1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2015, 2016 Alex Kost <alezost@gmail.com>
4 ;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
5 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
6 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
7 ;;; Copyright © 2016 David Craven <david@craven.ch>
8 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
10 ;;; This file is part of GNU Guix.
12 ;;; GNU Guix is free software; you can redistribute it and/or modify it
13 ;;; under the terms of the GNU General Public License as published by
14 ;;; the Free Software Foundation; either version 3 of the License, or (at
15 ;;; your option) any later version.
17 ;;; GNU Guix is distributed in the hope that it will be useful, but
18 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
19 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 ;;; GNU General Public License for more details.
22 ;;; You should have received a copy of the GNU General Public License
23 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
25 (define-module (gnu services base)
26 #:use-module (guix store)
27 #:use-module (gnu services)
28 #:use-module (gnu services shepherd)
29 #:use-module (gnu services networking)
30 #:use-module (gnu system pam)
31 #:use-module (gnu system shadow) ; 'user-account', etc.
32 #:use-module (gnu system file-systems) ; 'file-system', etc.
33 #:use-module (gnu system mapped-devices)
34 #:use-module (gnu packages admin)
35 #:use-module ((gnu packages linux)
36 #:select (alsa-utils crda eudev e2fsprogs fuse gpm kbd lvm2 rng-tools))
37 #:use-module ((gnu packages base)
38 #:select (canonical-package glibc))
39 #:use-module (gnu packages package-management)
40 #:use-module (gnu packages lsof)
41 #:use-module (gnu packages terminals)
42 #:use-module ((gnu build file-systems)
43 #:select (mount-flags->bit-mask))
44 #:use-module (guix gexp)
45 #:use-module (guix records)
46 #:use-module (srfi srfi-1)
47 #:use-module (srfi srfi-26)
48 #:use-module (ice-9 match)
49 #:use-module (ice-9 format)
50 #:export (fstab-service-type
51 root-file-system-service
52 file-system-service-type
55 user-processes-service
56 session-environment-service
57 session-environment-service-type
59 console-keymap-service
61 console-font-service-type
66 udev-configuration-rules
76 mingetty-configuration
77 mingetty-configuration?
82 %nscd-default-configuration
99 %default-authorized-guix-keys
103 guix-configuration-guix
104 guix-configuration-build-group
105 guix-configuration-build-accounts
106 guix-configuration-authorize-key?
107 guix-configuration-authorized-keys
108 guix-configuration-use-substitutes?
109 guix-configuration-substitute-urls
110 guix-configuration-extra-options
111 guix-configuration-log-file
112 guix-configuration-lsof
116 guix-publish-configuration
117 guix-publish-configuration?
119 guix-publish-service-type
126 urandom-seed-service-type
135 kmscon-configuration?
138 pam-limits-service-type
145 ;;; Base system services---i.e., services that 99% of the users will want to
155 (define (file-system->fstab-entry file-system)
156 "Return a @file{/etc/fstab} entry for @var{file-system}."
157 (string-append (case (file-system-title file-system)
159 (string-append "LABEL=" (file-system-device file-system)))
163 (uuid->string (file-system-device file-system))))
165 (file-system-device file-system)))
167 (file-system-mount-point file-system) "\t"
168 (file-system-type file-system) "\t"
169 (or (file-system-options file-system) "defaults") "\t"
171 ;; XXX: Omit the 'fs_freq' and 'fs_passno' fields because we
172 ;; don't have anything sensible to put in there.
175 (define (file-systems->fstab file-systems)
176 "Return a @file{/etc} entry for an @file{fstab} describing
178 `(("fstab" ,(plain-file "fstab"
181 # This file was generated from your GuixSD configuration. Any changes
182 # will be lost upon reboot or reconfiguration.\n\n"
183 (string-join (map file-system->fstab-entry
188 (define fstab-service-type
189 ;; The /etc/fstab service.
190 (service-type (name 'fstab)
192 (list (service-extension etc-service-type
193 file-systems->fstab)))
194 (compose concatenate)
197 (define %root-file-system-shepherd-service
199 (documentation "Take care of the root file system.")
200 (provision '(root-file-system))
203 ;; Return #f if successfully stopped.
206 (call-with-blocked-asyncs
208 (let ((null (%make-void-port "w")))
209 ;; Close 'shepherd.log'.
210 (display "closing log\n")
211 ((@ (shepherd comm) stop-logging))
213 ;; Redirect the default output ports..
214 (set-current-output-port null)
215 (set-current-error-port null)
217 ;; Close /dev/console.
218 (for-each close-fdes '(0 1 2))
220 ;; At this point, there are no open files left, so the
221 ;; root file system can be re-mounted read-only.
223 (logior MS_REMOUNT MS_RDONLY)
229 (define root-file-system-service-type
230 (shepherd-service-type 'root-file-system
231 (const %root-file-system-shepherd-service)))
233 (define (root-file-system-service)
234 "Return a service whose sole purpose is to re-mount read-only the root file
235 system upon shutdown (aka. cleanly \"umounting\" root.)
237 This service must be the root of the service dependency graph so that its
238 'stop' action is invoked when shepherd is the only process left."
239 (service root-file-system-service-type #f))
241 (define (file-system->shepherd-service-name file-system)
242 "Return the symbol that denotes the service mounting and unmounting
244 (symbol-append 'file-system-
245 (string->symbol (file-system-mount-point file-system))))
247 (define (mapped-device->shepherd-service-name md)
248 "Return the symbol that denotes the shepherd service of MD, a <mapped-device>."
249 (symbol-append 'device-mapping-
250 (string->symbol (mapped-device-target md))))
252 (define dependency->shepherd-service-name
254 ((? mapped-device? md)
255 (mapped-device->shepherd-service-name md))
257 (file-system->shepherd-service-name fs))))
259 (define (file-system-shepherd-service file-system)
260 "Return the shepherd service for @var{file-system}, or @code{#f} if
261 @var{file-system} is not auto-mounted upon boot."
