1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
5 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
6 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
7 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
8 ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
9 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
10 ;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
11 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
13 ;;; This file is part of GNU Guix.
15 ;;; GNU Guix is free software; you can redistribute it and/or modify it
16 ;;; under the terms of the GNU General Public License as published by
17 ;;; the Free Software Foundation; either version 3 of the License, or (at
18 ;;; your option) any later version.
20 ;;; GNU Guix is distributed in the hope that it will be useful, but
21 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
22 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 ;;; GNU General Public License for more details.
25 ;;; You should have received a copy of the GNU General Public License
26 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
28 (define-module (gnu services networking)
29 #:use-module (gnu services)
30 #:use-module (gnu services base)
31 #:use-module (gnu services shepherd)
32 #:use-module (gnu services dbus)
33 #:use-module (gnu system shadow)
34 #:use-module (gnu system pam)
35 #:use-module (gnu packages admin)
36 #:use-module (gnu packages connman)
37 #:use-module (gnu packages freedesktop)
38 #:use-module (gnu packages linux)
39 #:use-module (gnu packages tor)
40 #:use-module (gnu packages messaging)
41 #:use-module (gnu packages networking)
42 #:use-module (gnu packages ntp)
43 #:use-module (gnu packages wicd)
44 #:use-module (gnu packages gnome)
45 #:use-module (guix gexp)
46 #:use-module (guix records)
47 #:use-module (guix modules)
48 #:use-module (srfi srfi-1)
49 #:use-module (srfi srfi-9)
50 #:use-module (srfi srfi-26)
51 #:use-module (ice-9 match)
52 #:re-export (static-networking-service
53 static-networking-service-type)
54 #:export (%facebook-host-aliases
56 dhcp-client-service-type
61 dhcpd-configuration-package
62 dhcpd-configuration-config-file
63 dhcpd-configuration-version
64 dhcpd-configuration-run-directory
65 dhcpd-configuration-lease-file
66 dhcpd-configuration-pid-file
67 dhcpd-configuration-interfaces
76 openntpd-configuration
77 openntpd-configuration?
93 network-manager-configuration
94 network-manager-configuration?
95 network-manager-configuration-dns
96 network-manager-service-type
99 connman-configuration?
102 modem-manager-configuration
103 modem-manager-configuration?
104 modem-manager-service-type
106 <wpa-supplicant-configuration>
107 wpa-supplicant-configuration
108 wpa-supplicant-configuration?
109 wpa-supplicant-configuration-wpa-supplicant
110 wpa-supplicant-configuration-pid-file
111 wpa-supplicant-configuration-dbus?
112 wpa-supplicant-configuration-interface
113 wpa-supplicant-configuration-config-file
114 wpa-supplicant-configuration-extra-options
115 wpa-supplicant-service-type
117 openvswitch-service-type
118 openvswitch-configuration
120 iptables-configuration
121 iptables-configuration?
122 iptables-configuration-iptables
123 iptables-configuration-ipv4-rules
124 iptables-configuration-ipv6-rules
125 iptables-service-type))
129 ;;; Networking services.
133 (define %facebook-host-aliases
134 ;; This is the list of known Facebook hosts to be added to /etc/hosts if you
137 # Block Facebook IPv4.
138 127.0.0.1 www.facebook.com
139 127.0.0.1 facebook.com
140 127.0.0.1 login.facebook.com
141 127.0.0.1 www.login.facebook.com
143 127.0.0.1 www.fbcdn.net
145 127.0.0.1 www.fbcdn.com
146 127.0.0.1 static.ak.fbcdn.net
147 127.0.0.1 static.ak.connect.facebook.com
148 127.0.0.1 connect.facebook.net
149 127.0.0.1 www.connect.facebook.net
150 127.0.0.1 apps.facebook.com
152 # Block Facebook IPv6.
153 fe80::1%lo0 facebook.com
154 fe80::1%lo0 login.facebook.com
155 fe80::1%lo0 www.login.facebook.com
156 fe80::1%lo0 fbcdn.net
157 fe80::1%lo0 www.fbcdn.net
158 fe80::1%lo0 fbcdn.com
159 fe80::1%lo0 www.fbcdn.com
160 fe80::1%lo0 static.ak.fbcdn.net
161 fe80::1%lo0 static.ak.connect.facebook.com
162 fe80::1%lo0 connect.facebook.net
163 fe80::1%lo0 www.connect.facebook.net
164 fe80::1%lo0 apps.facebook.com\n")
166 (define dhcp-client-service-type
167 (shepherd-service-type
171 (file-append dhcp "/sbin/dhclient"))
174 "/var/run/dhclient.pid")
177 (documentation "Set up networking via DHCP.")
