[jackhill/guix/guix.git] / gnu / system / nss.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2018 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu system nss)
  #:use-module (rnrs enums)
  #:use-module (guix records)
  #:use-module (srfi srfi-9)
  #:use-module (ice-9 match)
  #:export (name-service-switch?
            name-service-switch
            name-service?
            name-service

            lookup-specification

            %default-nss
            %mdns-host-lookup-nss

            %files
            %compat
            %dns

            name-service-switch->string))

;;; Commentary:
;;;
;;; Bindings for libc's name service switch (NSS) configuration.
;;;
;;; Code:

(define-record-type* <name-service> name-service
  make-name-service
  name-service?
  (name     name-service-name)
  (reaction name-service-reaction
            (default (lookup-specification))))

;; Lookup specification (info "(libc) Actions in the NSS Configuration").

(define-enumeration lookup-action
  (return continue)
  make-lookup-action)

(define-enumeration lookup-status
  (success
   not-found
   unavailable
   try-again)
  make-lookup-status)

(define-record-type <lookup-status-negation>
  (lookup-status-negation status)
  lookup-status-negation?
  (status lookup-status-negation-status))

(define-record-type <lookup-reaction>
  (make-lookup-reaction status action)
  lookup-reaction?
  (status  lookup-reaction-status)
  (action  lookup-reaction-action))

(define-syntax lookup-reaction
  (syntax-rules (not =>)
    ((_ ((not status) => action))
     (make-lookup-reaction (lookup-status-negation (lookup-status status))
                           (lookup-action action)))
    ((_ (status => action))
     (make-lookup-reaction (lookup-status status)
                           (lookup-action action)))))

(define-syntax-rule (lookup-specification reaction ...)
  "Return an NSS lookup specification."
  (list (lookup-reaction reaction) ...))

\f
;;;
;;; Common name services and default NSS configuration.
;;;

(define %compat
  ;; Note: Starting from version 2.26, libc no longer provides libnss_compat
  ;; so this specification has become useless.
  (name-service
    (name "compat")
    (reaction (lookup-specification (not-found => return)))))

(define %files
  (name-service (name "files")))

(define %dns
  ;; DNS is supposed to be authoritative, so unless it's unavailable, return
  ;; what it finds.
  (name-service
    (name "dns")
    (reaction (lookup-specification ((not unavailable) => return)))))

;; The NSS.  We list all the databases here because that allows us to
;; statically ensure that the user's configuration refers to existing
;; databases.  See libc/nss/databases.def for the list of databases.  Default
;; values obtained by looking for "DEFAULT_CONFIG" in libc/nss/*.c.
;;
;; Although libc places 'dns' before 'files' in the default configurations of
;; the 'hosts' and 'networks' databases, we choose to put 'files' before 'dns'
;; by default, so that users can override host/address mappings in /etc/hosts
;; and bypass DNS to improve their privacy and escape NSA's MORECOWBELL.
(define-record-type* <name-service-switch> name-service-switch
  make-name-service-switch
  name-service-switch?
  (aliases    name-service-switch-aliases
              (default '()))
  (ethers     name-service-switch-ethers
              (default '()))
  (group      name-service-switch-group
              (default (list %files)))
  (gshadow    name-service-switch-gshadow
              (default '()))
  (hosts      name-service-switch-hosts
              (default (list %files %dns)))
  (initgroups name-service-switch-initgroups
              (default '()))
  (netgroup   name-service-switch-netgroup
              (default '()))
  (networks   name-service-switch-networks
              (default (list %files %dns)))
  (password   name-service-switch-password
              (default (list %files)))
  (public-key name-service-switch-public-key
              (default '()))
  (rpc        name-service-switch-rpc
              (default '()))
  (services   name-service-switch-services
              (default '()))
  (shadow     name-service-switch-shadow
              (default (list %files))))

(define %default-nss
  ;; Default NSS configuration.
  (name-service-switch))

