1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
3 ;;; Copyright © 2018 Oleg Pykhalov <go.wigust@gmail.com>
5 ;;; This file is part of GNU Guix.
7 ;;; GNU Guix is free software; you can redistribute it and/or modify it
8 ;;; under the terms of the GNU General Public License as published by
9 ;;; the Free Software Foundation; either version 3 of the License, or (at
10 ;;; your option) any later version.
12 ;;; GNU Guix is distributed in the hope that it will be useful, but
13 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
14 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 ;;; GNU General Public License for more details.
17 ;;; You should have received a copy of the GNU General Public License
18 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
20 (define-module (gnu services dns)
21 #:use-module (gnu services)
22 #:use-module (gnu services configuration)
23 #:use-module (gnu services shepherd)
24 #:use-module (gnu system shadow)
25 #:use-module (gnu packages admin)
26 #:use-module (gnu packages dns)
27 #:use-module (guix packages)
28 #:use-module (guix records)
29 #:use-module (guix gexp)
30 #:use-module (srfi srfi-1)
31 #:use-module (srfi srfi-26)
32 #:use-module (srfi srfi-34)
33 #:use-module (srfi srfi-35)
34 #:use-module (ice-9 match)
35 #:use-module (ice-9 regex)
36 #:export (knot-service-type
37 knot-acl-configuration
38 knot-key-configuration
39 knot-keystore-configuration
40 knot-zone-configuration
41 knot-remote-configuration
42 knot-policy-configuration
48 knot-resolver-service-type
49 knot-resolver-configuration
55 ddclient-configuration))
61 (define-record-type* <knot-key-configuration>
62 knot-key-configuration make-knot-key-configuration
63 knot-key-configuration?
64 (id knot-key-configuration-id
66 (algorithm knot-key-configuration-algorithm
67 (default #f)); one of #f, or an algorithm name
68 (secret knot-key-configuration-secret
71 (define-record-type* <knot-acl-configuration>
72 knot-acl-configuration make-knot-acl-configuration
73 knot-acl-configuration?
74 (id knot-acl-configuration-id
76 (address knot-acl-configuration-address
78 (key knot-acl-configuration-key
80 (action knot-acl-configuration-action
82 (deny? knot-acl-configuration-deny?
85 (define-record-type* <zone-entry>
86 zone-entry make-zone-entry
92 (class zone-entry-class
99 (define-record-type* <zone-file>
100 zone-file make-zone-file
102 (entries zone-file-entries
104 (origin zone-file-origin
109 (default "hostmaster"))
110 (serial zone-file-serial
112 (refresh zone-file-refresh
113 (default (* 2 24 3600)))
114 (retry zone-file-retry
116 (expiry zone-file-expiry
117 (default (* 2 7 24 3600)))
120 (define-record-type* <knot-keystore-configuration>
121 knot-keystore-configuration make-knot-keystore-configuration
122 knot-keystore-configuration?
123 (id knot-keystore-configuration-id
125 (backend knot-keystore-configuration-backend
127 (config knot-keystore-configuration-config
128 (default "/var/lib/knot/keys/keys")))
130 (define-record-type* <knot-policy-configuration>
131 knot-policy-configuration make-knot-policy-configuration
132 knot-policy-configuration?
133 (id knot-policy-configuration-id
135 (keystore knot-policy-configuration-keystore
137 (manual? knot-policy-configuration-manual?
139 (single-type-signing? knot-policy-configuration-single-type-signing?
141 (algorithm knot-policy-configuration-algorithm
142 (default "ecdsap256sha256"))
143 (ksk-size knot-policy-configuration-ksk-size
145 (zsk-size knot-policy-configuration-zsk-size
147 (dnskey-ttl knot-policy-configuration-dnskey-ttl
149 (zsk-lifetime knot-policy-configuration-zsk-lifetime
150 (default (* 30 24 3600)))
151 (propagation-delay knot-policy-configuration-propagation-delay
152 (default (* 24 3600)))
153 (rrsig-lifetime knot-policy-configuration-rrsig-lifetime
154 (default (* 14 24 3600)))
155 (rrsig-refresh knot-policy-configuration-rrsig-refresh
156 (default (* 7 24 3600)))
157 (nsec3? knot-policy-configuration-nsec3?