178 (requirement '(user-processes udev))
180 ;; XXX: Running with '-nw' ("no wait") avoids blocking for a minute when
181 ;; networking is unavailable, but also means that the interface is not up
182 ;; yet when 'start' completes. To wait for the interface to be ready, one
183 ;; should instead monitor udev events.
184 (provision '(networking))
187 ;; When invoked without any arguments, 'dhclient' discovers all
188 ;; non-loopback interfaces *that are up*. However, the relevant
189 ;; interfaces are typically down at this point. Thus we perform
190 ;; our own interface discovery here.
192 (negate loopback-network-interface?))
194 (filter valid? (all-network-interface-names)))
196 ;; XXX: Make sure the interfaces are up so that 'dhclient' can
197 ;; actually send/receive over them.
198 (for-each set-network-interface-up ifaces)
200 (false-if-exception (delete-file #$pid-file))
201 (let ((pid (fork+exec-command
202 (cons* #$dhclient "-nw"
203 "-pf" #$pid-file ifaces))))
204 (and (zero? (cdr (waitpid pid)))
205 (read-pid-file #$pid-file)))))
206 (stop #~(make-kill-destructor))))
209 (define* (dhcp-client-service #:key (dhcp isc-dhcp)) ;deprecated
210 "Return a service that runs @var{dhcp}, a Dynamic Host Configuration
211 Protocol (DHCP) client, on all the non-loopback network interfaces."
212 (service dhcp-client-service-type dhcp))
214 (define-record-type* <dhcpd-configuration>
215 dhcpd-configuration make-dhcpd-configuration
217 (package dhcpd-configuration-package ;<package>
219 (config-file dhcpd-configuration-config-file ;file-like
221 (version dhcpd-configuration-version ;"4", "6", or "4o6"
223 (run-directory dhcpd-configuration-run-directory
224 (default "/run/dhcpd"))
225 (lease-file dhcpd-configuration-lease-file
226 (default "/var/db/dhcpd.leases"))
227 (pid-file dhcpd-configuration-pid-file
228 (default "/run/dhcpd/dhcpd.pid"))
229 ;; list of strings, e.g. (list "enp0s25")
230 (interfaces dhcpd-configuration-interfaces
233 (define dhcpd-shepherd-service
235 (($ <dhcpd-configuration> package config-file version run-directory
236 lease-file pid-file interfaces)
238 (error "Must supply a config-file"))
239 (list (shepherd-service
240 ;; Allow users to easily run multiple versions simultaneously.
241 (provision (list (string->symbol
242 (string-append "dhcpv" version "-daemon"))))
243 (documentation (string-append "Run the DHCPv" version " daemon"))
244 (requirement '(networking))
245 (start #~(make-forkexec-constructor
246 '(#$(file-append package "/sbin/dhcpd")
247 #$(string-append "-" version)
252 #:pid-file #$pid-file))
253 (stop #~(make-kill-destructor)))))))
255 (define dhcpd-activation
257 (($ <dhcpd-configuration> package config-file version run-directory
258 lease-file pid-file interfaces)
259 (with-imported-modules '((guix build utils))
261 (unless (file-exists? #$run-directory)
262 (mkdir #$run-directory))
263 ;; According to the DHCP manual (man dhcpd.leases), the lease
264 ;; database must be present for dhcpd to start successfully.
265 (unless (file-exists? #$lease-file)
266 (with-output-to-file #$lease-file
267 (lambda _ (display ""))))
268 ;; Validate the config.
270 #$(file-append package "/sbin/dhcpd") "-t" "-cf"
273 (define dhcpd-service-type
277 (list (service-extension shepherd-root-service-type dhcpd-shepherd-service)
278 (service-extension activation-service-type dhcpd-activation)))))
281 ;; Default set of NTP servers. These URLs are managed by the NTP Pool project.
282 ;; Within Guix, Leo Famulari <leo@famulari.name> is the administrative contact
283 ;; for this NTP pool "zone".
284 '("0.guix.pool.ntp.org"
285 "1.guix.pool.ntp.org"
286 "2.guix.pool.ntp.org"
287 "3.guix.pool.ntp.org"))
295 (define-record-type* <ntp-configuration>
296 ntp-configuration make-ntp-configuration
298 (ntp ntp-configuration-ntp
300 (servers ntp-configuration-servers
301 (default %ntp-servers))
302 (allow-large-adjustment? ntp-allow-large-adjustment?