262 (let ((target (file-system-mount-point file-system))
263 (device (file-system-device file-system))
264 (type (file-system-type file-system))
265 (title (file-system-title file-system))
266 (flags (file-system-flags file-system))
267 (options (file-system-options file-system))
268 (check? (file-system-check? file-system))
269 (create? (file-system-create-mount-point? file-system))
270 (dependencies (file-system-dependencies file-system)))
271 (and (file-system-mount? file-system)
272 (with-imported-modules '((gnu build file-systems)
273 (guix build bournish))
275 (provision (list (file-system->shepherd-service-name file-system)))
276 (requirement `(root-file-system
277 ,@(map dependency->shepherd-service-name dependencies)))
278 (documentation "Check, mount, and unmount the given file system.")
279 (start #~(lambda args
284 (let (($PATH (getenv "PATH")))
285 ;; Make sure fsck.ext2 & co. can be found.
291 "/run/current-system/profile/sbin:"
295 `(#$device #$title #$target #$type #$flags
299 (setenv "PATH" $PATH)))
302 ;; Normally there are no processes left at this point, so
303 ;; TARGET can be safely unmounted.
305 ;; Make sure PID 1 doesn't keep TARGET busy.
311 ;; We need an additional module.
312 (modules `(((gnu build file-systems)
313 #:select (mount-file-system))
314 ,@%default-modules)))))))
316 (define (file-system-shepherd-services file-systems)
317 "Return the list of Shepherd services for FILE-SYSTEMS."
318 (let* ((file-systems (filter file-system-mount? file-systems)))
321 (provision '(file-systems))
322 (requirement (cons* 'root-file-system 'user-file-systems
323 (map file-system->shepherd-service-name
325 (documentation "Target for all the initially-mounted file systems")
327 (stop #~(const #f))))
329 (cons sink (map file-system-shepherd-service file-systems))))
331 (define file-system-service-type
332 (service-type (name 'file-systems)
334 (list (service-extension shepherd-root-service-type
335 file-system-shepherd-services)
336 (service-extension fstab-service-type
338 (compose concatenate)
341 (define user-unmount-service-type
342 (shepherd-service-type
344 (lambda (known-mount-points)
346 (documentation "Unmount manually-mounted file systems.")
347 (provision '(user-file-systems))
350 (define (known? mount-point)
352 (cons* "/proc" "/sys" '#$known-mount-points)))
354 ;; Make sure we don't keep the user's mount points busy.
357 (for-each (lambda (mount-point)
358 (format #t "unmounting '~a'...~%" mount-point)
361 (umount mount-point))
363 (let ((errno (system-error-errno args)))
364 (format #t "failed to unmount '~a': ~a~%"
365 mount-point (strerror errno))))))
366 (filter (negate known?) (mount-points)))
369 (define (user-unmount-service known-mount-points)
370 "Return a service whose sole purpose is to unmount file systems not listed
371 in KNOWN-MOUNT-POINTS when it is stopped."
372 (service user-unmount-service-type known-mount-points))
374 (define %do-not-kill-file
375 ;; Name of the file listing PIDs of processes that must survive when halting
376 ;; the system. Typical example is user-space file systems.
377 "/etc/shepherd/do-not-kill")
379 (define user-processes-service-type
380 (shepherd-service-type
382 (lambda (grace-delay)
384 (documentation "When stopped, terminate all user processes.")
385 (provision '(user-processes))
386 (requirement '(file-systems))
389 (define (kill-except omit signal)
390 ;; Kill all the processes with SIGNAL except those listed
391 ;; in OMIT and the current process.
392 (let ((omit (cons (getpid) omit)))
393 (for-each (lambda (pid)
394 (unless (memv pid omit)
400 ;; List of PIDs that must not be killed.
401 (if (file-exists? #$%do-not-kill-file)
403 (call-with-input-file #$%do-not-kill-file
404 (compose string-tokenize
405 (@ (ice-9 rdelim) read-string))))
409 (car (gettimeofday)))
412 ;; Really sleep N seconds.
413 ;; Work around <http://bugs.gnu.org/19581>.
415 (let loop ((elapsed 0))
417 (sleep (- n elapsed))
418 (loop (- (now) start)))))
420 (define lset= (@ (srfi srfi-1) lset=))
422 (display "sending all processes the TERM signal\n")
424 (if (null? omitted-pids)
426 ;; Easy: terminate all of them.
428 (sleep* #$grace-delay)
431 ;; Kill them all except OMITTED-PIDS. XXX: We would
432 ;; like to (kill -1 SIGSTOP) to get a fixed list of
433 ;; processes, like 'killall5' does, but that seems
435 (kill-except omitted-pids SIGTERM)
436 (sleep* #$grace-delay)
437 (kill-except omitted-pids SIGKILL)
438 (delete-file #$%do-not-kill-file)))
441 (let ((pids (processes)))
442 (unless (lset= = pids (cons 1 omitted-pids))
443 (format #t "waiting for process termination\
444 (processes left: ~s)~%"
449 (display "all processes have been terminated\n")
453 (define* (user-processes-service #:key (grace-delay 4))
454 "Return the service that is responsible for terminating all the processes so
455 that the root file system can be re-mounted read-only, just before
456 rebooting/halting. Processes still running GRACE-DELAY seconds after SIGTERM
457 has been sent are terminated with SIGKILL.
459 The returned service will depend on 'file-systems', meaning that it is
460 considered started after all the auto-mount file systems have been mounted.
462 All the services that spawn processes must depend on this one so that they are
463 stopped before 'kill' is called."
