1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
5 ;;; This file is part of GNU Guix.
7 ;;; GNU Guix is free software; you can redistribute it and/or modify it
8 ;;; under the terms of the GNU General Public License as published by
9 ;;; the Free Software Foundation; either version 3 of the License, or (at
10 ;;; your option) any later version.
12 ;;; GNU Guix is distributed in the hope that it will be useful, but
13 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
14 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 ;;; GNU General Public License for more details.
17 ;;; You should have received a copy of the GNU General Public License
18 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
20 (define-module (gnu services networking)
21 #:use-module (gnu services)
22 #:use-module (gnu services dmd)
23 #:use-module (gnu services dbus)
24 #:use-module (gnu system shadow)
25 #:use-module (gnu system linux) ;PAM
26 #:use-module (gnu packages admin)
27 #:use-module (gnu packages linux)
28 #:use-module (gnu packages tor)
29 #:use-module (gnu packages messaging)
30 #:use-module (gnu packages ntp)
31 #:use-module (gnu packages wicd)
32 #:use-module (guix gexp)
33 #:use-module (guix records)
34 #:use-module (srfi srfi-26)
35 #:use-module (ice-9 match)
36 #:export (%facebook-host-aliases
37 static-networking-service
47 ;;; Networking services.
51 (define %facebook-host-aliases
52 ;; This is the list of known Facebook hosts to be added to /etc/hosts if you
55 # Block Facebook IPv4.
56 127.0.0.1 www.facebook.com
57 127.0.0.1 facebook.com
58 127.0.0.1 login.facebook.com
59 127.0.0.1 www.login.facebook.com
61 127.0.0.1 www.fbcdn.net
63 127.0.0.1 www.fbcdn.com
64 127.0.0.1 static.ak.fbcdn.net
65 127.0.0.1 static.ak.connect.facebook.com
66 127.0.0.1 connect.facebook.net
67 127.0.0.1 www.connect.facebook.net
68 127.0.0.1 apps.facebook.com
70 # Block Facebook IPv6.
71 fe80::1%lo0 facebook.com
72 fe80::1%lo0 login.facebook.com
73 fe80::1%lo0 www.login.facebook.com
75 fe80::1%lo0 www.fbcdn.net
77 fe80::1%lo0 www.fbcdn.com
78 fe80::1%lo0 static.ak.fbcdn.net
79 fe80::1%lo0 static.ak.connect.facebook.com
80 fe80::1%lo0 connect.facebook.net
81 fe80::1%lo0 www.connect.facebook.net
82 fe80::1%lo0 apps.facebook.com\n")
85 (define-record-type* <static-networking>
86 static-networking make-static-networking
88 (interface static-networking-interface)
89 (ip static-networking-ip)
90 (gateway static-networking-gateway)
91 (provision static-networking-provision)
92 (name-servers static-networking-name-servers)
93 (net-tools static-networking-net-tools))
95 (define static-networking-service-type
99 (($ <static-networking> interface ip gateway provision
100 name-servers net-tools)
101 (let ((loopback? (memq 'loopback provision)))
103 ;; TODO: Eventually replace 'route' with bindings for the appropriate
107 ;; Unless we're providing the loopback interface, wait for udev to be up
108 ;; and running so that INTERFACE is actually usable.
109 (requirement (if loopback? '() '(udev)))
112 "Bring up the networking interface using a static IP address.")
113 (provision provision)
115 ;; Return #t if successfully started.
116 (let* ((addr (inet-pton AF_INET #$ip))
117 (sockaddr (make-socket-address AF_INET addr 0)))
118 (configure-network-interface #$interface sockaddr
124 #~(zero? (system* (string-append #$net-tools
126 "add" "-net" "default"
129 #$(if (pair? name-servers)
130 #~(call-with-output-file "/etc/resolv.conf"
133 "# Generated by 'static-networking-service'.\n"
135 (for-each (lambda (server)
136 (format port "nameserver ~a~%"
141 ;; Return #f is successfully stopped.
142 (let ((sock (socket AF_INET SOCK_STREAM 0)))
143 (set-network-interface-flags sock #$interface 0)
146 #~(system* (string-append #$net-tools
148 "del" "-net" "default")
152 (define* (static-networking-service interface ip
155 (provision '(networking))
157 (net-tools net-tools))
158 "Return a service that starts @var{interface} with address @var{ip}. If
159 @var{gateway} is true, it must be a string specifying the default network
161 (service static-networking-service-type
162 (static-networking (interface interface) (ip ip)
164 (provision provision)
165 (name-servers name-servers)
166 (net-tools net-tools))))
168 (define dhcp-client-service-type
173 #~(string-append #$dhcp "/sbin/dhclient"))
176 "/var/run/dhclient.pid")
179 (documentation "Set up networking via DHCP.")