305 (define ntp-shepherd-service
307 (($ <ntp-configuration> ntp servers allow-large-adjustment?)
309 ;; TODO: Add authentication support.
311 (string-append "driftfile /var/run/ntpd/ntp.drift\n"
312 (string-join (map (cut string-append "server " <>)
316 # Disable status queries as a workaround for CVE-2013-5211:
317 # <http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using>.
318 restrict default kod nomodify notrap nopeer noquery
319 restrict -6 default kod nomodify notrap nopeer noquery
321 # Yet, allow use of the local 'ntpq'.
326 (plain-file "ntpd.conf" config))
328 (list (shepherd-service
330 (documentation "Run the Network Time Protocol (NTP) daemon.")
331 (requirement '(user-processes networking))
332 (start #~(make-forkexec-constructor
333 (list (string-append #$ntp "/bin/ntpd") "-n"
334 "-c" #$ntpd.conf "-u" "ntpd"
335 #$@(if allow-large-adjustment?
338 (stop #~(make-kill-destructor))))))))
340 (define %ntp-accounts
345 (comment "NTP daemon user")
346 (home-directory "/var/empty")
347 (shell (file-append shadow "/sbin/nologin")))))
350 (define (ntp-service-activation config)
351 "Return the activation gexp for CONFIG."
352 (with-imported-modules '((guix build utils))
354 (use-modules (guix build utils))
358 (let ((directory "/var/run/ntpd"))
360 (chown directory (passwd:uid %user) (passwd:gid %user))))))
362 (define ntp-service-type
363 (service-type (name 'ntp)
365 (list (service-extension shepherd-root-service-type
366 ntp-shepherd-service)
367 (service-extension account-service-type
368 (const %ntp-accounts))
369 (service-extension activation-service-type
370 ntp-service-activation)))
372 "Run the @command{ntpd}, the Network Time Protocol (NTP)
373 daemon of the @uref{http://www.ntp.org, Network Time Foundation}. The daemon
374 will keep the system clock synchronized with that of the given servers.")
375 (default-value (ntp-configuration))))
377 (define* (ntp-service #:key (ntp ntp) ;deprecated
378 (servers %ntp-servers)
379 allow-large-adjustment?)
380 "Return a service that runs the daemon from @var{ntp}, the
381 @uref{http://www.ntp.org, Network Time Protocol package}. The daemon will
382 keep the system clock synchronized with that of @var{servers}.
383 @var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to
384 make an initial adjustment of more than 1,000 seconds."
385 (service ntp-service-type
386 (ntp-configuration (ntp ntp)
388 (allow-large-adjustment?
389 allow-large-adjustment?))))
396 (define-record-type* <openntpd-configuration>
397 openntpd-configuration make-openntpd-configuration
398 openntpd-configuration?
399 (openntpd openntpd-configuration-openntpd
401 (listen-on openntpd-listen-on
402 (default '("127.0.0.1"
404 (query-from openntpd-query-from
406 (sensor openntpd-sensor
408 (server openntpd-server
409 (default %ntp-servers))
410 (servers openntpd-servers
412 (constraint-from openntpd-constraint-from
414 (constraints-from openntpd-constraints-from
416 (allow-large-adjustment? openntpd-allow-large-adjustment?
417 (default #f))) ; upstream default
419 (define (openntpd-shepherd-service config)
420 (match-record config <openntpd-configuration>
421 (openntpd listen-on query-from sensor server servers constraint-from
422 constraints-from allow-large-adjustment?)
427 (lambda (field value)
429 (map (cut string-append field <> "\n")
431 '("listen on " "query from " "sensor " "server " "servers "
433 (list listen-on query-from sensor server servers constraint-from))
434 ;; The 'constraints from' field needs to be enclosed in double quotes.
436 (map (cut string-append "constraints from \"" <> "\"\n")
440 (plain-file "ntpd.conf" config))
442 (list (shepherd-service
444 (documentation "Run the Network Time Protocol (NTP) daemon.")
445 (requirement '(user-processes networking))
446 (start #~(make-forkexec-constructor
447 (list (string-append #$openntpd "/sbin/ntpd")
449 "-d" ;; don't daemonize
450 #$@(if allow-large-adjustment?
453 ;; When ntpd is daemonized it repeatedly tries to respawn
454 ;; while running, leading shepherd to disable it. To
455 ;; prevent spamming stderr, redirect output to logfile.
