1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
5 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
6 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
7 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
8 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
9 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
10 ;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
11 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
13 ;;; This file is part of GNU Guix.
15 ;;; GNU Guix is free software; you can redistribute it and/or modify it
16 ;;; under the terms of the GNU General Public License as published by
17 ;;; the Free Software Foundation; either version 3 of the License, or (at
18 ;;; your option) any later version.
20 ;;; GNU Guix is distributed in the hope that it will be useful, but
21 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
22 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 ;;; GNU General Public License for more details.
25 ;;; You should have received a copy of the GNU General Public License
26 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
28 (define-module (gnu services networking)
29 #:use-module (gnu services)
30 #:use-module (gnu services base)
31 #:use-module (gnu services shepherd)
32 #:use-module (gnu services dbus)
33 #:use-module (gnu system shadow)
34 #:use-module (gnu system pam)
35 #:use-module (gnu packages admin)
36 #:use-module (gnu packages connman)
37 #:use-module (gnu packages freedesktop)
38 #:use-module (gnu packages linux)
39 #:use-module (gnu packages tor)
40 #:use-module (gnu packages messaging)
41 #:use-module (gnu packages networking)
42 #:use-module (gnu packages ntp)
43 #:use-module (gnu packages wicd)
44 #:use-module (gnu packages gnome)
45 #:use-module (guix gexp)
46 #:use-module (guix records)
47 #:use-module (guix modules)
48 #:use-module (srfi srfi-1)
49 #:use-module (srfi srfi-9)
50 #:use-module (srfi srfi-26)
51 #:use-module (ice-9 match)
52 #:re-export (static-networking-service
53 static-networking-service-type)
54 #:export (%facebook-host-aliases
60 dhcpd-configuration-package
61 dhcpd-configuration-config-file
62 dhcpd-configuration-version
63 dhcpd-configuration-run-directory
64 dhcpd-configuration-lease-file
65 dhcpd-configuration-pid-file
66 dhcpd-configuration-interfaces
75 openntpd-configuration
76 openntpd-configuration?
92 network-manager-configuration
93 network-manager-configuration?
94 network-manager-configuration-dns
95 network-manager-service-type
98 connman-configuration?
101 modem-manager-configuration
102 modem-manager-configuration?
103 modem-manager-service-type
104 wpa-supplicant-service-type
106 openvswitch-service-type
107 openvswitch-configuration
109 iptables-configuration
110 iptables-configuration?
111 iptables-configuration-iptables
112 iptables-configuration-ipv4-rules
113 iptables-configuration-ipv6-rules
114 iptables-service-type))
118 ;;; Networking services.
;; /etc/hosts fragment that points the listed Facebook host names at the
;; local host.  Hosts-file aliasing is a best-effort block: it only affects
;; lookups that consult /etc/hosts, and only for the names listed here.
122 (define %facebook-host-aliases
123 ;; This is the list of known Facebook hosts to be added to /etc/hosts if you
;; NOTE(review): the IPv6 entries use `fe80::1%lo0', a link-local address
;; with a BSD/macOS-style loopback zone id; on Linux the loopback interface
;; is `lo' and the loopback address is `::1'.  Confirm that the resolver in
;; use honours these lines before relying on them.
126 # Block Facebook IPv4.
127 127.0.0.1 www.facebook.com
128 127.0.0.1 facebook.com
129 127.0.0.1 login.facebook.com
130 127.0.0.1 www.login.facebook.com
132 127.0.0.1 www.fbcdn.net
134 127.0.0.1 www.fbcdn.com
135 127.0.0.1 static.ak.fbcdn.net
136 127.0.0.1 static.ak.connect.facebook.com
137 127.0.0.1 connect.facebook.net
138 127.0.0.1 www.connect.facebook.net
139 127.0.0.1 apps.facebook.com
141 # Block Facebook IPv6.
142 fe80::1%lo0 facebook.com
143 fe80::1%lo0 login.facebook.com
144 fe80::1%lo0 www.login.facebook.com
145 fe80::1%lo0 fbcdn.net
146 fe80::1%lo0 www.fbcdn.net
147 fe80::1%lo0 fbcdn.com
148 fe80::1%lo0 www.fbcdn.com
149 fe80::1%lo0 static.ak.fbcdn.net
150 fe80::1%lo0 static.ak.connect.facebook.com
151 fe80::1%lo0 connect.facebook.net
152 fe80::1%lo0 www.connect.facebook.net
153 fe80::1%lo0 apps.facebook.com\n")
;; Shepherd service type that runs ISC `dhclient' on every non-loopback
;; interface.  The service value is the DHCP client package; the dhclient
;; binary is taken from its sbin directory.
155 (define dhcp-client-service-type
156 (shepherd-service-type
160 (file-append dhcp "/sbin/dhclient"))
;; Handed to dhclient with `-pf' and read back below to obtain the daemon's
;; PID.
163 "/var/run/dhclient.pid")
166 (documentation "Set up networking via DHCP.")
167 (requirement '(user-processes udev))
169 ;; XXX: Running with '-nw' ("no wait") avoids blocking for a minute when
170 ;; networking is unavailable, but also means that the interface is not up
171 ;; yet when 'start' completes. To wait for the interface to be ready, one
172 ;; should instead monitor udev events.
173 (provision '(networking))
176 ;; When invoked without any arguments, 'dhclient' discovers all
177 ;; non-loopback interfaces *that are up*. However, the relevant
178 ;; interfaces are typically down at this point. Thus we perform
179 ;; our own interface discovery here.
181 (negate loopback-network-interface?))
183 (filter valid? (all-network-interface-names)))
185 ;; XXX: Make sure the interfaces are up so that 'dhclient' can
186 ;; actually send/receive over them.
