1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2013-2022 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2016, 2018, 2020 Efraim Flashner <efraim@flashner.co.il>
5 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
6 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
7 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
8 ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
9 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
10 ;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
11 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
12 ;;; Copyright © 2019 Florian Pelz <pelzflorian@pelzflorian.de>
13 ;;; Copyright © 2019, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
14 ;;; Copyright © 2019 Sou Bunnbu <iyzsong@member.fsf.org>
15 ;;; Copyright © 2019 Alex Griffin <a@ajgrf.com>
16 ;;; Copyright © 2020 Brice Waegeneire <brice@waegenei.re>
17 ;;; Copyright © 2021 Oleg Pykhalov <go.wigust@gmail.com>
18 ;;; Copyright © 2021 Christine Lemmer-Webber <cwebber@dustycloud.org>
19 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
20 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
22 ;;; This file is part of GNU Guix.
24 ;;; GNU Guix is free software; you can redistribute it and/or modify it
25 ;;; under the terms of the GNU General Public License as published by
26 ;;; the Free Software Foundation; either version 3 of the License, or (at
27 ;;; your option) any later version.
29 ;;; GNU Guix is distributed in the hope that it will be useful, but
30 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
31 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
32 ;;; GNU General Public License for more details.
34 ;;; You should have received a copy of the GNU General Public License
35 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
37 (define-module (gnu services networking)
38 #:use-module (gnu services)
39 #:use-module (gnu services base)
40 #:use-module (gnu services configuration)
41 #:use-module (gnu services linux)
42 #:use-module (gnu services shepherd)
43 #:use-module (gnu services dbus)
44 #:use-module (gnu system shadow)
45 #:use-module (gnu system pam)
46 #:use-module ((gnu system file-systems) #:select (file-system-mapping))
47 #:use-module (gnu packages admin)
48 #:use-module (gnu packages base)
49 #:use-module (gnu packages bash)
50 #:use-module (gnu packages cluster)
51 #:use-module (gnu packages connman)
52 #:use-module (gnu packages freedesktop)
53 #:use-module (gnu packages linux)
54 #:use-module (gnu packages tor)
55 #:use-module (gnu packages usb-modeswitch)
56 #:use-module (gnu packages messaging)
57 #:use-module (gnu packages networking)
58 #:use-module (gnu packages ntp)
59 #:use-module (gnu packages wicd)
60 #:use-module (gnu packages gnome)
61 #:use-module (gnu packages ipfs)
62 #:use-module (gnu build linux-container)
63 #:autoload (guix least-authority) (least-authority-wrapper)
64 #:use-module (guix gexp)
65 #:use-module (guix records)
66 #:use-module (guix modules)
67 #:use-module (guix packages)
68 #:use-module (guix deprecation)
69 #:use-module (rnrs enums)
70 #:use-module (srfi srfi-1)
71 #:use-module (srfi srfi-9)
72 #:use-module (srfi srfi-26)
73 #:use-module (srfi srfi-43)
74 #:use-module (ice-9 match)
76 #:re-export (static-networking-service
77 static-networking-service-type)
78 #:export (%facebook-host-aliases
79 dhcp-client-service-type
84 dhcpd-configuration-package
85 dhcpd-configuration-config-file
86 dhcpd-configuration-version
87 dhcpd-configuration-run-directory
88 dhcpd-configuration-lease-file
89 dhcpd-configuration-pid-file
90 dhcpd-configuration-interfaces
95 ntp-configuration-servers
96 ntp-allow-large-adjustment?
107 openntpd-configuration
108 openntpd-configuration?
109 openntpd-service-type
115 opendht-configuration
116 opendht-configuration-peer-discovery?
117 opendht-configuration-verbose?
118 opendht-configuration-bootstrap-host
119 opendht-configuration-port
120 opendht-configuration-proxy-server-port
121 opendht-configuration-proxy-server-port-tls
122 opendht-configuration->command-line-arguments
124 opendht-shepherd-service
135 network-manager-configuration
136 network-manager-configuration?
137 network-manager-configuration-dns
138 network-manager-configuration-vpn-plugins
139 network-manager-service-type
141 connman-configuration
142 connman-configuration?
145 modem-manager-configuration
146 modem-manager-configuration?
147 modem-manager-service-type
149 usb-modeswitch-configuration
150 usb-modeswitch-configuration?
151 usb-modeswitch-configuration-usb-modeswitch
152 usb-modeswitch-configuration-usb-modeswitch-data
153 usb-modeswitch-service-type
155 wpa-supplicant-configuration
156 wpa-supplicant-configuration?
157 wpa-supplicant-configuration-wpa-supplicant
158 wpa-supplicant-configuration-requirement
159 wpa-supplicant-configuration-pid-file
160 wpa-supplicant-configuration-dbus?
161 wpa-supplicant-configuration-interface
162 wpa-supplicant-configuration-config-file
163 wpa-supplicant-configuration-extra-options
164 wpa-supplicant-service-type
166 hostapd-configuration
167 hostapd-configuration?
168 hostapd-configuration-package
169 hostapd-configuration-interface
170 hostapd-configuration-ssid
171 hostapd-configuration-broadcast-ssid?
172 hostapd-configuration-channel
173 hostapd-configuration-driver
176 simulated-wifi-service-type
178 openvswitch-service-type
179 openvswitch-configuration
181 iptables-configuration
182 iptables-configuration?
183 iptables-configuration-iptables
184 iptables-configuration-ipv4-rules
185 iptables-configuration-ipv6-rules
186 iptables-service-type
188 nftables-service-type
189 nftables-configuration
190 nftables-configuration?
191 nftables-configuration-package
192 nftables-configuration-ruleset
193 %default-nftables-ruleset
195 pagekite-service-type
196 pagekite-configuration
197 pagekite-configuration?
198 pagekite-configuration-package
199 pagekite-configuration-kitename
200 pagekite-configuration-kitesecret
201 pagekite-configuration-frontend
202 pagekite-configuration-kites
203 pagekite-configuration-extra-file
205 yggdrasil-service-type
206 yggdrasil-configuration
207 yggdrasil-configuration?
208 yggdrasil-configuration-autoconf?
209 yggdrasil-configuration-config-file
210 yggdrasil-configuration-log-level
211 yggdrasil-configuration-log-to
212 yggdrasil-configuration-json-config
213 yggdrasil-configuration-package
218 ipfs-configuration-package
219 ipfs-configuration-gateway
220 ipfs-configuration-api
222 keepalived-configuration
223 keepalived-configuration?
224 keepalived-service-type))
228 ;;; Networking services.
232 (define %facebook-host-aliases
233 ;; This is the list of known Facebook hosts to be added to /etc/hosts if you
236 # Block Facebook IPv4.
237 127.0.0.1 www.facebook.com
238 127.0.0.1 facebook.com
239 127.0.0.1 login.facebook.com
240 127.0.0.1 www.login.facebook.com
242 127.0.0.1 www.fbcdn.net
244 127.0.0.1 www.fbcdn.com
245 127.0.0.1 static.ak.fbcdn.net
246 127.0.0.1 static.ak.connect.facebook.com
247 127.0.0.1 connect.facebook.net
248 127.0.0.1 www.connect.facebook.net
249 127.0.0.1 apps.facebook.com
251 # Block Facebook IPv6.
252 fe80::1%lo0 facebook.com
253 fe80::1%lo0 login.facebook.com
254 fe80::1%lo0 www.login.facebook.com
255 fe80::1%lo0 fbcdn.net
256 fe80::1%lo0 www.fbcdn.net
257 fe80::1%lo0 fbcdn.com
258 fe80::1%lo0 www.fbcdn.com
259 fe80::1%lo0 static.ak.fbcdn.net
260 fe80::1%lo0 static.ak.connect.facebook.com
261 fe80::1%lo0 connect.facebook.net
262 fe80::1%lo0 www.connect.facebook.net
263 fe80::1%lo0 apps.facebook.com\n")
265 (define dhcp-client-service-type
266 (shepherd-service-type
270 (file-append dhcp "/sbin/dhclient"))
273 "/var/run/dhclient.pid")
276 (documentation "Set up networking via DHCP.")