456 #:log-file "/var/log/ntpd"))
457 (stop #~(make-kill-destructor)))))))
459 (define (openntpd-service-activation config)
460 "Return the activation gexp for CONFIG."
461 (with-imported-modules '((guix build utils))
463 (use-modules (guix build utils))
467 (unless (file-exists? "/var/db/ntpd.drift")
468 (with-output-to-file "/var/db/ntpd.drift"
470 (format #t "0.0")))))))
472 (define openntpd-service-type
473 (service-type (name 'openntpd)
475 (list (service-extension shepherd-root-service-type
476 openntpd-shepherd-service)
477 (service-extension account-service-type
478 (const %ntp-accounts))
479 (service-extension profile-service-type
480 (compose list openntpd-configuration-openntpd))
481 (service-extension activation-service-type
482 openntpd-service-activation)))
483 (default-value (openntpd-configuration))
485 "Run the @command{ntpd}, the Network Time Protocol (NTP)
486 daemon, as implemented by @uref{http://www.openntpd.org, OpenNTPD}. The
487 daemon will keep the system clock synchronized with that of the given servers.")))
494 (define-record-type* <inetd-configuration> inetd-configuration
495 make-inetd-configuration
497 (program inetd-configuration-program ;file-like
498 (default (file-append inetutils "/libexec/inetd")))
499 (entries inetd-configuration-entries ;list of <inetd-entry>
502 (define-record-type* <inetd-entry> inetd-entry make-inetd-entry
504 (node inetd-entry-node ;string or #f
506 (name inetd-entry-name) ;string, from /etc/services
508 (socket-type inetd-entry-socket-type) ;stream | dgram | raw |
510 (protocol inetd-entry-protocol) ;string, from /etc/protocols
512 (wait? inetd-entry-wait? ;Boolean
514 (user inetd-entry-user) ;string
516 (program inetd-entry-program ;string or file-like object
517 (default "internal"))
518 (arguments inetd-entry-arguments ;list of strings or file-like objects
521 (define (inetd-config-file entries)
522 (apply mixed-text-file "inetd.conf"
525 (let* ((node (inetd-entry-node entry))
526 (name (inetd-entry-name entry))
528 (if node (string-append node ":" name) name))
530 (match (inetd-entry-socket-type entry)
531 ((or 'stream 'dgram 'raw 'rdm 'seqpacket)
532 (symbol->string (inetd-entry-socket-type entry)))))
533 (protocol (inetd-entry-protocol entry))
534 (wait (if (inetd-entry-wait? entry) "wait" "nowait"))
535 (user (inetd-entry-user entry))
536 (program (inetd-entry-program entry))
537 (args (inetd-entry-arguments entry)))
540 (list #$@(list socket type protocol wait user program) #$@args)
544 (define inetd-shepherd-service
546 (($ <inetd-configuration> program ()) '()) ; empty list of entries -> do nothing
547 (($ <inetd-configuration> program entries)
550 (documentation "Run inetd.")
552 (requirement '(user-processes networking syslogd))
553 (start #~(make-forkexec-constructor
554 (list #$program #$(inetd-config-file entries))
555 #:pid-file "/var/run/inetd.pid"))
556 (stop #~(make-kill-destructor)))))))
558 (define-public inetd-service-type
562 (list (service-extension shepherd-root-service-type
563 inetd-shepherd-service)))
565 ;; The service can be extended with additional lists of entries.
566 (compose concatenate)
567 (extend (lambda (config entries)
570 (entries (append (inetd-configuration-entries config)
573 "Start @command{inetd}, the @dfn{Internet superserver}. It is responsible
574 for listening on Internet sockets and spawning the corresponding services on
582 (define-record-type* <tor-configuration>
583 tor-configuration make-tor-configuration
585 (tor tor-configuration-tor
587 (config-file tor-configuration-config-file
588 (default (plain-file "empty" "")))
589 (hidden-services tor-configuration-hidden-services
591 (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
594 (define %tor-accounts
595 ;; User account and groups for Tor.
596 (list (user-group (name "tor") (system? #t))
601 (comment "Tor daemon user")
602 (home-directory "/var/empty")
603 (shell (file-append shadow "/sbin/nologin")))))
605 (define-record-type <hidden-service>
606 (hidden-service name mapping)
608 (name hidden-service-name) ;string
609 (mapping hidden-service-mapping)) ;list of port/address tuples
611 (define (tor-configuration->torrc config)
612 "Return a 'torrc' file for CONFIG."