187 (for-each set-network-interface-up ifaces)
;; Drop any stale PID file first so the read below cannot return the PID of
;; a previous run; a missing file is not an error.
189 (false-if-exception (delete-file #$pid-file))
;; NOTE(review): no user/group switch is visible here, so dhclient keeps
;; the shepherd's own (presumably root) privileges.  A DHCP client needs
;; raw sockets, so that is expected, but lease handling then runs as root.
190 (let ((pid (fork+exec-command
191 (cons* #$dhclient "-nw"
192 "-pf" #$pid-file ifaces))))
;; With `-nw' a zero exit status only means dhclient daemonized, not that a
;; lease was obtained; the daemon's PID is then read from PID-FILE.
193 (and (zero? (cdr (waitpid pid)))
197 (call-with-input-file #$pid-file read))
199 ;; 'dhclient' returned before PID-FILE was created,
;; NOTE(review): confirm that only the "file not there yet" errno is
;; tolerated here and that anything else is re-thrown as below.
201 (let ((errno (system-error-errno args)))
206 (apply throw args))))))))))
207 (stop #~(make-kill-destructor))))))
(define* (dhcp-client-service #:key (dhcp isc-dhcp))
  "Return a service that runs @var{dhcp}, a Dynamic Host Configuration
Protocol (DHCP) client, on all the non-loopback network interfaces."
  ;; The package itself is the service value; the service type derives the
  ;; path of the dhclient binary from it.
  (let ((client-package dhcp))
    (service dhcp-client-service-type client-package)))
;; Configuration of the ISC DHCP *server* (dhcpd); contrast with the client
;; service above.
214 (define-record-type* <dhcpd-configuration>
215 dhcpd-configuration make-dhcpd-configuration
217 (package dhcpd-configuration-package ;<package>
;; No default: dhcpd-shepherd-service raises "Must supply a config-file".
219 (config-file dhcpd-configuration-config-file ;file-like
;; Spliced into the provision name and into the "-<version>" flag.
221 (version dhcpd-configuration-version ;"4", "6", or "4o6"
223 (run-directory dhcpd-configuration-run-directory
224 (default "/run/dhcpd"))
;; Created empty by dhcpd-activation when absent.
225 (lease-file dhcpd-configuration-lease-file
226 (default "/var/db/dhcpd.leases"))
227 (pid-file dhcpd-configuration-pid-file
228 (default "/run/dhcpd/dhcpd.pid"))
229 ;; list of strings, e.g. (list "enp0s25")
230 (interfaces dhcpd-configuration-interfaces
;; Map a <dhcpd-configuration> to the shepherd service running dhcpd with
;; the configured protocol version.
233 (define dhcpd-shepherd-service
235 (($ <dhcpd-configuration> package config-file version run-directory
236 lease-file pid-file interfaces)
;; A missing configuration file is a hard error at system build time.
238 (error "Must supply a config-file"))
239 (list (shepherd-service
240 ;; Allow users to easily run multiple versions simultaneously.
241 (provision (list (string->symbol
242 (string-append "dhcpv" version "-daemon"))))
243 (documentation (string-append "Run the DHCPv" version " daemon"))
244 (requirement '(networking))
245 (start #~(make-forkexec-constructor
246 '(#$(file-append package "/sbin/dhcpd")
;; VERSION is inserted verbatim, yielding "-4", "-6" or "-4o6".
247 #$(string-append "-" version)
252 #:pid-file #$pid-file))
253 (stop #~(make-kill-destructor)))))))
;; Activation gexp: prepare the run directory and the lease database, then
;; syntax-check the configuration with `dhcpd -t' before the service starts.
255 (define dhcpd-activation
257 (($ <dhcpd-configuration> package config-file version run-directory
258 lease-file pid-file interfaces)
259 (with-imported-modules '((guix build utils))
;; NOTE(review): plain `mkdir', not `mkdir-p': this fails when the parent of
;; RUN-DIRECTORY does not exist, unlike the other activations in this file.
261 (unless (file-exists? #$run-directory)
262 (mkdir #$run-directory))
263 ;; According to the DHCP manual (man dhcpd.leases), the lease
264 ;; database must be present for dhcpd to start successfully.
;; The file is created with the current umask; it will hold lease records,
;; so its directory should stay restricted.
265 (unless (file-exists? #$lease-file)
266 (with-output-to-file #$lease-file
267 (lambda _ (display ""))))
268 ;; Validate the config.
270 #$(file-append package "/sbin/dhcpd") "-t" "-cf"
;; Service type wiring dhcpd into the shepherd and the activation step.
273 (define dhcpd-service-type
277 (list (service-extension shepherd-root-service-type dhcpd-shepherd-service)
278 (service-extension activation-service-type dhcpd-activation)))))
282 ;; Default set of NTP servers. These host names are managed by the NTP Pool project.
282 ;; Within Guix, Leo Famulari <leo@famulari.name> is the administrative contact
283 ;; for this NTP pool "zone".
284 '("0.guix.pool.ntp.org"
285 "1.guix.pool.ntp.org"
286 "2.guix.pool.ntp.org"
287 "3.guix.pool.ntp.org"))
;; Configuration of the reference NTP daemon (ntp.org's ntpd).
295 (define-record-type* <ntp-configuration>
296 ntp-configuration make-ntp-configuration
298 (ntp ntp-configuration-ntp
;; List of server host names; no default here (ntp-service supplies
;; %ntp-servers).
300 (servers ntp-configuration-servers)
;; When true, ntpd may make an initial clock adjustment of more than 1,000
;; seconds (see ntp-service).
301 (allow-large-adjustment? ntp-allow-large-adjustment?
;; Build ntpd.conf from CONFIG and return the shepherd service that runs
;; ntpd in the foreground as the unprivileged `ntpd' user.