277 (requirement '(user-processes udev))
279 ;; XXX: Running with '-nw' ("no wait") avoids blocking for a minute when
280 ;; networking is unavailable, but also means that the interface is not up
281 ;; yet when 'start' completes. To wait for the interface to be ready, one
282 ;; should instead monitor udev events.
283 (provision '(networking))
286 ;; When invoked without any arguments, 'dhclient' discovers all
287 ;; non-loopback interfaces *that are up*. However, the relevant
288 ;; interfaces are typically down at this point. Thus we perform
289 ;; our own interface discovery here.
292 (and (arp-network-interface? interface)
293 (not (loopback-network-interface? interface))
294 ;; XXX: Make sure the interfaces are up so that
295 ;; 'dhclient' can actually send/receive over them.
296 ;; Ignore those that cannot be activated.
298 (set-network-interface-up interface)))))
300 (filter valid? (all-network-interface-names)))
302 (false-if-exception (delete-file #$pid-file))
303 (let ((pid (fork+exec-command
304 (cons* #$dhclient "-nw"
305 "-pf" #$pid-file ifaces))))
306 (and (zero? (cdr (waitpid pid)))
307 (read-pid-file #$pid-file)))))
308 (stop #~(make-kill-destructor))))
310 (description "Run @command{dhcp}, a Dynamic Host Configuration
311 Protocol (DHCP) client, on all the non-loopback network interfaces.")))
313 (define-record-type* <dhcpd-configuration>
314 dhcpd-configuration make-dhcpd-configuration
316 (package dhcpd-configuration-package ;file-like
318 (config-file dhcpd-configuration-config-file ;file-like
320 (version dhcpd-configuration-version ;"4", "6", or "4o6"
322 (run-directory dhcpd-configuration-run-directory
323 (default "/run/dhcpd"))
324 (lease-file dhcpd-configuration-lease-file
325 (default "/var/db/dhcpd.leases"))
326 (pid-file dhcpd-configuration-pid-file
327 (default "/run/dhcpd/dhcpd.pid"))
328 ;; list of strings, e.g. (list "enp0s25")
329 (interfaces dhcpd-configuration-interfaces
332 (define dhcpd-shepherd-service
334 (($ <dhcpd-configuration> package config-file version run-directory
335 lease-file pid-file interfaces)
337 (error "Must supply a config-file"))
338 (list (shepherd-service
339 ;; Allow users to easily run multiple versions simultaneously.
340 (provision (list (string->symbol
341 (string-append "dhcpv" version "-daemon"))))
342 (documentation (string-append "Run the DHCPv" version " daemon"))
343 (requirement '(networking))
344 (start #~(make-forkexec-constructor
345 '(#$(file-append package "/sbin/dhcpd")
346 #$(string-append "-" version)
351 #:pid-file #$pid-file))
352 (stop #~(make-kill-destructor)))))))
354 (define dhcpd-activation
356 (($ <dhcpd-configuration> package config-file version run-directory
357 lease-file pid-file interfaces)
358 (with-imported-modules '((guix build utils))
360 (unless (file-exists? #$run-directory)
361 (mkdir #$run-directory))
362 ;; According to the DHCP manual (man dhcpd.leases), the lease
363 ;; database must be present for dhcpd to start successfully.
364 (unless (file-exists? #$lease-file)
365 (with-output-to-file #$lease-file
366 (lambda _ (display ""))))
367 ;; Validate the config.
369 #$(file-append package "/sbin/dhcpd")
370 #$(string-append "-" version)
371 "-t" "-cf" #$config-file))))))
373 (define dhcpd-service-type
377 (list (service-extension shepherd-root-service-type dhcpd-shepherd-service)
378 (service-extension activation-service-type dhcpd-activation)))
379 (description "Run a DHCP (Dynamic Host Configuration Protocol) daemon. The
380 daemon is responsible for allocating IP addresses to its client.")))
387 (define ntp-server-types (make-enumeration
394 (define-record-type* <ntp-server>
395 ntp-server make-ntp-server
397 ;; The type can be one of the symbols of the NTP-SERVER-TYPE? enumeration.
398 (type ntp-server-type
400 (address ntp-server-address) ; a string
401 ;; The list of options can contain single option names or tuples in the form
403 (options ntp-server-options
406 (define (ntp-server->string ntp-server)
407 ;; Serialize the NTP server object as a string, ready to use in the NTP
408 ;; configuration file.
409 (define (flatten lst)
415 (cons (format #f "~a" x) res)))))
418 (($ <ntp-server> type address options)
419 ;; XXX: It'd be neater if fields were validated at the syntax level (for
420 ;; static ones at least). Perhaps the Guix record type could support a
421 ;; predicate property on a field?
422 (unless (enum-set-member? type ntp-server-types)
423 (error "Invalid NTP server type" type))
424 (string-join (cons* (symbol->string type)
426 (flatten options))))))
429 ;; Default set of NTP servers. These URLs are managed by the NTP Pool project.
430 ;; Within Guix, Leo Famulari <leo@famulari.name> is the administrative contact
431 ;; for this NTP pool "zone".
432 ;; The full list of available URLs are 0.guix.pool.ntp.org,
433 ;; 1.guix.pool.ntp.org, 2.guix.pool.ntp.org, and 3.guix.pool.ntp.org.
437 (address "0.guix.pool.ntp.org")
438 (options '("iburst"))))) ;as recommended in the ntpd manual
440 (define-record-type* <ntp-configuration>
441 ntp-configuration make-ntp-configuration
443 (ntp ntp-configuration-ntp
445 (servers %ntp-configuration-servers ;list of <ntp-server> objects
446 (default %ntp-servers))
447 (allow-large-adjustment? ntp-allow-large-adjustment?
448 (default #t))) ;as recommended in the ntpd manual
450 (define (ntp-configuration-servers ntp-configuration)
451 ;; A wrapper to support the deprecated form of this field.
452 (let ((ntp-servers (%ntp-configuration-servers ntp-configuration)))
454 (((? string?) (? string?) ...)
455 (format (current-error-port) "warning: Defining NTP servers as strings is \
456 deprecated. Please use <ntp-server> records instead.\n")
461 (options '()))) ntp-servers))
462 ((($ <ntp-server>) ($ <ntp-server>) ...)
465 (define ntp-shepherd-service
468 (($ <ntp-configuration> ntp servers allow-large-adjustment?)
469 (let ((servers (ntp-configuration-servers config)))
470 ;; TODO: Add authentication support.
472 (string-append "driftfile /var/run/ntpd/ntp.drift\n"
473 (string-join (map ntp-server->string servers)
476 # Disable status queries as a workaround for CVE-2013-5211:
477 # <http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using>.
478 restrict default kod nomodify notrap nopeer noquery limited
479 restrict -6 default kod nomodify notrap nopeer noquery limited
481 # Yet, allow use of the local 'ntpq'.
485 # This is required to use servers from a pool directive when using the 'nopeer'
486 # option by default, as documented in the 'ntp.conf' manual.
487 restrict source notrap nomodify noquery\n"))
490 (plain-file "ntpd.conf" config))
492 (list (shepherd-service
494 (documentation "Run the Network Time Protocol (NTP) daemon.")
495 (requirement '(user-processes networking))
496 (start #~(make-forkexec-constructor
497 (list (string-append #$ntp "/bin/ntpd") "-n"
498 "-c" #$ntpd.conf "-u" "ntpd"
499 #$@(if allow-large-adjustment?
502 #:log-file "/var/log/ntpd.log"))
503 (stop #~(make-kill-destructor)))))))))
505 (define %ntp-accounts
510 (comment "NTP daemon user")
511 (home-directory "/var/empty")
512 (shell (file-append shadow "/sbin/nologin")))))
515 (define (ntp-service-activation config)
516 "Return the activation gexp for CONFIG."
517 (with-imported-modules '((guix build utils))
519 (use-modules (guix build utils))
523 (let ((directory "/var/run/ntpd"))
525 (chown directory (passwd:uid %user) (passwd:gid %user))))))
527 (define ntp-service-type
528 (service-type (name 'ntp)
530 (list (service-extension shepherd-root-service-type
531 ntp-shepherd-service)
532 (service-extension account-service-type
533 (const %ntp-accounts))
534 (service-extension activation-service-type
535 ntp-service-activation)))
537 "Run the @command{ntpd}, the Network Time Protocol (NTP)
538 daemon of the @uref{http://www.ntp.org, Network Time Foundation}. The daemon
539 will keep the system clock synchronized with that of the given servers.")
