1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
5 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
6 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
7 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
8 ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
9 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
10 ;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
11 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
12 ;;; Copyright © 2019 Florian Pelz <pelzflorian@pelzflorian.de>
13 ;;; Copyright © 2019 Maxim Cournoyer <maxim.cournoyer@gmail.com>
14 ;;; Copyright © 2019 Sou Bunnbu <iyzsong@member.fsf.org>
15 ;;; Copyright © 2019 Alex Griffin <a@ajgrf.com>
17 ;;; This file is part of GNU Guix.
19 ;;; GNU Guix is free software; you can redistribute it and/or modify it
20 ;;; under the terms of the GNU General Public License as published by
21 ;;; the Free Software Foundation; either version 3 of the License, or (at
22 ;;; your option) any later version.
24 ;;; GNU Guix is distributed in the hope that it will be useful, but
25 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
26 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 ;;; GNU General Public License for more details.
29 ;;; You should have received a copy of the GNU General Public License
30 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
;; Module interface of the networking services.  Each exported service type
;; comes with its configuration record (constructor, predicate and field
;; accessors); the 'define-deprecated' procedures further down are kept only
;; for backward compatibility with older system declarations.
(define-module (gnu services networking)
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu services configuration)
#:use-module (gnu services shepherd)
#:use-module (gnu services dbus)
#:use-module (gnu system shadow)
#:use-module (gnu system pam)
#:use-module (gnu packages admin)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages connman)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages linux)
#:use-module (gnu packages tor)
#:use-module (gnu packages usb-modeswitch)
#:use-module (gnu packages messaging)
#:use-module (gnu packages networking)
#:use-module (gnu packages ntp)
#:use-module (gnu packages wicd)
#:use-module (gnu packages gnome)
#:use-module (guix gexp)
#:use-module (guix records)
#:use-module (guix modules)
#:use-module (guix packages)
#:use-module (guix deprecation)
#:use-module (rnrs enums)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-26)
#:use-module (ice-9 match)
;; The static-networking bindings are defined in one of the modules used
;; above and merely re-exported from here.
#:re-export (static-networking-service
static-networking-service-type)
#:export (%facebook-host-aliases
dhcp-client-service-type
dhcpd-configuration-package
dhcpd-configuration-config-file
dhcpd-configuration-version
dhcpd-configuration-run-directory
dhcpd-configuration-lease-file
dhcpd-configuration-pid-file
dhcpd-configuration-interfaces
ntp-configuration-servers
ntp-allow-large-adjustment?
openntpd-configuration
openntpd-configuration?
network-manager-configuration
network-manager-configuration?
network-manager-configuration-dns
network-manager-configuration-vpn-plugins
network-manager-service-type
connman-configuration
connman-configuration?
modem-manager-configuration
modem-manager-configuration?
modem-manager-service-type
usb-modeswitch-configuration
usb-modeswitch-configuration?
usb-modeswitch-configuration-usb-modeswitch
usb-modeswitch-configuration-usb-modeswitch-data
usb-modeswitch-service-type
<wpa-supplicant-configuration>
wpa-supplicant-configuration
wpa-supplicant-configuration?
wpa-supplicant-configuration-wpa-supplicant
wpa-supplicant-configuration-pid-file
wpa-supplicant-configuration-dbus?
wpa-supplicant-configuration-interface
wpa-supplicant-configuration-config-file
wpa-supplicant-configuration-extra-options
wpa-supplicant-service-type
hostapd-configuration
hostapd-configuration?
hostapd-configuration-package
hostapd-configuration-interface
hostapd-configuration-ssid
hostapd-configuration-broadcast-ssid?
hostapd-configuration-channel
hostapd-configuration-driver
simulated-wifi-service-type
openvswitch-service-type
openvswitch-configuration
iptables-configuration
iptables-configuration?
iptables-configuration-iptables
iptables-configuration-ipv4-rules
iptables-configuration-ipv6-rules
iptables-service-type
nftables-service-type
nftables-configuration
nftables-configuration?
nftables-configuration-package
nftables-configuration-ruleset
%default-nftables-ruleset
pagekite-service-type
pagekite-configuration
pagekite-configuration?
pagekite-configuration-package
pagekite-configuration-kitename
pagekite-configuration-kitesecret
pagekite-configuration-frontend
pagekite-configuration-kites
pagekite-configuration-extra-file))
185 ;;; Networking services.
(define %facebook-host-aliases
;; This is the list of known Facebook hosts to be added to /etc/hosts if you
;; Each entry points a Facebook-owned host name at the loopback address so
;; that name resolution for it never leaves the machine.
;; NOTE(review): the IPv6 lines use a BSD-style zone suffix ("%lo0"); on
;; Linux the loopback interface is named "lo", so confirm the resolver
;; handles these entries as intended before counting on them.
# Block Facebook IPv4.
127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
127.0.0.1 login.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 www.fbcdn.net
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 connect.facebook.net
127.0.0.1 www.connect.facebook.net
127.0.0.1 apps.facebook.com
# Block Facebook IPv6.
fe80::1%lo0 facebook.com
fe80::1%lo0 login.facebook.com
fe80::1%lo0 www.login.facebook.com
fe80::1%lo0 fbcdn.net
fe80::1%lo0 www.fbcdn.net
fe80::1%lo0 fbcdn.com
fe80::1%lo0 www.fbcdn.com
fe80::1%lo0 static.ak.fbcdn.net
fe80::1%lo0 static.ak.connect.facebook.com
fe80::1%lo0 connect.facebook.net
fe80::1%lo0 www.connect.facebook.net
fe80::1%lo0 apps.facebook.com\n")
;; Shepherd service type whose value is the DHCP client package.  The
;; service runs that package's 'dhclient' on every non-loopback interface it
;; manages to bring up, and provides 'networking'.
(define dhcp-client-service-type
(shepherd-service-type
;; The 'dhclient' executable and its PID file location.
(file-append dhcp "/sbin/dhclient"))
"/var/run/dhclient.pid")
(documentation "Set up networking via DHCP.")
(requirement '(user-processes udev))
;; XXX: Running with '-nw' ("no wait") avoids blocking for a minute when
;; networking is unavailable, but also means that the interface is not up
;; yet when 'start' completes. To wait for the interface to be ready, one
;; should instead monitor udev events.
(provision '(networking))
;; When invoked without any arguments, 'dhclient' discovers all
;; non-loopback interfaces *that are up*. However, the relevant
;; interfaces are typically down at this point. Thus we perform
;; our own interface discovery here.
;; An interface qualifies when it is ARP-capable, not loopback, and
;; could actually be brought up.
(and (arp-network-interface? interface)
(not (loopback-network-interface? interface))
;; XXX: Make sure the interfaces are up so that
;; 'dhclient' can actually send/receive over them.
;; Ignore those that cannot be activated.
(set-network-interface-up interface)))))
(filter valid? (all-network-interface-names)))
;; Drop a stale PID file from a previous run; a missing file is fine.
(false-if-exception (delete-file #$pid-file))
(let ((pid (fork+exec-command
(cons* #$dhclient "-nw"
"-pf" #$pid-file ifaces))))
;; The launcher must exit successfully; the PID Shepherd then tracks is
;; the one read back from PID-FILE, not that of the launcher.
(and (zero? (cdr (waitpid pid)))
(read-pid-file #$pid-file)))))
(stop #~(make-kill-destructor))))
;; Backward-compatible wrapper superseded by 'dhcp-client-service-type'.
;; The service value is the DHCP client package itself (default: 'isc-dhcp').
(define-deprecated (dhcp-client-service #:key (dhcp isc-dhcp))
  dhcp-client-service-type
  "Return a service that runs @var{dhcp}, a Dynamic Host Configuration
Protocol (DHCP) client, on all the non-loopback network interfaces."
  (service dhcp-client-service-type dhcp))
;; Configuration of the DHCP server daemon ('dhcpd').  'config-file' is
;; mandatory (see 'dhcpd-shepherd-service'); 'version' selects the protocol
;; family and also names the Shepherd provision.
(define-record-type* <dhcpd-configuration>
dhcpd-configuration make-dhcpd-configuration
(package dhcpd-configuration-package ;<package>
(config-file dhcpd-configuration-config-file ;file-like
(version dhcpd-configuration-version ;"4", "6", or "4o6"
;; On-disk state; 'dhcpd-activation' creates the run directory and an empty
;; lease database when they are missing.
(run-directory dhcpd-configuration-run-directory
(default "/run/dhcpd"))
(lease-file dhcpd-configuration-lease-file
(default "/var/db/dhcpd.leases"))
(pid-file dhcpd-configuration-pid-file
(default "/run/dhcpd/dhcpd.pid"))
;; list of strings, e.g. (list "enp0s25")
(interfaces dhcpd-configuration-interfaces
;; Return the Shepherd service list for a <dhcpd-configuration>.  Fails
;; early when no 'config-file' was supplied, since 'dhcpd' cannot run
;; without one.
(define dhcpd-shepherd-service
(($ <dhcpd-configuration> package config-file version run-directory
lease-file pid-file interfaces)
(error "Must supply a config-file"))
(list (shepherd-service
;; Allow users to easily run multiple versions simultaneously.
(provision (list (string->symbol
(string-append "dhcpv" version "-daemon"))))
(documentation (string-append "Run the DHCPv" version " daemon"))
(requirement '(networking))
;; The protocol family flag ("-4", "-6" or "-4o6") is derived from VERSION.
(start #~(make-forkexec-constructor
'(#$(file-append package "/sbin/dhcpd")
#$(string-append "-" version)
#:pid-file #$pid-file))
(stop #~(make-kill-destructor)))))))
;; Activation gexp: prepare the daemon's on-disk state and check the
;; configuration before the Shepherd service is started.
(define dhcpd-activation
(($ <dhcpd-configuration> package config-file version run-directory
lease-file pid-file interfaces)
(with-imported-modules '((guix build utils))
(unless (file-exists? #$run-directory)
(mkdir #$run-directory))
;; According to the DHCP manual (man dhcpd.leases), the lease
;; database must be present for dhcpd to start successfully.
(unless (file-exists? #$lease-file)
(with-output-to-file #$lease-file
(lambda _ (display ""))))
;; Validate the config.
;; 'dhcpd -t' only parses the configuration; it does not start serving.
#$(file-append package "/sbin/dhcpd") "-t" "-cf"
;; Service type for the DHCP server: a Shepherd service plus the activation
;; snippet that sets up its state directories.
(define dhcpd-service-type
(list (service-extension shepherd-root-service-type dhcpd-shepherd-service)
(service-extension activation-service-type dhcpd-activation)))
(description "Run a DHCP (Dynamic Host Configuration Protocol) daemon. The
daemon is responsible for allocating IP addresses to its client.")))
;; Accepted values of the 'type' field of <ntp-server>;
;; 'ntp-server->string' rejects any symbol outside this set.
(define ntp-server-types (make-enumeration
;; One upstream time source for 'ntp-service-type', serialized by
;; 'ntp-server->string' into a line of ntpd.conf.
(define-record-type* <ntp-server>
ntp-server make-ntp-server
;; The type can be one of the symbols of the NTP-SERVER-TYPE? enumeration.
(type ntp-server-type
(address ntp-server-address) ; a string
;; The list of options can contain single option names or tuples in the form
(options ntp-server-options
(define (ntp-server->string ntp-server)
;; Serialize the NTP server object as a string, ready to use in the NTP
;; configuration file.
;; 'flatten' formats each option element with "~a"; presumably it also
;; unnests (name value) tuples into individual strings -- TODO confirm.
(define (flatten lst)
(cons (format #f "~a" x) res)))))
(($ <ntp-server> type address options)
;; XXX: It'd be neater if fields were validated at the syntax level (for
;; static ones at least). Perhaps the Guix record type could support a
;; predicate property on a field?
(unless (enum-set-member? type ntp-server-types)
(error "Invalid NTP server type" type))
;; Resulting line: "TYPE ADDRESS OPTION..." joined with spaces.
(string-join (cons* (symbol->string type)
(flatten options))))))
;; Default set of NTP servers. These URLs are managed by the NTP Pool project.
;; Within Guix, Leo Famulari <leo@famulari.name> is the administrative contact
;; for this NTP pool "zone".
;; Used as the default 'servers' of <ntp-configuration> and, through
;; 'ntp-server-address', as the basis of '%openntpd-servers'.
(address "0.guix.pool.ntp.org")
(options '("iburst"))))) ;as recommended in the ntpd manual
;; Configuration for 'ntp-service-type'.  'servers' should be read through
;; 'ntp-configuration-servers' rather than the raw accessor, so that the
;; deprecated list-of-strings form keeps working.
(define-record-type* <ntp-configuration>
ntp-configuration make-ntp-configuration
(ntp ntp-configuration-ntp
(servers %ntp-configuration-servers ;list of <ntp-server> objects
(default %ntp-servers))
(allow-large-adjustment? ntp-allow-large-adjustment?
(default #t))) ;as recommended in the ntpd manual
(define (ntp-configuration-servers ntp-configuration)
;; A wrapper to support the deprecated form of this field.
;; A list of plain strings (the old form) is accepted with a warning on
;; stderr and turned into <ntp-server> records with no options; a list of
;; <ntp-server> records is handled by the second clause.
(let ((ntp-servers (%ntp-configuration-servers ntp-configuration)))
(((? string?) (? string?) ...)
(format (current-error-port) "warning: Defining NTP servers as strings is \
deprecated. Please use <ntp-server> records instead.\n")
(options '()))) ntp-servers))
((($ <ntp-server>) ($ <ntp-server>) ...)
;; Build ntpd.conf and the Shepherd service for an <ntp-configuration>.
;; The generated configuration denies remote modification and status
;; queries (see the CVE-2013-5211 note inside it); it configures no packet
;; authentication, so upstream servers are trusted on network path alone.
(define ntp-shepherd-service
(($ <ntp-configuration> ntp servers allow-large-adjustment?)
(let ((servers (ntp-configuration-servers config)))
;; TODO: Add authentication support.
;; The drift file lives in the directory created by 'ntp-service-activation'.
(string-append "driftfile /var/run/ntpd/ntp.drift\n"
(string-join (map ntp-server->string servers)
# Disable status queries as a workaround for CVE-2013-5211:
# <http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using>.
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
# Yet, allow use of the local 'ntpq'.
# This is required to use servers from a pool directive when using the 'nopeer'
# option by default, as documented in the 'ntp.conf' manual.
restrict source notrap nomodify noquery\n"))
(plain-file "ntpd.conf" config))
(list (shepherd-service
(documentation "Run the Network Time Protocol (NTP) daemon.")
(requirement '(user-processes networking))
;; '-n' keeps ntpd in the foreground under Shepherd; '-u ntpd' makes it
;; drop privileges to the dedicated account from '%ntp-accounts'.
(start #~(make-forkexec-constructor
(list (string-append #$ntp "/bin/ntpd") "-n"
"-c" #$ntpd.conf "-u" "ntpd"
#$@(if allow-large-adjustment?
(stop #~(make-kill-destructor)))))))))
;; Unprivileged system account the NTP daemons switch to: no login shell
;; and an empty home directory.
(define %ntp-accounts
(comment "NTP daemon user")
(home-directory "/var/empty")
(shell (file-append shadow "/sbin/nologin")))))
(define (ntp-service-activation config)
"Return the activation gexp for CONFIG."
;; Creates the runtime directory (where ntpd.conf puts the drift file) and
;; hands it to the daemon's account so the unprivileged ntpd can write there.
(with-imported-modules '((guix build utils))
(use-modules (guix build utils))
(let ((directory "/var/run/ntpd"))
(chown directory (passwd:uid %user) (passwd:gid %user))))))
;; Service type for ntpd: Shepherd service, the shared NTP account, and the
;; activation snippet creating /var/run/ntpd.
(define ntp-service-type
(service-type (name 'ntp)
(list (service-extension shepherd-root-service-type
ntp-shepherd-service)
(service-extension account-service-type
(const %ntp-accounts))
(service-extension activation-service-type
ntp-service-activation)))
"Run the @command{ntpd}, the Network Time Protocol (NTP)
daemon of the @uref{http://www.ntp.org, Network Time Foundation}. The daemon
will keep the system clock synchronized with that of the given servers.")
(default-value (ntp-configuration))))
;; Backward-compatible wrapper around 'ntp-service-type'.  Note that, unlike
;; 'ntp-configuration' (which defaults to #t), ALLOW-LARGE-ADJUSTMENT? has no
;; default here and is therefore #f when omitted.
(define-deprecated (ntp-service #:key (ntp ntp)
(servers %ntp-servers)
allow-large-adjustment?)
"Return a service that runs the daemon from @var{ntp}, the
@uref{http://www.ntp.org, Network Time Protocol package}. The daemon will
keep the system clock synchronized with that of @var{servers}.
@var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to
make an initial adjustment of more than 1,000 seconds."
(service ntp-service-type
(ntp-configuration (ntp ntp)
(allow-large-adjustment?
allow-large-adjustment?))))
;; Addresses of the default NTP pool servers as plain strings, since
;; 'openntpd-configuration->string' formats each server entry directly.
;; Field order of <ntp-server> is type, address, options.
(define %openntpd-servers
  (map (match-lambda
         (($ <ntp-server> _ address _) address))
       %ntp-servers))
;; Configuration for 'openntpd-service-type'.  Each list-valued field maps
;; to a directive of ntpd.conf (see 'openntpd-configuration->string').
;; 'listen-on' defaults to loopback addresses, so the daemon does not serve
;; time to the network unless explicitly configured to.
(define-record-type* <openntpd-configuration>
openntpd-configuration make-openntpd-configuration
openntpd-configuration?
(openntpd openntpd-configuration-openntpd
(listen-on openntpd-listen-on
(default '("127.0.0.1"
(query-from openntpd-query-from
(sensor openntpd-sensor
(server openntpd-server
(servers openntpd-servers
(default %openntpd-servers))
(constraint-from openntpd-constraint-from
(constraints-from openntpd-constraints-from
(allow-large-adjustment? openntpd-allow-large-adjustment?
(default #f))) ; upstream default
(define (openntpd-configuration->string config)
;; Return the text of ntpd.conf for CONFIG: one "<directive> <value>" line
;; per value, fields with an empty list being omitted altogether.
;; Values of the fields named here are emitted in double quotes.
(define (quote-field? name)
(member name '("constraints from")))
(match-record config <openntpd-configuration>
(listen-on query-from sensor server servers constraint-from
(filter-map (lambda (field values)
(() #f) ;discard entry with filter-map
((val ...) ;validate value type
(if (quote-field? field)
(format #f "~a \"~a\"" field value)
(format #f "~a ~a" field value)))
;; The directive names, in the same order as the field values below.
'("listen on" "query from" "sensor" "server" "servers"
"constraint from" "constraints from")
;; The corresponding entry values.
(list listen-on query-from sensor server servers
constraint-from constraints-from)))
"\n"))) ;add a trailing newline
(define (openntpd-shepherd-service config)
;; Shepherd service running OpenNTPD in the foreground with the generated
;; ntpd.conf; its output is sent to /var/log/ntpd (see below).
(let ((openntpd (openntpd-configuration-openntpd config))
(allow-large-adjustment? (openntpd-allow-large-adjustment? config)))
(plain-file "ntpd.conf" (openntpd-configuration->string config)))
(list (shepherd-service
(documentation "Run the Network Time Protocol (NTP) daemon.")
(requirement '(user-processes networking))
(start #~(make-forkexec-constructor
(list (string-append #$openntpd "/sbin/ntpd")
"-d" ;; don't daemonize
#$@(if allow-large-adjustment?
;; When ntpd is daemonized it repeatedly tries to respawn
;; while running, leading shepherd to disable it. To
;; prevent spamming stderr, redirect output to logfile.
#:log-file "/var/log/ntpd"))
(stop #~(make-kill-destructor))))))
(define (openntpd-service-activation config)
"Return the activation gexp for CONFIG."
;; Seeds the drift file with "0.0" when it does not exist yet; an existing
;; file is left untouched so the learned drift survives reboots.
(with-imported-modules '((guix build utils))
(use-modules (guix build utils))
(unless (file-exists? "/var/db/ntpd.drift")
(with-output-to-file "/var/db/ntpd.drift"
(format #t "0.0")))))))
;; Service type for OpenNTPD.  It shares '%ntp-accounts' with
;; 'ntp-service-type' and additionally adds the package to the system
;; profile.
(define openntpd-service-type
(service-type (name 'openntpd)
(list (service-extension shepherd-root-service-type
openntpd-shepherd-service)
(service-extension account-service-type
(const %ntp-accounts))
(service-extension profile-service-type
(compose list openntpd-configuration-openntpd))
(service-extension activation-service-type
openntpd-service-activation)))
(default-value (openntpd-configuration))
"Run the @command{ntpd}, the Network Time Protocol (NTP)
daemon, as implemented by @uref{http://www.openntpd.org, OpenNTPD}. The
daemon will keep the system clock synchronized with that of the given servers.")))
;; Configuration for 'inetd-service-type': the inetd executable and the list
;; of services it should listen for.  Other services may extend the entry
;; list (see the 'extend' procedure of the service type).
(define-record-type* <inetd-configuration> inetd-configuration
make-inetd-configuration
(program inetd-configuration-program ;file-like
(default (file-append inetutils "/libexec/inetd")))
(entries inetd-configuration-entries ;list of <inetd-entry>
;; One line of inetd.conf (see 'inetd-config-file' for the serialization).
;; 'user' is the account inetd switches to before running 'program', so it
;; bounds the privileges of the spawned service.
(define-record-type* <inetd-entry> inetd-entry make-inetd-entry
(node inetd-entry-node ;string or #f
(name inetd-entry-name) ;string, from /etc/services
(socket-type inetd-entry-socket-type) ;stream | dgram | raw |
(protocol inetd-entry-protocol) ;string, from /etc/protocols
(wait? inetd-entry-wait? ;Boolean
(user inetd-entry-user) ;string
(program inetd-entry-program ;string or file-like object
(default "internal"))
(arguments inetd-entry-arguments ;list of strings or file-like objects
(define (inetd-config-file entries)
;; Build inetd.conf with one line per <inetd-entry>:
;;   [NODE:]NAME SOCKET-TYPE PROTOCOL wait|nowait USER PROGRAM ARGS...
;; The 'match' on the socket type has no fallback clause, so an unknown
;; symbol fails while the file is being built rather than at run time.
(apply mixed-text-file "inetd.conf"
(let* ((node (inetd-entry-node entry))
(name (inetd-entry-name entry))
(if node (string-append node ":" name) name))
(match (inetd-entry-socket-type entry)
((or 'stream 'dgram 'raw 'rdm 'seqpacket)
(symbol->string (inetd-entry-socket-type entry)))))
(protocol (inetd-entry-protocol entry))
(wait (if (inetd-entry-wait? entry) "wait" "nowait"))
(user (inetd-entry-user entry))
(program (inetd-entry-program entry))
(args (inetd-entry-arguments entry)))
(list #$@(list socket type protocol wait user program) #$@args)
;; Shepherd service for inetd.  With no entries there is no service at all,
;; so an unconfigured inetd never listens on anything.
(define inetd-shepherd-service
(($ <inetd-configuration> program ()) '()) ; empty list of entries -> do nothing
(($ <inetd-configuration> program entries)
(documentation "Run inetd.")
;; 'syslogd' is required, presumably because inetd logs through syslog.
(requirement '(user-processes networking syslogd))
(start #~(make-forkexec-constructor
(list #$program #$(inetd-config-file entries))
#:pid-file "/var/run/inetd.pid"))
(stop #~(make-kill-destructor)))))))
;; Service type for inetd.  Extensions contribute lists of <inetd-entry>,
;; which are concatenated and appended to the configuration's own entries.
(define-public inetd-service-type
(list (service-extension shepherd-root-service-type
inetd-shepherd-service)))
;; The service can be extended with additional lists of entries.
(compose concatenate)
(extend (lambda (config entries)
(entries (append (inetd-configuration-entries config)
"Start @command{inetd}, the @dfn{Internet superserver}. It is responsible
for listening on Internet sockets and spawning the corresponding services on
;; Configuration for 'tor-service-type'.  The user-supplied 'config-file' is
;; appended to the generated torrc (see 'tor-configuration->torrc'); hidden
;; services are <hidden-service> records, usually contributed through
;; 'tor-hidden-service-type' rather than listed here directly.
(define-record-type* <tor-configuration>
tor-configuration make-tor-configuration
(tor tor-configuration-tor
(config-file tor-configuration-config-file
(default (plain-file "empty" "")))
(hidden-services tor-configuration-hidden-services
(socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
(define %tor-accounts
;; User account and groups for Tor.
;; The "tor" group also gates access to the SOCKS Unix socket (see
;; 'tor-activation'); the account has no login shell.
(list (user-group (name "tor") (system? #t))
(comment "Tor daemon user")
(home-directory "/var/empty")
(shell (file-append shadow "/sbin/nologin")))))
;; A Tor hidden service: NAME becomes the directory under
;; /var/lib/tor/hidden-services, MAPPING lists (PORT HOST) pairs turned into
;; HiddenServicePort lines.
(define-record-type <hidden-service>
(hidden-service name mapping)
(name hidden-service-name) ;string
(mapping hidden-service-mapping)) ;list of port/address tuples
(define (tor-configuration->torrc config)
"Return a 'torrc' file for CONFIG."
;; The generated part pins DataDirectory, PidFile and syslog logging, moves
;; the SOCKS port to a group-writable Unix socket when SOCKS-SOCKET-TYPE is
;; 'unix, and emits one HiddenServiceDir/HiddenServicePort block per hidden
;; service.  The user's CONFIG-FILE is appended verbatim afterwards.
;; NOTE(review): since the user file comes last, whether it can override
;; the generated settings depends on how Tor resolves repeated options;
;; confirm against the Tor manual before relying on either behavior.
(($ <tor-configuration> tor config-file services socks-socket-type)
(with-imported-modules '((guix build utils))
(use-modules (guix build utils)
(call-with-output-file #$output
### These lines were generated from your system configuration:
DataDirectory /var/lib/tor
PidFile /var/run/tor/tor.pid
Log notice syslog\n" port)
(when (eq? 'unix '#$socks-socket-type)
SocksPort unix:/var/run/tor/socks-sock
UnixSocksGroupWritable 1\n" port))
(for-each (match-lambda
((service (ports hosts) ...)
HiddenServiceDir /var/lib/tor/hidden-services/~a~%"
(for-each (lambda (tcp-port host)
HiddenServicePort ~a ~a~%"
'#$(map (match-lambda
(($ <hidden-service> name mapping)
(cons name mapping)))
### End of automatically generated lines.\n\n" port)
;; Append the user's config file.
(call-with-input-file #$config-file
(dump-port input port)))
(define (tor-shepherd-service config)
"Return a <shepherd-service> running Tor."
;; Tor is started through 'make-forkexec-constructor/container' from
;; (gnu build shepherd), i.e. in a container where only the file-system
;; mappings listed below (state directory, syslog socket, run directory)
;; are visible to it.
(($ <tor-configuration> tor)
(let ((torrc (tor-configuration->torrc config)))
(with-imported-modules (source-module-closure
'((gnu build shepherd)
(gnu system file-systems)))
(list (shepherd-service
;; Tor needs at least one network interface to be up, hence the
;; dependency on 'loopback'.
(requirement '(user-processes loopback syslogd))
(modules '((gnu build shepherd)
(gnu system file-systems)))
(start #~(make-forkexec-constructor/container
(list #$(file-append tor "/bin/tor") "-f" #$torrc)
#:mappings (list (file-system-mapping
(source "/var/lib/tor")
(source "/dev/log") ;for syslog
(source "/var/run/tor")
#:pid-file "/var/run/tor/tor.pid"))
(stop #~(make-kill-destructor))
(documentation "Run the Tor anonymous network overlay."))))))))
(define (tor-activation config)
"Set up directories for Tor and its hidden services, if any."
;; Everything Tor writes to is owned by its dedicated account and kept
;; private (0700), except /var/run/tor which is group-accessible so that the
;; SOCKS Unix socket can be shared with members of the "tor" group.
(use-modules (guix build utils))
(define (initialize service)
(let ((directory (string-append "/var/lib/tor/hidden-services/"
(chown directory (passwd:uid %user) (passwd:gid %user))
;; The daemon bails out if we give wider permissions.
(chmod directory #o700)))
;; Allow Tor to write its PID file.
(mkdir-p "/var/run/tor")
(chown "/var/run/tor" (passwd:uid %user) (passwd:gid %user))
;; Set the group permissions to rw so that if the system administrator
;; has specified UnixSocksGroupWritable=1 in their torrc file, members
;; of the "tor" group will be able to use the SOCKS socket.
(chmod "/var/run/tor" #o750)
;; Allow Tor to access the hidden services' directories.
(mkdir-p "/var/lib/tor")
(chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))
(chmod "/var/lib/tor" #o700)
;; Make sure /var/lib is accessible to the 'tor' user.
;; (This sets /var/lib to exactly 0755, its conventional mode.)
(chmod "/var/lib" #o755)
'#$(map hidden-service-name
(tor-configuration-hidden-services config)))))
;; Service type for Tor.  Extensions contribute <hidden-service> records,
;; which are concatenated and appended to the configuration's own list.
(define tor-service-type
(service-type (name 'tor)
(list (service-extension shepherd-root-service-type
tor-shepherd-service)
(service-extension account-service-type
(const %tor-accounts))
(service-extension activation-service-type
;; This can be extended with hidden services.
(compose concatenate)
(extend (lambda (config services)
(append (tor-configuration-hidden-services config)
(default-value (tor-configuration))
"Run the @uref{https://torproject.org, Tor} anonymous
networking daemon.")))
;; Backward-compatible wrapper around 'tor-service-type' taking only the
;; user's torrc fragment; other settings keep their record defaults.
(define-deprecated (tor-service #:optional
(config-file (plain-file "empty" ""))
"Return a service to run the @uref{https://torproject.org, Tor} anonymous
The daemon runs as the @code{tor} unprivileged user. It is passed
@var{config-file}, a file-like object, with an additional @code{User tor} line
and lines for hidden services added via @code{tor-hidden-service}. Run
@command{man tor} for information about the configuration file."
(service tor-service-type
(tor-configuration (tor tor)
(config-file config-file))))
(define tor-hidden-service-type
;; A type that extends Tor with hidden services.
;; Its service value is a single <hidden-service>, wrapped in a list when
;; handed to 'tor-service-type'.
(service-type (name 'tor-hidden-service)
(list (service-extension tor-service-type list)))
"Define a new Tor @dfn{hidden service}.")))
;; Convenience constructor: an instance of 'tor-hidden-service-type' for
;; NAME and MAPPING (see the docstring for the MAPPING shape).
(define (tor-hidden-service name mapping)
"Define a new Tor @dfn{hidden service} called @var{name} and implementing
@var{mapping}. @var{mapping} is a list of port/host tuples, such as:
'((22 \"127.0.0.1:22\")
(80 \"127.0.0.1:8080\"))
In this example, port 22 of the hidden service is mapped to local port 22, and
port 80 is mapped to local port 8080.
This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
the @file{hostname} file contains the @code{.onion} host name for the hidden
See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
project's documentation} for more information."
(service tor-hidden-service-type
(hidden-service name mapping)))
(define %wicd-activation
;; Activation gexp for Wicd.
;; Installs the default dhclient template only when none exists, so a
;; locally edited template is never overwritten.
(use-modules (guix build utils))
(mkdir-p "/etc/wicd")
(let ((file-name "/etc/wicd/dhclient.conf.template.default"))
(unless (file-exists? file-name)
(copy-file (string-append #$wicd file-name)
;; Wicd invokes 'wpa_supplicant', which needs this directory for its
;; named socket files.
;; 0750: the control sockets are not reachable by arbitrary local users.
(mkdir-p "/var/run/wpa_supplicant")
(chmod "/var/run/wpa_supplicant" #o750)))
(define (wicd-shepherd-service wicd)
"Return a shepherd service for WICD."
;; WICD is the package; the daemon provides 'networking' and needs the
;; system D-Bus to be up since clients talk to it over D-Bus.
(list (shepherd-service
(documentation "Run the Wicd network manager.")
(provision '(networking))
(requirement '(user-processes dbus-system loopback))
(start #~(make-forkexec-constructor
(list (string-append #$wicd "/sbin/wicd")
(stop #~(make-kill-destructor)))))
;; Service type for Wicd.  The service value is the package; it is handed to
;; the Shepherd, D-Bus and profile extensions directly.
(define wicd-service-type
(service-type (name 'wicd)
(list (service-extension shepherd-root-service-type
wicd-shepherd-service)
(service-extension dbus-root-service-type
(service-extension activation-service-type
(const %wicd-activation))
;; Add Wicd to the global profile.
(service-extension profile-service-type list)))
"Run @url{https://launchpad.net/wicd,Wicd}, a network
management daemon that aims to simplify wired and wireless networking.")))
(define* (wicd-service #:key (wicd wicd))
  "Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
management daemon that aims to simplify wired and wireless networking.

This service adds the @var{wicd} package to the global profile, providing
several commands to interact with the daemon and configure networking:
@command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
and @command{wicd-curses} user interfaces."
  ;; The service value is the package itself: 'wicd-service-type' both runs
  ;; its daemon and adds it to the profile.
  (let ((package wicd))
    (service wicd-service-type package)))
;; Configuration for 'modem-manager-service-type': the only knob is which
;; ModemManager package to run.
(define-record-type* <modem-manager-configuration>
  modem-manager-configuration make-modem-manager-configuration
  modem-manager-configuration?
  (modem-manager modem-manager-configuration-modem-manager ;<package>
                 (default modem-manager)))
;; Configuration for 'network-manager-service-type'.  'dns' is written as
;; the "dns=" setting of NetworkManager.conf; 'vpn-plugins' are packages
;; unioned into the directory NetworkManager searches for VPN plugins.
(define-record-type* <network-manager-configuration>
network-manager-configuration make-network-manager-configuration
network-manager-configuration?
(network-manager network-manager-configuration-network-manager
(default network-manager))
(dns network-manager-configuration-dns
(default "default"))
(vpn-plugins network-manager-configuration-vpn-plugins ;list of <package>
(define network-manager-activation
;; Activation gexp for NetworkManager
;; NOTE(review): system-connections holds connection profiles, which may
;; contain secrets; no mode is set here, so the directory's permissions come
;; from 'mkdir-p' and the umask -- confirm it is not world-readable.
(($ <network-manager-configuration> network-manager dns vpn-plugins)
(use-modules (guix build utils))
(mkdir-p "/etc/NetworkManager/system-connections")
#$@(if (equal? dns "dnsmasq")
;; create directory to store dnsmasq lease file
'((mkdir-p "/var/lib/misc"))
(define (vpn-plugin-directory plugins)
  "Return a directory containing PLUGINS, the NM VPN plugins."
  ;; A single union so that NetworkManager finds every plugin under one
  ;; lib/NetworkManager/VPN prefix via NM_VPN_PLUGIN_DIR.
  (let ((union-name "network-manager-vpn-plugins"))
    (directory-union union-name plugins)))
(define (network-manager-accounts config)
"Return the list of <user-account> and <user-group> for CONFIG."
;; One system account per VPN plugin (named from the package's properties,
;; with a fallback), each with a nologin shell and no home directory, plus
;; the "network-manager" group they all belong to.
(file-append shadow "/sbin/nologin"))
(append-map (lambda (package)
(user-account (system? #t)
(group "network-manager")
(comment "NetworkManager helper")
(home-directory "/var/empty")
(create-home-directory? #f)
(or (assoc-ref (package-properties package)
(network-manager-configuration-vpn-plugins config)))
(cons (user-group (name "network-manager") (system? #t))
;; Session environment contributed by the service: points user-facing tools
;; at the same VPN plugin union the daemon uses.
(define network-manager-environment
(($ <network-manager-configuration> network-manager dns vpn-plugins)
;; Define this variable in the global environment such that
;; "nmcli connection import type openvpn file foo.ovpn" works.
`(("NM_VPN_PLUGIN_DIR"
. ,(file-append (vpn-plugin-directory vpn-plugins)
"/lib/NetworkManager/VPN"))))))
(define network-manager-shepherd-service
(($ <network-manager-configuration> network-manager dns vpn-plugins)
;; NetworkManager.conf carries only the DNS backend; VPN plugins are found
;; through NM_VPN_PLUGIN_DIR pointing at the plugin union.
(let ((conf (plain-file "NetworkManager.conf"
(string-append "[main]\ndns=" dns "\n")))
(vpn (vpn-plugin-directory vpn-plugins)))
(list (shepherd-service
(documentation "Run the NetworkManager.")
(provision '(networking))
(requirement '(user-processes dbus-system wpa-supplicant loopback))
(start #~(make-forkexec-constructor
(list (string-append #$network-manager
"/sbin/NetworkManager")
(string-append "--config=" #$conf)
#:environment-variables
(list (string-append "NM_VPN_PLUGIN_DIR=" #$vpn
"/lib/NetworkManager/VPN")
;; Override non-existent default users
;; NOTE(review): an empty override presumably means the OpenVPN helper
;; does not switch to a dedicated group; verify against the plugin's
;; handling of NM_OPENVPN_GROUP, and revisit if such an account is added.
"NM_OPENVPN_GROUP=")))
(stop #~(make-kill-destructor))))))))
;; Service type for NetworkManager.  'config->packages' yields the daemon
;; plus the VPN plugins and feeds both the D-Bus and profile extensions.
(define network-manager-service-type
(($ <network-manager-configuration> network-manager _ vpn-plugins)
`(,network-manager ,@vpn-plugins)))))
(name 'network-manager)
(list (service-extension shepherd-root-service-type
network-manager-shepherd-service)
(service-extension dbus-root-service-type config->packages)
(service-extension polkit-service-type
network-manager-configuration-network-manager))
(service-extension account-service-type
network-manager-accounts)
(service-extension activation-service-type
network-manager-activation)
(service-extension session-environment-service-type
network-manager-environment)
;; Add network-manager to the system profile.
(service-extension profile-service-type config->packages)))
(default-value (network-manager-configuration))
"Run @uref{https://wiki.gnome.org/Projects/NetworkManager,
NetworkManager}, a network management daemon that aims to simplify wired and
wireless networking."))))
1133 (define-record-type* <connman-configuration>
1134 connman-configuration make-connman-configuration
1135 connman-configuration?
1136 (connman connman-configuration-connman
1138 (disable-vpn? connman-configuration-disable-vpn?
1141 (define (connman-activation config)
"Return a gexp that creates Connman's state directories, skipping the VPN
directory when CONFIG disables the VPN plugin."
1142 (let ((disable-vpn? (connman-configuration-disable-vpn? config)))
1143 (with-imported-modules '((guix build utils))
1145 (use-modules (guix build utils))
1146 (mkdir-p "/var/lib/connman/")
;; Only create the VPN state directory when the VPN plugin is in use
;; (see the '--noplugin=vpn' handling in 'connman-shepherd-service').
1147 (unless #$disable-vpn?
1148 (mkdir-p "/var/lib/connman-vpn/"))))))
1150 (define (connman-shepherd-service config)
1151 "Return a list holding the Shepherd service that runs Connman as described by
CONFIG, a <connman-configuration>.  The service provides 'networking'."
1153 (connman-configuration? config)
1154 (let ((connman (connman-configuration-connman config))
1155 (disable-vpn? (connman-configuration-disable-vpn? config)))
1156 (list (shepherd-service
1157 (documentation "Run Connman")
1158 (provision '(networking))
1160 '(user-processes dbus-system loopback wpa-supplicant))
1161 (start #~(make-forkexec-constructor
1162 (list (string-append #$connman
;; 'disable-vpn?' keeps the VPN plugin from being loaded at all.
1165 #$@(if disable-vpn? '("--noplugin=vpn") '()))
1167 ;; As connman(8) notes, when passing '-n', connman
1168 ;; "directs log output to the controlling terminal in
1169 ;; addition to syslog." Redirect stdout and stderr
1170 ;; to avoid spamming the console (XXX: for some reason
1171 ;; redirecting to /dev/null doesn't work.)
1172 #:log-file "/var/log/connman.log"))
1173 (stop #~(make-kill-destructor)))))))
1175 (define connman-service-type
1176 (let ((connman-package (compose list connman-configuration-connman)))
1177 (service-type (name 'connman)
1179 (list (service-extension shepherd-root-service-type
1180 connman-shepherd-service)
1181 (service-extension polkit-service-type
1183 (service-extension dbus-root-service-type
1185 (service-extension activation-service-type
1187 ;; Add connman to the system profile.
1188 (service-extension profile-service-type
1190 (default-value (connman-configuration))
1192 "Run @url{https://01.org/connman,Connman},
1193 a network connection manager."))))
1200 (define modem-manager-service-type
1201 (let ((config->package
1203 (($ <modem-manager-configuration> modem-manager)
1204 (list modem-manager)))))
1205 (service-type (name 'modem-manager)
1207 (list (service-extension dbus-root-service-type
1209 (service-extension udev-service-type
1211 (service-extension polkit-service-type
1213 (default-value (modem-manager-configuration))
1215 "Run @uref{https://wiki.gnome.org/Projects/ModemManager,
1216 ModemManager}, a modem management daemon that aims to simplify dialup
;; Configuration of the USB_ModeSwitch service.  Field order matters: the
;; 'match' patterns further down destructure instances positionally.
1224 (define-record-type* <usb-modeswitch-configuration>
1225 usb-modeswitch-configuration make-usb-modeswitch-configuration
1226 usb-modeswitch-configuration?
1227 (usb-modeswitch usb-modeswitch-configuration-usb-modeswitch ;<package>
1228 (default usb-modeswitch))
1229 (usb-modeswitch-data usb-modeswitch-configuration-usb-modeswitch-data ;<package>, provides udev/40-usb_modeswitch.rules
1230 (default usb-modeswitch-data))
;; Path of the usb_modeswitch.conf handed to usb_modeswitch_dispatcher.
;; NOTE(review): the default names the "dispatcher" output of the
;; module-level 'usb-modeswitch' package; confirm whether it follows an
;; overridden 'usb-modeswitch' field or keeps pointing at the stock package.
1231 (config-file usb-modeswitch-configuration-config-file ;gexp | file-like
1232 (default #~(string-append #$usb-modeswitch:dispatcher
1233 "/etc/usb_modeswitch.conf"))))
1235 (define (usb-modeswitch-sh usb-modeswitch config-file)
1236 "Build a copy of usb_modeswitch.sh located in package USB-MODESWITCH,
1237 modified to pass the CONFIG-FILE in its calls to usb_modeswitch_dispatcher,
1238 and wrap it to actually find the dispatcher in USB-MODESWITCH. The script
1239 will be run by USB_ModeSwitch’s udev rules file when a modeswitchable USB
1240 device is detected."
1243 (with-imported-modules '((guix build utils))
1245 (use-modules (guix build utils))
1248 #~(string-append " --config-file=" #$config-file)
1251 (install-file (string-append #$usb-modeswitch:dispatcher
1252 "/lib/udev/usb_modeswitch")
1255 ;; insert CFG-PARAM into usb_modeswitch_dispatcher command-lines
1256 (substitute* (string-append #$output "/usb_modeswitch")
1257 (("(exec usb_modeswitch_dispatcher .*)( 2>>)" _ left right)
1258 (string-append left cfg-param right))
1259 (("(exec usb_modeswitch_dispatcher .*)( &)" _ left right)
1260 (string-append left cfg-param right)))
1262 ;; wrap-program needs bash in PATH:
1263 (putenv (string-append "PATH=" #$bash "/bin"))
1264 (wrap-program (string-append #$output "/usb_modeswitch")
1265 `("PATH" ":" = (,(string-append #$coreutils "/bin")
1267 #$usb-modeswitch:dispatcher
1270 (define (usb-modeswitch-configuration->udev-rules config)
1271 "Build a rules file for extending udev-service-type from the rules in the
1272 usb-modeswitch package specified in CONFIG. The rules file will invoke
1273 usb_modeswitch.sh from the usb-modeswitch package, modified to pass the right
1276 (($ <usb-modeswitch-configuration> usb-modeswitch data config-file)
1278 "usb_modeswitch.rules"
1279 (with-imported-modules '((guix build utils))
1281 (use-modules (guix build utils))
1282 (let ((in (string-append #$data "/udev/40-usb_modeswitch.rules"))
1283 (out (string-append #$output "/lib/udev/rules.d"))
1284 (script #$(usb-modeswitch-sh usb-modeswitch config-file)))
1287 (install-file in out)
1288 (substitute* "40-usb_modeswitch.rules"
1289 (("PROGRAM=\"usb_modeswitch")
1290 (string-append "PROGRAM=\"" script "/usb_modeswitch"))
1291 (("RUN\\+=\"usb_modeswitch")
1292 (string-append "RUN+=\"" script "/usb_modeswitch"))))))))))
1294 (define usb-modeswitch-service-type
1296 (name 'usb-modeswitch)
1302 (let ((rules (usb-modeswitch-configuration->udev-rules config)))
1304 (default-value (usb-modeswitch-configuration))
1305 (description "Run @uref{http://www.draisberghof.de/usb_modeswitch/,
1306 USB_ModeSwitch}, a mode switching tool for controlling USB devices with
1307 multiple @dfn{modes}. When plugged in for the first time many USB
1308 devices (primarily high-speed WAN modems) act like a flash storage containing
1309 installers for Windows drivers. USB_ModeSwitch replays the sequence the
1310 Windows drivers would send to switch their mode from storage to modem (or
1311 whatever the thing is supposed to do).")))
1318 (define-record-type* <wpa-supplicant-configuration>
1319 wpa-supplicant-configuration make-wpa-supplicant-configuration
1320 wpa-supplicant-configuration?
1321 (wpa-supplicant wpa-supplicant-configuration-wpa-supplicant ;<package>
1322 (default wpa-supplicant))
1323 (pid-file wpa-supplicant-configuration-pid-file ;string
1324 (default "/var/run/wpa_supplicant.pid"))
1325 (dbus? wpa-supplicant-configuration-dbus? ;Boolean
1327 (interface wpa-supplicant-configuration-interface ;#f | string
1329 (config-file wpa-supplicant-configuration-config-file ;#f | <file-like>
1331 (extra-options wpa-supplicant-configuration-extra-options ;list of strings
;; Shepherd service running wpa_supplicant as a daemon.  The NetworkManager
;; and Connman services above list it in their requirements, which is why it
;; provides 'wpa-supplicant' rather than 'networking'.
1334 (define wpa-supplicant-shepherd-service
1336 (($ <wpa-supplicant-configuration> wpa-supplicant pid-file dbus? interface
1337 config-file extra-options)
1338 (list (shepherd-service
1339 (documentation "Run the WPA supplicant daemon")
1340 (provision '(wpa-supplicant))
1341 (requirement '(user-processes dbus-system loopback syslogd))
1342 (start #~(make-forkexec-constructor
1343 (list (string-append #$wpa-supplicant
1344 "/sbin/wpa_supplicant")
1345 (string-append "-P" #$pid-file)
1346 "-B" ;run in background
1347 "-s" ;log to syslogd
;; Interface and configuration file are optional and only passed when set.
;; NOTE(review): a file-like CONFIG-FILE is a store item and thus readable
;; by every local user; keep pre-shared keys out of it.
1352 #~((string-append "-i" #$interface))
1355 #~((string-append "-c" #$config-file))
;; The daemon forks ("-B" above); Shepherd waits for this PID file.
1358 #:pid-file #$pid-file))
1359 (stop #~(make-kill-destructor)))))))
1361 (define wpa-supplicant-service-type
1362 (let ((config->package
1364 (($ <wpa-supplicant-configuration> wpa-supplicant)
1365 (list wpa-supplicant)))))
1366 (service-type (name 'wpa-supplicant)
1368 (list (service-extension shepherd-root-service-type
1369 wpa-supplicant-shepherd-service)
1370 (service-extension dbus-root-service-type config->package)
1371 (service-extension profile-service-type config->package)))
1372 (description "Run the WPA Supplicant daemon, a service that
1373 implements authentication, key negotiation and more for wireless networks.")
1374 (default-value (wpa-supplicant-configuration)))))
1381 (define-record-type* <hostapd-configuration>
1382 hostapd-configuration make-hostapd-configuration
1383 hostapd-configuration?
1384 (package hostapd-configuration-package
1386 (interface hostapd-configuration-interface ;string
1388 (ssid hostapd-configuration-ssid) ;string
1389 (broadcast-ssid? hostapd-configuration-broadcast-ssid? ;Boolean
1391 (channel hostapd-configuration-channel ;integer
1393 (driver hostapd-configuration-driver ;string
1394 (default "nl80211"))
1395 ;; See <https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf> for a list of
1396 ;; additional options we could add.
1397 (extra-settings hostapd-configuration-extra-settings ;string
1400 (define (hostapd-configuration-file config)
1401 "Return the hostapd.conf file for CONFIG, a <hostapd-configuration>.  The
file is created with 'plain-file' and thus lives in the store, where every
local user can read it; anything placed in the 'extra-settings' field (for
instance a WPA passphrase) is therefore not private."
1402 (match-record config <hostapd-configuration>
1403 (interface ssid broadcast-ssid? channel driver extra-settings)
1404 (plain-file "hostapd.conf"
1406 # Generated from your Guix configuration.
1408 interface=" interface "
1410 ignore_broadcast_ssid=" (if broadcast-ssid? "0" "1") "
1411 channel=" (number->string channel) "\n"
1412 extra-settings "\n"))))
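(define* (hostapd-shepherd-services config #:key (requirement '()))
  "Return Shepherd services running hostapd as described by CONFIG, a
<hostapd-configuration>.  REQUIREMENT is a list of additional Shepherd
service names hostapd must wait for; 'user-processes' is always required."
  (let ((hostapd-package (hostapd-configuration-package config)))
    (list (shepherd-service
           (provision '(hostapd))
           (requirement `(user-processes ,@requirement))
           (documentation "Run the hostapd WiFi access point daemon.")
           ;; Run the daemon from the package selected in CONFIG rather than
           ;; from the module-level 'hostapd' variable, so that the 'package'
           ;; field of <hostapd-configuration> is actually honored.
           (start #~(make-forkexec-constructor
                     (list #$(file-append hostapd-package "/sbin/hostapd")
                           #$(hostapd-configuration-file config))
                     #:log-file "/var/log/hostapd.log"))
           (stop #~(make-kill-destructor))))))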
1426 (define hostapd-service-type
1430 (list (service-extension shepherd-root-service-type
1431 hostapd-shepherd-services)))
1433 "Run the @uref{https://w1.fi/hostapd/, hostapd} daemon for Wi-Fi access
1434 points and authentication servers.")))
1436 (define (simulated-wifi-shepherd-services config)
1437 "Return Shepherd services to run hostapd with CONFIG, a
1438 <hostapd-configuration>, as well as services to set up WiFi hardware
1440 (append (hostapd-shepherd-services config
1443 mac-simulation-module))
1444 (list (shepherd-service
1445 (provision '(unblocked-wifi))
1446 (requirement '(file-systems mac-simulation-module))
1448 "Unblock WiFi devices for use by mac80211_hwsim.")
1450 (invoke #$(file-append util-linux "/sbin/rfkill")
1452 (invoke #$(file-append util-linux "/sbin/rfkill")
1456 (provision '(mac-simulation-module))
1457 (requirement '(file-systems))
1458 (modules '((guix build utils)))
1460 "Load the mac80211_hwsim Linux kernel module.")
1461 (start (with-imported-modules '((guix build utils))
1463 ;; XXX: We can't use 'load-linux-module*' here because it
1464 ;; expects a flat module directory.
1465 (setenv "LINUX_MODULE_DIRECTORY"
1466 "/run/booted-system/kernel/lib/modules")
1467 (invoke #$(file-append kmod "/bin/modprobe")
1468 "mac80211_hwsim"))))
1471 (define simulated-wifi-service-type
1473 (name 'simulated-wifi)
1475 (list (service-extension shepherd-root-service-type
1476 simulated-wifi-shepherd-services)))
1477 (default-value (hostapd-configuration
1479 (ssid "Test Network")))
1480 (description "Run hostapd to simulate WiFi connectivity.")))
;; Configuration of the Open vSwitch service; it only selects the package
;; providing ovsdb-tool, ovsdb-server and ovs-vswitchd.
1487 (define-record-type* <openvswitch-configuration>
1488 openvswitch-configuration make-openvswitch-configuration
1489 openvswitch-configuration?
1490 (package openvswitch-configuration-package ;<package>
1491 (default openvswitch)))
;; Activation gexp for Open vSwitch: create the runtime and state directories
;; and initialize the configuration database when there is none yet.
1493 (define openvswitch-activation
1495 (($ <openvswitch-configuration> package)
1496 (let ((ovsdb-tool (file-append package "/bin/ovsdb-tool")))
1497 (with-imported-modules '((guix build utils))
1499 (use-modules (guix build utils))
1500 (mkdir-p "/var/run/openvswitch")
1501 (mkdir-p "/var/lib/openvswitch")
1502 (let ((conf.db "/var/lib/openvswitch/conf.db"))
;; Never overwrite an existing database.
;; NOTE(review): the exit status of 'ovsdb-tool create' is discarded; if
;; it fails, ovsdb-server will fail later with a less obvious error.
;; 'invoke' (which raises on failure) would surface the problem here.
1503 (unless (file-exists? conf.db)
1504 (system* #$ovsdb-tool "create" conf.db)))))))))
;; Two Shepherd services: the configuration database server ('ovsdb') and the
;; switch daemon ('vswitchd'), which requires the former.
1506 (define openvswitch-shepherd-service
1508 (($ <openvswitch-configuration> package)
1509 (let ((ovsdb-server (file-append package "/sbin/ovsdb-server"))
1510 (ovs-vswitchd (file-append package "/sbin/ovs-vswitchd")))
1513 (provision '(ovsdb))
1514 (documentation "Run the Open vSwitch database server.")
;; The only remote configured here is a local Unix socket.  No #:user is
;; given, so both daemons run with the Shepherd's (root) privileges.
1515 (start #~(make-forkexec-constructor
1516 (list #$ovsdb-server "--pidfile"
1517 "--remote=punix:/var/run/openvswitch/db.sock")
1518 #:pid-file "/var/run/openvswitch/ovsdb-server.pid"))
1519 (stop #~(make-kill-destructor)))
1521 (provision '(vswitchd))
1522 (requirement '(ovsdb))
1523 (documentation "Run the Open vSwitch daemon.")
1524 (start #~(make-forkexec-constructor
1525 (list #$ovs-vswitchd "--pidfile")
1526 #:pid-file "/var/run/openvswitch/ovs-vswitchd.pid"))
1527 (stop #~(make-kill-destructor))))))))
1529 (define openvswitch-service-type
1533 (list (service-extension activation-service-type
1534 openvswitch-activation)
1535 (service-extension profile-service-type
1536 (compose list openvswitch-configuration-package))
1537 (service-extension shepherd-root-service-type
1538 openvswitch-shepherd-service)))
1540 "Run @uref{http://www.openvswitch.org, Open vSwitch}, a multilayer virtual
1541 switch designed to enable massive network automation through programmatic
1543 (default-value (openvswitch-configuration))))
1549 (define %iptables-accept-all-rules
1550 (plain-file "iptables-accept-all.rules"
1558 (define-record-type* <iptables-configuration>
1559 iptables-configuration make-iptables-configuration iptables-configuration?
1560 (iptables iptables-configuration-iptables
1562 (ipv4-rules iptables-configuration-ipv4-rules
1563 (default %iptables-accept-all-rules))
1564 (ipv6-rules iptables-configuration-ipv6-rules
1565 (default %iptables-accept-all-rules)))
;; Shepherd service that loads the IPv4 and IPv6 rulesets with
;; iptables-restore and ip6tables-restore.
1567 (define iptables-shepherd-service
1569 (($ <iptables-configuration> iptables ipv4-rules ipv6-rules)
1570 (let ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
1571 (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore")))
1573 (documentation "Packet filtering framework")
1574 (provision '(iptables))
;; 'invoke' raises on a non-zero exit status, so a ruleset that
;; iptables-restore rejects makes the start action fail loudly.
1576 (invoke #$iptables-restore #$ipv4-rules)
1577 (invoke #$ip6tables-restore #$ipv6-rules)))
;; Presumably the 'stop' action: it replaces the rules with
;; %iptables-accept-all-rules, so stopping the service removes all
;; filtering rather than leaving the last ruleset loaded.
1579 (invoke #$iptables-restore #$%iptables-accept-all-rules)
1580 (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
1582 (define iptables-service-type
1586 "Run @command{iptables-restore}, setting up the specified rules.")
1588 (list (service-extension shepherd-root-service-type
1589 (compose list iptables-shepherd-service))))))
;; Ruleset used when 'nftables-configuration' has no explicit 'ruleset'.
;; Input: everything is dropped except established/related connections,
;; loopback traffic, ICMP/ICMPv6 and TCP connections to the "ssh" service
;; port; forwarding is dropped; output is unrestricted.  Hosts that expose
;; other services need their own ruleset.
1595 (define %default-nftables-ruleset
1596 (plain-file "nftables.conf"
1597 "# A simple and safe firewall
1600 type filter hook input priority 0; policy drop;
1602 # early drop of invalid connections
1603 ct state invalid drop
1605 # allow established/related connections
1606 ct state { established, related } accept
1608 # allow from loopback
1612 ip protocol icmp accept
1613 ip6 nexthdr icmpv6 accept
1616 tcp dport ssh accept
1618 # reject everything else
1619 reject with icmpx type port-unreachable
1622 type filter hook forward priority 0; policy drop;
1625 type filter hook output priority 0; policy accept;
1630 (define-record-type* <nftables-configuration>
1631 nftables-configuration
1632 make-nftables-configuration
1633 nftables-configuration?
1634 (package nftables-configuration-package
1636 (ruleset nftables-configuration-ruleset ; file-like object
1637 (default %default-nftables-ruleset)))
;; Shepherd service that loads the nftables ruleset with 'nft --file'.
1639 (define nftables-shepherd-service
1641 (($ <nftables-configuration> package ruleset)
1642 (let ((nft (file-append package "/sbin/nft")))
1644 (documentation "Packet filtering and classification")
1645 (provision '(nftables))
;; 'invoke' raises on failure, so a ruleset that nft rejects fails the
;; start action instead of being ignored.
1647 (invoke #$nft "--file" #$ruleset)))
;; Presumably the 'stop' action.  Flushing removes every rule, so after
;; stopping the service the host accepts all traffic (nftables' behavior
;; with no rules loaded).
1649 (invoke #$nft "flush" "ruleset"))))))))
1651 (define nftables-service-type
1655 "Run @command{nft}, setting up the specified ruleset.")
1657 (list (service-extension shepherd-root-service-type
1658 (compose list nftables-shepherd-service))
1659 (service-extension profile-service-type
1660 (compose list nftables-configuration-package))))
1661 (default-value (nftables-configuration))))
1668 (define-record-type* <pagekite-configuration>
1669 pagekite-configuration
1670 make-pagekite-configuration
1671 pagekite-configuration?
1672 (package pagekite-configuration-package
1674 (kitename pagekite-configuration-kitename
1676 (kitesecret pagekite-configuration-kitesecret
1678 (frontend pagekite-configuration-frontend
1680 (kites pagekite-configuration-kites
1681 (default '("http:@kitename:localhost:80:@kitesecret")))
1682 (extra-file pagekite-configuration-extra-file
1685 (define (pagekite-configuration-file config)
"Return the pagekite.rc file for CONFIG, a <pagekite-configuration>.  The
file is built with 'mixed-text-file' and therefore lives in the store, where
every local user can read it: a 'kitesecret' set in CONFIG is exposed that
way, whereas settings kept in 'extra-file' (a host path passed as 'optfile')
stay outside the store."
1686 (match-record config <pagekite-configuration>
1687 (package kitename kitesecret frontend kites extra-file)
1688 (mixed-text-file "pagekite.rc"
1690 (string-append "optfile = " extra-file "\n")
1693 (string-append "kitename = " kitename "\n")
;; Written verbatim into a store file; see the docstring above.
1696 (string-append "kitesecret = " kitesecret "\n")
1699 (string-append "frontend = " frontend "\n")
1701 (string-join (map (lambda (kite)
1702 (string-append "service_on = " kite))
1707 (define (pagekite-shepherd-service config)
"Return the Shepherd service running PageKite for CONFIG, a
<pagekite-configuration>, inside a Shepherd container."
1708 (match-record config <pagekite-configuration>
1709 (package kitename kitesecret frontend kites extra-file)
1710 (with-imported-modules (source-module-closure
1711 '((gnu build shepherd)
1712 (gnu system file-systems)))
1714 (documentation "Run the PageKite service.")
1715 (provision '(pagekite))
1716 (requirement '(networking))
1717 (modules '((gnu build shepherd)
1718 (gnu system file-systems)))
;; Runs in a separate namespace (see 'make-forkexec-constructor/container');
;; host paths are presumably visible inside only through #:mappings below.
1719 (start #~(make-forkexec-constructor/container
1720 (list #$(file-append package "/bin/pagekite")
;; pagekite itself switches to the 'pagekite' user and group, which
;; %pagekite-accounts creates.
1724 "--runas=pagekite:pagekite"
1725 (string-append "--optfile="
1726 #$(pagekite-configuration-file config)))
1727 #:log-file "/var/log/pagekite.log"
;; EXTRA-FILE is a host path outside the store, so it has to be mapped
;; into the container explicitly for the 'optfile' setting to work.
1728 #:mappings #$(if extra-file
1729 #~(list (file-system-mapping
1730 (source #$extra-file)
1733 ;; SIGTERM doesn't always work for some reason.
1734 (stop #~(make-kill-destructor SIGINT))))))
1736 (define %pagekite-accounts
1737 (list (user-group (name "pagekite") (system? #t))
1742 (comment "PageKite user")
1743 (home-directory "/var/empty")
1744 (shell (file-append shadow "/sbin/nologin")))))
1746 (define pagekite-service-type
1749 (default-value (pagekite-configuration))
1751 (list (service-extension shepherd-root-service-type
1752 (compose list pagekite-shepherd-service))
1753 (service-extension account-service-type
1754 (const %pagekite-accounts))))
1756 "Run @url{https://pagekite.net/,PageKite}, a tunneling solution to make
1757 local servers publicly accessible on the web, even behind NATs and firewalls.")))
1759 ;;; networking.scm ends here