304 (define ntp-shepherd-service
306 (($ <ntp-configuration> ntp servers allow-large-adjustment?)
308 ;; TODO: Add authentication support.
;; Until then time is accepted from SERVERS unauthenticated, so the list
;; should only name operators you are prepared to trust.  The `restrict'
;; lines below refuse runtime modification, traps and status queries from
;; everyone, which is what keeps ntpd from acting as an amplifier.
310 (string-append "driftfile /var/run/ntpd/ntp.drift\n"
311 (string-join (map (cut string-append "server " <>)
315 # Disable status queries as a workaround for CVE-2013-5211:
316 # <http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using>.
317 restrict default kod nomodify notrap nopeer noquery
318 restrict -6 default kod nomodify notrap nopeer noquery
320 # Yet, allow use of the local 'ntpq'.
325 (plain-file "ntpd.conf" config))
327 (list (shepherd-service
329 (documentation "Run the Network Time Protocol (NTP) daemon.")
330 (requirement '(user-processes networking))
;; `-n' keeps ntpd in the foreground; `-u ntpd' drops privileges to the
;; account created by %ntp-accounts.
331 (start #~(make-forkexec-constructor
332 (list (string-append #$ntp "/bin/ntpd") "-n"
333 "-c" #$ntpd.conf "-u" "ntpd"
334 #$@(if allow-large-adjustment?
337 (stop #~(make-kill-destructor))))))))
;; System account the NTP daemons drop to: no login shell and an empty home
;; directory, so it cannot be used interactively.
339 (define %ntp-accounts
344 (comment "NTP daemon user")
345 (home-directory "/var/empty")
346 (shell (file-append shadow "/sbin/nologin")))))
349 (define (ntp-service-activation config)
350 "Return the activation gexp for CONFIG."
351 (with-imported-modules '((guix build utils))
353 (use-modules (guix build utils))
;; The drift file lives under /var/run/ntpd (see ntp-shepherd-service), so
;; the directory must belong to the account ntpd switches to with `-u';
;; %USER is looked up above.
357 (let ((directory "/var/run/ntpd"))
359 (chown directory (passwd:uid %user) (passwd:gid %user))))))
;; Service type: the shepherd service, the `ntpd' account and the activation
;; step that prepares its runtime directory.
361 (define ntp-service-type
362 (service-type (name 'ntp)
364 (list (service-extension shepherd-root-service-type
365 ntp-shepherd-service)
366 (service-extension account-service-type
367 (const %ntp-accounts))
368 (service-extension activation-service-type
369 ntp-service-activation)))
371 "Run the @command{ntpd}, the Network Time Protocol (NTP)
372 daemon of the @uref{http://www.ntp.org, Network Time Foundation}. The daemon
373 will keep the system clock synchronized with that of the given servers.")))
;; Convenience wrapper building an <ntp-configuration> from keyword
;; arguments; SERVERS defaults to the Guix NTP pool zone.
375 (define* (ntp-service #:key (ntp ntp)
376 (servers %ntp-servers)
377 allow-large-adjustment?)
378 "Return a service that runs the daemon from @var{ntp}, the
379 @uref{http://www.ntp.org, Network Time Protocol package}. The daemon will
380 keep the system clock synchronized with that of @var{servers}.
381 @var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to
382 make an initial adjustment of more than 1,000 seconds."
383 (service ntp-service-type
384 (ntp-configuration (ntp ntp)
386 (allow-large-adjustment?
387 allow-large-adjustment?))))
;; Configuration of OpenNTPD.  Most fields map onto ntpd.conf keywords; see
;; openntpd-shepherd-service for how they are rendered.
394 (define-record-type* <openntpd-configuration>
395 openntpd-configuration make-openntpd-configuration
396 openntpd-configuration?
397 (openntpd openntpd-configuration-openntpd
;; Addresses ntpd *serves* time on.  The default binds loopback only, so
;; the daemon is not reachable from the network unless this is widened.
399 (listen-on openntpd-listen-on
400 (default '("127.0.0.1"
402 (query-from openntpd-query-from
404 (sensor openntpd-sensor
406 (server openntpd-server
407 (default %ntp-servers))
408 (servers openntpd-servers
410 (constraint-from openntpd-constraint-from
;; Rendered as quoted `constraints from "..."' lines.
412 (constraints-from openntpd-constraints-from
414 (allow-large-adjustment? openntpd-allow-large-adjustment?
415 (default #f))) ; upstream default
417 (define (openntpd-shepherd-service config)
;; Render CONFIG into ntpd.conf -- one "<keyword> <value>" line per list
;; element -- and return the shepherd service running OpenNTPD in the
;; foreground.  Values are inserted verbatim, with no quoting or escaping,
;; so each must already be a well-formed ntpd.conf token.
418 (match-record config <openntpd-configuration>
419 (openntpd listen-on query-from sensor server servers constraint-from
420 constraints-from allow-large-adjustment?)
425 (lambda (field value)
427 (map (cut string-append field <> "\n")
429 '("listen on " "query from " "sensor " "server " "servers "
431 (list listen-on query-from sensor server servers constraint-from))
432 ;; The 'constraints from' field needs to be enclosed in double quotes.
434 (map (cut string-append "constraints from \"" <> "\"\n")
438 (plain-file "ntpd.conf" config))
440 (list (shepherd-service
442 (documentation "Run the Network Time Protocol (NTP) daemon.")
443 (requirement '(user-processes networking))
444 (start #~(make-forkexec-constructor
445 (list (string-append #$openntpd "/sbin/ntpd")
447 "-d" ;; don't daemonize
448 #$@(if allow-large-adjustment?