540 (default-value (ntp-configuration))))
547 (define %openntpd-servers
548 (map ntp-server-address %ntp-servers))
550 (define-record-type* <openntpd-configuration>
551 openntpd-configuration make-openntpd-configuration
552 openntpd-configuration?
553 (openntpd openntpd-configuration-openntpd
555 (listen-on openntpd-listen-on
556 (default '("127.0.0.1"
558 (query-from openntpd-query-from
560 (sensor openntpd-sensor
562 (server openntpd-server
564 (servers openntpd-servers
565 (default %openntpd-servers))
566 (constraint-from openntpd-constraint-from
568 (constraints-from openntpd-constraints-from
571 (define (openntpd-configuration->string config)
573 (define (quote-field? name)
574 (member name '("constraints from")))
576 (match-record config <openntpd-configuration>
577 (listen-on query-from sensor server servers constraint-from
582 (filter-map (lambda (field values)
584 (() #f) ;discard entry with filter-map
585 ((val ...) ;validate value type
587 (if (quote-field? field)
588 (format #f "~a \"~a\"" field value)
589 (format #f "~a ~a" field value)))
592 '("listen on" "query from" "sensor" "server" "servers"
593 "constraint from" "constraints from")
594 ;; The corresponding entry values.
595 (list listen-on query-from sensor server servers
596 constraint-from constraints-from)))
598 "\n"))) ;add a trailing newline
600 (define (openntpd-shepherd-service config)
601 (let ((openntpd (openntpd-configuration-openntpd config)))
604 (plain-file "ntpd.conf" (openntpd-configuration->string config)))
606 (list (shepherd-service
608 (documentation "Run the Network Time Protocol (NTP) daemon.")
609 (requirement '(user-processes networking))
610 (start #~(make-forkexec-constructor
611 (list (string-append #$openntpd "/sbin/ntpd")
613 "-d") ;; don't daemonize
614 ;; When ntpd is daemonized it repeatedly tries to respawn
615 ;; while running, leading shepherd to disable it. To
616 ;; prevent spamming stderr, redirect output to logfile.
617 #:log-file "/var/log/ntpd"))
618 (stop #~(make-kill-destructor))))))
620 (define (openntpd-service-activation config)
621 "Return the activation gexp for CONFIG."
622 (with-imported-modules '((guix build utils))
624 (use-modules (guix build utils))
628 (unless (file-exists? "/var/db/ntpd.drift")
629 (with-output-to-file "/var/db/ntpd.drift"
631 (format #t "0.0")))))))
633 (define openntpd-service-type
634 (service-type (name 'openntpd)
636 (list (service-extension shepherd-root-service-type
637 openntpd-shepherd-service)
638 (service-extension account-service-type
639 (const %ntp-accounts))
640 (service-extension profile-service-type
641 (compose list openntpd-configuration-openntpd))
642 (service-extension activation-service-type
643 openntpd-service-activation)))
644 (default-value (openntpd-configuration))
646 "Run the @command{ntpd}, the Network Time Protocol (NTP)
647 daemon, as implemented by @uref{http://www.openntpd.org, OpenNTPD}. The
648 daemon will keep the system clock synchronized with that of the given servers.")))
655 (define-record-type* <inetd-configuration> inetd-configuration
656 make-inetd-configuration
658 (program inetd-configuration-program ;file-like
659 (default (file-append inetutils "/libexec/inetd")))
660 (entries inetd-configuration-entries ;list of <inetd-entry>
663 (define-record-type* <inetd-entry> inetd-entry make-inetd-entry
665 (node inetd-entry-node ;string or #f
667 (name inetd-entry-name) ;string, from /etc/services
669 (socket-type inetd-entry-socket-type) ;stream | dgram | raw |
671 (protocol inetd-entry-protocol) ;string, from /etc/protocols
673 (wait? inetd-entry-wait? ;Boolean
675 (user inetd-entry-user) ;string
677 (program inetd-entry-program ;string or file-like object
678 (default "internal"))
679 (arguments inetd-entry-arguments ;list of strings or file-like objects
682 (define (inetd-config-file entries)
683 (apply mixed-text-file "inetd.conf"
686 (let* ((node (inetd-entry-node entry))
687 (name (inetd-entry-name entry))
689 (if node (string-append node ":" name) name))
691 (match (inetd-entry-socket-type entry)
692 ((or 'stream 'dgram 'raw 'rdm 'seqpacket)
693 (symbol->string (inetd-entry-socket-type entry)))))
694 (protocol (inetd-entry-protocol entry))
695 (wait (if (inetd-entry-wait? entry) "wait" "nowait"))
696 (user (inetd-entry-user entry))
697 (program (inetd-entry-program entry))
698 (args (inetd-entry-arguments entry)))
701 (list #$@(list socket type protocol wait user program) #$@args)
705 (define inetd-shepherd-service
707 (($ <inetd-configuration> program ()) '()) ; empty list of entries -> do nothing
708 (($ <inetd-configuration> program entries)
711 (documentation "Run inetd.")
713 (requirement '(user-processes networking syslogd))
714 (start #~(make-forkexec-constructor
715 (list #$program #$(inetd-config-file entries))
716 #:pid-file "/var/run/inetd.pid"))
717 (stop #~(make-kill-destructor)))))))
719 (define-public inetd-service-type
723 (list (service-extension shepherd-root-service-type
724 inetd-shepherd-service)))
726 ;; The service can be extended with additional lists of entries.
727 (compose concatenate)
728 (extend (lambda (config entries)
731 (entries (append (inetd-configuration-entries config)
734 "Start @command{inetd}, the @dfn{Internet superserver}. It is responsible
735 for listening on Internet sockets and spawning the corresponding services on
740 ;;; OpenDHT, the distributed hash table network used by Jami
743 (define-maybe/no-serialization number)
744 (define-maybe/no-serialization string)
746 ;;; To generate the documentation of the following configuration record, you
747 ;;; can evaluate: (configuration->documentation 'opendht-configuration)
748 (define-configuration/no-serialization opendht-configuration
751 "The @code{opendht} package to use.")
754 "Whether to enable the multicast local peer discovery mechanism.")
757 "Whether to enable logging messages to syslog. It is disabled by default
758 as it is rather verbose.")
761 "Whether to enable debug-level logging messages. This has no effect if
762 logging is disabled.")
764 (maybe-string "bootstrap.jami.net:4222")
765 "The node host name that is used to make the first connection to the
766 network. A specific port value can be provided by appending the @code{:PORT}
767 suffix. By default, it uses the Jami bootstrap nodes, but any host can be
768 specified here. It's also possible to disable bootstrapping by setting this
769 to the @code{'disabled} symbol.")
772 "The UDP port to bind to. When set to @code{'disabled}, an available port
773 is automatically selected.")
775 (maybe-number 'disabled)
776 "Spawn a proxy server listening on the specified port.")
777 (proxy-server-port-tls
778 (maybe-number 'disabled)
779 "Spawn a proxy server listening to TLS connections on the specified
782 (define %opendht-accounts
783 ;; User account and groups for Tor.
784 (list (user-group (name "opendht") (system? #t))
789 (comment "OpenDHT daemon user")
790 (home-directory "/var/empty")
791 (shell (file-append shadow "/sbin/nologin")))))
793 (define (opendht-configuration->command-line-arguments config)
794 "Derive the command line arguments used to launch the OpenDHT daemon from
795 CONFIG, an <opendht-configuration> object."
796 (match-record config <opendht-configuration>
797 (opendht bootstrap-host enable-logging? port debug? peer-discovery?
798 proxy-server-port proxy-server-port-tls)
799 (let ((dhtnode (least-authority-wrapper
800 ;; XXX: Work around lack of support for multiple outputs
802 (computed-file "dhtnode"
804 (string-append #$opendht:tools
808 #:mappings (list (file-system-mapping
809 (source "/dev/log") ;for syslog
811 #:namespaces (delq 'net %namespaces))))
813 "--service" ;non-forking mode
814 ,@(if (string? bootstrap-host)
815 (list "--bootstrap" bootstrap-host))
816 ,@(if enable-logging?