614 (($ <tor-configuration> tor config-file services socks-socket-type)
617 (with-imported-modules '((guix build utils))
619 (use-modules (guix build utils)
622 (call-with-output-file #$output
625 ### These lines were generated from your system configuration:
627 DataDirectory /var/lib/tor
628 PidFile /var/run/tor/tor.pid
629 Log notice syslog\n" port)
630 (when (eq? 'unix '#$socks-socket-type)
632 SocksPort unix:/var/run/tor/socks-sock
633 UnixSocksGroupWritable 1\n" port))
635 (for-each (match-lambda
636 ((service (ports hosts) ...)
638 HiddenServiceDir /var/lib/tor/hidden-services/~a~%"
640 (for-each (lambda (tcp-port host)
642 HiddenServicePort ~a ~a~%"
645 '#$(map (match-lambda
646 (($ <hidden-service> name mapping)
647 (cons name mapping)))
651 ### End of automatically generated lines.\n\n" port)
653 ;; Append the user's config file.
654 (call-with-input-file #$config-file
656 (dump-port input port)))
659 (define (tor-shepherd-service config)
660 "Return a <shepherd-service> running Tor."
662 (($ <tor-configuration> tor)
663 (let ((torrc (tor-configuration->torrc config)))
664 (with-imported-modules (source-module-closure
665 '((gnu build shepherd)
666 (gnu system file-systems)))
667 (list (shepherd-service
670 ;; Tor needs at least one network interface to be up, hence the
671 ;; dependency on 'loopback'.
672 (requirement '(user-processes loopback syslogd))
674 (modules '((gnu build shepherd)
675 (gnu system file-systems)))
677 (start #~(make-forkexec-constructor/container
678 (list #$(file-append tor "/bin/tor") "-f" #$torrc)
680 #:mappings (list (file-system-mapping
681 (source "/var/lib/tor")
685 (source "/dev/log") ;for syslog
688 (source "/var/run/tor")
691 #:pid-file "/var/run/tor/tor.pid"))
692 (stop #~(make-kill-destructor))
693 (documentation "Run the Tor anonymous network overlay."))))))))
695 (define (tor-activation config)
696 "Set up directories for Tor and its hidden services, if any."
698 (use-modules (guix build utils))
703 (define (initialize service)
704 (let ((directory (string-append "/var/lib/tor/hidden-services/"
707 (chown directory (passwd:uid %user) (passwd:gid %user))
709 ;; The daemon bails out if we give wider permissions.
710 (chmod directory #o700)))
712 ;; Allow Tor to write its PID file.
713 (mkdir-p "/var/run/tor")
714 (chown "/var/run/tor" (passwd:uid %user) (passwd:gid %user))
715 ;; Set the group permissions to rw so that if the system administrator
716 ;; has specified UnixSocksGroupWritable=1 in their torrc file, members
717 ;; of the "tor" group will be able to use the SOCKS socket.
718 (chmod "/var/run/tor" #o750)
720 ;; Allow Tor to access the hidden services' directories.
721 (mkdir-p "/var/lib/tor")
722 (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))
723 (chmod "/var/lib/tor" #o700)
725 ;; Make sure /var/lib is accessible to the 'tor' user.
726 (chmod "/var/lib" #o755)
729 '#$(map hidden-service-name
730 (tor-configuration-hidden-services config)))))
732 (define tor-service-type
733 (service-type (name 'tor)
735 (list (service-extension shepherd-root-service-type
736 tor-shepherd-service)
737 (service-extension account-service-type
738 (const %tor-accounts))
739 (service-extension activation-service-type
742 ;; This can be extended with hidden services.
743 (compose concatenate)
744 (extend (lambda (config services)
748 (append (tor-configuration-hidden-services config)
750 (default-value (tor-configuration))
752 "Run the @uref{https://torproject.org, Tor} anonymous
753 networking daemon.")))
755 (define* (tor-service #:optional
756 (config-file (plain-file "empty" ""))
758 "Return a service to run the @uref{https://torproject.org, Tor} anonymous
761 The daemon runs as the @code{tor} unprivileged user. It is passed
762 @var{config-file}, a file-like object, with an additional @code{User tor} line
763 and lines for hidden services added via @code{tor-hidden-service}. Run
764 @command{man tor} for information about the configuration file."
765 (service tor-service-type
766 (tor-configuration (tor tor)
767 (config-file config-file))))
769 (define tor-hidden-service-type
770 ;; A type that extends Tor with hidden services.
771 (service-type (name 'tor-hidden-service)
773 (list (service-extension tor-service-type list)))
775 "Define a new Tor @dfn{hidden service}.")))
