413 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
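Review bot: `(file-exists? "/dev/kvm")` now runs inside the Shepherd, i.e. as root, before `fork+exec-command` switches to the `childhurd` user, so it proves only that the device node exists and not that the service user can open it; QEMU started with `--enable-kvm` and no access to the device fails outright rather than falling back to software emulation. A comment on the `if` saying that this is deliberately a bare existence check and that device permissions are a separate concern, e.g. `;; Existence only; whether the service user may open it is decided by its groups.`, would keep the next reader from "fixing" it into an `access?` call that root always passes. `vm-command` is a local definition of `hurd-vm-shepherd-service`, whose body continues past the hunk.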
@@ -4600,9 +4600,11 @@ the store. @item --generate-key[=@var{parameters}] @cindex signing, archives Generate a new key pair for the daemon. This is a prerequisite before -archives can be exported with @option{--export}. Note that this -operation usually takes time, because it needs to gather enough entropy -to generate the key pair. +archives can be exported with @option{--export}. This +operation is usually instantaneous but it can take time if the system's +entropy pool needs to be refilled. On Guix System, +@code{guix-service-type} takes care of generating this key pair the +first boot. The generated key pair is typically stored under @file{/etc/guix}, in @file{signing-key.pub} (public key) and @file{signing-key.sec} (private @@ -29684,7 +29686,8 @@ a Virtual Private Server (VPS) provider. In such a case, a different Do note that you first need to generate a key pair on the coordinator machine to allow the daemon to export signed archives of files from the store -(@pxref{Invoking guix archive}). +(@pxref{Invoking guix archive}), though this step is automatic on Guix +System: @example # guix archive --generate-key diff --git a/gnu/services/base.scm b/gnu/services/base.scm index bef4eef241..04bc991356 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1653,10 +1653,15 @@ proxy of 'guix-daemon'...~%") ;; otherwise call 'chown' here, but the problem is that on a COW overlayfs, ;; chown leads to an entire copy of the tree, which is a bad idea. - ;; Optionally authorize substitute server keys. - (if authorize-key? - (substitute-key-authorization keys guix) - #~#f)))) + ;; Generate a key pair and optionally authorize substitute server keys. + #~(begin + (unless (file-exists? "/etc/guix/signing-key.pub") + (system* #$(file-append guix "/bin/guix") "archive" + "--generate-key")) + + #$(if authorize-key? + (substitute-key-authorization keys guix) + #~#f))))) (define* (references-file item #:optional (name "references")) "Return a file that contains the list of references of ITEM." -- cgit v1.2.3 From 37283f9f3e0130e262e0e4e0dc4b260471bc485b Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 27 Sep 2020 15:14:36 +0200 Subject: services: hurd-vm: Initialize the guest's SSH/Guix keys at activation time. * gnu/services/virtualization.scm (initialize-hurd-vm-substitutes) (hurd-vm-activation): New procedures. (hurd-vm-service-type)[extensions]: Add ACTIVATION-SERVICE-TYPE extension. * doc/guix.texi (Transparent Emulation with QEMU): Mention GNU/Hurd. (The Hurd in a Virtual Machine): Explain which files are automatically installed and mention offloading. --- doc/guix.texi | 33 ++++++++++++++++++-- gnu/services/virtualization.scm | 67 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 96 insertions(+), 4 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index e6f04e1413..ff2e582347 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
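Review bot: The exit status of `system*` is discarded, so if `guix archive --generate-key` fails during activation the system comes up without a signing key and nothing reports it; the guard re-runs it on the next boot because `signing-key.pub` is still missing, but exports and offloading fail silently in between. Checking the status while keeping activation non-fatal, e.g. `(unless (zero? (system* #$(file-append guix "/bin/guix") "archive" "--generate-key")) (format (current-error-port) "guix: signing key generation failed~%"))`, makes the failure visible. The guard also keys only on the public half of the pair; what `--generate-key` does when `signing-key.sec` exists without its `.pub` is not evident here, so a comment stating the assumption would help. The enclosing `guix-activation` starts before this hunk.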
@@ -25445,6 +25445,8 @@ emulation of program binaries built for different architectures---e.g., it allows you to transparently execute an ARMv7 program on an x86_64 machine. It achieves this by combining the @uref{https://www.qemu.org, QEMU} emulator and the @code{binfmt_misc} feature of the kernel Linux. +This feature only allows you to emulate GNU/Linux on a different +architecture, but see below for GNU/Hurd support. @defvr {Scheme Variable} qemu-binfmt-service-type This is the type of the QEMU/binfmt service for transparent emulation. @@ -25647,10 +25649,11 @@ If the @file{/etc/childhurd} directory does not exist, the @code{secret-service} running in the Childhurd will be sent an empty list of secrets. -Typical use to populate @file{"/etc/childhurd"} with a tree of -non-volatile secrets, like so +By default, the service automatically populates @file{/etc/childhurd} +with the following non-volatile secrets, unless they already exist: @example +/etc/childhurd/etc/guix/acl /etc/childhurd/etc/guix/signing-key.pub /etc/childhurd/etc/guix/signing-key.sec /etc/childhurd/etc/ssh/ssh_host_ed25519_key 
@@ -25659,8 +25662,32 @@ non-volatile secrets, like so /etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub @end example -to be sent to the Childhurd, including permissions. +These files are automatically sent to the guest Hurd VM when it boots, +including permissions. +@cindex childhurd, offloading +@cindex Hurd, offloading +Having these files in place means that only a couple of things are +missing to allow the host to offload @code{i586-gnu} builds to the +childhurd: + +@enumerate +@item +Authorizing the childhurd's key on the host so that the host accepts +build results coming from the childhurd, which can be done like so: + +@example +guix archive --authorize < \ + /etc/childhurd/etc/guix/signing-key.pub +@end example + +@item +Adding the childhurd to @file{/etc/guix/machines.scm} (@pxref{Daemon +Offload Setup}). +@end enumerate + +We're working towards making that happen automatically---get in touch +with us at @email{guix-devel@@gnu.org} to discuss it! @end table @end deftp diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index b84203ad18..c639fa3741 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -23,6 +23,7 @@ #:use-module (gnu bootloader grub) #:use-module (gnu image) #:use-module (gnu packages admin) + #:use-module (gnu packages package-management) #:use-module (gnu packages ssh) #:use-module (gnu packages virtualization) #:use-module (gnu services base) 
@@ -992,13 +993,77 @@ is added to the OS specified in CONFIG." (shell (file-append shadow "/sbin/nologin")) (system? #t)))) +(define (initialize-hurd-vm-substitutes) + "Initialize the Hurd VM's key pair and ACL and store it on the host." + (define run + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils) + (ice-9 match)) + + (define host-key + "/etc/guix/signing-key.pub") + + (define host-acl + "/etc/guix/acl") + + (match (command-line) + ((_ guest-config-directory) + (setenv "GUIX_CONFIGURATION_DIRECTORY" + guest-config-directory) + (invoke #+(file-append guix "/bin/guix") "archive" + "--generate-key") + + (when (file-exists? host-acl) + ;; Copy the host ACL. + (copy-file host-acl + (string-append guest-config-directory + "/acl"))) + + (when (file-exists? host-key) + ;; Add the host key to the childhurd's ACL. + (let ((key (open-fdes host-key O_RDONLY))) + (close-fdes 0) + (dup2 key 0) + (execl #+(file-append guix "/bin/guix") + "guix" "archive" "--authorize")))))))) + + (program-file "initialize-hurd-vm-substitutes" run)) + +(define (hurd-vm-activation config) + "Return a gexp to activate the Hurd VM according to CONFIG." + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + + (define secret-directory + #$(hurd-vm-configuration-secret-root config)) + + (define ssh-directory + (string-append secret-directory "/etc/ssh")) + + (define guix-directory + (string-append secret-directory "/etc/guix")) + + (unless (file-exists? ssh-directory) + ;; Generate SSH host keys under SSH-DIRECTORY. + (mkdir-p ssh-directory) + (invoke #$(file-append openssh "/bin/ssh-keygen") + "-A" "-f" secret-directory)) + + (unless (file-exists? 
guix-directory) + (invoke #$(initialize-hurd-vm-substitutes) + guix-directory))))) + (define hurd-vm-service-type (service-type (name 'hurd-vm) (extensions (list (service-extension shepherd-root-service-type hurd-vm-shepherd-service) (service-extension account-service-type - (const %hurd-vm-accounts)))) + (const %hurd-vm-accounts)) + (service-extension activation-service-type + hurd-vm-activation))) (default-value (hurd-vm-configuration)) (description "Provide a virtual machine (VM) running GNU/Hurd, also known as a -- cgit v1.2.3 From 1edb7c7eec88904afae49b6b399ff23bbb4d2a28 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 27 Sep 2020 16:00:01 +0200 Subject: services: hurd-vm: Pass "-no-reboot" when spawning the Hurd VM. * gnu/services/virtualization.scm (hurd-vm-shepherd-service)[vm-command]: Add "--no-reboot". --- gnu/services/virtualization.scm | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index c639fa3741..a50cf8b733 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -942,7 +942,12 @@ is added to the OS specified in CONFIG." "-m" (number->string #$memory-size) #$@net-options #$@options - "--hda" #+image) + "--hda" #+image + + ;; Cause the service to be respawned if the guest + ;; reboots (it can reboot for instance if it did not + ;; receive valid secrets, or if it crashed.) + "--no-reboot") (if (file-exists? "/dev/kvm") '("--enable-kvm") '()))) -- cgit v1.2.3 From e352706ad39a4d14fe9601785bd2fa9d168ad05e Mon Sep 17 00:00:00 2001 
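Review bot: Both idempotency guards in `hurd-vm-activation` test for a directory (`ssh-directory`, `guix-directory`) rather than for the files the guest needs, so a run that creates the directory and then fails in `ssh-keygen -A` or in `initialize-hurd-vm-substitutes` (which raises via `invoke` or `execl`) is never retried, and the childhurd boots with an empty key set. Keying the `unless` on the expected outputs, e.g. `(unless (file-exists? (string-append guix-directory "/signing-key.pub")) ...)` and the corresponding host-key file for SSH, recovers from a partial first run. In `initialize-hurd-vm-substitutes` the `match` on `(command-line)` has no fallback clause, so a wrong argument count surfaces as a match error rather than a usage message; a `(_ (exit 1))` clause with a short message would be clearer. The directories are created with `mkdir-p` under the process umask while private SSH host keys and the `.sec` signing key land beneath them; the key files presumably get restrictive modes from their generators, but pinning the secret directory itself (e.g. `(chmod secret-directory #o700)`) would not depend on that.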
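Review bot: The new comment says the service "will be respawned" when the guest reboots, but `--no-reboot` only makes QEMU exit; whether the Shepherd restarts it depends on the service's `respawn?` field, which lies outside this hunk. A guest that reboots because it never received valid secrets would then exit and be restarted in a loop until the Shepherd's respawn-rate limit disables the service, which is worth stating, e.g. `;; ... With --no-reboot QEMU exits instead, and the Shepherd respawns the service (subject to its respawn limit).` The enclosing `vm-command` definition starts before the hunk.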
From: Ludovic Courtès Date: Tue, 29 Sep 2020 11:13:20 +0200 Subject: services: secret-service: Move instance last in the list of services. * gnu/services/virtualization.scm (secret-service-operating-system): Add the SECRET-SERVICE-TYPE instance to the end of the list. --- gnu/services/virtualization.scm | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index a50cf8b733..2410be450b 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -841,8 +841,12 @@ can only be accessed by their host."))) that will be listening to receive secret keys on port 1004, TCP." (operating-system (inherit os) - (services (cons (service secret-service-type 1004) - (operating-system-user-services os))))) + ;; Arrange so that the secret service activation snippet shows up before + ;; the OpenSSH and Guix activation snippets. That way, we receive OpenSSH + ;; and Guix keys before the activation snippets try to generate fresh keys + ;; for nothing. + (services (append (operating-system-user-services os) + (list (service secret-service-type 1004)))))) ;;; -- cgit v1.2.3 From 59261a22f9819b1fdf797ffba17af17d385d6c92 Mon Sep 17 00:00:00 2001 
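Review bot: The literal `1004` is carried over into the new `append` form while the host side looks the same port up through `%hurd-vm-secrets-port` (see the earlier virtualization.scm hunk at L21); if the two are meant to agree, reference a single definition instead of a magic number. The new comment relies on activation snippets running in service-list order, which is an implicit contract of `activation-service-type`; saying so explicitly, e.g. `;; Activation snippets run in service-list order, so appending places ours last.`, would make the dependence clear to whoever next reorders this list.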
From: Ludovic Courtès Date: Tue, 29 Sep 2020 11:45:55 +0200 Subject: services: secret-service: Add initial client/server handshake. This allows the client running on the host to know when it's actually connect to the server running in the guest. Failing that, the client would connect right away to QEMU and send secrets even though the server is not running yet in the guest, which is unreliable. * gnu/build/secret-service.scm (secret-service-send-secrets): Add #:handshake-timeout. Read from SOCK an initial message from the server. Return #f on error. (secret-service-receive-secrets): Send 'secret-service-server' message to the client. Close SOCK upon timeout. * gnu/services/virtualization.scm (hurd-vm-shepherd-service): 'start' method returns #f when 'secret-service-send-secrets' returns #f. --- gnu/build/secret-service.scm | 75 +++++++++++++++++++++++++++++++---------- gnu/services/virtualization.scm | 11 ++++-- 2 files changed, 67 insertions(+), 19 deletions(-) (limited to 'gnu/services') diff --git a/gnu/build/secret-service.scm b/gnu/build/secret-service.scm index 6697e6e1b0..2cc59e0ee1 100644 --- a/gnu/build/secret-service.scm +++ b/gnu/build/secret-service.scm 
@@ -35,19 +35,37 @@ ;;; ;;; Code: -(define* (secret-service-send-secrets port secret-root #:key (retry 60)) +(define* (secret-service-send-secrets port secret-root + #:key (retry 60) + (handshake-timeout 120)) "Copy all files under SECRET-ROOT using TCP to secret-service listening at -local PORT. If connect fails, sleep 1s and retry RETRY times." - +local PORT. If connect fails, sleep 1s and retry RETRY times; once connected, +wait for at most HANDSHAKE-TIMEOUT seconds for handshake to complete. Return +#f on failure." (define (file->file+size+mode file-name) (let ((stat (stat file-name)) (target (substring file-name (string-length secret-root)))) (list target (stat:size stat) (stat:mode stat)))) + (define (send-files sock) + (let* ((files (if secret-root (find-files secret-root) '())) + (files-sizes-modes (map file->file+size+mode files)) + (secrets `(secrets + (version 0) + (files ,files-sizes-modes)))) + (write secrets sock) + (for-each (lambda (file) + (call-with-input-file file + (lambda (input) + (dump-port input sock)))) + files))) + (format (current-error-port) "sending secrets to ~a~%" port) (let ((sock (socket AF_INET SOCK_STREAM 0)) (addr (make-socket-address AF_INET INADDR_LOOPBACK port))) - ;; connect to wait for port + ;; Connect to QEMU on the forwarded port. The 'connect' call succeeds as + ;; soon as QEMU is ready, even if there's no server listening on the + ;; forward port inside the guest. (let loop ((retry retry)) (catch 'system-error (cute connect sock addr) 
@@ -61,19 +79,35 @@ local PORT. If connect fails, sleep 1s and retry RETRY times." (loop (1- retry))))) (format (current-error-port) - "secret service: connected; sending files in ~s~%" - secret-root) - (let* ((files (if secret-root (find-files secret-root) '())) - (files-sizes-modes (map file->file+size+mode files)) - (secrets `(secrets - (version 0) - (files ,files-sizes-modes)))) - (write secrets sock) - (for-each (lambda (file) - (call-with-input-file file - (lambda (input) - (dump-port input sock)))) - files)))) + "secret service: connected; waiting for handshake...~%") + + ;; Wait for "hello" message from the server. This is the only way to know + ;; that we're really connected to the server inside the guest. + (match (select (list sock) '() '() handshake-timeout) + (((_) () ()) + (match (read sock) + (('secret-service-server ('version version ...)) + (format (current-error-port) + "secret service: sending files from ~s...~%" + secret-root) + (send-files sock) + (format (current-error-port) + "secret service: done sending files to port ~a~%" + port) + (close-port sock) + secret-root) + (x + (format (current-error-port) + "secret service: invalid handshake ~s~%" + x) + (close-port sock) + #f))) + ((() () ()) ;timeout + (format (current-error-port) + "secret service: timeout while sending files to ~a~%" + port) + (close-port sock) + #f)))) (define (secret-service-receive-secrets port) "Listen to local PORT and wait for a secret service client to send secrets. 
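Review bot: After `select` reports `sock` readable, `(read sock)` parses a complete s-expression and blocks until it has one, so a guest that sends a partial or unterminated datum holds the caller — PID 1, per the XXX comment in the virtualization.scm hunk of this commit — indefinitely; `handshake-timeout` only bounds the wait for the first byte. The `match` on the `select` result has no clause for a descriptor in the exceptional set or for a `system-error` (e.g. EINTR) raised by `select` itself, either of which becomes a match failure instead of the `#f` the docstring promises. Reading a length-bounded line before parsing it, and adding a final `(_ (close-port sock) #f)` clause, would make the failure modes match the documentation. The hunk also depends on `match` being in scope in this module, which is not visible here.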
@@ -98,11 +132,18 @@ and #f otherwise." "secret service: client connection from ~a~%" (inet-ntop (sockaddr:fam address) (sockaddr:addr address))) + + ;; Send a "hello" message. This allows the client running on the + ;; host to know that it's now actually connected to server running + ;; in the guest. + (write '(secret-service-server (version 0)) client) + (force-output client) (close-port sock) client))) ((() () ()) (format (current-error-port) "secret service: did not receive any secrets; time out~%") + (close-port sock) #f)))) ;; TODO: Remove when (@ (guix build utils) dump-port) has a 'size' diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index 2410be450b..7e2f5a1490 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -982,8 +982,15 @@ is added to the OS specified in CONFIG." (root #$(hurd-vm-configuration-secret-root config))) (catch #t (lambda _ - (secret-service-send-secrets port root) - pid) + ;; XXX: 'secret-service-send-secrets' won't complete until + ;; the guest has booted and its secret service server is + ;; running, which could take 20+ seconds during which PID 1 + ;; is stuck waiting. + (if (secret-service-send-secrets port root) + pid + (begin + (kill (- pid) SIGTERM) + #f))) (lambda (key . args) (kill (- pid) SIGTERM) (apply throw key args))))))) -- cgit v1.2.3 From 2f1f7b6667e9130654987942a63fd95c8b1788be Mon Sep 17 00:00:00 2001 From: Mathieu Othacehe Date: Tue, 29 Sep 2020 11:56:57 +0200 Subject: services: virtualization: Use a compressed qcow2 hurd disk-image. * gnu/services/virtualization.scm (hurd-vm-disk-image): Use 'compressed-qcow2 format. --- gnu/services/virtualization.scm | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/services') diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index 7e2f5a1490..539e4fa86a 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm 
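Review bot: The greeting tells the client that a server is up, but neither side is authenticated: whichever peer connects first to the forwarded port receives the greeting and gets to deliver the SSH host keys and Guix signing key the guest will install. Whether that is acceptable depends on who can reach QEMU's forwarded port on the host, which this hunk does not show; a comment next to the `write` stating the trust assumption (e.g. `;; No authentication: we trust that only the host's PID 1 can reach this port.`) documents the boundary for whoever changes the port forwarding later. Closing `sock` on the timeout branch fixes a descriptor leak that the earlier branch also avoids. The enclosing `secret-service-receive-secrets` starts before the hunk.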
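Review bot: The XXX comment gives "20+ seconds" as the time PID 1 may be stuck, but with the defaults introduced in the same commit (`retry 60`, `handshake-timeout 120`) the bound is closer to three minutes, and the `(read sock)` that follows the handshake `select` has no timeout at all, so the comment understates the worst case; quoting the actual parameters, e.g. `;; ... up to RETRY seconds of connect attempts plus HANDSHAKE-TIMEOUT seconds for the handshake`, is more accurate. The failure branch and the exception handler both do `(kill (- pid) SIGTERM)` and neither waits for QEMU to exit, so a subsequent start could race with the still-running process on the same forwarded port; a small local helper would at least remove the duplication. The enclosing `start` lambda begins outside the hunk.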
@@ -905,6 +905,7 @@ is added to the OS specified in CONFIG." (system-image (image (inherit hurd-disk-image) + (format 'compressed-qcow2) (size disk-size) (operating-system os))))) -- cgit v1.2.3 From 04a459a069155a6b676b6b93d7dbddb426dd0679 Mon Sep 17 00:00:00 2001 From: "Jan (janneke) Nieuwenhuizen" Date: Wed, 30 Sep 2020 07:53:35 +0200 Subject: services: hurd-vm: Add childhurd user to kvm group. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a follow-up to commit d692ebf98077d6b651d426aba92bf2a38599c4dc. * gnu/services/virtualization.scm (%hurd-vm-accounts)[supplementary-groups]: Add ’kvm’. * gnu/services/virtualization.scm (hurd-vm-shepherd-service): Use #:group "kvm" --- gnu/services/virtualization.scm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index 539e4fa86a..79d88f2b8a 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -974,7 +974,9 @@ is added to the OS specified in CONFIG." #~(lambda () (let ((pid (fork+exec-command #$vm-command #:user "childhurd" - #:group "childhurd" + ;; XXX TODO: use "childhurd" after + ;; updating Shepherd + #:group "kvm" #:environment-variables ;; QEMU tries to write to /var/tmp ;; by default. @@ -1005,6 +1007,7 @@ is added to the OS specified in CONFIG." (user-account (name "childhurd") (group "childhurd") + (supplementary-groups '("kvm")) (comment "Privilege separation user for the childhurd") (home-directory "/var/empty") (shell (file-append shadow "/sbin/nologin")) -- cgit v1.2.3 From da6aec32cf13cf06cfda909c45f7f35625c4e3fa Mon Sep 17 00:00:00 2001 
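Review bot: `#:group "kvm"` makes kvm the primary group of the QEMU process, so every file it creates (for instance under the `TMPDIR=/tmp` set just below) is group-owned by kvm rather than childhurd, and the `(supplementary-groups '("kvm"))` added in the second hunk has no effect on this service until the switch back is made. The XXX comment should name what it is waiting for so the TODO is actionable, presumably supplementary-group support in `fork+exec-command`: `;; XXX TODO: use #:group "childhurd" once the Shepherd's fork+exec-command applies the account's supplementary groups.` A matching one-liner on the `supplementary-groups` field in the second hunk would explain why it is there already.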
From: Oleg Pykhalov Date: Mon, 28 Sep 2020 23:52:51 +0300 Subject: gnu: Add webssh service. * gnu/services/ssh.scm: (): New record type. (%webssh-configuration-nginx, webssh-service-type): New variables. (webssh-account, webssh-activation, webssh-shepherd-service): New procedures. * doc/guix.texi: Document this. --- doc/guix.texi | 75 +++++++++++++++++++++++++++++ gnu/services/ssh.scm | 131 ++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 205 insertions(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index e8458ad8d8..79c79b6a96 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -15547,6 +15547,81 @@ may cause undefined behaviour. @end table @end deftp +@cindex WebSSH +@deffn {Scheme Variable} webssh-service-type +This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH} +program that runs a web SSH client. WebSSH can be run manually from the +command-line by passing arguments to the binary @command{wssh} from the +package @code{webssh}, but it can also be run as a Guix service. This +latter use case is documented here. + +For example, to specify a service running WebSSH on loopback interface +on port @code{8888} with reject policy with a list of allowed to +connection hosts, and NGINX as a reverse-proxy to this service listening +for HTTPS connection, add this call to the operating system's +@code{services} field: + +@lisp +(service webssh-service-type + (webssh-configuration (address "127.0.0.1") + (port 8888) + (policy 'reject) + (known-hosts '("localhost ecdsa-sha2-nistp256 AAAA…" + "127.0.0.1 ecdsa-sha2-nistp256 AAAA…")))) + +(service nginx-service-type + (nginx-configuration + (server-blocks + (list + (nginx-server-configuration + (inherit %webssh-configuration-nginx) + (server-name '("webssh.example.com")) + (listen '("443 ssl")) + (ssl-certificate (letsencrypt-certificate "webssh.example.com")) + (ssl-certificate-key (letsencrypt-key "webssh.example.com")) + (locations + (cons (nginx-location-configuration + (uri "/.well-known") + (body '("root /var/www;"))) + (nginx-server-configuration-locations %webssh-configuration-nginx)))))))) +@end lisp +@end deffn + +@deftp {Data Type} webssh-configuration +Data type representing the configuration for @code{webssh-service}. + +@table @asis +@item @code{package} (default: @var{webssh}) +@code{webssh} package to use. + +@item @code{user-name} (default: @var{"webssh"}) +User name or user ID that file transfers to and from that module should take +place. + +@item @code{group-name} (default: @var{"webssh"}) +Group name or group ID that will be used when accessing the module. 
+ +@item @code{address} (default: @var{#f}) +IP address on which @command{webssh} listens for incoming connections. + +@item @code{port} (default: @var{8888}) +TCP port on which @command{webssh} listens for incoming connections. + +@item @code{policy} (default: @var{#f}) +Connection policy. @var{reject} policy requires to specify @var{known-hosts}. + +@item @code{known-hosts} (default: @var{'()}) +List of hosts which allowed for SSH connection from @command{webssh}. + +@item @code{log-file} (default: @file{"/var/log/webssh.log"}) +Name of the file where @command{rsync} writes its log file. + +@item @code{log-level} (default: @var{#f}) +Logging level. + +@end table +@end deftp + @defvr {Scheme Variable} %facebook-host-aliases This variable contains a string for use in @file{/etc/hosts} (@pxref{Host Names,,, libc, The GNU C Library Reference Manual}). Each diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index ced21c0742..1891db0487 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2017 Clément Lassieur ;;; Copyright © 2019 Ricardo Wurmus ;;; Copyright © 2020 pinoaffe +;;; Copyright © 2020 Oleg Pykhalov ;;; ;;; This file is part of GNU Guix. ;;; @@ -26,6 +27,7 @@ #:use-module (gnu packages admin) #:use-module (gnu services) #:use-module (gnu services shepherd) + #:use-module (gnu services web) #:use-module (gnu system pam) #:use-module (gnu system shadow) #:use-module (guix gexp) @@ -50,7 +52,12 @@ autossh-configuration autossh-configuration? - autossh-service-type)) + autossh-service-type + + webssh-configuration + webssh-configuration? + webssh-service-type + %webssh-configuration-nginx)) ;;; Commentary: ;;; 
@@ -732,4 +739,126 @@ object." autossh-service-activation))) (default-value (autossh-configuration)))) + +;;; +;;; WebSSH +;;; + +(define-record-type* + webssh-configuration make-webssh-configuration + webssh-configuration? + (package webssh-configuration-package ;package + (default webssh)) + (user-name webssh-configuration-user-name ;string + (default "webssh")) + (group-name webssh-configuration-group-name ;string + (default "webssh")) + (policy webssh-configuration-policy ;symbol + (default #f)) + (known-hosts webssh-configuration-known-hosts ;list of strings + (default #f)) + (port webssh-configuration-port ;number + (default #f)) + (address webssh-configuration-address ;string + (default #f)) + (log-file webssh-configuration-log-file ;string + (default "/var/log/webssh.log")) + (log-level webssh-configuration-log-level ;symbol + (default #f))) + +(define %webssh-configuration-nginx + (nginx-server-configuration + (listen '("80")) + (locations + (list (nginx-location-configuration + (uri "/") + (body '("proxy_pass http://127.0.0.1:8888;" + "proxy_http_version 1.1;" + "proxy_read_timeout 300;" + "proxy_set_header Upgrade $http_upgrade;" + "proxy_set_header Connection \"upgrade\";" + "proxy_set_header Host $http_host;" + "proxy_set_header X-Real-IP $remote_addr;" + "proxy_set_header X-Real-PORT $remote_port;"))))))) + +(define webssh-account + ;; Return the user accounts and user groups for CONFIG. + (match-lambda + (($ _ user-name group-name _ _ _ _ _ _) + (list (user-group + (name group-name)) + (user-account + (name user-name) + (group group-name) + (comment "webssh privilege separation user") + (home-directory (string-append "/var/run/" user-name)) + (shell #~(string-append #$shadow "/sbin/nologin"))))))) + +(define webssh-activation + ;; Return the activation GEXP for CONFIG. 
+ (match-lambda + (($ _ user-name group-name policy known-hosts _ _ + log-file _) + (with-imported-modules '((guix build utils)) + #~(begin + (let* ((home-dir (string-append "/var/run/" #$user-name)) + (ssh-dir (string-append home-dir "/.ssh")) + (known-hosts-file (string-append ssh-dir "/known_hosts"))) + (call-with-output-file #$log-file (const #t)) + (mkdir-p ssh-dir) + (case '#$policy + ((reject) + (if '#$known-hosts + (call-with-output-file known-hosts-file + (lambda (port) + (for-each (lambda (host) (display host port) (newline port)) + '#$known-hosts))) + (display-hint (G_ "webssh: reject policy requires `known-hosts'."))))) + (for-each (lambda (file) + (chown file + (passwd:uid (getpw #$user-name)) + (group:gid (getpw #$group-name)))) + (list #$log-file ssh-dir known-hosts-file)) + (chmod ssh-dir #o700))))))) + +(define webssh-shepherd-service + (match-lambda + (($ package user-name group-name policy _ port + address log-file log-level) + (list (shepherd-service + (provision '(webssh)) + (documentation "Run webssh daemon.") + (start #~(make-forkexec-constructor + `(,(string-append #$webssh "/bin/wssh") + ,(string-append "--log-file-prefix=" #$log-file) + ,@(case '#$log-level + ((debug) '("--logging=debug")) + (else '())) + ,@(case '#$policy + ((reject) '("--policy=reject")) + (else '())) + ,@(if #$port + (list (string-append "--port=" (number->string #$port))) + '()) + ,@(if #$address + (list (string-append "--address=" #$address)) + '())) + #:user #$user-name + #:group #$group-name)) + (stop #~(make-kill-destructor))))))) + +(define webssh-service-type + (service-type + (name 'webssh) + (extensions + (list (service-extension shepherd-root-service-type + webssh-shepherd-service) + (service-extension account-service-type + webssh-account) + (service-extension activation-service-type + webssh-activation))) + (default-value (webssh-configuration)) + (description + "Run the webssh."))) + ;;; ssh.scm ends here -- cgit v1.2.3 
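Review bot: In `webssh-activation` the closing `for-each` chowns `known-hosts-file` unconditionally, but that file is only written under the `reject` policy, so with the default `(policy #f)` the activation aborts on a missing file; the gid is also taken from `(group:gid (getpw #$group-name))`, a passwd entry rather than the `getgr` group entry. `webssh-shepherd-service` destructures `package` from the configuration but launches `#$webssh`, so the `package` field is ignored. `display-hint` and `G_` are staged into a gexp whose only imported module is `(guix build utils)`, so the reject-without-known-hosts branch likely fails at run time instead of printing the hint; the manual in this commit also documents `known-hosts` defaulting to `'()` while the record says `#f`. `%webssh-configuration-nginx` listens on plain port 80 in front of a client that carries SSH credentials; a comment that it is meant to be inherited with a TLS listener, as the manual's example does, would make that intent explicit.
```scheme
                ;; … unchanged: log file, ssh-dir and known_hosts setup …
                (for-each (lambda (file)
                            ;; known_hosts only exists under the reject policy.
                            (when (file-exists? file)
                              (chown file
                                     (passwd:uid (getpw #$user-name))
                                     (group:gid (getgr #$group-name)))))
                          (list #$log-file ssh-dir known-hosts-file))
                (chmod ssh-dir #o700)
```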
From d40c9f6c85575a1abb3dac14679926e9e3bb59ca Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Thu, 24 Sep 2020 15:30:18 -0400 Subject: services: %desktop-services: Setuid root NTFS and NFS mount helpers. Fixes . Combined with commit def6e2ae46, this allows unprivileged users to mount file systems marked with the "user" option. It adds less than 4 MiB to the closure of the lightweight-desktop.tmpl operating system template. * gnu/services/desktop.scm (%desktop-services): Extend the setuid-program-service-type service with the 'mount.nfs' and 'mount.nfs-3g' programs. Reported-by: Nathan Dehnel --- gnu/services/desktop.scm | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 96bacf1cff..3a3fd8fd1b 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -3,7 +3,7 @@ ;;; Copyright © 2015 Andy Wingo ;;; Copyright © 2015 Mark H Weaver ;;; Copyright © 2016 Sou Bunnbu -;;; Copyright © 2017 Maxim Cournoyer +;;; Copyright © 2017, 2020 Maxim Cournoyer ;;; Copyright © 2017 Nikita ;;; Copyright © 2018, 2020 Efraim Flashner ;;; Copyright © 2018 Ricardo Wurmus @@ -54,6 +54,7 @@ #:use-module (gnu packages linux) #:use-module (gnu packages libusb) #:use-module (gnu packages mate) + #:use-module (gnu packages nfs) #:use-module (gnu packages enlightenment) #:use-module (guix deprecation) #:use-module (guix records) 
@@ -1206,6 +1207,12 @@ or setting its password with passwd."))) ;; perform administrative tasks (similar to "sudo"). polkit-wheel-service + ;; Allow desktop users to also mount NTFS and NFS file systems + ;; without root. + (simple-service 'mount-setuid-helpers setuid-program-service-type + (list (file-append nfs-utils "/sbin/mount.nfs") + (file-append ntfs-3g "/sbin/mount.ntfs-3g"))) + ;; The global fontconfig cache directory can sometimes contain ;; stale entries, possibly referencing fonts that have been GC'd, ;; so mount it read-only. -- cgit v1.2.3 From d6a8f0a9781a90c3037f25e51d7ff32e50f7a8c1 Mon Sep 17 00:00:00 2001 From: Mathieu Othacehe Date: Fri, 2 Oct 2020 14:58:01 +0200 Subject: services: cuirass: Fix activation. Fixes: . * gnu/services/cuirass.scm (cuirass-activation): Do not create queries-log-file and web-queries-log-file if the corresponding config file are unset. --- gnu/services/cuirass.scm | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm index d4faf7823b..a50f583807 100644 --- a/gnu/services/cuirass.scm +++ b/gnu/services/cuirass.scm @@ -204,11 +204,15 @@ (chown #$db uid gid) (chown #$log uid gid) - (call-with-output-file #$queries-log-file (const #t)) - (call-with-output-file #$web-queries-log-file (const #t)) - - (chown #$queries-log-file uid gid) - (chown #$web-queries-log-file uid gid)))))) + (let ((queries-log-file #$queries-log-file)) + (when queries-log-file + (call-with-output-file queries-log-file (const #t)) + (chown #$queries-log-file uid gid))) + + (let ((web-queries-log-file #$web-queries-log-file)) + (when web-queries-log-file + (call-with-output-file web-queries-log-file (const #t)) + (chown web-queries-log-file uid gid)))))))) (define (cuirass-log-rotations config) "Return the list of log rotations that corresponds to CONFIG." -- cgit v1.2.3
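Review bot: The comment says users can mount "without root", but the mechanism is that any local user can now execute `mount.nfs` and `mount.ntfs-3g` with root privileges, and the restriction to `/etc/fstab` entries carrying the `user` option is enforced inside each helper rather than by the system; the security of every desktop system using `%desktop-services` therefore rests on those two binaries' own argument validation. That trade-off belongs in the comment, e.g. `;; Both helpers run setuid root for every local user and rely on their own checks to honour the "user" fstab option.`, together with a pointer on how to drop the extension for deployments that do not need it. The enclosing `%desktop-services` list starts before the hunk.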
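Review bot: The first `let` binds `queries-log-file` but the `chown` inside it still uses the staged `#$queries-log-file`, whereas the second `let` consistently uses its local `web-queries-log-file`; both evaluate to the same value, but the asymmetry invites a copy-paste slip and should read `(chown queries-log-file uid gid)`. The enclosing activation gexp of `cuirass-activation` starts before the hunk.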