820 (list "--port" (number->string port))
825 ,@(if peer-discovery?
826 (list "--peer-discovery")
828 ,@(if (number? proxy-server-port)
829 (list "--proxyserver" (number->string proxy-server-port))
831 ,@(if (number? proxy-server-port-tls)
832 (list "--proxyserverssl" (number->string proxy-server-port-tls))
835 (define (opendht-shepherd-service config)
836 "Return a <shepherd-service> running OpenDHT."
838 (documentation "Run an OpenDHT node.")
839 (provision '(opendht dhtnode dhtproxy))
840 (requirement '(networking syslogd))
841 (start #~(make-forkexec-constructor
842 (list #$@(opendht-configuration->command-line-arguments config))
845 (stop #~(make-kill-destructor))))
847 (define opendht-service-type
850 (default-value (opendht-configuration))
852 (list (service-extension shepherd-root-service-type
853 (compose list opendht-shepherd-service))
854 (service-extension account-service-type
855 (const %opendht-accounts))))
856 (description "Run the OpenDHT @command{dhtnode} command that allows
857 participating in the distributed hash table based OpenDHT network. The
858 service can be configured to act as a proxy to the distributed network, which
859 can be useful for portable devices where minimizing energy consumption is
860 paramount. OpenDHT was originally based on Kademlia and adapted for
861 applications in communication. It is used by Jami, for example.")))
868 (define-record-type* <tor-configuration>
869 tor-configuration make-tor-configuration
871 (tor tor-configuration-tor
873 (config-file tor-configuration-config-file
874 (default (plain-file "empty" "")))
875 (hidden-services tor-configuration-hidden-services
877 (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
879 (control-socket? tor-control-socket-path
882 (define %tor-accounts
883 ;; User account and groups for Tor.
884 (list (user-group (name "tor") (system? #t))
889 (comment "Tor daemon user")
890 (home-directory "/var/empty")
891 (shell (file-append shadow "/sbin/nologin")))))
893 (define-record-type <hidden-service>
894 (hidden-service name mapping)
896 (name hidden-service-name) ;string
897 (mapping hidden-service-mapping)) ;list of port/address tuples
899 (define (tor-configuration->torrc config)
900 "Return a 'torrc' file for CONFIG."
902 (($ <tor-configuration> tor config-file services
903 socks-socket-type control-socket?)
906 (with-imported-modules '((guix build utils))
908 (use-modules (guix build utils)
911 (call-with-output-file #$output
914 ### These lines were generated from your system configuration:
916 DataDirectory /var/lib/tor
917 PidFile /var/run/tor/tor.pid
918 Log notice syslog\n" port)
919 (when (eq? 'unix '#$socks-socket-type)
921 SocksPort unix:/var/run/tor/socks-sock
922 UnixSocksGroupWritable 1\n" port))
923 (when #$control-socket?
925 ControlSocket unix:/var/run/tor/control-sock GroupWritable RelaxDirModeCheck
926 ControlSocketsGroupWritable 1\n"
929 (for-each (match-lambda
930 ((service (ports hosts) ...)
932 HiddenServiceDir /var/lib/tor/hidden-services/~a~%"
934 (for-each (lambda (tcp-port host)
936 HiddenServicePort ~a ~a~%"
939 '#$(map (match-lambda
940 (($ <hidden-service> name mapping)
941 (cons name mapping)))
945 ### End of automatically generated lines.\n\n" port)
947 ;; Append the user's config file.
948 (call-with-input-file #$config-file
950 (dump-port input port)))
953 (define (tor-shepherd-service config)
954 "Return a <shepherd-service> running Tor."
956 (($ <tor-configuration> tor)
957 (let ((torrc (tor-configuration->torrc config)))
958 (with-imported-modules (source-module-closure
959 '((gnu build shepherd)
960 (gnu system file-systems)))
961 (list (shepherd-service
964 ;; Tor needs at least one network interface to be up, hence the
965 ;; dependency on 'loopback'.
966 (requirement '(user-processes loopback syslogd))
968 (modules '((gnu build shepherd)
969 (gnu system file-systems)))
971 (start #~(make-forkexec-constructor/container
972 (list #$(file-append tor "/bin/tor") "-f" #$torrc)
974 #:log-file "/var/log/tor.log"
975 #:mappings (list (file-system-mapping
976 (source "/var/lib/tor")
980 (source "/dev/log") ;for syslog
983 (source "/var/run/tor")
986 #:pid-file "/var/run/tor/tor.pid"))
987 (stop #~(make-kill-destructor))
988 (documentation "Run the Tor anonymous network overlay."))))))))
990 (define (tor-activation config)
991 "Set up directories for Tor and its hidden services, if any."
993 (use-modules (guix build utils))
998 (define (initialize service)
999 (let ((directory (string-append "/var/lib/tor/hidden-services/"
1002 (chown directory (passwd:uid %user) (passwd:gid %user))
1004 ;; The daemon bails out if we give wider permissions.
1005 (chmod directory #o700)))
1007 ;; Allow Tor to write its PID file.
1008 (mkdir-p "/var/run/tor")
1009 (chown "/var/run/tor" (passwd:uid %user) (passwd:gid %user))
1010 ;; Set the group permissions to rw so that if the system administrator
1011 ;; has specified UnixSocksGroupWritable=1 in their torrc file, members
1012 ;; of the "tor" group will be able to use the SOCKS socket.
1013 (chmod "/var/run/tor" #o750)
1015 ;; Allow Tor to access the hidden services' directories.
1016 (mkdir-p "/var/lib/tor")
1017 (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))
1018 (chmod "/var/lib/tor" #o700)
1020 ;; Make sure /var/lib is accessible to the 'tor' user.
1021 (chmod "/var/lib" #o755)
1023 (for-each initialize
1024 '#$(map hidden-service-name
1025 (tor-configuration-hidden-services config)))))
1027 (define tor-service-type
1028 (service-type (name 'tor)
1030 (list (service-extension shepherd-root-service-type
1031 tor-shepherd-service)
1032 (service-extension account-service-type
1033 (const %tor-accounts))
1034 (service-extension activation-service-type
1037 ;; This can be extended with hidden services.
1038 (compose concatenate)
1039 (extend (lambda (config services)
1043 (append (tor-configuration-hidden-services config)
1045 (default-value (tor-configuration))
1047 "Run the @uref{https://torproject.org, Tor} anonymous
1048 networking daemon.")))
1050 (define tor-hidden-service-type
1051 ;; A type that extends Tor with hidden services.
1052 (service-type (name 'tor-hidden-service)
1054 (list (service-extension tor-service-type list)))
1056 "Define a new Tor @dfn{hidden service}.")))
1058 (define (tor-hidden-service name mapping)
1059 "Define a new Tor @dfn{hidden service} called @var{name} and implementing
1060 @var{mapping}. @var{mapping} is a list of port/host tuples, such as:
1063 '((22 \"127.0.0.1:22\")
1064 (80 \"127.0.0.1:8080\"))
1067 In this example, port 22 of the hidden service is mapped to local port 22, and
1068 port 80 is mapped to local port 8080.
1070 This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
1071 the @file{hostname} file contains the @code{.onion} host name for the hidden
1074 See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
1075 project's documentation} for more information."
1076 (service tor-hidden-service-type
1077 (hidden-service name mapping)))
1084 (define %wicd-activation
1085 ;; Activation gexp for Wicd.
1087 (use-modules (guix build utils))
1089 (mkdir-p "/etc/wicd")
1090 (let ((file-name "/etc/wicd/dhclient.conf.template.default"))
1091 (unless (file-exists? file-name)
1092 (copy-file (string-append #$wicd file-name)
1095 ;; Wicd invokes 'wpa_supplicant', which needs this directory for its
1096 ;; named socket files.
1097 (mkdir-p "/var/run/wpa_supplicant")
1098 (chmod "/var/run/wpa_supplicant" #o750)))
1100 (define (wicd-shepherd-service wicd)
1101 "Return a shepherd service for WICD."
1102 (list (shepherd-service
1103 (documentation "Run the Wicd network manager.")