464 (service user-processes-service-type grace-delay))
468 ;;; Preserve entropy to seed /dev/urandom on boot.
471 (define %random-seed-file
472 "/var/lib/random-seed")
474 (define (urandom-seed-shepherd-service _)
475 "Return a shepherd service for the /dev/urandom seed."
476 (list (shepherd-service
477 (documentation "Preserve entropy across reboots for /dev/urandom.")
478 (provision '(urandom-seed))
479 (requirement '(user-processes))
481 ;; On boot, write random seed into /dev/urandom.
482 (when (file-exists? #$%random-seed-file)
483 (call-with-input-file #$%random-seed-file
485 (call-with-output-file "/dev/urandom"
487 (dump-port seed urandom))))))
488 ;; Immediately refresh the seed in case the system doesn't
489 ;; shut down cleanly.
490 (call-with-input-file "/dev/urandom"
492 (let ((previous-umask (umask #o077))
493 (buf (make-bytevector 512)))
494 (mkdir-p (dirname #$%random-seed-file))
495 (get-bytevector-n! urandom buf 0 512)
496 (call-with-output-file #$%random-seed-file
498 (put-bytevector seed buf)))
499 (umask previous-umask))))
502 ;; During shutdown, write from /dev/urandom into random seed.
503 (let ((buf (make-bytevector 512)))
504 (call-with-input-file "/dev/urandom"
506 (let ((previous-umask (umask #o077)))
507 (get-bytevector-n! urandom buf 0 512)
508 (mkdir-p (dirname #$%random-seed-file))
509 (call-with-output-file #$%random-seed-file
511 (put-bytevector seed buf)))
512 (umask previous-umask))
514 (modules `((rnrs bytevectors)
516 ,@%default-modules)))))
518 (define urandom-seed-service-type
519 (service-type (name 'urandom-seed)
521 (list (service-extension shepherd-root-service-type
522 urandom-seed-shepherd-service)))))
524 (define (urandom-seed-service)
525 (service urandom-seed-service-type #f))
529 ;;; Add hardware random number generator to entropy pool.
532 (define-record-type* <rngd-configuration>
533 rngd-configuration make-rngd-configuration
535 (rng-tools rngd-configuration-rng-tools) ;package
536 (device rngd-configuration-device)) ;string
538 (define rngd-service-type
539 (shepherd-service-type
542 (define rng-tools (rngd-configuration-rng-tools config))
543 (define device (rngd-configuration-device config))
546 (list (file-append rng-tools "/sbin/rngd")
550 (documentation "Add TRNG to entropy pool.")
551 (requirement '(udev))
553 (start #~(make-forkexec-constructor #$@rngd-command))
554 (stop #~(make-kill-destructor))))))
556 (define* (rngd-service #:key
557 (rng-tools rng-tools)
558 (device "/dev/hwrng"))
559 "Return a service that runs the @command{rngd} program from @var{rng-tools}
560 to add @var{device} to the kernel's entropy pool. The service will fail if
561 @var{device} does not exist."
562 (service rngd-service-type
564 (rng-tools rng-tools)
569 ;;; System-wide environment variables.
572 (define (environment-variables->environment-file vars)
573 "Return a file for pam_env(8) that contains environment variables VARS."
574 (apply mixed-text-file "environment"
575 (append-map (match-lambda
577 (list key "=" value "\n")))
580 (define session-environment-service-type
582 (name 'session-environment)
584 (list (service-extension
587 (list `("environment"
588 ,(environment-variables->environment-file vars)))))))
589 (compose concatenate)
592 (define (session-environment-service vars)
593 "Return a service that builds the @file{/etc/environment}, which can be read
594 by PAM-aware applications to set environment variables for sessions.
596 VARS should be an association list in which both the keys and the values are
597 strings or string-valued gexps."
598 (service session-environment-service-type vars))
605 (define host-name-service-type
606 (shepherd-service-type
610 (documentation "Initialize the machine's host name.")
611 (provision '(host-name))
613 (sethostname #$name)))
616 (define (host-name-service name)
617 "Return a service that sets the host name to @var{name}."
618 (service host-name-service-type name))
620 (define (unicode-start tty)
621 "Return a gexp to start Unicode support on @var{tty}."
623 ;; We have to run 'unicode_start' in a pipe so that when it invokes the
624 ;; 'tty' command, that command returns TTY.
626 (let ((pid (primitive-fork)))
630 (dup2 (open-fdes #$tty O_RDONLY) 0)
632 (dup2 (open-fdes #$tty O_WRONLY) 1)
633 (execl #$(file-append kbd "/bin/unicode_start")
636 (zero? (cdr (waitpid pid))))))))
638 (define console-keymap-service-type
639 (shepherd-service-type
643 (documentation (string-append "Load console keymap (loadkeys)."))
644 (provision '(console-keymap))
646 (zero? (system* #$(file-append kbd "/bin/loadkeys")
650 (define (console-keymap-service . files)
651 "Return a service to load console keymaps from @var{files}."
652 (service console-keymap-service-type files))
654 (define %default-console-font
655 ;; Note: 'LatGrkCyr-8x16' has the advantage of providing three common
656 ;; scripts as well as glyphs for em dash, quotation marks, and other Unicode
657 ;; codepoints notably found in the UTF-8 manual.
660 (define (console-font-shepherd-services tty+font)
661 "Return a list of Shepherd services for each pair in TTY+FONT."
664 (let ((device (string-append "/dev/" tty)))
666 (documentation "Load a Unicode console font.")