159 (nsec3-iterations knot-policy-configuration-nsec3-iterations
161 (nsec3-salt-length knot-policy-configuration-nsec3-salt-length
163 (nsec3-salt-lifetime knot-policy-configuration-nsec3-salt-lifetime
164 (default (* 30 24 3600))))
166 (define-record-type* <knot-zone-configuration>
167 knot-zone-configuration make-knot-zone-configuration
168 knot-zone-configuration?
169 (domain knot-zone-configuration-domain
171 (file knot-zone-configuration-file
172 (default "")) ; the file where this zone is saved.
173 (zone knot-zone-configuration-zone
174 (default (zone-file))) ; initial content of the zone file
175 (master knot-zone-configuration-master
177 (ddns-master knot-zone-configuration-ddns-master
179 (notify knot-zone-configuration-notify
181 (acl knot-zone-configuration-acl
183 (semantic-checks? knot-zone-configuration-semantic-checks?
185 (disable-any? knot-zone-configuration-disable-any?
187 (zonefile-sync knot-zone-configuration-zonefile-sync
189 (zonefile-load knot-zone-configuration-zonefile-load
191 (journal-content knot-zone-configuration-journal-content
193 (max-journal-usage knot-zone-configuration-max-journal-usage
195 (max-journal-depth knot-zone-configuration-max-journal-depth
197 (max-zone-size knot-zone-configuration-max-zone-size
199 (dnssec-policy knot-zone-configuration-dnssec-policy
201 (serial-policy knot-zone-configuration-serial-policy
202 (default 'increment)))
204 (define-record-type* <knot-remote-configuration>
205 knot-remote-configuration make-knot-remote-configuration
206 knot-remote-configuration?
207 (id knot-remote-configuration-id
209 (address knot-remote-configuration-address
211 (via knot-remote-configuration-via
213 (key knot-remote-configuration-key
216 (define-record-type* <knot-configuration>
217 knot-configuration make-knot-configuration
219 (knot knot-configuration-knot
221 (run-directory knot-configuration-run-directory
222 (default "/var/run/knot"))
223 (includes knot-configuration-includes
225 (listen-v4 knot-configuration-listen-v4
227 (listen-v6 knot-configuration-listen-v6
229 (listen-port knot-configuration-listen-port
231 (keys knot-configuration-keys
233 (keystores knot-configuration-keystores
235 (acls knot-configuration-acls
237 (remotes knot-configuration-remotes
239 (policies knot-configuration-policies
241 (zones knot-configuration-zones
244 (define-syntax define-zone-entries
246 ((_ id (name ttl class type data) ...)
247 (define id (list (make-zone-entry name ttl class type data) ...)))))
249 (define (error-out msg)
250 (raise (condition (&message (message msg)))))
252 (define (verify-knot-key-configuration key)
253 (unless (knot-key-configuration? key)
254 (error-out "keys must be a list of only knot-key-configuration."))
255 (let ((id (knot-key-configuration-id key)))
256 (unless (and (string? id) (not (equal? id "")))
257 (error-out "key id must be a non empty string.")))
258 (unless (memq '(#f hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512)
259 (knot-key-configuration-algorithm key))
260 (error-out "algorithm must be one of: #f, 'hmac-md5, 'hmac-sha1,
261 'hmac-sha224, 'hmac-sha256, 'hmac-sha384 or 'hmac-sha512")))
263 (define (verify-knot-keystore-configuration keystore)
264 (unless (knot-keystore-configuration? keystore)
265 (error-out "keystores must be a list of only knot-keystore-configuration."))
266 (let ((id (knot-keystore-configuration-id keystore)))
267 (unless (and (string? id) (not (equal? id "")))
268 (error-out "keystore id must be a non empty string.")))
269 (unless (memq '(pem pkcs11)
270 (knot-keystore-configuration-backend keystore))
271 (error-out "backend must be one of: 'pem or 'pkcs11")))
273 (define (verify-knot-policy-configuration policy)
274 (unless (knot-policy-configuration? policy)
275 (error-out "policies must be a list of only knot-policy-configuration."))
276 (let ((id (knot-policy-configuration-id policy)))
277 (unless (and (string? id) (not (equal? id "")))
278 (error-out "policy id must be a non empty string."))))