(define %mdns-host-lookup-nss
  (name-service-switch
    (hosts (list %files                           ;first, check /etc/hosts

                 ;; If the above did not succeed, try with 'mdns_minimal'.
                 (name-service
                   (name "mdns_minimal")

                   ;; 'mdns_minimal' is authoritative for '.local'.  When it
                   ;; returns "not found", no need to try the next methods.
                   (reaction (lookup-specification
                              (not-found => return))))

                 ;; Then fall back to DNS.
                 (name-service
                   (name "dns"))

                 ;; Finally, try with the "full" 'mdns'.
                 (name-service
                   (name "mdns"))))))

\f
;;;
;;; Serialization.
;;;

(define (lookup-status->string status)
  (match status
    ('success     "SUCCESS")
    ('not-found   "NOTFOUND")
    ('unavailable "UNAVAIL")
    ('try-again   "TRYAGAIN")
    (($ <lookup-status-negation> status)
     (string-append "!" (lookup-status->string status)))))

(define lookup-reaction->string
  (match-lambda
   (($ <lookup-reaction> status action)
    (string-append (lookup-status->string status) "="
                   (symbol->string action)))))

(define name-service->string
  (match-lambda
   (($ <name-service> name ())
    name)
   (($ <name-service> name reactions)
    (string-append name " ["
                   (string-join (map lookup-reaction->string reactions))
                   "]"))))

(define (name-service-switch->string nss)
  "Return the 'nsswitch.conf' contents for NSS as a string.  See \"NSS
Configuration File\" in the libc manual."
  (let-syntax ((->string
                (syntax-rules ()
                  ((_ name field)
                   (match (field nss)
                     (()                          ;keep the default config
                      "")
                     ((services (... ...))
                      (string-append name ":\t"
                                     (string-join
                                      (map name-service->string services))
                                     "\n")))))))
    (string-append (->string "aliases"    name-service-switch-aliases)
                   (->string "ethers"     name-service-switch-ethers)
                   (->string "group"      name-service-switch-group)
                   (->string "gshadow"    name-service-switch-gshadow)
                   (->string "hosts"      name-service-switch-hosts)
                   (->string "initgroups" name-service-switch-initgroups)
                   (->string "netgroup"   name-service-switch-netgroup)
                   (->string "networks"   name-service-switch-networks)
                   (->string "passwd"     name-service-switch-password)
                   (->string "publickey"  name-service-switch-public-key)
                   (->string "rpc"        name-service-switch-rpc)
                   (->string "services"   name-service-switch-services)
                   (->string "shadow"     name-service-switch-shadow))))

;;; Local Variables:
;;; eval: (put 'name-service 'scheme-indent-function 0)
;;; eval: (put 'name-service-switch 'scheme-indent-function 0)
;;; End:

;;; nss.scm ends here
Commit	Line	Data
996ed739	1	;;; GNU Guix --- Functional package management for GNU
f7a5cf7a	2	;;; Copyright © 2015, 2018 Ludovic Courtès <ludo@gnu.org>
996ed739 LC	3	;;;
	4	;;; This file is part of GNU Guix.
	5	;;;
	6	;;; GNU Guix is free software; you can redistribute it and/or modify it
	7	;;; under the terms of the GNU General Public License as published by
	8	;;; the Free Software Foundation; either version 3 of the License, or (at
	9	;;; your option) any later version.
	10	;;;
	11	;;; GNU Guix is distributed in the hope that it will be useful, but
	12	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	13	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	;;; GNU General Public License for more details.
	15	;;;
	16	;;; You should have received a copy of the GNU General Public License
	17	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	18
	19	(define-module (gnu system nss)
	20	#:use-module (rnrs enums)
	21	#:use-module (guix records)
	22	#:use-module (srfi srfi-9)
	23	#:use-module (ice-9 match)
	24	#:export (name-service-switch?
	25	name-service-switch
	26	name-service?
	27	name-service
	28
	29	lookup-specification
	30
	31	%default-nss
15137a29 LC	32	%mdns-host-lookup-nss
15137a29 LC	33
996ed739 LC	34	%files
	35	%compat
	36	%dns
	37
	38	name-service-switch->string))
	39
	40	;;; Commentary:
	41	;;;
	42	;;; Bindings for libc's name service switch (NSS) configuration.
	43	;;;
	44	;;; Code:
	45
	46	(define-record-type* <name-service> name-service
	47	make-name-service
	48	name-service?
	49	(name name-service-name)
	50	(reaction name-service-reaction
	51	(default (lookup-specification))))
	52
	53	;; Lookup specification (info "(libc) Actions in the NSS Configuration").
	54
	55	(define-enumeration lookup-action
	56	(return continue)
	57	make-lookup-action)
	58
	59	(define-enumeration lookup-status
	60	(success
	61	not-found
	62	unavailable
	63	try-again)
	64	make-lookup-status)
	65
	66	(define-record-type <lookup-status-negation>
	67	(lookup-status-negation status)
	68	lookup-status-negation?
	69	(status lookup-status-negation-status))
	70
	71	(define-record-type <lookup-reaction>
	72	(make-lookup-reaction status action)
	73	lookup-reaction?
	74	(status lookup-reaction-status)
	75	(action lookup-reaction-action))
	76
	77	(define-syntax lookup-reaction
	78	(syntax-rules (not =>)
	79	((_ ((not status) => action))
	80	(make-lookup-reaction (lookup-status-negation (lookup-status status))
	81	(lookup-action action)))
	82	((_ (status => action))
	83	(make-lookup-reaction (lookup-status status)
	84	(lookup-action action)))))
	85
	86	(define-syntax-rule (lookup-specification reaction ...)
	87	"Return an NSS lookup specification."
	88	(list (lookup-reaction reaction) ...))
	89
	90	\f
	91	;;;
	92	;;; Common name services and default NSS configuration.
	93	;;;
	94
	95	(define %compat
f7a5cf7a LC	96	;; Note: Starting from version 2.26, libc no longer provides libnss_compat
f7a5cf7a LC	97	;; so this specification has become useless.
996ed739 LC	98	(name-service
	99	(name "compat")
	100	(reaction (lookup-specification (not-found => return)))))
	101
	102	(define %files
	103	(name-service (name "files")))
	104
	105	(define %dns
	106	;; DNS is supposed to be authoritative, so unless it's unavailable, return
	107	;; what it finds.
	108	(name-service
	109	(name "dns")
	110	(reaction (lookup-specification ((not unavailable) => return)))))
	111
	112	;; The NSS. We list all the databases here because that allows us to
	113	;; statically ensure that the user's configuration refers to existing
	114	;; databases. See libc/nss/databases.def for the list of databases. Default
	115	;; values obtained by looking for "DEFAULT_CONFIG" in libc/nss/*.c.
	116	;;
	117	;; Although libc places 'dns' before 'files' in the default configurations of
	118	;; the 'hosts' and 'networks' databases, we choose to put 'files' before 'dns'
	119	;; by default, so that users can override host/address mappings in /etc/hosts