451 ;; When ntpd is daemonized it repeatedly tries to respawn
452 ;; while running, leading shepherd to disable it. To
453 ;; prevent spamming stderr, redirect output to logfile.
454 #:log-file "/var/log/ntpd"))
455 (stop #~(make-kill-destructor)))))))
457 (define (openntpd-service-activation config)
458 "Return the activation gexp for CONFIG."
459 (with-imported-modules '((guix build utils))
461 (use-modules (guix build utils))
;; Seed the drift file with a zero frequency correction on first boot only;
;; an existing file is left alone so the learned correction survives.
465 (unless (file-exists? "/var/db/ntpd.drift")
466 (with-output-to-file "/var/db/ntpd.drift"
468 (format #t "0.0")))))))
;; Service type for OpenNTPD.  It shares the `ntpd' account with the ntp.org
;; service and also installs the package into the system profile.
470 (define openntpd-service-type
471 (service-type (name 'openntpd)
473 (list (service-extension shepherd-root-service-type
474 openntpd-shepherd-service)
475 (service-extension account-service-type
476 (const %ntp-accounts))
477 (service-extension profile-service-type
478 (compose list openntpd-configuration-openntpd))
479 (service-extension activation-service-type
480 openntpd-service-activation)))
481 (default-value (openntpd-configuration))
483 "Run the @command{ntpd}, the Network Time Protocol (NTP)
484 daemon, as implemented by @uref{http://www.openntpd.org, OpenNTPD}. The
485 daemon will keep the system clock synchronized with that of the given servers.")))
;; Configuration of the inetd super-server: the daemon binary plus the list
;; of <inetd-entry> records it should listen for.
492 (define-record-type* <inetd-configuration> inetd-configuration
493 make-inetd-configuration
495 (program inetd-configuration-program ;file-like
496 (default (file-append inetutils "/libexec/inetd")))
497 (entries inetd-configuration-entries ;list of <inetd-entry>
;; One line of inetd.conf.  Each field is written out verbatim by
;; inetd-config-file.
500 (define-record-type* <inetd-entry> inetd-entry make-inetd-entry
;; Optional address to bind; emitted as "node:name".
502 (node inetd-entry-node ;string or #f
504 (name inetd-entry-name) ;string, from /etc/services
506 (socket-type inetd-entry-socket-type) ;stream | dgram | raw |
508 (protocol inetd-entry-protocol) ;string, from /etc/protocols
510 (wait? inetd-entry-wait? ;Boolean
;; Account the spawned PROGRAM runs as.
512 (user inetd-entry-user) ;string
;; "internal" selects one of inetd's built-in services.
514 (program inetd-entry-program ;string or file-like object
515 (default "internal"))
516 (arguments inetd-entry-arguments ;list of strings or file-like objects
;; Render ENTRIES, a list of <inetd-entry>, into an inetd.conf.  Each entry
;; yields one line of space-separated fields, all inserted verbatim: a value
;; containing whitespace would be read back by inetd as several fields.
519 (define (inetd-config-file entries)
520 (apply mixed-text-file "inetd.conf"
523 (let* ((node (inetd-entry-node entry))
524 (name (inetd-entry-name entry))
526 (if node (string-append node ":" name) name))
;; Only socket types inetd understands are accepted; anything else appears
;; to be a match error at build time rather than a broken inetd.conf.
528 (match (inetd-entry-socket-type entry)
529 ((or 'stream 'dgram 'raw 'rdm 'seqpacket)
530 (symbol->string (inetd-entry-socket-type entry)))))
531 (protocol (inetd-entry-protocol entry))
;; Maps the boolean onto inetd's wait/nowait field.
532 (wait (if (inetd-entry-wait? entry) "wait" "nowait"))
533 (user (inetd-entry-user entry))
534 (program (inetd-entry-program entry))
535 (args (inetd-entry-arguments entry)))
538 (list #$@(list socket type protocol wait user program) #$@args)
;; Shepherd service for inetd.  With no entries nothing is started at all,
;; so an empty configuration does not leave a listening super-server behind.
542 (define inetd-shepherd-service
544 (($ <inetd-configuration> program ()) '()) ; empty list of entries -> do nothing
545 (($ <inetd-configuration> program entries)
548 (documentation "Run inetd.")
;; syslogd is required because inetd reports connections through syslog.
550 (requirement '(user-processes networking syslogd))
551 (start #~(make-forkexec-constructor
552 (list #$program #$(inetd-config-file entries))
553 #:pid-file "/var/run/inetd.pid"))
554 (stop #~(make-kill-destructor)))))))
;; Service type for inetd.  Other services may extend it with further
;; <inetd-entry> lists, which are appended to the configured entries.
556 (define-public inetd-service-type
560 (list (service-extension shepherd-root-service-type
561 inetd-shepherd-service)))
563 ;; The service can be extended with additional lists of entries.
564 (compose concatenate)
565 (extend (lambda (config entries)
568 (entries (append (inetd-configuration-entries config)
571 "Start @command{inetd}, the @dfn{Internet superserver}. It is responsible
572 for listening on Internet sockets and spawning the corresponding services on
;; Configuration of the Tor daemon.  CONFIG-FILE is appended verbatim to
;; the generated torrc (see tor-configuration->torrc).
580 (define-record-type* <tor-configuration>
581 tor-configuration make-tor-configuration
583 (tor tor-configuration-tor
585 (config-file tor-configuration-config-file
586 (default (plain-file "empty" "")))
587 (hidden-services tor-configuration-hidden-services
;; 'unix selects a group-writable Unix socket instead of a TCP SocksPort.
589 (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
592 (define %tor-accounts
593 ;; User account and groups for Tor.
;; The `tor' group doubles as the access-control group for the Unix SOCKS
;; socket (see tor-activation).