280 (define (verify-knot-acl-configuration acl)
281 (unless (knot-acl-configuration? acl)
282 (error-out "acls must be a list of only knot-acl-configuration."))
283 (let ((id (knot-acl-configuration-id acl))
284 (address (knot-acl-configuration-address acl))
285 (key (knot-acl-configuration-key acl))
286 (action (knot-acl-configuration-action acl)))
287 (unless (and (string? id) (not (equal? id "")))
288 (error-out "acl id must be a non empty string."))
289 (unless (and (list? address)
290 (fold (lambda (x1 x2) (and (string? x1) (string? x2))) "" address))
291 (error-out "acl address must be a list of strings.")))
292 (unless (boolean? (knot-acl-configuration-deny? acl))
293 (error-out "deny? must be #t or #f.")))
295 (define (verify-knot-zone-configuration zone)
296 (unless (knot-zone-configuration? zone)
297 (error-out "zones must be a list of only knot-zone-configuration."))
298 (let ((domain (knot-zone-configuration-domain zone)))
299 (unless (and (string? domain) (not (equal? domain "")))
300 (error-out "zone domain must be a non empty string."))))
302 (define (verify-knot-remote-configuration remote)
303 (unless (knot-remote-configuration? remote)
304 (error-out "remotes must be a list of only knot-remote-configuration."))
305 (let ((id (knot-remote-configuration-id remote)))
306 (unless (and (string? id) (not (equal? id "")))
307 (error-out "remote id must be a non empty string."))))
309 (define (verify-knot-configuration config)
310 (unless (package? (knot-configuration-knot config))
311 (error-out "knot configuration field must be a package."))
312 (unless (string? (knot-configuration-run-directory config))
313 (error-out "run-directory must be a string."))
314 (unless (list? (knot-configuration-includes config))
315 (error-out "includes must be a list of strings or file-like objects."))
316 (unless (list? (knot-configuration-keys config))
317 (error-out "keys must be a list of knot-key-configuration."))
318 (for-each (lambda (key) (verify-knot-key-configuration key))
319 (knot-configuration-keys config))
320 (unless (list? (knot-configuration-keystores config))
321 (error-out "keystores must be a list of knot-keystore-configuration."))
322 (for-each (lambda (keystore) (verify-knot-keystore-configuration keystore))
323 (knot-configuration-keystores config))
324 (unless (list? (knot-configuration-acls config))
325 (error-out "acls must be a list of knot-acl-configuration."))
326 (for-each (lambda (acl) (verify-knot-acl-configuration acl))
327 (knot-configuration-acls config))
328 (unless (list? (knot-configuration-zones config))
329 (error-out "zones must be a list of knot-zone-configuration."))
330 (for-each (lambda (zone) (verify-knot-zone-configuration zone))
331 (knot-configuration-zones config))
332 (unless (list? (knot-configuration-policies config))
333 (error-out "policies must be a list of knot-policy-configuration."))
334 (for-each (lambda (policy) (verify-knot-policy-configuration policy))
335 (knot-configuration-policies config))
336 (unless (list? (knot-configuration-remotes config))
337 (error-out "remotes must be a list of knot-remote-configuration."))