1104 (provision '(networking))
1105 (requirement '(user-processes dbus-system loopback))
1106 (start #~(make-forkexec-constructor
1107 (list (string-append #$wicd "/sbin/wicd")
1109 (stop #~(make-kill-destructor)))))
1111 (define wicd-service-type
1112 (service-type (name 'wicd)
1114 (list (service-extension shepherd-root-service-type
1115 wicd-shepherd-service)
1116 (service-extension dbus-root-service-type
1118 (service-extension activation-service-type
1119 (const %wicd-activation))
1121 ;; Add Wicd to the global profile.
1122 (service-extension profile-service-type list)))
1124 "Run @url{https://launchpad.net/wicd,Wicd}, a network
1125 management daemon that aims to simplify wired and wireless networking.")))
1127 (define* (wicd-service #:key (wicd wicd))
1128 "Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
1129 management daemon that aims to simplify wired and wireless networking.
1131 This service adds the @var{wicd} package to the global profile, providing
1132 several commands to interact with the daemon and configure networking:
1133 @command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
1134 and @command{wicd-curses} user interfaces."
1135 (service wicd-service-type wicd))
1142 (define-record-type* <modem-manager-configuration>
1143 modem-manager-configuration make-modem-manager-configuration
1144 modem-manager-configuration?
1145 (modem-manager modem-manager-configuration-modem-manager
1146 (default modem-manager)))
1153 (define-record-type* <network-manager-configuration>
1154 network-manager-configuration make-network-manager-configuration
1155 network-manager-configuration?
1156 (network-manager network-manager-configuration-network-manager
1157 (default network-manager))
1158 (dns network-manager-configuration-dns
1159 (default "default"))
1160 (vpn-plugins network-manager-configuration-vpn-plugins ;list of file-like
1163 (define network-manager-activation
1164 ;; Activation gexp for NetworkManager
1166 (($ <network-manager-configuration> network-manager dns vpn-plugins)
1168 (use-modules (guix build utils))
1169 (mkdir-p "/etc/NetworkManager/system-connections")
1170 #$@(if (equal? dns "dnsmasq")
1171 ;; create directory to store dnsmasq lease file
1172 '((mkdir-p "/var/lib/misc"))
1175 (define (vpn-plugin-directory plugins)
1176 "Return a directory containing PLUGINS, the NM VPN plugins."
1177 (directory-union "network-manager-vpn-plugins" plugins))
1179 (define (network-manager-accounts config)
1180 "Return the list of <user-account> and <user-group> for CONFIG."
1182 (file-append shadow "/sbin/nologin"))
1185 (append-map (lambda (package)
1187 (user-account (system? #t)
1189 (group "network-manager")
1190 (comment "NetworkManager helper")
1191 (home-directory "/var/empty")
1192 (create-home-directory? #f)
1194 (or (assoc-ref (package-properties package)
1197 (network-manager-configuration-vpn-plugins config)))
1203 (cons (user-group (name "network-manager") (system? #t))
1206 (define network-manager-environment
1208 (($ <network-manager-configuration> network-manager dns vpn-plugins)
1209 ;; Define this variable in the global environment such that
1210 ;; "nmcli connection import type openvpn file foo.ovpn" works.
1211 `(("NM_VPN_PLUGIN_DIR"
1212 . ,(file-append (vpn-plugin-directory vpn-plugins)
1213 "/lib/NetworkManager/VPN"))))))
1215 (define network-manager-shepherd-service
1217 (($ <network-manager-configuration> network-manager dns vpn-plugins)
1218 (let ((conf (plain-file "NetworkManager.conf"
1219 (string-append "[main]\ndns=" dns "\n")))
1220 (vpn (vpn-plugin-directory vpn-plugins)))
1221 (list (shepherd-service
1222 (documentation "Run the NetworkManager.")
1223 (provision '(networking))
1224 (requirement '(user-processes dbus-system wpa-supplicant loopback))
1225 (start #~(make-forkexec-constructor
1226 (list (string-append #$network-manager
1227 "/sbin/NetworkManager")
1228 (string-append "--config=" #$conf)
1230 #:environment-variables
1231 (list (string-append "NM_VPN_PLUGIN_DIR=" #$vpn
1232 "/lib/NetworkManager/VPN")
1233 ;; Override non-existent default users
1235 "NM_OPENVPN_GROUP=")))
1236 (stop #~(make-kill-destructor))))))))
1238 (define network-manager-service-type
1242 (($ <network-manager-configuration> network-manager _ vpn-plugins)
1243 `(,network-manager ,@vpn-plugins)))))
1246 (name 'network-manager)
1248 (list (service-extension shepherd-root-service-type
1249 network-manager-shepherd-service)
1250 (service-extension dbus-root-service-type config->packages)
1251 (service-extension polkit-service-type
1254 network-manager-configuration-network-manager))
1255 (service-extension account-service-type
1256 network-manager-accounts)
1257 (service-extension activation-service-type
1258 network-manager-activation)
1259 (service-extension session-environment-service-type
1260 network-manager-environment)
1261 ;; Add network-manager to the system profile.
1262 (service-extension profile-service-type config->packages)))
1263 (default-value (network-manager-configuration))
1265 "Run @uref{https://wiki.gnome.org/Projects/NetworkManager,
1266 NetworkManager}, a network management daemon that aims to simplify wired and
1267 wireless networking."))))
1274 (define-record-type* <connman-configuration>
1275 connman-configuration make-connman-configuration
1276 connman-configuration?
1277 (connman connman-configuration-connman
1279 (disable-vpn? connman-configuration-disable-vpn?
1282 (define (connman-activation config)
1283 (let ((disable-vpn? (connman-configuration-disable-vpn? config)))
1284 (with-imported-modules '((guix build utils))
1286 (use-modules (guix build utils))
1287 (mkdir-p "/var/lib/connman/")
1288 (unless #$disable-vpn?
1289 (mkdir-p "/var/lib/connman-vpn/"))))))
1291 (define (connman-shepherd-service config)
1292 "Return a shepherd service for Connman"
1294 (connman-configuration? config)
1295 (let ((connman (connman-configuration-connman config))
1296 (disable-vpn? (connman-configuration-disable-vpn? config)))
1297 (list (shepherd-service
1298 (documentation "Run Connman")
1299 (provision '(networking))
1301 '(user-processes dbus-system loopback wpa-supplicant))
1302 (start #~(make-forkexec-constructor
1303 (list (string-append #$connman
1307 #$@(if disable-vpn? '("--noplugin=vpn") '()))
1309 ;; As connman(8) notes, when passing '-n', connman
1310 ;; "directs log output to the controlling terminal in
1311 ;; addition to syslog." Redirect stdout and stderr
1312 ;; to avoid spamming the console (XXX: for some reason
1313 ;; redirecting to /dev/null doesn't work.)
1314 #:log-file "/var/log/connman.log"))
1315 (stop #~(make-kill-destructor)))))))
1317 (define connman-service-type
1318 (let ((connman-package (compose list connman-configuration-connman)))
1319 (service-type (name 'connman)
1321 (list (service-extension shepherd-root-service-type
1322 connman-shepherd-service)
1323 (service-extension polkit-service-type
1325 (service-extension dbus-root-service-type
1327 (service-extension activation-service-type
1329 ;; Add connman to the system profile.
1330 (service-extension profile-service-type
1332 (default-value (connman-configuration))
1334 "Run @url{https://01.org/connman,Connman},
1335 a network connection manager."))))
1342 (define modem-manager-service-type
1343 (let ((config->package
1345 (($ <modem-manager-configuration> modem-manager)
1346 (list modem-manager)))))
1347 (service-type (name 'modem-manager)
1349 (list (service-extension dbus-root-service-type
1351 (service-extension udev-service-type
1353 (service-extension polkit-service-type
1355 (default-value (modem-manager-configuration))
1357 "Run @uref{https://wiki.gnome.org/Projects/ModemManager,
1358 ModemManager}, a modem management daemon that aims to simplify dialup
1366 (define-record-type* <usb-modeswitch-configuration>
1367 usb-modeswitch-configuration make-usb-modeswitch-configuration
1368 usb-modeswitch-configuration?