594 (list (user-group (name "tor") (system? #t))
;; No login shell and an empty home: the account is for the daemon only.
599 (comment "Tor daemon user")
600 (home-directory "/var/empty")
601 (shell (file-append shadow "/sbin/nologin")))))
;; A Tor hidden service: NAME also serves as the directory name under
;; /var/lib/tor/hidden-services, so it is assumed to be a plain file name.
603 (define-record-type <hidden-service>
604 (hidden-service name mapping)
606 (name hidden-service-name) ;string
607 (mapping hidden-service-mapping)) ;list of port/address tuples
609 (define (tor-configuration->torrc config)
610 "Return a 'torrc' file for CONFIG."
612 (($ <tor-configuration> tor config-file services socks-socket-type)
615 (with-imported-modules '((guix build utils))
617 (use-modules (guix build utils)
;; Generated directives come first; the operator's CONFIG-FILE is appended
;; afterwards, so it may restate any of them.
620 (call-with-output-file #$output
623 ### These lines were generated from your system configuration:
625 DataDirectory /var/lib/tor
626 PidFile /var/run/tor/tor.pid
627 Log notice syslog\n" port)
;; Unix-domain SOCKS socket usable by members of the `tor' group; the
;; directory permissions that make this safe are set in tor-activation.
628 (when (eq? 'unix '#$socks-socket-type)
630 SocksPort unix:/var/run/tor/socks-sock
631 UnixSocksGroupWritable 1\n" port))
;; One HiddenServiceDir per service, then one HiddenServicePort per
;; (virtual-port target) pair.  NOTE(review): the service name becomes a
;; path component below /var/lib/tor/hidden-services without validation --
;; callers are assumed to pass a plain directory name; confirm.
633 (for-each (match-lambda
634 ((service (ports hosts) ...)
636 HiddenServiceDir /var/lib/tor/hidden-services/~a~%"
638 (for-each (lambda (tcp-port host)
640 HiddenServicePort ~a ~a~%"
;; Hidden services are lowered to (name . mapping) pairs at build time.
643 '#$(map (match-lambda
644 (($ <hidden-service> name mapping)
645 (cons name mapping)))
649 ### End of automatically generated lines.\n\n" port)
651 ;; Append the user's config file.
652 (call-with-input-file #$config-file
654 (dump-port input port)))
657 (define (tor-shepherd-service config)
658 "Return a <shepherd-service> running Tor."
660 (($ <tor-configuration> tor)
661 (let ((torrc (tor-configuration->torrc config)))
662 (with-imported-modules (source-module-closure
663 '((gnu build shepherd)
664 (gnu system file-systems)))
665 (list (shepherd-service
668 ;; Tor needs at least one network interface to be up, hence the
669 ;; dependency on 'loopback'.
670 (requirement '(user-processes loopback syslogd))
672 (modules '((gnu build shepherd)
673 (gnu system file-systems)))
;; Tor runs in its own container: only the mappings listed below are
;; visible to it, which limits what a compromised daemon can reach.
;; NOTE(review): confirm the constructor is also given the `tor' user and
;; group (tor-service documents the daemon as running as `tor').
675 (start #~(make-forkexec-constructor/container
676 (list #$(file-append tor "/bin/tor") "-f" #$torrc)
678 #:mappings (list (file-system-mapping
679 (source "/var/lib/tor")
683 (source "/dev/log") ;for syslog
686 (source "/var/run/tor")
689 #:pid-file "/var/run/tor/tor.pid"))
690 (stop #~(make-kill-destructor))
691 (documentation "Run the Tor anonymous network overlay."))))))))
693 (define (tor-activation config)
694 "Set up directories for Tor and its hidden services, if any."
696 (use-modules (guix build utils))
;; %USER is the `tor' account looked up above; every directory below is
;; handed to it.
701 (define (initialize service)
702 (let ((directory (string-append "/var/lib/tor/hidden-services/"
705 (chown directory (passwd:uid %user) (passwd:gid %user))
707 ;; The daemon bails out if we give wider permissions.
708 (chmod directory #o700)))
710 ;; Allow Tor to write its PID file.
711 (mkdir-p "/var/run/tor")
712 (chown "/var/run/tor" (passwd:uid %user) (passwd:gid %user))
713 ;; Set the group permissions to rw so that if the system administrator
714 ;; has specified UnixSocksGroupWritable=1 in their torrc file, members
715 ;; of the "tor" group will be able to use the SOCKS socket.
716 (chmod "/var/run/tor" #o750)
718 ;; Allow Tor to access the hidden services' directories.
719 (mkdir-p "/var/lib/tor")
720 (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))
721 (chmod "/var/lib/tor" #o700)
723 ;; Make sure /var/lib is accessible to the 'tor' user.
;; NOTE(review): this resets /var/lib to 0755 unconditionally on every
;; activation, so a stricter mode chosen by the administrator is undone.
724 (chmod "/var/lib" #o755)
727 '#$(map hidden-service-name
728 (tor-configuration-hidden-services config)))))
;; Service type for Tor: shepherd service, `tor' account and activation.
;; Extensions contribute additional <hidden-service> records.
730 (define tor-service-type
731 (service-type (name 'tor)
733 (list (service-extension shepherd-root-service-type
734 tor-shepherd-service)
735 (service-extension account-service-type
736 (const %tor-accounts))
737 (service-extension activation-service-type
740 ;; This can be extended with hidden services.
741 (compose concatenate)
742 (extend (lambda (config services)
746 (append (tor-configuration-hidden-services config)
748 (default-value (tor-configuration))
750 "Run the @uref{https://torproject.org, Tor} anonymous
751 networking daemon.")))