338 (for-each (lambda (remote) (verify-knot-remote-configuration remote))
339 (knot-configuration-remotes config))
342 (define (format-string-list l)
343 "Formats a list of string in YAML"
346 (let ((l (reverse l)))
349 (fold (lambda (x1 x2)
350 (string-append (if (symbol? x1) (symbol->string x1) x1) ", "
351 (if (symbol? x2) (symbol->string x2) x2)))
352 (if (symbol? (car l)) (symbol->string (car l)) (car l)) (cdr l))
355 (define (knot-acl-config acls)
356 (with-output-to-string
360 (let ((id (knot-acl-configuration-id acl-config))
361 (address (knot-acl-configuration-address acl-config))
362 (key (knot-acl-configuration-key acl-config))
363 (action (knot-acl-configuration-action acl-config))
364 (deny? (knot-acl-configuration-deny? acl-config)))
365 (format #t " - id: ~a\n" id)
366 (unless (eq? address '())
367 (format #t " address: ~a\n" (format-string-list address)))
368 (unless (eq? key '())
369 (format #t " key: ~a\n" (format-string-list key)))
370 (unless (eq? action '())
371 (format #t " action: ~a\n" (format-string-list action)))
372 (format #t " deny: ~a\n" (if deny? "on" "off"))))
375 (define (knot-key-config keys)
376 (with-output-to-string
380 (let ((id (knot-key-configuration-id key-config))
381 (algorithm (knot-key-configuration-algorithm key-config))
382 (secret (knot-key-configuration-secret key-config)))
383 (format #t " - id: ~a\n" id)
385 (format #t " algorithm: ~a\n" (symbol->string algorithm)))
386 (format #t " secret: ~a\n" secret)))
389 (define (knot-keystore-config keystores)
390 (with-output-to-string
393 (lambda (keystore-config)
394 (let ((id (knot-keystore-configuration-id keystore-config))
395 (backend (knot-keystore-configuration-backend keystore-config))
396 (config (knot-keystore-configuration-config keystore-config)))
397 (format #t " - id: ~a\n" id)
398 (format #t " backend: ~a\n" (symbol->string backend))
399 (format #t " config: \"~a\"\n" config)))
402 (define (knot-policy-config policies)
403 (with-output-to-string
406 (lambda (policy-config)
407 (let ((id (knot-policy-configuration-id policy-config))
408 (keystore (knot-policy-configuration-keystore policy-config))
409 (manual? (knot-policy-configuration-manual? policy-config))
410 (single-type-signing? (knot-policy-configuration-single-type-signing?
412 (algorithm (knot-policy-configuration-algorithm policy-config))
413 (ksk-size (knot-policy-configuration-ksk-size policy-config))
414 (zsk-size (knot-policy-configuration-zsk-size policy-config))
415 (dnskey-ttl (knot-policy-configuration-dnskey-ttl policy-config))
416 (zsk-lifetime (knot-policy-configuration-zsk-lifetime policy-config))
417 (propagation-delay (knot-policy-configuration-propagation-delay
419 (rrsig-lifetime (knot-policy-configuration-rrsig-lifetime
421 (nsec3? (knot-policy-configuration-nsec3? policy-config))
422 (nsec3-iterations (knot-policy-configuration-nsec3-iterations
424 (nsec3-salt-length (knot-policy-configuration-nsec3-salt-length
426 (nsec3-salt-lifetime (knot-policy-configuration-nsec3-salt-lifetime
428 (format #t " - id: ~a\n" id)
429 (format #t " keystore: ~a\n" keystore)
430 (format #t " manual: ~a\n" (if manual? "on" "off"))
431 (format #t " single-type-signing: ~a\n" (if single-type-signing?
433 (format #t " algorithm: ~a\n" algorithm)
434 (format #t " ksk-size: ~a\n" (number->string ksk-size))
435 (format #t " zsk-size: ~a\n" (number->string zsk-size))
436 (unless (eq? dnskey-ttl 'default)
437 (format #t " dnskey-ttl: ~a\n" dnskey-ttl))
438 (format #t " zsk-lifetime: ~a\n" zsk-lifetime)
439 (format #t " propagation-delay: ~a\n" propagation-delay)
440 (format #t " rrsig-lifetime: ~a\n" rrsig-lifetime)
441 (format #t " nsec3: ~a\n" (if nsec3? "on" "off"))
442 (format #t " nsec3-iterations: ~a\n"
443 (number->string nsec3-iterations))
444 (format #t " nsec3-salt-length: ~a\n"
445 (number->string nsec3-salt-length))
446 (format #t " nsec3-salt-lifetime: ~a\n" nsec3-salt-lifetime)))
449 (define (knot-remote-config remotes)
450 (with-output-to-string