777 (define (tor-hidden-service name mapping)
778 "Define a new Tor @dfn{hidden service} called @var{name} and implementing
779 @var{mapping}. @var{mapping} is a list of port/host tuples, such as:
782 '((22 \"127.0.0.1:22\")
783 (80 \"127.0.0.1:8080\"))
786 In this example, port 22 of the hidden service is mapped to local port 22, and
787 port 80 is mapped to local port 8080.
789 This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
790 the @file{hostname} file contains the @code{.onion} host name for the hidden
793 See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
794 project's documentation} for more information."
795 (service tor-hidden-service-type
796 (hidden-service name mapping)))
803 (define %wicd-activation
804 ;; Activation gexp for Wicd.
806 (use-modules (guix build utils))
808 (mkdir-p "/etc/wicd")
809 (let ((file-name "/etc/wicd/dhclient.conf.template.default"))
810 (unless (file-exists? file-name)
811 (copy-file (string-append #$wicd file-name)
814 ;; Wicd invokes 'wpa_supplicant', which needs this directory for its
815 ;; named socket files.
816 (mkdir-p "/var/run/wpa_supplicant")
817 (chmod "/var/run/wpa_supplicant" #o750)))
819 (define (wicd-shepherd-service wicd)
820 "Return a shepherd service for WICD."
821 (list (shepherd-service
822 (documentation "Run the Wicd network manager.")
823 (provision '(networking))
824 (requirement '(user-processes dbus-system loopback))
825 (start #~(make-forkexec-constructor
826 (list (string-append #$wicd "/sbin/wicd")
828 (stop #~(make-kill-destructor)))))
830 (define wicd-service-type
831 (service-type (name 'wicd)
833 (list (service-extension shepherd-root-service-type
834 wicd-shepherd-service)
835 (service-extension dbus-root-service-type
837 (service-extension activation-service-type
838 (const %wicd-activation))
840 ;; Add Wicd to the global profile.
841 (service-extension profile-service-type list)))
843 "Run @url{https://launchpad.net/wicd,Wicd}, a network
844 management daemon that aims to simplify wired and wireless networking.")))
846 (define* (wicd-service #:key (wicd wicd))
847 "Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
848 management daemon that aims to simplify wired and wireless networking.
850 This service adds the @var{wicd} package to the global profile, providing
851 several commands to interact with the daemon and configure networking:
852 @command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
853 and @command{wicd-curses} user interfaces."
854 (service wicd-service-type wicd))
861 (define-record-type* <modem-manager-configuration>
862 modem-manager-configuration make-modem-manager-configuration
863 modem-manager-configuration?
864 (modem-manager modem-manager-configuration-modem-manager
865 (default modem-manager)))
872 (define-record-type* <network-manager-configuration>
873 network-manager-configuration make-network-manager-configuration
874 network-manager-configuration?
875 (network-manager network-manager-configuration-network-manager
876 (default network-manager))
877 (dns network-manager-configuration-dns
879 (vpn-plugins network-manager-vpn-plugins ;list of <package>
882 (define %network-manager-activation
883 ;; Activation gexp for NetworkManager.
885 (use-modules (guix build utils))
886 (mkdir-p "/etc/NetworkManager/system-connections")))
888 (define (vpn-plugin-directory plugins)
889 "Return a directory containing PLUGINS, the NM VPN plugins."
890 (directory-union "network-manager-vpn-plugins" plugins))
892 (define network-manager-environment
894 (($ <network-manager-configuration> network-manager dns vpn-plugins)
895 ;; Define this variable in the global environment such that
896 ;; "nmcli connection import type openvpn file foo.ovpn" works.
897 `(("NM_VPN_PLUGIN_DIR"
898 . ,(file-append (vpn-plugin-directory vpn-plugins)
899 "/lib/NetworkManager/VPN"))))))
901 (define network-manager-shepherd-service
903 (($ <network-manager-configuration> network-manager dns vpn-plugins)
904 (let ((conf (plain-file "NetworkManager.conf"
905 (string-append "[main]\ndns=" dns "\n")))
906 (vpn (vpn-plugin-directory vpn-plugins)))
907 (list (shepherd-service
908 (documentation "Run the NetworkManager.")