1369 (usb-modeswitch usb-modeswitch-configuration-usb-modeswitch
1370 (default usb-modeswitch))
1371 (usb-modeswitch-data usb-modeswitch-configuration-usb-modeswitch-data
1372 (default usb-modeswitch-data))
1373 (config-file usb-modeswitch-configuration-config-file
1374 (default #~(string-append #$usb-modeswitch:dispatcher
1375 "/etc/usb_modeswitch.conf"))))
1377 (define (usb-modeswitch-sh usb-modeswitch config-file)
1378 "Build a copy of usb_modeswitch.sh located in package USB-MODESWITCH,
1379 modified to pass the CONFIG-FILE in its calls to usb_modeswitch_dispatcher,
1380 and wrap it to actually find the dispatcher in USB-MODESWITCH. The script
1381 will be run by USB_ModeSwitch’s udev rules file when a modeswitchable USB
1382 device is detected."
1385 (with-imported-modules '((guix build utils))
1387 (use-modules (guix build utils))
1390 #~(string-append " --config-file=" #$config-file)
1393 (install-file (string-append #$usb-modeswitch:dispatcher
1394 "/lib/udev/usb_modeswitch")
1397 ;; insert CFG-PARAM into usb_modeswitch_dispatcher command-lines
1398 (substitute* (string-append #$output "/usb_modeswitch")
1399 (("(exec usb_modeswitch_dispatcher .*)( 2>>)" _ left right)
1400 (string-append left cfg-param right))
1401 (("(exec usb_modeswitch_dispatcher .*)( &)" _ left right)
1402 (string-append left cfg-param right)))
1404 ;; wrap-program needs bash in PATH:
1405 (putenv (string-append "PATH=" #$bash "/bin"))
1406 (wrap-program (string-append #$output "/usb_modeswitch")
1407 `("PATH" ":" = (,(string-append #$coreutils "/bin")
1409 #$usb-modeswitch:dispatcher
1412 (define (usb-modeswitch-configuration->udev-rules config)
1413 "Build a rules file for extending udev-service-type from the rules in the
1414 usb-modeswitch package specified in CONFIG. The rules file will invoke
1415 usb_modeswitch.sh from the usb-modeswitch package, modified to pass the right
1418 (($ <usb-modeswitch-configuration> usb-modeswitch data config-file)
1420 "usb_modeswitch.rules"
1421 (with-imported-modules '((guix build utils))
1423 (use-modules (guix build utils))
1424 (let ((in (string-append #$data "/udev/40-usb_modeswitch.rules"))
1425 (out (string-append #$output "/lib/udev/rules.d"))
1426 (script #$(usb-modeswitch-sh usb-modeswitch config-file)))
1429 (install-file in out)
1430 (substitute* "40-usb_modeswitch.rules"
1431 (("PROGRAM=\"usb_modeswitch")
1432 (string-append "PROGRAM=\"" script "/usb_modeswitch"))
1433 (("RUN\\+=\"usb_modeswitch")
1434 (string-append "RUN+=\"" script "/usb_modeswitch"))))))))))
1436 (define usb-modeswitch-service-type
1438 (name 'usb-modeswitch)
1444 (let ((rules (usb-modeswitch-configuration->udev-rules config)))
1446 (default-value (usb-modeswitch-configuration))
1447 (description "Run @uref{http://www.draisberghof.de/usb_modeswitch/,
1448 USB_ModeSwitch}, a mode switching tool for controlling USB devices with
1449 multiple @dfn{modes}. When plugged in for the first time many USB
1450 devices (primarily high-speed WAN modems) act like a flash storage containing
1451 installers for Windows drivers. USB_ModeSwitch replays the sequence the
1452 Windows drivers would send to switch their mode from storage to modem (or
1453 whatever the thing is supposed to do).")))
1460 (define-record-type* <wpa-supplicant-configuration>
1461 wpa-supplicant-configuration make-wpa-supplicant-configuration
1462 wpa-supplicant-configuration?
1463 (wpa-supplicant wpa-supplicant-configuration-wpa-supplicant ;file-like
1464 (default wpa-supplicant))
1465 (requirement wpa-supplicant-configuration-requirement ;list of symbols
1466 (default '(user-processes loopback syslogd)))
1467 (pid-file wpa-supplicant-configuration-pid-file ;string
1468 (default "/var/run/wpa_supplicant.pid"))
1469 (dbus? wpa-supplicant-configuration-dbus? ;Boolean
1471 (interface wpa-supplicant-configuration-interface ;#f | string
1473 (config-file wpa-supplicant-configuration-config-file ;#f | <file-like>
1475 (extra-options wpa-supplicant-configuration-extra-options ;list of strings
1478 (define wpa-supplicant-shepherd-service
1480 (($ <wpa-supplicant-configuration> wpa-supplicant requirement pid-file dbus?
1481 interface config-file extra-options)
1482 (list (shepherd-service
1483 (documentation "Run the WPA supplicant daemon")
1484 (provision '(wpa-supplicant))
1485 (requirement (if dbus?
1486 (cons 'dbus-system requirement)
1488 (start #~(make-forkexec-constructor
1489 (list (string-append #$wpa-supplicant
1490 "/sbin/wpa_supplicant")
1491 (string-append "-P" #$pid-file)
1492 "-B" ;run in background
1493 "-s" ;log to syslogd
1498 #~((string-append "-i" #$interface))
1501 #~((string-append "-c" #$config-file))
1504 #:pid-file #$pid-file))
1505 (stop #~(make-kill-destructor)))))))
1507 (define wpa-supplicant-service-type
1508 (let ((config->package
1510 (($ <wpa-supplicant-configuration> wpa-supplicant)
1511 (list wpa-supplicant)))))
1512 (service-type (name 'wpa-supplicant)
1514 (list (service-extension shepherd-root-service-type
1515 wpa-supplicant-shepherd-service)
1516 (service-extension dbus-root-service-type config->package)
1517 (service-extension profile-service-type config->package)))
1518 (description "Run the WPA Supplicant daemon, a service that
1519 implements authentication, key negotiation and more for wireless networks.")
1520 (default-value (wpa-supplicant-configuration)))))
1527 (define-record-type* <hostapd-configuration>
1528 hostapd-configuration make-hostapd-configuration
1529 hostapd-configuration?
1530 (package hostapd-configuration-package
1532 (interface hostapd-configuration-interface ;string
1534 (ssid hostapd-configuration-ssid) ;string
1535 (broadcast-ssid? hostapd-configuration-broadcast-ssid? ;Boolean
1537 (channel hostapd-configuration-channel ;integer
1539 (driver hostapd-configuration-driver ;string
1540 (default "nl80211"))
1541 ;; See <https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf> for a list of
1542 ;; additional options we could add.
1543 (extra-settings hostapd-configuration-extra-settings ;string
1546 (define (hostapd-configuration-file config)
1547 "Return the configuration file for CONFIG, a <hostapd-configuration>."
1548 (match-record config <hostapd-configuration>
1549 (interface ssid broadcast-ssid? channel driver extra-settings)
1550 (plain-file "hostapd.conf"
1552 # Generated from your Guix configuration.
1554 interface=" interface "
1556 ignore_broadcast_ssid=" (if broadcast-ssid? "0" "1") "
1557 channel=" (number->string channel) "\n"
1558 extra-settings "\n"))))
1560 (define* (hostapd-shepherd-services config #:key (requirement '()))
1561 "Return Shepherd services for hostapd."
1562 (list (shepherd-service
1563 (provision '(hostapd))
1564 (requirement `(user-processes ,@requirement))
1565 (documentation "Run the hostapd WiFi access point daemon.")
1566 (start #~(make-forkexec-constructor
1567 (list #$(file-append (hostapd-configuration-package config)
1569 #$(hostapd-configuration-file config))
1570 #:log-file "/var/log/hostapd.log"))
1571 (stop #~(make-kill-destructor)))))
1573 (define hostapd-service-type
1577 (list (service-extension shepherd-root-service-type
1578 hostapd-shepherd-services)))
1580 "Run the @uref{https://w1.fi/hostapd/, hostapd} daemon for Wi-Fi access
1581 points and authentication servers.")))