453 (lambda (remote-config)
454 (let ((id (knot-remote-configuration-id remote-config))
455 (address (knot-remote-configuration-address remote-config))
456 (via (knot-remote-configuration-via remote-config))
457 (key (knot-remote-configuration-key remote-config)))
458 (format #t " - id: ~a\n" id)
459 (unless (eq? address '())
460 (format #t " address: ~a\n" (format-string-list address)))
461 (unless (eq? via '())
462 (format #t " via: ~a\n" (format-string-list via)))
464 (format #t " key: ~a\n" key))))
467 (define (serialize-zone-entries entries)
468 (with-output-to-string
472 (let ((name (zone-entry-name entry))
473 (ttl (zone-entry-ttl entry))
474 (class (zone-entry-class entry))
475 (type (zone-entry-type entry))
476 (data (zone-entry-data entry)))
477 (format #t "~a ~a ~a ~a ~a\n" name ttl class type data)))
480 (define (serialize-zone-file zone domain)
481 (computed-file (string-append domain ".zone")
483 (call-with-output-file #$output
485 (format port "$ORIGIN ~a.\n"
486 #$(zone-file-origin zone))
487 (format port "@ IN SOA ~a ~a (~a ~a ~a ~a ~a)\n"
488 #$(zone-file-ns zone)
489 #$(zone-file-mail zone)
490 #$(zone-file-serial zone)
491 #$(zone-file-refresh zone)
492 #$(zone-file-retry zone)
493 #$(zone-file-expiry zone)
494 #$(zone-file-nx zone))
496 #$(serialize-zone-entries (zone-file-entries zone))))))))
498 (define (knot-zone-config zone)
499 (let ((content (knot-zone-configuration-zone zone)))
500 #~(with-output-to-string
502 (let ((domain #$(knot-zone-configuration-domain zone))
503 (file #$(knot-zone-configuration-file zone))
504 (master (list #$@(knot-zone-configuration-master zone)))
505 (ddns-master #$(knot-zone-configuration-ddns-master zone))
506 (notify (list #$@(knot-zone-configuration-notify zone)))
507 (acl (list #$@(knot-zone-configuration-acl zone)))
508 (semantic-checks? #$(knot-zone-configuration-semantic-checks? zone))
509 (disable-any? #$(knot-zone-configuration-disable-any? zone))
510 (zonefile-sync #$(knot-zone-configuration-zonefile-sync zone))
511 (zonefile-load '#$(knot-zone-configuration-zonefile-load zone))
512 (journal-content #$(knot-zone-configuration-journal-content zone))
513 (max-journal-usage #$(knot-zone-configuration-max-journal-usage zone))
514 (max-journal-depth #$(knot-zone-configuration-max-journal-depth zone))
515 (max-zone-size #$(knot-zone-configuration-max-zone-size zone))
516 (dnssec-policy #$(knot-zone-configuration-dnssec-policy zone))
517 (serial-policy '#$(knot-zone-configuration-serial-policy zone)))
518 (format #t " - domain: ~a\n" domain)
520 ;; This server is a master
522 (format #t " file: ~a\n"
523 #$(serialize-zone-file content
524 (knot-zone-configuration-domain zone)))
525 (format #t " file: ~a\n" file))
526 ;; This server is a slave (has masters)
528 (format #t " master: ~a\n"
529 #$(format-string-list
530 (knot-zone-configuration-master zone)))
531 (if ddns-master (format #t " ddns-master ~a\n" ddns-master))))
532 (unless (eq? notify '())
533 (format #t " notify: ~a\n"
534 #$(format-string-list
535 (knot-zone-configuration-notify zone))))
536 (unless (eq? acl '())
537 (format #t " acl: ~a\n"
538 #$(format-string-list
539 (knot-zone-configuration-acl zone))))
540 (format #t " semantic-checks: ~a\n" (if semantic-checks? "on" "off"))
541 (format #t " disable-any: ~a\n" (if disable-any? "on" "off"))
543 (format #t " zonefile-sync: ~a\n" zonefile-sync))
545 (format #t " zonefile-load: ~a\n"
546 (symbol->string zonefile-load)))
548 (format #t " journal-content: ~a\n"
549 (symbol->string journal-content)))
550 (if max-journal-usage
551 (format #t " max-journal-usage: ~a\n" max-journal-usage))
552 (if max-journal-depth
553 (format #t " max-journal-depth: ~a\n" max-journal-depth))
555 (format #t " max-zone-size: ~a\n" max-zone-size))
558 (format #t " dnssec-signing: on\n")
559 (format #t " dnssec-policy: ~a\n" dnssec-policy)))
560 (format #t " serial-policy: ~a\n"
561 (symbol->string serial-policy)))))))
563 (define (knot-config-file config)