	120	;; and bypass DNS to improve their privacy and escape NSA's MORECOWBELL.
	121	(define-record-type* <name-service-switch> name-service-switch
	122	make-name-service-switch
	123	name-service-switch?
	124	(aliases name-service-switch-aliases
	125	(default '()))
	126	(ethers name-service-switch-ethers
	127	(default '()))
	128	(group name-service-switch-group
f7a5cf7a	129	(default (list %files)))
996ed739 LC	130	(gshadow name-service-switch-gshadow
	131	(default '()))
	132	(hosts name-service-switch-hosts
	133	(default (list %files %dns)))
	134	(initgroups name-service-switch-initgroups
	135	(default '()))
	136	(netgroup name-service-switch-netgroup
	137	(default '()))
	138	(networks name-service-switch-networks
	139	(default (list %files %dns)))
	140	(password name-service-switch-password
f7a5cf7a	141	(default (list %files)))
996ed739 LC	142	(public-key name-service-switch-public-key
	143	(default '()))
	144	(rpc name-service-switch-rpc
	145	(default '()))
	146	(services name-service-switch-services
	147	(default '()))
	148	(shadow name-service-switch-shadow
f7a5cf7a	149	(default (list %files))))
996ed739 LC	150
	151	(define %default-nss
	152	;; Default NSS configuration.
	153	(name-service-switch))
	154
15137a29 LC	155	(define %mdns-host-lookup-nss
	156	(name-service-switch
	157	(hosts (list %files ;first, check /etc/hosts
	158
	159	;; If the above did not succeed, try with 'mdns_minimal'.
	160	(name-service
	161	(name "mdns_minimal")
	162
	163	;; 'mdns_minimal' is authoritative for '.local'. When it
	164	;; returns "not found", no need to try the next methods.
	165	(reaction (lookup-specification
	166	(not-found => return))))
	167
	168	;; Then fall back to DNS.
	169	(name-service
	170	(name "dns"))
	171
	172	;; Finally, try with the "full" 'mdns'.
	173	(name-service
	174	(name "mdns"))))))
	175
996ed739 LC	176	\f
	177	;;;
	178	;;; Serialization.
	179	;;;
	180
	181	(define (lookup-status->string status)
	182	(match status
	183	('success "SUCCESS")
	184	('not-found "NOTFOUND")
	185	('unavailable "UNAVAIL")
	186	('try-again "TRYAGAIN")
	187	(($ <lookup-status-negation> status)
	188	(string-append "!" (lookup-status->string status)))))
	189
	190	(define lookup-reaction->string
	191	(match-lambda
	192	(($ <lookup-reaction> status action)
	193	(string-append (lookup-status->string status) "="
	194	(symbol->string action)))))
	195
	196	(define name-service->string
	197	(match-lambda
	198	(($ <name-service> name ())
	199	name)
	200	(($ <name-service> name reactions)
	201	(string-append name " ["
	202	(string-join (map lookup-reaction->string reactions))
	203	"]"))))
	204
	205	(define (name-service-switch->string nss)
	206	"Return the 'nsswitch.conf' contents for NSS as a string. See \"NSS
	207	Configuration File\" in the libc manual."
	208	(let-syntax ((->string
	209	(syntax-rules ()
	210	((_ name field)
	211	(match (field nss)
	212	(() ;keep the default config
	213	"")
	214	((services (... ...))
	215	(string-append name ":\t"
	216	(string-join
	217	(map name-service->string services))
	218	"\n")))))))
	219	(string-append (->string "aliases" name-service-switch-aliases)
	220	(->string "ethers" name-service-switch-ethers)
	221	(->string "group" name-service-switch-group)
	222	(->string "gshadow" name-service-switch-gshadow)
	223	(->string "hosts" name-service-switch-hosts)
	224	(->string "initgroups" name-service-switch-initgroups)
	225	(->string "netgroup" name-service-switch-netgroup)
	226	(->string "networks" name-service-switch-networks)
	227	(->string "passwd" name-service-switch-password)
	228	(->string "publickey" name-service-switch-public-key)
	229	(->string "rpc" name-service-switch-rpc)
	230	(->string "services" name-service-switch-services)
	231	(->string "shadow" name-service-switch-shadow))))
	232
	233	;;; Local Variables:
	234	;;; eval: (put 'name-service 'scheme-indent-function 0)
	235	;;; eval: (put 'name-service-switch 'scheme-indent-function 0)
	236	;;; End:
	237
	238	;;; nss.scm ends here