1583 (define (simulated-wifi-shepherd-services config)
1584 "Return Shepherd services to run hostapd with CONFIG, a
1585 <hostapd-configuration>, as well as services to set up WiFi hardware
1587 (append (hostapd-shepherd-services config
1590 kernel-module-loader))
1591 (list (shepherd-service
1592 (provision '(unblocked-wifi))
1593 (requirement '(file-systems kernel-module-loader))
1595 "Unblock WiFi devices for use by mac80211_hwsim.")
1597 (invoke #$(file-append util-linux "/sbin/rfkill")
1599 (invoke #$(file-append util-linux "/sbin/rfkill")
1603 (define simulated-wifi-service-type
1605 (name 'simulated-wifi)
1607 (list (service-extension shepherd-root-service-type
1608 simulated-wifi-shepherd-services)
1609 (service-extension kernel-module-loader-service-type
1610 (const '("mac80211_hwsim")))))
1611 (default-value (hostapd-configuration
1613 (ssid "Test Network")))
1614 (description "Run hostapd to simulate WiFi connectivity.")))
1621 (define-record-type* <openvswitch-configuration>
1622 openvswitch-configuration make-openvswitch-configuration
1623 openvswitch-configuration?
1624 (package openvswitch-configuration-package
1625 (default openvswitch)))
1627 (define openvswitch-activation
1629 (($ <openvswitch-configuration> package)
1630 (let ((ovsdb-tool (file-append package "/bin/ovsdb-tool")))
1631 (with-imported-modules '((guix build utils))
1633 (use-modules (guix build utils))
1634 (mkdir-p "/var/run/openvswitch")
1635 (mkdir-p "/var/lib/openvswitch")
1636 (let ((conf.db "/var/lib/openvswitch/conf.db"))
1637 (unless (file-exists? conf.db)
1638 (system* #$ovsdb-tool "create" conf.db)))))))))
1640 (define openvswitch-shepherd-service
1642 (($ <openvswitch-configuration> package)
1643 (let ((ovsdb-server (file-append package "/sbin/ovsdb-server"))
1644 (ovs-vswitchd (file-append package "/sbin/ovs-vswitchd")))
1647 (provision '(ovsdb))
1648 (documentation "Run the Open vSwitch database server.")
1649 (start #~(make-forkexec-constructor
1650 (list #$ovsdb-server "--pidfile"
1651 "--remote=punix:/var/run/openvswitch/db.sock")
1652 #:pid-file "/var/run/openvswitch/ovsdb-server.pid"))
1653 (stop #~(make-kill-destructor)))
1655 (provision '(vswitchd))
1656 (requirement '(ovsdb))
1657 (documentation "Run the Open vSwitch daemon.")
1658 (start #~(make-forkexec-constructor
1659 (list #$ovs-vswitchd "--pidfile")
1660 #:pid-file "/var/run/openvswitch/ovs-vswitchd.pid"))
1661 (stop #~(make-kill-destructor))))))))
1663 (define openvswitch-service-type
1667 (list (service-extension activation-service-type
1668 openvswitch-activation)
1669 (service-extension profile-service-type
1670 (compose list openvswitch-configuration-package))
1671 (service-extension shepherd-root-service-type
1672 openvswitch-shepherd-service)))
1674 "Run @uref{http://www.openvswitch.org, Open vSwitch}, a multilayer virtual
1675 switch designed to enable massive network automation through programmatic
1677 (default-value (openvswitch-configuration))))
1683 (define %iptables-accept-all-rules
1684 (plain-file "iptables-accept-all.rules"
1692 (define-record-type* <iptables-configuration>
1693 iptables-configuration make-iptables-configuration iptables-configuration?
1694 (iptables iptables-configuration-iptables
1696 (ipv4-rules iptables-configuration-ipv4-rules
1697 (default %iptables-accept-all-rules))
1698 (ipv6-rules iptables-configuration-ipv6-rules
1699 (default %iptables-accept-all-rules)))
1701 (define iptables-shepherd-service
1703 (($ <iptables-configuration> iptables ipv4-rules ipv6-rules)
1704 (let ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
1705 (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore")))
1707 (documentation "Packet filtering framework")
1708 (provision '(iptables))
1710 (invoke #$iptables-restore #$ipv4-rules)
1711 (invoke #$ip6tables-restore #$ipv6-rules)))
1713 (invoke #$iptables-restore #$%iptables-accept-all-rules)
1714 (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
1716 (define iptables-service-type
1720 "Run @command{iptables-restore}, setting up the specified rules.")
1722 (list (service-extension shepherd-root-service-type
1723 (compose list iptables-shepherd-service))))))
1729 (define %default-nftables-ruleset
1730 (plain-file "nftables.conf"
1731 "# A simple and safe firewall
1734 type filter hook input priority 0; policy drop;
1736 # early drop of invalid connections
1737 ct state invalid drop
1739 # allow established/related connections
1740 ct state { established, related } accept
1742 # allow from loopback
1746 ip protocol icmp accept
1747 ip6 nexthdr icmpv6 accept
1750 tcp dport ssh accept
1752 # reject everything else
1753 reject with icmpx type port-unreachable
1756 type filter hook forward priority 0; policy drop;
1759 type filter hook output priority 0; policy accept;
1764 (define-record-type* <nftables-configuration>
1765 nftables-configuration
1766 make-nftables-configuration
1767 nftables-configuration?
1768 (package nftables-configuration-package
1770 (ruleset nftables-configuration-ruleset ; file-like object
1771 (default %default-nftables-ruleset)))
1773 (define nftables-shepherd-service
1775 (($ <nftables-configuration> package ruleset)
1776 (let ((nft (file-append package "/sbin/nft")))
1778 (documentation "Packet filtering and classification")
1779 (provision '(nftables))
1781 (invoke #$nft "--file" #$ruleset)))
1783 (invoke #$nft "flush" "ruleset"))))))))
1785 (define nftables-service-type
1789 "Run @command{nft}, setting up the specified ruleset.")
1791 (list (service-extension shepherd-root-service-type
1792 (compose list nftables-shepherd-service))
1793 (service-extension profile-service-type
1794 (compose list nftables-configuration-package))))
1795 (default-value (nftables-configuration))))
1802 (define-record-type* <pagekite-configuration>
1803 pagekite-configuration
1804 make-pagekite-configuration
1805 pagekite-configuration?
1806 (package pagekite-configuration-package
1808 (kitename pagekite-configuration-kitename
1810 (kitesecret pagekite-configuration-kitesecret
1812 (frontend pagekite-configuration-frontend
1814 (kites pagekite-configuration-kites
1815 (default '("http:@kitename:localhost:80:@kitesecret")))
1816 (extra-file pagekite-configuration-extra-file
1819 (define (pagekite-configuration-file config)
1820 (match-record config <pagekite-configuration>
1821 (package kitename kitesecret frontend kites extra-file)
1822 (mixed-text-file "pagekite.rc"
1824 (string-append "optfile = " extra-file "\n")
1827 (string-append "kitename = " kitename "\n")
1830 (string-append "kitesecret = " kitesecret "\n")
1833 (string-append "frontend = " frontend "\n")
1835 (string-join (map (lambda (kite)
1836 (string-append "service_on = " kite))
1841 (define (pagekite-shepherd-service config)
1842 (match-record config <pagekite-configuration>
1843 (package kitename kitesecret frontend kites extra-file)
1844 (with-imported-modules (source-module-closure
1845 '((gnu build shepherd)
1846 (gnu system file-systems)))
1848 (documentation "Run the PageKite service.")
1849 (provision '(pagekite))
1850 (requirement '(networking))
1851 (modules '((gnu build shepherd)
1852 (gnu system file-systems)))
1853 (start #~(make-forkexec-constructor/container
1854 (list #$(file-append package "/bin/pagekite")
1858 "--runas=pagekite:pagekite"
1859 (string-append "--optfile="
1860 #$(pagekite-configuration-file config)))
1861 #:log-file "/var/log/pagekite.log"
1862 #:mappings #$(if extra-file
1863 #~(list (file-system-mapping
1864 (source #$extra-file)
1867 ;; SIGTERM doesn't always work for some reason.