180 (requirement '(user-processes udev))
182 ;; XXX: Running with '-nw' ("no wait") avoids blocking for a minute when
183 ;; networking is unavailable, but also means that the interface is not up
184 ;; yet when 'start' completes. To wait for the interface to be ready, one
185 ;; should instead monitor udev events.
186 (provision '(networking))
189 ;; When invoked without any arguments, 'dhclient' discovers all
190 ;; non-loopback interfaces *that are up*. However, the relevant
191 ;; interfaces are typically down at this point. Thus we perform
192 ;; our own interface discovery here.
194 (negate loopback-network-interface?))
196 (filter valid? (all-network-interface-names)))
198 ;; XXX: Make sure the interfaces are up so that 'dhclient' can
199 ;; actually send/receive over them.
200 (for-each set-network-interface-up ifaces)
202 (false-if-exception (delete-file #$pid-file))
203 (let ((pid (fork+exec-command
204 (cons* #$dhclient "-nw"
205 "-pf" #$pid-file ifaces))))
206 (and (zero? (cdr (waitpid pid)))
210 (call-with-input-file #$pid-file read))
212 ;; 'dhclient' returned before PID-FILE was created,
214 (let ((errno (system-error-errno args)))
219 (apply throw args))))))))))
220 (stop #~(make-kill-destructor))))))
222 (define* (dhcp-client-service #:key (dhcp isc-dhcp))
223 "Return a service that runs @var{dhcp}, a Dynamic Host Configuration
224 Protocol (DHCP) client, on all the non-loopback network interfaces."
225 (service dhcp-client-service-type dhcp))
228 ;; Default set of NTP servers.
239 (define-record-type* <ntp-configuration>
240 ntp-configuration make-ntp-configuration
242 (ntp ntp-configuration-ntp
244 (servers ntp-configuration-servers))
246 (define ntp-dmd-service
248 (($ <ntp-configuration> ntp servers)
250 ;; TODO: Add authentication support.
252 (string-append "driftfile /var/run/ntp.drift\n"
253 (string-join (map (cut string-append "server " <>)
257 # Disable status queries as a workaround for CVE-2013-5211:
258 # <http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using>.
259 restrict default kod nomodify notrap nopeer noquery
260 restrict -6 default kod nomodify notrap nopeer noquery
262 # Yet, allow use of the local 'ntpq'.
267 (plain-file "ntpd.conf" config))
271 (documentation "Run the Network Time Protocol (NTP) daemon.")
272 (requirement '(user-processes networking))
273 (start #~(make-forkexec-constructor
274 (list (string-append #$ntp "/bin/ntpd") "-n"
275 "-c" #$ntpd.conf "-u" "ntpd")))
276 (stop #~(make-kill-destructor))))))))
278 (define %ntp-accounts
283 (comment "NTP daemon user")
284 (home-directory "/var/empty")
285 (shell #~(string-append #$shadow "/sbin/nologin")))))
287 (define ntp-service-type
288 (service-type (name 'ntp)
290 (list (service-extension dmd-root-service-type
292 (service-extension account-service-type
293 (const %ntp-accounts))))))
295 (define* (ntp-service #:key (ntp ntp)
296 (servers %ntp-servers))
297 "Return a service that runs the daemon from @var{ntp}, the
298 @uref{http://www.ntp.org, Network Time Protocol package}. The daemon will
299 keep the system clock synchronized with that of @var{servers}."
300 (service ntp-service-type
301 (ntp-configuration (ntp ntp) (servers servers))))
308 (define %tor-accounts
309 ;; User account and groups for Tor.
310 (list (user-group (name "tor") (system? #t))
315 (comment "Tor daemon user")
316 (home-directory "/var/empty")
317 (shell #~(string-append #$shadow "/sbin/nologin")))))
319 (define (tor-dmd-service tor)
320 "Return a <dmd-service> running TOR."
321 (let ((torrc (plain-file "torrc" "User tor\n")))
325 ;; Tor needs at least one network interface to be up, hence the
326 ;; dependency on 'loopback'.