;; Convenience wrapper around tor-service-type taking the operator's torrc
;; fragment as CONFIG-FILE.
753 (define* (tor-service #:optional
754 (config-file (plain-file "empty" ""))
756 "Return a service to run the @uref{https://torproject.org, Tor} anonymous
759 The daemon runs as the @code{tor} unprivileged user. It is passed
760 @var{config-file}, a file-like object, with an additional @code{User tor} line
761 and lines for hidden services added via @code{tor-hidden-service}. Run
762 @command{man tor} for information about the configuration file."
763 (service tor-service-type
764 (tor-configuration (tor tor)
765 (config-file config-file))))
767 (define tor-hidden-service-type
768 ;; A type that extends Tor with hidden services.
;; Each service value is one <hidden-service>, passed through as a
;; singleton list to tor-service-type's extend procedure.
769 (service-type (name 'tor-hidden-service)
771 (list (service-extension tor-service-type list)))
773 "Define a new Tor @dfn{hidden service}.")))
775 (define (tor-hidden-service name mapping)
776 "Define a new Tor @dfn{hidden service} called @var{name} and implementing
777 @var{mapping}. @var{mapping} is a list of port/host tuples, such as:
780 '((22 \"127.0.0.1:22\")
781 (80 \"127.0.0.1:8080\"))
784 In this example, port 22 of the hidden service is mapped to local port 22, and
785 port 80 is mapped to local port 8080.
787 This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
788 the @file{hostname} file contains the @code{.onion} host name for the hidden
791 See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
792 project's documentation} for more information."
;; NAME is used verbatim as a directory name by tor-activation and
;; tor-configuration->torrc; keep it to a plain name with no path separators.
793 (service tor-hidden-service-type
794 (hidden-service name mapping)))
801 (define %wicd-activation
802 ;; Activation gexp for Wicd.
804 (use-modules (guix build utils))
806 (mkdir-p "/etc/wicd")
;; Install the package's dhclient template once; an existing (possibly
;; edited) file is kept.
807 (let ((file-name "/etc/wicd/dhclient.conf.template.default"))
808 (unless (file-exists? file-name)
809 (copy-file (string-append #$wicd file-name)
812 ;; Wicd invokes 'wpa_supplicant', which needs this directory for its
813 ;; named socket files.
;; 0750: owner and group only; unrelated users cannot reach the control
;; sockets.
814 (mkdir-p "/var/run/wpa_supplicant")
815 (chmod "/var/run/wpa_supplicant" #o750)))
817 (define (wicd-shepherd-service wicd)
818 "Return a shepherd service for WICD."
;; Provides `networking' like the other network managers in this file, so
;; only one of them can be enabled at a time.
819 (list (shepherd-service
820 (documentation "Run the Wicd network manager.")
821 (provision '(networking))
822 (requirement '(user-processes dbus-system loopback))
823 (start #~(make-forkexec-constructor
824 (list (string-append #$wicd "/sbin/wicd")
826 (stop #~(make-kill-destructor)))))
;; Service type for Wicd.  The service value is the wicd package, which is
;; also registered with D-Bus and added to the system profile.
828 (define wicd-service-type
829 (service-type (name 'wicd)
831 (list (service-extension shepherd-root-service-type
832 wicd-shepherd-service)
833 (service-extension dbus-root-service-type
835 (service-extension activation-service-type
836 (const %wicd-activation))
838 ;; Add Wicd to the global profile.
839 (service-extension profile-service-type list)))
841 "Run @url{https://launchpad.net/wicd,Wicd}, a network
842 management daemon that aims to simplify wired and wireless networking.")))
;; Convenience wrapper: the WICD package is the whole service value.
844 (define* (wicd-service #:key (wicd wicd))
845 "Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
846 management daemon that aims to simplify wired and wireless networking.
848 This service adds the @var{wicd} package to the global profile, providing
849 several commands to interact with the daemon and configure networking:
850 @command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
851 and @command{wicd-curses} user interfaces."
852 (service wicd-service-type wicd))
;; Configuration of ModemManager; currently only the package is selectable.
859 (define-record-type* <modem-manager-configuration>
860 modem-manager-configuration make-modem-manager-configuration
861 modem-manager-configuration?
862 (modem-manager modem-manager-configuration-modem-manager
863 (default modem-manager)))
;; Configuration of NetworkManager.
870 (define-record-type* <network-manager-configuration>
871 network-manager-configuration make-network-manager-configuration
872 network-manager-configuration?
873 (network-manager network-manager-configuration-network-manager
874 (default network-manager))
;; Written verbatim as the `dns=' setting of NetworkManager.conf (see
;; network-manager-shepherd-service).
875 (dns network-manager-configuration-dns
;; Merged into one tree and exported as NM_VPN_PLUGIN_DIR.
877 (vpn-plugins network-manager-vpn-plugins ;list of <package>
880 (define %network-manager-activation
881 ;; Activation gexp for NetworkManager.
883 (use-modules (guix build utils))
;; Connection profiles (which may hold credentials) are stored here.
884 (mkdir-p "/etc/NetworkManager/system-connections")))
(define (vpn-plugin-directory plugins)
  "Return a directory containing PLUGINS, the NM VPN plugins."
  ;; All plugin packages are merged into one tree so that a single
  ;; NM_VPN_PLUGIN_DIR can be pointed at them.
  (let ((union-name "network-manager-vpn-plugins"))
    (directory-union union-name plugins)))
;; Session-environment extension: export NM_VPN_PLUGIN_DIR so that user
;; sessions find the same plugin tree the daemon is started with.
890 (define network-manager-environment
892 (($ <network-manager-configuration> network-manager dns vpn-plugins)
893 ;; Define this variable in the global environment such that
894 ;; "nmcli connection import type openvpn file foo.ovpn" works.