667 (provision (list (symbol-append 'console-font-
668 (string->symbol tty))))
670 ;; Start after mingetty has been started on TTY, otherwise the settings
672 (requirement (list (symbol-append 'term-
673 (string->symbol tty))))
676 (and #$(unicode-start device)
678 (system* #$(file-append kbd "/bin/setfont")
679 "-C" #$device #$font)))))
684 (define console-font-service-type
685 (service-type (name 'console-fonts)
687 (list (service-extension shepherd-root-service-type
688 console-font-shepherd-services)))
689 (compose concatenate)
692 (define* (console-font-service tty #:optional (font "LatGrkCyr-8x16"))
693 "This procedure is deprecated in favor of @code{console-font-service-type}.
695 Return a service that sets up Unicode support in @var{tty} and loads
696 @var{font} for that tty (fonts are per virtual console in Linux.)"
697 (simple-service (symbol-append 'console-font- (string->symbol tty))
698 console-font-service-type `((,tty . ,font))))
700 (define %default-motd
701 (plain-file "motd" "This is the GNU operating system, welcome!\n\n"))
703 (define-record-type* <login-configuration>
704 login-configuration make-login-configuration
706 (motd login-configuration-motd ;file-like
707 (default %default-motd))
708 ;; Allow empty passwords by default so that first-time users can log in when
709 ;; the 'root' account has just been created.
710 (allow-empty-passwords? login-configuration-allow-empty-passwords?
711 (default #t))) ;Boolean
713 (define (login-pam-service config)
714 "Return the list of PAM service needed for CONF."
715 ;; Let 'login' be known to PAM.
716 (list (unix-pam-service "login"
717 #:allow-empty-passwords?
718 (login-configuration-allow-empty-passwords? config)
720 (login-configuration-motd config))))
722 (define login-service-type
723 (service-type (name 'login)
724 (extensions (list (service-extension pam-root-service-type
725 login-pam-service)))))
727 (define* (login-service #:optional (config (login-configuration)))
728 "Return a service configure login according to @var{config}, which specifies
729 the message of the day, among other things."
730 (service login-service-type config))
732 (define-record-type* <mingetty-configuration>
733 mingetty-configuration make-mingetty-configuration
734 mingetty-configuration?
735 (mingetty mingetty-configuration-mingetty ;<package>
737 (tty mingetty-configuration-tty) ;string
738 (auto-login mingetty-auto-login ;string | #f
740 (login-program mingetty-login-program ;gexp
742 (login-pause? mingetty-login-pause? ;Boolean
745 (define mingetty-shepherd-service
747 (($ <mingetty-configuration> mingetty tty auto-login login-program
751 (documentation "Run mingetty on an tty.")
752 (provision (list (symbol-append 'term- (string->symbol tty))))
754 ;; Since the login prompt shows the host name, wait for the 'host-name'
755 ;; service to be done. Also wait for udev essentially so that the tty
756 ;; text is not lost in the middle of kernel messages (XXX).
757 (requirement '(user-processes host-name udev))
759 (start #~(make-forkexec-constructor
760 (list #$(file-append mingetty "/sbin/mingetty")
763 #~("--autologin" #$auto-login)
766 #~("--loginprog" #$login-program)
771 (stop #~(make-kill-destructor)))))))
773 (define mingetty-service-type
774 (service-type (name 'mingetty)
775 (extensions (list (service-extension shepherd-root-service-type
776 mingetty-shepherd-service)))))
778 (define* (mingetty-service config)
779 "Return a service to run mingetty according to @var{config}, which specifies
780 the tty to run, among other things."
781 (service mingetty-service-type config))
783 (define-record-type* <nscd-configuration> nscd-configuration
784 make-nscd-configuration
786 (log-file nscd-configuration-log-file ;string
787 (default "/var/log/nscd.log"))
788 (debug-level nscd-debug-level ;integer
790 ;; TODO: See nscd.conf in glibc for other options to add.
791 (caches nscd-configuration-caches ;list of <nscd-cache>
792 (default %nscd-default-caches))
793 (name-services nscd-configuration-name-services ;list of <packages>
795 (glibc nscd-configuration-glibc ;<package>
796 (default (canonical-package glibc))))
798 (define-record-type* <nscd-cache> nscd-cache make-nscd-cache
800 (database nscd-cache-database) ;symbol
801 (positive-time-to-live nscd-cache-positive-time-to-live) ;integer
802 (negative-time-to-live nscd-cache-negative-time-to-live
803 (default 20)) ;integer
804 (suggested-size nscd-cache-suggested-size ;integer ("default module
807 (check-files? nscd-cache-check-files? ;Boolean
809 (persistent? nscd-cache-persistent? ;Boolean
811 (shared? nscd-cache-shared? ;Boolean
813 (max-database-size nscd-cache-max-database-size ;integer
814 (default (* 32 (expt 2 20))))
815 (auto-propagate? nscd-cache-auto-propagate? ;Boolean
818 (define %nscd-default-caches
819 ;; Caches that we want to enable by default. Note that when providing an
820 ;; empty nscd.conf, all caches are disabled.
821 (list (nscd-cache (database 'hosts)
823 ;; Aggressively cache the host name cache to improve
824 ;; privacy and resilience.
825 (positive-time-to-live (* 3600 12))
826 (negative-time-to-live 20)
829 (nscd-cache (database 'services)
831 ;; Services are unlikely to change, so we can be even more
833 (positive-time-to-live (* 3600 24))
834 (negative-time-to-live 3600)
835 (check-files? #t) ;check /etc/services changes
838 (define %nscd-default-configuration
839 ;; Default nscd configuration.
840 (nscd-configuration))
842 (define (nscd.conf-file config)
843 "Return the @file{nscd.conf} configuration file for @var{config}, an
844 @code{<nscd-configuration>} object."
845 (define cache->config
847 (($ <nscd-cache> (= symbol->string database)
848 positive-ttl negative-ttl size check-files?
849 persistent? shared? max-size propagate?)