327 (requirement '(user-processes loopback))
329 (start #~(make-forkexec-constructor
330 (list (string-append #$tor "/bin/tor") "-f" #$torrc)))
331 (stop #~(make-kill-destructor))
332 (documentation "Run the Tor anonymous network overlay.")))))
334 (define tor-service-type
335 (service-type (name 'tor)
337 (list (service-extension dmd-root-service-type
339 (service-extension account-service-type
340 (const %tor-accounts))))))
342 (define* (tor-service #:key (tor tor))
343 "Return a service to run the @uref{https://torproject.org,Tor} daemon.
345 The daemon runs with the default settings (in particular the default exit
346 policy) as the @code{tor} unprivileged user."
347 (service tor-service-type tor))
354 (define-record-type* <bitlbee-configuration>
355 bitlbee-configuration make-bitlbee-configuration
356 bitlbee-configuration?
357 (bitlbee bitlbee-configuration-bitlbee
359 (interface bitlbee-configuration-interface)
360 (port bitlbee-configuration-port)
361 (extra-settings bitlbee-configuration-extra-settings))
363 (define bitlbee-dmd-service
365 (($ <bitlbee-configuration> bitlbee interface port extra-settings)
366 (let ((conf (plain-file "bitlbee.conf"
370 ConfigDir = /var/lib/bitlbee
371 DaemonInterface = " interface "
372 DaemonPort = " (number->string port) "
376 (provision '(bitlbee))
377 (requirement '(user-processes loopback))
378 (start #~(make-forkexec-constructor
379 (list (string-append #$bitlbee "/sbin/bitlbee")
380 "-n" "-F" "-u" "bitlbee" "-c" #$conf)))
381 (stop #~(make-kill-destructor))))))))
383 (define %bitlbee-accounts
384 ;; User group and account to run BitlBee.
385 (list (user-group (name "bitlbee") (system? #t))
390 (comment "BitlBee daemon user")
391 (home-directory "/var/empty")
392 (shell #~(string-append #$shadow "/sbin/nologin")))))
394 (define %bitlbee-activation
395 ;; Activation gexp for BitlBee.
397 (use-modules (guix build utils))
399 ;; This directory is used to store OTR data.
400 (mkdir-p "/var/lib/bitlbee")
401 (let ((user (getpwnam "bitlbee")))
402 (chown "/var/lib/bitlbee"
403 (passwd:uid user) (passwd:gid user)))))
405 (define bitlbee-service-type
406 (service-type (name 'bitlbee)
408 (list (service-extension dmd-root-service-type
410 (service-extension account-service-type
411 (const %bitlbee-accounts))
412 (service-extension activation-service-type
413 (const %bitlbee-activation))))))
415 (define* (bitlbee-service #:key (bitlbee bitlbee)
416 (interface "127.0.0.1") (port 6667)
418 "Return a service that runs @url{http://bitlbee.org,BitlBee}, a daemon that
419 acts as a gateway between IRC and chat networks.
421 The daemon will listen to the interface corresponding to the IP address
422 specified in @var{interface}, on @var{port}. @code{127.0.0.1} means that only
423 local clients can connect, whereas @code{0.0.0.0} means that connections can
424 come from any networking interface.
426 In addition, @var{extra-settings} specifies a string to append to the
428 (service bitlbee-service-type
429 (bitlbee-configuration
431 (interface interface) (port port)
432 (extra-settings extra-settings))))
439 (define %wicd-activation
440 ;; Activation gexp for Wicd.
442 (use-modules (guix build utils))
444 (mkdir-p "/etc/wicd")
445 (let ((file-name "/etc/wicd/dhclient.conf.template.default"))
446 (unless (file-exists? file-name)
447 (copy-file (string-append #$wicd file-name)
450 (define (wicd-dmd-service wicd)
451 "Return a dmd service for WICD."
453 (documentation "Run the Wicd network manager.")
454 (provision '(networking))
455 (requirement '(user-processes dbus-system loopback))
456 (start #~(make-forkexec-constructor
457 (list (string-append #$wicd "/sbin/wicd")
459 (stop #~(make-kill-destructor)))))
461 (define wicd-service-type
462 (service-type (name 'wicd)
464 (list (service-extension dmd-root-service-type
466 (service-extension dbus-root-service-type
468 (service-extension activation-service-type
469 (const %wicd-activation))))))
471 (define* (wicd-service #:key (wicd wicd))
472 "Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
473 manager that aims to simplify wired and wireless networking."
474 (service wicd-service-type wicd))
476 ;;; networking.scm ends here