895 `(("NM_VPN_PLUGIN_DIR"
896 . ,(file-append (vpn-plugin-directory vpn-plugins)
897 "/lib/NetworkManager/VPN"))))))
;; Shepherd service for NetworkManager.  DNS is written straight into a
;; minimal NetworkManager.conf without escaping, so it must be a single
;; well-formed value for the `dns=' key.
899 (define network-manager-shepherd-service
901 (($ <network-manager-configuration> network-manager dns vpn-plugins)
902 (let ((conf (plain-file "NetworkManager.conf"
903 (string-append "[main]\ndns=" dns "\n")))
904 (vpn (vpn-plugin-directory vpn-plugins)))
905 (list (shepherd-service
906 (documentation "Run the NetworkManager.")
907 (provision '(networking))
908 (requirement '(user-processes dbus-system wpa-supplicant loopback))
909 (start #~(make-forkexec-constructor
910 (list (string-append #$network-manager
911 "/sbin/NetworkManager")
912 (string-append "--config=" #$conf)
;; Same plugin tree as exported by network-manager-environment.
914 #:environment-variables
915 (list (string-append "NM_VPN_PLUGIN_DIR=" #$vpn
916 "/lib/NetworkManager/VPN"))))
917 (stop #~(make-kill-destructor))))))))
;; Service type for NetworkManager.  The package is registered with D-Bus
;; and polkit (the daemon is controlled over D-Bus, with polkit deciding
;; which users may change connections) and added to the system profile.
919 (define network-manager-service-type
923 (($ <network-manager-configuration> network-manager)
924 (list network-manager)))))
927 (name 'network-manager)
929 (list (service-extension shepherd-root-service-type
930 network-manager-shepherd-service)
931 (service-extension dbus-root-service-type config->package)
932 (service-extension polkit-service-type config->package)
933 (service-extension activation-service-type
934 (const %network-manager-activation))
935 (service-extension session-environment-service-type
936 network-manager-environment)
937 ;; Add network-manager to the system profile.
938 (service-extension profile-service-type config->package)))
939 (default-value (network-manager-configuration))
941 "Run @uref{https://wiki.gnome.org/Projects/NetworkManager,
942 NetworkManager}, a network management daemon that aims to simplify wired and
943 wireless networking."))))
;; Configuration of Connman.
950 (define-record-type* <connman-configuration>
951 connman-configuration make-connman-configuration
952 connman-configuration?
953 (connman connman-configuration-connman
;; When true the VPN plugin is not loaded and no VPN state directory is made.
955 (disable-vpn? connman-configuration-disable-vpn?
;; Activation gexp for Connman: create its state directories, skipping the
;; VPN one when VPN support is disabled.
958 (define (connman-activation config)
959 (let ((disable-vpn? (connman-configuration-disable-vpn? config)))
960 (with-imported-modules '((guix build utils))
962 (use-modules (guix build utils))
963 (mkdir-p "/var/lib/connman/")
964 (unless #$disable-vpn?
965 (mkdir-p "/var/lib/connman-vpn/"))))))
967 (define (connman-shepherd-service config)
968 "Return a shepherd service for Connman"
;; CONFIG is checked to be a <connman-configuration> before it is used.
970 (connman-configuration? config)
971 (let ((connman (connman-configuration-connman config))
972 (disable-vpn? (connman-configuration-disable-vpn? config)))
973 (list (shepherd-service
974 (documentation "Run Connman")
975 (provision '(networking))
977 '(user-processes dbus-system loopback wpa-supplicant))
978 (start #~(make-forkexec-constructor
979 (list (string-append #$connman
;; `--noplugin=vpn' is only passed when VPN support is disabled.
982 #$@(if disable-vpn? '("--noplugin=vpn") '()))))
983 (stop #~(make-kill-destructor)))))))
;; Service type for Connman: registered with polkit and D-Bus, added to the
;; system profile, and given its state directories by connman-activation.
985 (define connman-service-type
986 (let ((connman-package (compose list connman-configuration-connman)))
987 (service-type (name 'connman)
989 (list (service-extension shepherd-root-service-type
990 connman-shepherd-service)
991 (service-extension polkit-service-type
993 (service-extension dbus-root-service-type
995 (service-extension activation-service-type
997 ;; Add connman to the system profile.
998 (service-extension profile-service-type
1000 (default-value (connman-configuration))
1002 "Run @url{https://01.org/connman,Connman},
1003 a network connection manager."))))
;; Service type for ModemManager.  It has no shepherd service of its own:
;; the package is registered with D-Bus, udev and polkit and the daemon is
;; expected to be started on demand through those.
1010 (define modem-manager-service-type
1011 (let ((config->package
1013 (($ <modem-manager-configuration> modem-manager)
1014 (list modem-manager)))))
1015 (service-type (name 'modem-manager)
1017 (list (service-extension dbus-root-service-type
1019 (service-extension udev-service-type
1021 (service-extension polkit-service-type
1023 (default-value (modem-manager-configuration))
1025 "Run @uref{https://wiki.gnome.org/Projects/ModemManager,
1026 ModemManager}, a modem management daemon that aims to simplify dialup
(define (wpa-supplicant-shepherd-service wpa-supplicant)
  "Return a shepherd service for wpa_supplicant"
  ;; WPA-SUPPLICANT is the package.  The daemon is started with its D-Bus
  ;; control interface enabled ("-u") and detaches into the background
  ;; ("-B"), so the shepherd tracks it through the PID file it writes ("-P").