850 (string-append "\nenable-cache\t" database "\tyes\n"
852 "positive-time-to-live\t" database "\t"
853 (number->string positive-ttl) "\n"
854 "negative-time-to-live\t" database "\t"
855 (number->string negative-ttl) "\n"
856 "suggested-size\t" database "\t"
857 (number->string size) "\n"
858 "check-files\t" database "\t"
859 (if check-files? "yes\n" "no\n")
860 "persistent\t" database "\t"
861 (if persistent? "yes\n" "no\n")
862 "shared\t" database "\t"
863 (if shared? "yes\n" "no\n")
864 "max-db-size\t" database "\t"
865 (number->string max-size) "\n"
866 "auto-propagate\t" database "\t"
867 (if propagate? "yes\n" "no\n")))))
870 (($ <nscd-configuration> log-file debug-level caches)
871 (plain-file "nscd.conf"
873 # Configuration of libc's name service cache daemon (nscd).\n\n"
875 (string-append "logfile\t" log-file)
879 (string-append "debug-level\t"
880 (number->string debug-level))
884 (map cache->config caches)))))))
886 (define (nscd-shepherd-service config)
887 "Return a shepherd service for CONFIG, an <nscd-configuration> object."
888 (let ((nscd.conf (nscd.conf-file config))
889 (name-services (nscd-configuration-name-services config)))
890 (list (shepherd-service
891 (documentation "Run libc's name service cache daemon (nscd).")
893 (requirement '(user-processes))
894 (start #~(make-forkexec-constructor
895 (list #$(file-append (nscd-configuration-glibc config)
897 "-f" #$nscd.conf "--foreground")
899 ;; Wait for the PID file. However, the PID file is
900 ;; written before nscd is actually listening on its
902 #:pid-file "/var/run/nscd/nscd.pid"
904 #:environment-variables
905 (list (string-append "LD_LIBRARY_PATH="
908 (string-append dir "/lib"))
909 (list #$@name-services))
911 (stop #~(make-kill-destructor))))))
913 (define nscd-activation
914 ;; Actions to take before starting nscd.
916 (use-modules (guix build utils))
917 (mkdir-p "/var/run/nscd")
918 (mkdir-p "/var/db/nscd"))) ;for the persistent cache
920 (define nscd-service-type
921 (service-type (name 'nscd)
923 (list (service-extension activation-service-type
924 (const nscd-activation))
925 (service-extension shepherd-root-service-type
926 nscd-shepherd-service)))
928 ;; This can be extended by providing additional name services
930 (compose concatenate)
931 (extend (lambda (config name-services)
934 (name-services (append
935 (nscd-configuration-name-services config)
938 (define* (nscd-service #:optional (config %nscd-default-configuration))
939 "Return a service that runs libc's name service cache daemon (nscd) with the
940 given @var{config}---an @code{<nscd-configuration>} object. @xref{Name
941 Service Switch}, for an example."
942 (service nscd-service-type config))
945 (define-record-type* <syslog-configuration>
946 syslog-configuration make-syslog-configuration
947 syslog-configuration?
948 (syslogd syslog-configuration-syslogd
949 (default (file-append inetutils "/libexec/syslogd")))
950 (config-file syslog-configuration-config-file
951 (default %default-syslog.conf)))
953 (define syslog-service-type
954 (shepherd-service-type
958 (documentation "Run the syslog daemon (syslogd).")
959 (provision '(syslogd))
960 (requirement '(user-processes))
961 (start #~(make-forkexec-constructor
962 (list #$(syslog-configuration-syslogd config)
963 "--rcfile" #$(syslog-configuration-config-file config))
964 #:pid-file "/var/run/syslog.pid"))
965 (stop #~(make-kill-destructor))))))
967 ;; Snippet adapted from the GNU inetutils manual.
968 (define %default-syslog.conf
969 (plain-file "syslog.conf" "
970 # Log all error messages, authentication messages of
971 # level notice or higher and anything of level err or
972 # higher to the console.
973 # Don't log private authentication messages!
974 *.alert;auth.notice;authpriv.none /dev/console
976 # Log anything (except mail) of level info or higher.
977 # Don't log private authentication messages!
978 *.info;mail.none;authpriv.none /var/log/messages
980 # Same, in a different place.
981 *.info;mail.none;authpriv.none /dev/tty12
983 # The authpriv file has restricted access.
984 authpriv.* /var/log/secure
986 # Log all the mail messages in one place.
987 mail.* /var/log/maillog
990 (define* (syslog-service #:optional (config (syslog-configuration)))
991 "Return a service that runs @command{syslogd} and takes
992 @var{<syslog-configuration>} as a parameter.
994 @xref{syslogd invocation,,, inetutils, GNU Inetutils}, for more
995 information on the configuration file syntax."
996 (service syslog-service-type config))
999 (define pam-limits-service-type
1000 (let ((security-limits
1001 ;; Create /etc/security containing the provided "limits.conf" file.
1002 (lambda (limits-file)
1008 (stat #$limits-file)
1009 (symlink #$limits-file
1010 (string-append #$output "/limits.conf"))))))))
1013 (let ((pam-limits (pam-entry
1014 (control "required")
1015 (module "pam_limits.so")
1016 (arguments '("conf=/etc/security/limits.conf")))))
1017 (if (member (pam-service-name pam)
1018 '("login" "su" "slim"))
1021 (session (cons pam-limits
1022 (pam-service-session pam))))
1027 (list (service-extension etc-service-type security-limits)
1028 (service-extension pam-root-service-type
1029 (lambda _ (list pam-extension))))))))
1031 (define* (pam-limits-service #:optional (limits '()))
1032 "Return a service that makes selected programs respect the list of
1033 pam-limits-entry specified in LIMITS via pam_limits.so."