564 (verify-knot-configuration config)
565 (computed-file "knot.conf"
567 (call-with-output-file #$output
569 (for-each (lambda (inc)
570 (format port "include: ~a\n" inc))
571 '#$(knot-configuration-includes config))
572 (format port "server:\n")
573 (format port " rundir: ~a\n" #$(knot-configuration-run-directory config))
574 (format port " user: knot\n")
575 (format port " listen: ~a@~a\n"
576 #$(knot-configuration-listen-v4 config)
577 #$(knot-configuration-listen-port config))
578 (format port " listen: ~a@~a\n"
579 #$(knot-configuration-listen-v6 config)
580 #$(knot-configuration-listen-port config))
581 (format port "\nkey:\n")
582 (format port #$(knot-key-config (knot-configuration-keys config)))
583 (format port "\nkeystore:\n")
584 (format port #$(knot-keystore-config (knot-configuration-keystores config)))
585 (format port "\nacl:\n")
586 (format port #$(knot-acl-config (knot-configuration-acls config)))
587 (format port "\nremote:\n")
588 (format port #$(knot-remote-config (knot-configuration-remotes config)))
589 (format port "\npolicy:\n")
590 (format port #$(knot-policy-config (knot-configuration-policies config)))
591 (unless #$(eq? (knot-configuration-zones config) '())
592 (format port "\nzone:\n")
595 (list #$@(map knot-zone-config
596 (knot-configuration-zones config)))))))))))
598 (define %knot-accounts
599 (list (user-group (name "knot") (system? #t))
604 (comment "knot dns server user")
605 (home-directory "/var/empty")
606 (shell (file-append shadow "/sbin/nologin")))))
608 (define (knot-activation config)
610 (use-modules (guix build utils))
611 (define (mkdir-p/perms directory owner perms)
613 (chown directory (passwd:uid owner) (passwd:gid owner))
614 (chmod directory perms))
615 (mkdir-p/perms #$(knot-configuration-run-directory config)
616 (getpwnam "knot") #o755)
617 (mkdir-p/perms "/var/lib/knot" (getpwnam "knot") #o755)
618 (mkdir-p/perms "/var/lib/knot/keys" (getpwnam "knot") #o755)
619 (mkdir-p/perms "/var/lib/knot/keys/keys" (getpwnam "knot") #o755)))
621 (define (knot-shepherd-service config)
622 (let* ((config-file (knot-config-file config))
623 (knot (knot-configuration-knot config)))
624 (list (shepherd-service
625 (documentation "Run the Knot DNS daemon.")
626 (provision '(knot dns))
627 (requirement '(networking))
628 (start #~(make-forkexec-constructor
629 (list (string-append #$knot "/sbin/knotd")
630 "-c" #$config-file)))
631 (stop #~(make-kill-destructor))))))
633 (define knot-service-type
634 (service-type (name 'knot)
636 (list (service-extension shepherd-root-service-type
637 knot-shepherd-service)
638 (service-extension activation-service-type
640 (service-extension account-service-type
641 (const %knot-accounts))))))
648 (define-record-type* <knot-resolver-configuration>
649 knot-resolver-configuration
650 make-knot-resolver-configuration
651 knot-resolver-configuration?
652 (package knot-resolver-configuration-package
653 (default knot-resolver))
654 (kresd-config-file knot-resolver-kresd-config-file
655 (default %kresd.conf))
656 (garbage-collection-interval knot-resolver-garbage-collection-interval
660 (plain-file "kresd.conf" "-- -*- mode: lua -*-
661 net = { '127.0.0.1', '::1' }
662 user('knot-resolver', 'knot-resolver')
663 modules = { 'hints > iterate', 'stats', 'predict' }
664 cache.size = 100 * MB
667 (define %knot-resolver-accounts
669 (name "knot-resolver")
672 (name "knot-resolver")
673 (group "knot-resolver")
675 (home-directory "/var/cache/knot-resolver")
676 (shell (file-append shadow "/sbin/nologin")))))
678 (define (knot-resolver-activation config)
680 (use-modules (guix build utils))
681 (let ((rundir "/var/cache/knot-resolver")
682 (owner (getpwnam "knot-resolver")))
684 (chown rundir (passwd:uid owner) (passwd:gid owner)))))
686 (define knot-resolver-shepherd-services
688 (($ <knot-resolver-configuration> package
690 garbage-collection-interval)
694 (requirement '(networking))
695 (documentation "Run the Knot Resolver daemon.")