909 (provision '(networking))
910 (requirement '(user-processes dbus-system wpa-supplicant loopback))
911 (start #~(make-forkexec-constructor
912 (list (string-append #$network-manager
913 "/sbin/NetworkManager")
914 (string-append "--config=" #$conf)
916 #:environment-variables
917 (list (string-append "NM_VPN_PLUGIN_DIR=" #$vpn
918 "/lib/NetworkManager/VPN"))))
919 (stop #~(make-kill-destructor))))))))
921 (define network-manager-service-type
925 (($ <network-manager-configuration> network-manager)
926 (list network-manager)))))
929 (name 'network-manager)
931 (list (service-extension shepherd-root-service-type
932 network-manager-shepherd-service)
933 (service-extension dbus-root-service-type config->package)
934 (service-extension polkit-service-type config->package)
935 (service-extension activation-service-type
936 (const %network-manager-activation))
937 (service-extension session-environment-service-type
938 network-manager-environment)
939 ;; Add network-manager to the system profile.
940 (service-extension profile-service-type config->package)))
941 (default-value (network-manager-configuration))
943 "Run @uref{https://wiki.gnome.org/Projects/NetworkManager,
944 NetworkManager}, a network management daemon that aims to simplify wired and
945 wireless networking."))))
952 (define-record-type* <connman-configuration>
953 connman-configuration make-connman-configuration
954 connman-configuration?
955 (connman connman-configuration-connman
957 (disable-vpn? connman-configuration-disable-vpn?
960 (define (connman-activation config)
961 (let ((disable-vpn? (connman-configuration-disable-vpn? config)))
962 (with-imported-modules '((guix build utils))
964 (use-modules (guix build utils))
965 (mkdir-p "/var/lib/connman/")
966 (unless #$disable-vpn?
967 (mkdir-p "/var/lib/connman-vpn/"))))))
969 (define (connman-shepherd-service config)
970 "Return a shepherd service for Connman"
972 (connman-configuration? config)
973 (let ((connman (connman-configuration-connman config))
974 (disable-vpn? (connman-configuration-disable-vpn? config)))
975 (list (shepherd-service
976 (documentation "Run Connman")
977 (provision '(networking))
979 '(user-processes dbus-system loopback wpa-supplicant))
980 (start #~(make-forkexec-constructor
981 (list (string-append #$connman
984 #$@(if disable-vpn? '("--noplugin=vpn") '()))))
985 (stop #~(make-kill-destructor)))))))
987 (define connman-service-type
988 (let ((connman-package (compose list connman-configuration-connman)))
989 (service-type (name 'connman)
991 (list (service-extension shepherd-root-service-type
992 connman-shepherd-service)
993 (service-extension polkit-service-type
995 (service-extension dbus-root-service-type
997 (service-extension activation-service-type
999 ;; Add connman to the system profile.
1000 (service-extension profile-service-type
1002 (default-value (connman-configuration))
1004 "Run @url{https://01.org/connman,Connman},
1005 a network connection manager."))))
1012 (define modem-manager-service-type
1013 (let ((config->package
1015 (($ <modem-manager-configuration> modem-manager)
1016 (list modem-manager)))))
1017 (service-type (name 'modem-manager)
1019 (list (service-extension dbus-root-service-type
1021 (service-extension udev-service-type
1023 (service-extension polkit-service-type
1025 (default-value (modem-manager-configuration))
1027 "Run @uref{https://wiki.gnome.org/Projects/ModemManager,
1028 ModemManager}, a modem management daemon that aims to simplify dialup
1036 (define-record-type* <wpa-supplicant-configuration>
1037 wpa-supplicant-configuration make-wpa-supplicant-configuration
1038 wpa-supplicant-configuration?
1039 (wpa-supplicant wpa-supplicant-configuration-wpa-supplicant ;<package>
1040 (default wpa-supplicant))
1041 (pid-file wpa-supplicant-configuration-pid-file ;string
1042 (default "/var/run/wpa_supplicant.pid"))
1043 (dbus? wpa-supplicant-configuration-dbus? ;Boolean
1045 (interface wpa-supplicant-configuration-interface ;#f | string
1047 (config-file wpa-supplicant-configuration-config-file ;#f | <file-like>
1049 (extra-options wpa-supplicant-configuration-extra-options ;list of strings
1052 (define wpa-supplicant-shepherd-service
1054 (($ <wpa-supplicant-configuration> wpa-supplicant pid-file dbus? interface
1055 config-file extra-options)
1056 (list (shepherd-service
1057 (documentation "Run the WPA supplicant daemon")
1058 (provision '(wpa-supplicant))
1059 (requirement '(user-processes dbus-system loopback))
1060 (start #~(make-forkexec-constructor
1061 (list (string-append #$wpa-supplicant
1062 "/sbin/wpa_supplicant")
1063 (string-append "-P" #$pid-file)
1064 "-B" ;run in background
1069 #~((string-append "-i" #$interface))
1072 #~((string-append "-c" #$config-file))
1075 #:pid-file #$pid-file))
1076 (stop #~(make-kill-destructor)))))))
1078 (define wpa-supplicant-service-type
1079 (let ((config->package
1081 (($ <wpa-supplicant-configuration> wpa-supplicant)
1082 (list wpa-supplicant)))))
1083 (service-type (name 'wpa-supplicant)
1085 (list (service-extension shepherd-root-service-type
1086 wpa-supplicant-shepherd-service)
1087 (service-extension dbus-root-service-type config->package)
1088 (service-extension profile-service-type config->package)))
1089 (description "Run the WPA Supplicant daemon, a service that
1090 implements authentication, key negotiation and more for wireless networks.")