1034 (service pam-limits-service-type
1035 (plain-file "limits.conf"
1036 (string-join (map pam-limits-entry->string limits)
1044 (define* (guix-build-accounts count #:key
1048 "Return a list of COUNT user accounts for Guix build users, with UIDs
1049 starting at FIRST-UID, and under GID."
1050 (unfold (cut > <> count)
1053 (name (format #f "guixbuilder~2,'0d" n))
1055 (uid (+ first-uid n -1))
1058 ;; guix-daemon expects GROUP to be listed as a
1059 ;; supplementary group too:
1060 ;; <http://lists.gnu.org/archive/html/bug-guix/2013-01/msg00239.html>.
1061 (supplementary-groups (list group "kvm"))
1063 (comment (format #f "Guix Build User ~2d" n))
1064 (home-directory "/var/empty")
1065 (shell (file-append shadow "/sbin/nologin"))))
1069 (define (hydra-key-authorization key guix)
1070 "Return a gexp with code to register KEY, a file containing a 'guix archive'
1071 public key, with GUIX."
1072 #~(unless (file-exists? "/etc/guix/acl")
1073 (let ((pid (primitive-fork)))
1077 (port (open-file key "r0b")))
1078 (format #t "registering public key '~a'...~%" key)
1079 (close-port (current-input-port))
1081 (execl #$(file-append guix "/bin/guix")
1082 "guix" "archive" "--authorize")
1085 (let ((status (cdr (waitpid pid))))
1086 (unless (zero? status)
1087 (format (current-error-port) "warning: \
1088 failed to register hydra.gnu.org public key: ~a~%" status))))))))
1090 (define %default-authorized-guix-keys
1091 ;; List of authorized substitute keys.
1092 (list (file-append guix "/share/guix/hydra.gnu.org.pub")))
1094 (define-record-type* <guix-configuration>
1095 guix-configuration make-guix-configuration
1097 (guix guix-configuration-guix ;<package>
1099 (build-group guix-configuration-build-group ;string
1100 (default "guixbuild"))
1101 (build-accounts guix-configuration-build-accounts ;integer
1103 (authorize-key? guix-configuration-authorize-key? ;Boolean
1105 (authorized-keys guix-configuration-authorized-keys ;list of gexps
1106 (default %default-authorized-guix-keys))
1107 (use-substitutes? guix-configuration-use-substitutes? ;Boolean
1109 (substitute-urls guix-configuration-substitute-urls ;list of strings
1110 (default %default-substitute-urls))
1111 (extra-options guix-configuration-extra-options ;list of strings
1113 (log-file guix-configuration-log-file ;string
1114 (default "/var/log/guix-daemon.log"))
1115 (lsof guix-configuration-lsof ;<package>
1118 (define %default-guix-configuration
1119 (guix-configuration))
1121 (define (guix-shepherd-service config)
1122 "Return a <shepherd-service> for the Guix daemon service with CONFIG."
1124 (($ <guix-configuration> guix build-group build-accounts
1126 use-substitutes? substitute-urls extra-options
1128 (list (shepherd-service
1129 (documentation "Run the Guix daemon.")
1130 (provision '(guix-daemon))
1131 (requirement '(user-processes))
1133 #~(make-forkexec-constructor
1134 (list #$(file-append guix "/bin/guix-daemon")
1135 "--build-users-group" #$build-group
1136 #$@(if use-substitutes?
1138 '("--no-substitutes"))
1139 "--substitute-urls" #$(string-join substitute-urls)
1142 ;; Add 'lsof' (for the GC) to the daemon's $PATH.
1143 #:environment-variables
1144 (list (string-append "PATH=" #$lsof "/bin"))
1146 #:log-file #$log-file))
1147 (stop #~(make-kill-destructor)))))))
1149 (define (guix-accounts config)
1150 "Return the user accounts and user groups for CONFIG."
1152 (($ <guix-configuration> _ build-group build-accounts)
1157 ;; Use a fixed GID so that we can create the store with the right
1160 (guix-build-accounts build-accounts
1161 #:group build-group)))))
1163 (define (guix-activation config)
1164 "Return the activation gexp for CONFIG."
1166 (($ <guix-configuration> guix build-group build-accounts authorize-key? keys)
1167 ;; Assume that the store has BUILD-GROUP as its group. We could
1168 ;; otherwise call 'chown' here, but the problem is that on a COW unionfs,
1169 ;; chown leads to an entire copy of the tree, which is a bad idea.
1171 ;; Optionally authorize hydra.gnu.org's key.
1174 #$@(map (cut hydra-key-authorization <> guix) keys))
1177 (define guix-service-type
1181 (list (service-extension shepherd-root-service-type guix-shepherd-service)
1182 (service-extension account-service-type guix-accounts)
1183 (service-extension activation-service-type guix-activation)
1184 (service-extension profile-service-type
1185 (compose list guix-configuration-guix))))))
1187 (define* (guix-service #:optional (config %default-guix-configuration))
1188 "Return a service that runs the Guix build daemon according to
1190 (service guix-service-type config))
1193 (define-record-type* <guix-publish-configuration>
1194 guix-publish-configuration make-guix-publish-configuration
1195 guix-publish-configuration?