696 (start #~(make-forkexec-constructor
697 '(#$(file-append package "/sbin/kresd")
698 "-c" #$kresd-config-file "-f" "1"
699 "/var/cache/knot-resolver")))
700 (stop #~(make-kill-destructor)))
702 (provision '(kres-cache-gc))
703 (requirement '(user-processes))
704 (documentation "Run the Knot Resolver Garbage Collector daemon.")
705 (start #~(make-forkexec-constructor
706 '(#$(file-append package "/sbin/kres-cache-gc")
707 "-d" #$(number->string garbage-collection-interval)
708 "-c" "/var/cache/knot-resolver")
709 #:user "knot-resolver"
710 #:group "knot-resolver"))
711 (stop #~(make-kill-destructor)))))))
713 (define knot-resolver-service-type
715 (name 'knot-resolver)
717 (list (service-extension shepherd-root-service-type
718 knot-resolver-shepherd-services)
719 (service-extension activation-service-type
720 knot-resolver-activation)
721 (service-extension account-service-type
722 (const %knot-resolver-accounts))))
723 (default-value (knot-resolver-configuration))
724 (description "Run the Knot DNS Resolver.")))
731 (define-record-type* <dnsmasq-configuration>
732 dnsmasq-configuration make-dnsmasq-configuration
733 dnsmasq-configuration?
734 (package dnsmasq-configuration-package
735 (default dnsmasq)) ;package
736 (no-hosts? dnsmasq-configuration-no-hosts?
737 (default #f)) ;boolean
738 (port dnsmasq-configuration-port
739 (default 53)) ;integer
740 (local-service? dnsmasq-configuration-local-service?
741 (default #t)) ;boolean
742 (listen-addresses dnsmasq-configuration-listen-address
743 (default '())) ;list of string
744 (resolv-file dnsmasq-configuration-resolv-file
745 (default "/etc/resolv.conf")) ;string
746 (no-resolv? dnsmasq-configuration-no-resolv?
747 (default #f)) ;boolean
748 (servers dnsmasq-configuration-servers
749 (default '())) ;list of string
750 (cache-size dnsmasq-configuration-cache-size
751 (default 150)) ;integer
752 (negative-cache? dnsmasq-configuration-negative-cache?
753 (default #t))) ;boolean
755 (define dnsmasq-shepherd-service
757 (($ <dnsmasq-configuration> package
759 port local-service? listen-addresses
760 resolv-file no-resolv? servers
761 cache-size negative-cache?)
763 (provision '(dnsmasq))
764 (requirement '(networking))
765 (documentation "Run the dnsmasq DNS server.")
766 (start #~(make-forkexec-constructor
767 '(#$(file-append package "/sbin/dnsmasq")
768 "--keep-in-foreground"
769 "--pid-file=/run/dnsmasq.pid"
773 #$(format #f "--port=~a" port)
774 #$@(if local-service?
777 #$@(map (cut format #f "--listen-address=~a" <>)
779 #$(format #f "--resolv-file=~a" resolv-file)
783 #$@(map (cut format #f "--server=~a" <>)
785 #$(format #f "--cache-size=~a" cache-size)
786 #$@(if negative-cache?
789 #:pid-file "/run/dnsmasq.pid"))
790 (stop #~(make-kill-destructor))))))
792 (define dnsmasq-service-type
796 (list (service-extension shepherd-root-service-type
797 (compose list dnsmasq-shepherd-service))))
798 (default-value (dnsmasq-configuration))
799 (description "Run the dnsmasq DNS server.")))
806 (define (uglify-field-name field-name)
807 (string-delete #\? (symbol->string field-name)))
809 (define (serialize-field field-name val)
810 (when (not (member field-name '(group secret-file user)))
811 (format #t "~a=~a\n" (uglify-field-name field-name) val)))
813 (define (serialize-boolean field-name val)
814 (serialize-field field-name (if val "yes" "no")))
816 (define (serialize-integer field-name val)
817 (serialize-field field-name (number->string val)))
819 (define (serialize-string field-name val)
820 (if (and (string? val) (string=? val ""))
822 (serialize-field field-name val)))
824 (define (serialize-list field-name val)
825 (if (null? val) "" (serialize-field field-name (string-join val))))
827 (define (serialize-extra-options extra-options)
828 (string-join extra-options "\n" 'suffix))
830 (define-configuration ddclient-configuration
833 "The ddclient package.")