1868 (stop #~(make-kill-destructor SIGINT))))))
1870 (define %pagekite-accounts
1871 (list (user-group (name "pagekite") (system? #t))
1876 (comment "PageKite user")
1877 (home-directory "/var/empty")
1878 (shell (file-append shadow "/sbin/nologin")))))
1880 (define pagekite-service-type
1883 (default-value (pagekite-configuration))
1885 (list (service-extension shepherd-root-service-type
1886 (compose list pagekite-shepherd-service))
1887 (service-extension account-service-type
1888 (const %pagekite-accounts))))
1890 "Run @url{https://pagekite.net/,PageKite}, a tunneling solution to make
1891 local servers publicly accessible on the web, even behind NATs and firewalls.")))
1898 (define-record-type* <yggdrasil-configuration>
1899 yggdrasil-configuration
1900 make-yggdrasil-configuration
1901 yggdrasil-configuration?
1902 (package yggdrasil-configuration-package
1903 (default yggdrasil))
1904 (json-config yggdrasil-configuration-json-config
1906 (config-file yggdrasil-config-file
1907 (default "/etc/yggdrasil-private.conf"))
1908 (autoconf? yggdrasil-configuration-autoconf?
1910 (log-level yggdrasil-configuration-log-level
1912 (log-to yggdrasil-configuration-log-to
1915 (define (yggdrasil-configuration-file config)
1916 (define (scm->yggdrasil-json x)
1919 (define (param->camel str)
1923 (string-split str (cut eqv? <> #\-)))))
1930 (param->camel (symbol->string k))
1933 ((list? x) (map scm->yggdrasil-json x))
1934 ((vector? x) (vector-map scm->yggdrasil-json x))
1938 #~(call-with-output-file #$output
1940 ;; it's HJSON, so comments are a-okay
1941 (display "# Generated by yggdrasil-service\n" port)
1942 (display #$(scm->json-string
1943 (scm->yggdrasil-json
1944 (yggdrasil-configuration-json-config config)))
1947 (define (yggdrasil-shepherd-service config)
1948 "Return a <shepherd-service> for yggdrasil with CONFIG."
1949 (define yggdrasil-command
1951 (list (string-append
1952 #$(yggdrasil-configuration-package config)
1955 #$(yggdrasil-configuration-file config))
1956 (if #$(yggdrasil-configuration-autoconf? config)
1959 (let ((extraconf #$(yggdrasil-config-file config)))
1961 (list "-extraconffile" extraconf)
1965 (yggdrasil-configuration-log-level config))
1968 (yggdrasil-configuration-log-to config)))))
1969 (list (shepherd-service
1970 (documentation "Connect to the Yggdrasil mesh network")
1971 (provision '(yggdrasil))
1972 (requirement '(networking))
1973 (start #~(make-forkexec-constructor
1975 #:log-file "/var/log/yggdrasil.log"
1976 #:group "yggdrasil"))
1977 (stop #~(make-kill-destructor)))))
1979 (define %yggdrasil-accounts
1980 (list (user-group (name "yggdrasil") (system? #t))))
1982 (define yggdrasil-service-type
1986 "Connect to the Yggdrasil mesh network.
1987 See @command{yggdrasil -genconf} for config options.")
1989 (list (service-extension shepherd-root-service-type
1990 yggdrasil-shepherd-service)
1991 (service-extension account-service-type
1992 (const %yggdrasil-accounts))
1993 (service-extension profile-service-type
1994 (compose list yggdrasil-configuration-package))))))
2001 (define-record-type* <ipfs-configuration>
2003 make-ipfs-configuration
2005 (package ipfs-configuration-package
2007 (gateway ipfs-configuration-gateway
2008 (default "/ip4/127.0.0.1/tcp/8082"))
2009 (api ipfs-configuration-api
2010 (default "/ip4/127.0.0.1/tcp/5001")))
2012 (define %ipfs-home "/var/lib/ipfs")
2014 (define %ipfs-accounts
2019 (comment "IPFS daemon user")
2020 (home-directory "/var/lib/ipfs")
2021 (shell (file-append shadow "/sbin/nologin")))
2026 (define (ipfs-binary config)
2028 (file-append (ipfs-configuration-package config) "/bin/ipfs"))
2030 (least-authority-wrapper
2033 #:mappings (list %ipfs-home-mapping)
2034 #:namespaces (delq 'net %namespaces)))
2036 (define %ipfs-home-mapping
2037 (file-system-mapping
2042 (define %ipfs-environment
2043 #~(list #$(string-append "HOME=" %ipfs-home)))
2045 (define (ipfs-shepherd-service config)
2046 "Return a <shepherd-service> for IPFS with CONFIG."
2047 (define ipfs-daemon-command
2048 #~(list #$(ipfs-binary config) "daemon"))
2050 (list (shepherd-service
2052 ;; While IPFS is most useful when the machine is connected
2053 ;; to the network, only loopback is required for starting
2055 (requirement '(loopback))
2056 (documentation "Connect to the IPFS network")
2057 (start #~(make-forkexec-constructor
2058 #$ipfs-daemon-command
2059 #:log-file "/var/log/ipfs.log"
2060 #:user "ipfs" #:group "ipfs"
2061 #:environment-variables #$%ipfs-environment))
2062 (stop #~(make-kill-destructor)))))
2064 (define (%ipfs-activation config)
2065 "Return an activation gexp for IPFS with CONFIG"
2066 (define (exec-command . args)
2067 ;; Exec the given ifps command with the right authority.
2068 #~(let ((pid (primitive-fork)))
2073 ;; Run ipfs init and ipfs config from a container,
2074 ;; in case the IPFS daemon was compromised at some point
2075 ;; and ~/.ipfs is now a symlink to somewhere outside
2077 (let ((pw (getpwnam "ipfs")))
2079 (setgid (passwd:gid pw))
2080 (setuid (passwd:uid pw))
2081 (environ #$%ipfs-environment)
2082 (execl #$(ipfs-binary config) #$@args)))
2084 (primitive-exit 127)))
2088 `(("Addresses.API" ,(ipfs-configuration-api config))
2089 ("Addresses.Gateway" ,(ipfs-configuration-gateway config))))
2094 ;; Create $HOME/.ipfs structure
2095 #$(exec-command "ipfs" "init")
2097 #$@(map (match-lambda
2099 (exec-command "ipfs" "config" setting value)))
2102 (define inner-script
2103 (program-file "ipfs-activation-inner" inner-gexp))
2105 ;; The activation may happen from the initrd, which uses
2106 ;; a statically-linked guile, while the guix container
2107 ;; procedures require a working dynamic-link.
2108 #~(system* #$inner-script))
2110 (define ipfs-service-type
2114 (list (service-extension account-service-type
2115 (const %ipfs-accounts))
2116 (service-extension activation-service-type
2118 (service-extension shepherd-root-service-type
2119 ipfs-shepherd-service)))
2120 (default-value (ipfs-configuration))
2122 "Run @command{ipfs daemon}, the reference implementation
2123 of the IPFS peer-to-peer storage network.")))
2130 (define-record-type* <keepalived-configuration>
2131 keepalived-configuration make-keepalived-configuration
2132 keepalived-configuration?
2133 (keepalived keepalived-configuration-keepalived ;file-like
2134 (default keepalived))
2135 (config-file keepalived-configuration-config-file ;file-like
2138 (define keepalived-shepherd-service
2140 (($ <keepalived-configuration> keepalived config-file)
2143 (provision '(keepalived))
2144 (documentation "Run keepalived.")
2145 (requirement '(loopback))
2146 (start #~(make-forkexec-constructor
2147 (list (string-append #$keepalived "/sbin/keepalived")
2148 "--dont-fork" "--log-console" "--log-detail"
2149 "--pid=/var/run/keepalived.pid"
2150 (string-append "--use-file=" #$config-file))
2151 #:pid-file "/var/run/keepalived.pid"
2152 #:log-file "/var/log/keepalived.log"))
2154 (stop #~(make-kill-destructor)))))))
2156 (define keepalived-service-type
2157 (service-type (name 'keepalived)
2158 (extensions (list (service-extension shepherd-root-service-type
2159 keepalived-shepherd-service)))
2161 "Run @uref{https://www.keepalived.org/, Keepalived}
2162 routing software.")))
2164 ;;; networking.scm ends here