1196 (guix guix-publish-configuration-guix ;package
1198 (port guix-publish-configuration-port ;number
1200 (host guix-publish-configuration-host ;string
1201 (default "localhost")))
1203 (define guix-publish-shepherd-service
1205 (($ <guix-publish-configuration> guix port host)
1206 (list (shepherd-service
1207 (provision '(guix-publish))
1208 (requirement '(guix-daemon))
1209 (start #~(make-forkexec-constructor
1210 (list #$(file-append guix "/bin/guix")
1211 "publish" "-u" "guix-publish"
1212 "-p" #$(number->string port)
1213 (string-append "--listen=" #$host))))
1214 (stop #~(make-kill-destructor)))))))
1216 (define %guix-publish-accounts
1217 (list (user-group (name "guix-publish") (system? #t))
1219 (name "guix-publish")
1220 (group "guix-publish")
1222 (comment "guix publish user")
1223 (home-directory "/var/empty")
1224 (shell (file-append shadow "/sbin/nologin")))))
1226 (define guix-publish-service-type
1227 (service-type (name 'guix-publish)
1229 (list (service-extension shepherd-root-service-type
1230 guix-publish-shepherd-service)
1231 (service-extension account-service-type
1232 (const %guix-publish-accounts))))))
1234 (define* (guix-publish-service #:key (guix guix) (port 80) (host "localhost"))
1235 "Return a service that runs @command{guix publish} listening on @var{host}
1236 and @var{port} (@pxref{Invoking guix publish}).
1238 This assumes that @file{/etc/guix} already contains a signing key pair as
1239 created by @command{guix archive --generate-key} (@pxref{Invoking guix
1240 archive}). If that is not the case, the service will fail to start."
1241 (service guix-publish-service-type
1242 (guix-publish-configuration (guix guix) (port port) (host host))))
1249 (define-record-type* <udev-configuration>
1250 udev-configuration make-udev-configuration
1252 (udev udev-configuration-udev ;<package>
1254 (rules udev-configuration-rules ;list of <package>
1257 (define (udev-rules-union packages)
1258 "Return the union of the @code{lib/udev/rules.d} directories found in each
1259 item of @var{packages}."
1261 (with-imported-modules '((guix build union)
1264 (use-modules (guix build union)
1269 (define %standard-locations
1270 '("/lib/udev/rules.d" "/libexec/udev/rules.d"))
1272 (define (rules-sub-directory directory)
1273 ;; Return the sub-directory of DIRECTORY containing udev rules, or
1274 ;; #f if none was found.
1275 (find directory-exists?
1276 (map (cut string-append directory <>) %standard-locations)))
1278 (mkdir-p (string-append #$output "/lib/udev"))
1279 (union-build (string-append #$output "/lib/udev/rules.d")
1280 (filter-map rules-sub-directory '#$packages)))))
1282 (computed-file "udev-rules" build))
1284 (define (udev-rule file-name contents)
1285 "Return a directory with a udev rule file FILE-NAME containing CONTENTS."
1286 (computed-file file-name
1287 (with-imported-modules '((guix build utils))
1289 (use-modules (guix build utils))
1292 (string-append #$output "/lib/udev/rules.d"))
1295 (call-with-output-file
1296 (string-append rules.d "/" #$file-name)
1298 (display #$contents port)))))))
1300 (define kvm-udev-rule
1301 ;; Return a directory with a udev rule that changes the group of /dev/kvm to
1302 ;; "kvm" and makes it #o660. Apparently QEMU-KVM used to ship this rule,
1303 ;; but now we have to add it by ourselves.
1305 ;; Build users are part of the "kvm" group, so we can fearlessly make
1306 ;; /dev/kvm 660 (see <http://bugs.gnu.org/18994>, for background.)
1307 (udev-rule "90-kvm.rules"
1308 "KERNEL==\"kvm\", GROUP=\"kvm\", MODE=\"0660\"\n"))
1310 (define udev-shepherd-service
1311 ;; Return a <shepherd-service> for UDEV with RULES.
1313 (($ <udev-configuration> udev rules)
1314 (let* ((rules (udev-rules-union (cons* udev kvm-udev-rule rules)))
1315 (udev.conf (computed-file "udev.conf"
1316 #~(call-with-output-file #$output
1319 "udev_rules=\"~a/lib/udev/rules.d\"\n"
1325 ;; Udev needs /dev to be a 'devtmpfs' mount so that new device nodes can
1327 ;; <http://www.linuxfromscratch.org/lfs/view/development/chapter07/udev.html>.
1328 (requirement '(root-file-system))
1330 (documentation "Populate the /dev directory, dynamically.")
1333 (@ (srfi srfi-1) find))
1336 ;; Choose the right 'udevd'.
1338 (map (lambda (suffix)
1339 (string-append #$udev suffix))
1340 '("/libexec/udev/udevd" ;udev
1341 "/sbin/udevd")))) ;eudev
1343 (define (wait-for-udevd)
1344 ;; Wait until someone's listening on udevd's control
1346 (let ((sock (socket AF_UNIX SOCK_SEQPACKET 0)))
1348 (catch 'system-error
1350 (connect sock PF_UNIX "/run/udev/control")
1353 (format #t "waiting for udevd...~%")
1357 ;; Allow udev to find the modules.
1358 (setenv "LINUX_MODULE_DIRECTORY"
1359 "/run/booted-system/kernel/lib/modules")
1361 ;; The first one is for udev, the second one for eudev.
1362 (setenv "UDEV_CONFIG_FILE" #$udev.conf)
1363 (setenv "EUDEV_RULES_DIRECTORY"
1364 #$(file-append rules "/lib/udev/rules.d"))
1366 (let ((pid (primitive-fork)))
1369 (exec-command (list udevd)))
1371 ;; Wait until udevd is up and running. This
1372 ;; appears to be needed so that the events
1373 ;; triggered below are actually handled.
1376 ;; Trigger device node creation.
1377 (system* #$(file-append udev "/bin/udevadm")
1378 "trigger" "--action=add")
1380 ;; Wait for things to settle down.
1381 (system* #$(file-append udev "/bin/udevadm")
1384 (stop #~(make-kill-destructor))
1386 ;; When halting the system, 'udev' is actually killed by
1387 ;; 'user-processes', i.e., before its own 'stop' method was called.
1388 ;; Thus, make sure it is not respawned.