1091 (default-value (wpa-supplicant-configuration)))))
1098 (define-record-type* <openvswitch-configuration>
1099 openvswitch-configuration make-openvswitch-configuration
1100 openvswitch-configuration?
1101 (package openvswitch-configuration-package
1102 (default openvswitch)))
1104 (define openvswitch-activation
1106 (($ <openvswitch-configuration> package)
1107 (let ((ovsdb-tool (file-append package "/bin/ovsdb-tool")))
1108 (with-imported-modules '((guix build utils))
1110 (use-modules (guix build utils))
1111 (mkdir-p "/var/run/openvswitch")
1112 (mkdir-p "/var/lib/openvswitch")
1113 (let ((conf.db "/var/lib/openvswitch/conf.db"))
1114 (unless (file-exists? conf.db)
1115 (system* #$ovsdb-tool "create" conf.db)))))))))
1117 (define openvswitch-shepherd-service
1119 (($ <openvswitch-configuration> package)
1120 (let ((ovsdb-server (file-append package "/sbin/ovsdb-server"))
1121 (ovs-vswitchd (file-append package "/sbin/ovs-vswitchd")))
1124 (provision '(ovsdb))
1125 (documentation "Run the Open vSwitch database server.")
1126 (start #~(make-forkexec-constructor
1127 (list #$ovsdb-server "--pidfile"
1128 "--remote=punix:/var/run/openvswitch/db.sock")
1129 #:pid-file "/var/run/openvswitch/ovsdb-server.pid"))
1130 (stop #~(make-kill-destructor)))
1132 (provision '(vswitchd))
1133 (requirement '(ovsdb))
1134 (documentation "Run the Open vSwitch daemon.")
1135 (start #~(make-forkexec-constructor
1136 (list #$ovs-vswitchd "--pidfile")
1137 #:pid-file "/var/run/openvswitch/ovs-vswitchd.pid"))
1138 (stop #~(make-kill-destructor))))))))
1140 (define openvswitch-service-type
1144 (list (service-extension activation-service-type
1145 openvswitch-activation)
1146 (service-extension profile-service-type
1147 (compose list openvswitch-configuration-package))
1148 (service-extension shepherd-root-service-type
1149 openvswitch-shepherd-service)))
1151 "Run @uref{http://www.openvswitch.org, Open vSwitch}, a multilayer virtual
1152 switch designed to enable massive network automation through programmatic
1159 (define %iptables-accept-all-rules
1160 (plain-file "iptables-accept-all.rules"
1168 (define-record-type* <iptables-configuration>
1169 iptables-configuration make-iptables-configuration iptables-configuration?
1170 (iptables iptables-configuration-iptables
1172 (ipv4-rules iptables-configuration-ipv4-rules
1173 (default %iptables-accept-all-rules))
1174 (ipv6-rules iptables-configuration-ipv6-rules
1175 (default %iptables-accept-all-rules)))
1177 (define iptables-shepherd-service
1179 (($ <iptables-configuration> iptables ipv4-rules ipv6-rules)
1180 (let ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
1181 (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore")))
1183 (documentation "Packet filtering framework")
1184 (provision '(iptables))
1186 (invoke #$iptables-restore #$ipv4-rules)
1187 (invoke #$ip6tables-restore #$ipv6-rules)))
1189 (invoke #$iptables-restore #$%iptables-accept-all-rules)
1190 (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
1192 (define iptables-service-type
1196 "Run @command{iptables-restore}, setting up the specified rules.")
1198 (list (service-extension shepherd-root-service-type
1199 (compose list iptables-shepherd-service))))))
1201 ;;; networking.scm ends here