  (let ((pid-file "/var/run/wpa_supplicant.pid"))
    (list (shepherd-service
           (provision '(wpa-supplicant))
           (requirement '(user-processes dbus-system loopback))
           (documentation "Run WPA supplicant with dbus interface")
           (start #~(make-forkexec-constructor
                     (list (string-append #$wpa-supplicant
                                          "/sbin/wpa_supplicant")
                           "-u"
                           "-B"
                           (string-append "-P" #$pid-file))
                     #:pid-file #$pid-file))
           (stop #~(make-kill-destructor))))))
;; Service type for wpa_supplicant.  The service value is the package
;; itself, which is also registered with D-Bus and added to the profile.
1048 (define wpa-supplicant-service-type
1049 (service-type (name 'wpa-supplicant)
1051 (list (service-extension shepherd-root-service-type
1052 wpa-supplicant-shepherd-service)
1053 (service-extension dbus-root-service-type list)
1054 (service-extension profile-service-type list)))
1055 (default-value wpa-supplicant)))
;; Configuration of Open vSwitch; currently only the package is selectable.
1062 (define-record-type* <openvswitch-configuration>
1063 openvswitch-configuration make-openvswitch-configuration
1064 openvswitch-configuration?
1065 (package openvswitch-configuration-package
1066 (default openvswitch)))
;; Activation gexp: create the runtime and state directories and, on first
;; boot, an empty configuration database.
1068 (define openvswitch-activation
1070 (($ <openvswitch-configuration> package)
1071 (let ((ovsdb-tool (file-append package "/bin/ovsdb-tool")))
1072 (with-imported-modules '((guix build utils))
1074 (use-modules (guix build utils))
1075 (mkdir-p "/var/run/openvswitch")
1076 (mkdir-p "/var/lib/openvswitch")
;; NOTE(review): the exit status of `ovsdb-tool create' is discarded
;; (`system*' rather than `invoke'), so a failed creation only surfaces
;; later, when ovsdb-server cannot open conf.db.
1077 (let ((conf.db "/var/lib/openvswitch/conf.db"))
1078 (unless (file-exists? conf.db)
1079 (system* #$ovsdb-tool "create" conf.db)))))))))
;; Two shepherd services: the database server, reachable over a local Unix
;; socket only, and the switch daemon that depends on it.
1081 (define openvswitch-shepherd-service
1083 (($ <openvswitch-configuration> package)
1084 (let ((ovsdb-server (file-append package "/sbin/ovsdb-server"))
1085 (ovs-vswitchd (file-append package "/sbin/ovs-vswitchd")))
1088 (provision '(ovsdb))
1089 (documentation "Run the Open vSwitch database server.")
;; `punix:' is a passive Unix-domain socket; no TCP listener is opened.
1090 (start #~(make-forkexec-constructor
1091 (list #$ovsdb-server "--pidfile"
1092 "--remote=punix:/var/run/openvswitch/db.sock")
1093 #:pid-file "/var/run/openvswitch/ovsdb-server.pid"))
1094 (stop #~(make-kill-destructor)))
1096 (provision '(vswitchd))
1097 (requirement '(ovsdb))
1098 (documentation "Run the Open vSwitch daemon.")
1099 (start #~(make-forkexec-constructor
1100 (list #$ovs-vswitchd "--pidfile")
1101 #:pid-file "/var/run/openvswitch/ovs-vswitchd.pid"))
1102 (stop #~(make-kill-destructor))))))))
;; Service type for Open vSwitch: activation, profile entry and the two
;; shepherd services above.
1104 (define openvswitch-service-type
1108 (list (service-extension activation-service-type
1109 openvswitch-activation)
1110 (service-extension profile-service-type
1111 (compose list openvswitch-configuration-package))
1112 (service-extension shepherd-root-service-type
1113 openvswitch-shepherd-service)))
1115 "Run @uref{http://www.openvswitch.org, Open vSwitch}, a multilayer virtual
1116 switch designed to enable massive network automation through programmatic
;; Rule set used as the default for both tables and loaded again on `stop';
;; as its name says it accepts everything, i.e. it provides no filtering.
1123 (define %iptables-accept-all-rules
1124 (plain-file "iptables-accept-all.rules"
;; Configuration of the iptables service.  Both rule sets default to
;; accept-all, so enabling the service without explicit rules filters
;; nothing.
1132 (define-record-type* <iptables-configuration>
1133 iptables-configuration make-iptables-configuration iptables-configuration?
1134 (iptables iptables-configuration-iptables
;; File-like objects in iptables-restore format.
1136 (ipv4-rules iptables-configuration-ipv4-rules
1137 (default %iptables-accept-all-rules))
1138 (ipv6-rules iptables-configuration-ipv6-rules
1139 (default %iptables-accept-all-rules)))
;; Load the configured rule sets with iptables-restore/ip6tables-restore.
;; Note that stopping the service does not simply leave the rules in place:
;; it loads %iptables-accept-all-rules, i.e. it opens the firewall.
1141 (define iptables-shepherd-service
1143 (($ <iptables-configuration> iptables ipv4-rules ipv6-rules)
1144 (let ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
1145 (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore")))
1147 (documentation "Packet filtering framework")
1148 (provision '(iptables))
;; `invoke' raises on a non-zero exit, so a rejected IPv6 rule set fails the
;; start after the IPv4 rules have already been loaded.
1150 (invoke #$iptables-restore #$ipv4-rules)
1151 (invoke #$ip6tables-restore #$ipv6-rules)))
;; Stop: reset both tables to accept-all.
1153 (invoke #$iptables-restore #$%iptables-accept-all-rules)
1154 (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
;; Service type for iptables; it only contributes the shepherd service above.
1156 (define iptables-service-type
1160 "Run @command{iptables-restore}, setting up the specified rules.")
1162 (list (service-extension shepherd-root-service-type
1163 (compose list iptables-shepherd-service))))))
1165 ;;; networking.scm ends here