1391 (define udev-service-type
1392 (service-type (name 'udev)
1394 (list (service-extension shepherd-root-service-type
1395 udev-shepherd-service)))
1397 (compose concatenate) ;concatenate the list of rules
1398 (extend (lambda (config rules)
1400 (($ <udev-configuration> udev initial-rules)
1403 (rules (append initial-rules rules)))))))))
1405 (define* (udev-service #:key (udev eudev) (rules '()))
1406 "Run @var{udev}, which populates the @file{/dev} directory dynamically. Get
1407 extra rules from the packages listed in @var{rules}."
1408 (service udev-service-type
1409 (udev-configuration (udev udev) (rules rules))))
1411 (define swap-service-type
1412 (shepherd-service-type
1416 (if (string-prefix? "/dev/mapper/" device)
1417 (list (symbol-append 'device-mapping-
1418 (string->symbol (basename device))))
1422 (provision (list (symbol-append 'swap- (string->symbol device))))
1423 (requirement `(udev ,@requirement))
1424 (documentation "Enable the given swap device.")
1426 (restart-on-EINTR (swapon #$device))
1429 (restart-on-EINTR (swapoff #$device))
1433 (define (swap-service device)
1434 "Return a service that uses @var{device} as a swap device."
1435 (service swap-service-type device))
1437 (define-record-type* <gpm-configuration>
1438 gpm-configuration make-gpm-configuration gpm-configuration?
1439 (gpm gpm-configuration-gpm) ;package
1440 (options gpm-configuration-options)) ;list of strings
1442 (define gpm-shepherd-service
1444 (($ <gpm-configuration> gpm options)
1445 (list (shepherd-service
1446 (requirement '(udev))
1449 ;; 'gpm' runs in the background and sets a PID file.
1450 ;; Note that it requires running as "root".
1451 (false-if-exception (delete-file "/var/run/gpm.pid"))
1452 (fork+exec-command (list #$(file-append gpm "/sbin/gpm")
1455 ;; Wait for the PID file to appear; declare failure if
1456 ;; it doesn't show up.
1458 (or (file-exists? "/var/run/gpm.pid")
1466 ;; Return #f if successfully stopped.
1467 (not (zero? (system* #$(file-append gpm "/sbin/gpm")
1470 (define gpm-service-type
1471 (service-type (name 'gpm)
1473 (list (service-extension shepherd-root-service-type
1474 gpm-shepherd-service)))))
1476 (define* (gpm-service #:key (gpm gpm)
1477 (options '("-m" "/dev/input/mice" "-t" "ps2")))
1478 "Run @var{gpm}, the general-purpose mouse daemon, with the given
1479 command-line @var{options}. GPM allows users to use the mouse in the console,
1480 notably to select, copy, and paste text. The default value of @var{options}
1481 uses the @code{ps2} protocol, which works for both USB and PS/2 mice.
1483 This service is not part of @var{%base-services}."
1484 ;; To test in QEMU, use "-usbdevice mouse" and then, in the monitor, use
1485 ;; "info mice" and "mouse_set X" to use the right mouse.
1486 (service gpm-service-type
1487 (gpm-configuration (gpm gpm) (options options))))
1489 (define-record-type* <kmscon-configuration>
1490 kmscon-configuration make-kmscon-configuration
1491 kmscon-configuration?
1492 (kmscon kmscon-configuration-kmscon
1494 (virtual-terminal kmscon-configuration-virtual-terminal)
1495 (login-program kmscon-configuration-login-program
1496 (default (file-append shadow "/bin/login")))
1497 (login-arguments kmscon-configuration-login-arguments
1499 (hardware-acceleration? kmscon-configuration-hardware-acceleration?
1500 (default #f))) ; #t causes failure
1502 (define kmscon-service-type
1503 (shepherd-service-type
1506 (let ((kmscon (kmscon-configuration-kmscon config))
1507 (virtual-terminal (kmscon-configuration-virtual-terminal config))
1508 (login-program (kmscon-configuration-login-program config))
1509 (login-arguments (kmscon-configuration-login-arguments config))
1510 (hardware-acceleration? (kmscon-configuration-hardware-acceleration? config)))
1512 (define kmscon-command
1514 #$(file-append kmscon "/bin/kmscon") "--login"
1515 "--vt" #$virtual-terminal
1516 #$@(if hardware-acceleration? '("--hwaccel") '())
1517 "--" #$login-program #$@login-arguments))
1520 (documentation "kmscon virtual terminal")
1521 (requirement '(user-processes udev dbus-system))
1522 (provision (list (symbol-append 'term- (string->symbol virtual-terminal))))
1523 (start #~(make-forkexec-constructor #$kmscon-command))
1524 (stop #~(make-kill-destructor)))))))
1527 (define %base-services
1528 ;; Convenience variable holding the basic services.
1529 (list (login-service)
1531 (service console-font-service-type
1533 (cons tty %default-console-font))
1534 '("tty1" "tty2" "tty3" "tty4" "tty5" "tty6")))
1536 (mingetty-service (mingetty-configuration
1538 (mingetty-service (mingetty-configuration
1540 (mingetty-service (mingetty-configuration
1542 (mingetty-service (mingetty-configuration
1544 (mingetty-service (mingetty-configuration
1546 (mingetty-service (mingetty-configuration
1549 (service static-networking-service-type
1550 (list (static-networking (interface "lo")
1552 (provision '(loopback)))))
1554 (urandom-seed-service)
1558 ;; The LVM2 rules are needed as soon as LVM2 or the device-mapper is
1559 ;; used, so enable them by default. The FUSE and ALSA rules are
1560 ;; less critical, but handy.
1561 (udev-service #:rules (list lvm2 fuse alsa-utils crda))))
1563 ;;; base.scm ends here