836 "The period after which ddclient will retry to check IP and domain name.")
839 "Use syslog for the output.")
845 "Mail failed update to user.")
847 (string "/var/run/ddclient/ddclient.pid")
848 "The ddclient PID file.")
851 "Enable SSL support.")
854 "Specifies the user name or ID that is used when running ddclient
858 "Group of the user who will run the ddclient program.")
860 (string "/etc/ddclient/secrets.conf")
861 "Secret file which will be appended to @file{ddclient.conf} file. This
862 file contains credentials for use by ddclient. You are expected to create it
866 "Extra options will be appended to @file{ddclient.conf} file."))
868 (define (ddclient-account config)
869 "Return the user accounts and user groups for CONFIG."
870 (let ((ddclient-user (ddclient-configuration-user config))
871 (ddclient-group (ddclient-configuration-group config)))
873 (name ddclient-group)
878 (group ddclient-group)
879 (comment "ddclientd privilege separation user")
880 (home-directory (string-append "/var/run/" ddclient-user))))))
882 (define (ddclient-activation config)
883 "Return the activation GEXP for CONFIG."
884 (with-imported-modules '((guix build utils)
887 (use-modules (guix build utils)
890 (passwd:uid (getpw #$(ddclient-configuration-user config))))
892 (passwd:gid (getpw #$(ddclient-configuration-group config))))
893 (ddclient-secret-file
894 #$(ddclient-configuration-secret-file config)))
895 ;; 'ddclient' complains about ddclient.conf file permissions, which
896 ;; rules out /gnu/store. Thus we copy the ddclient.conf to /etc.
897 (for-each (lambda (dir)
900 (chown dir ddclient-user ddclient-group))
901 '("/var/cache/ddclient" "/var/run/ddclient"
903 (with-output-to-file "/etc/ddclient/ddclient.conf"
907 "# Generated by 'ddclient-service'.\n\n"
908 #$(with-output-to-string
910 (serialize-configuration config
911 ddclient-configuration-fields)))
912 (if (string-null? ddclient-secret-file)
914 (format #f "\n\n# Appended from '~a'.\n\n~a"
916 (with-input-from-file ddclient-secret-file
918 (chmod "/etc/ddclient/ddclient.conf" #o600)
919 (chown "/etc/ddclient/ddclient.conf"
920 ddclient-user ddclient-group)))))
922 (define (ddclient-shepherd-service config)
923 "Return a <shepherd-service> for ddclient with CONFIG."
924 (let ((ddclient (ddclient-configuration-ddclient config))
925 (ddclient-pid (ddclient-configuration-pid config))
926 (ddclient-user (ddclient-configuration-user config))
927 (ddclient-group (ddclient-configuration-group config)))
928 (list (shepherd-service
929 (provision '(ddclient))
930 (documentation "Run ddclient daemon.")
931 (start #~(make-forkexec-constructor
932 (list #$(file-append ddclient "/bin/ddclient")
934 "-file" "/etc/ddclient/ddclient.conf")
935 #:pid-file #$ddclient-pid
936 #:environment-variables
937 (list "SSL_CERT_DIR=/run/current-system/profile\
939 "SSL_CERT_FILE=/run/current-system/profile\
940 /etc/ssl/certs/ca-certificates.crt")
941 #:user #$ddclient-user
942 #:group #$ddclient-group))
943 (stop #~(make-kill-destructor))))))
945 (define ddclient-service-type
949 (list (service-extension account-service-type
951 (service-extension shepherd-root-service-type
952 ddclient-shepherd-service)
953 (service-extension activation-service-type
954 ddclient-activation)))
955 (default-value (ddclient-configuration))
956 (description "Configure address updating utility for dynamic DNS services,
959 (define (generate-ddclient-documentation)
960 (generate-documentation
961 `((ddclient-configuration ,ddclient-configuration-fields))
962 'ddclient-configuration))