1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
5 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
6 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
7 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
8 ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
9 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
10 ;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
11 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
13 ;;; This file is part of GNU Guix.
15 ;;; GNU Guix is free software; you can redistribute it and/or modify it
16 ;;; under the terms of the GNU General Public License as published by
17 ;;; the Free Software Foundation; either version 3 of the License, or (at
18 ;;; your option) any later version.
20 ;;; GNU Guix is distributed in the hope that it will be useful, but
21 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
22 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 ;;; GNU General Public License for more details.
25 ;;; You should have received a copy of the GNU General Public License
26 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
28 (define-module (gnu services networking)
29 #:use-module (gnu services)
30 #:use-module (gnu services base)
31 #:use-module (gnu services shepherd)
32 #:use-module (gnu services dbus)
33 #:use-module (gnu system shadow)
34 #:use-module (gnu system pam)
35 #:use-module (gnu packages admin)
36 #:use-module (gnu packages connman)
37 #:use-module (gnu packages freedesktop)
38 #:use-module (gnu packages linux)
39 #:use-module (gnu packages tor)
40 #:use-module (gnu packages messaging)
41 #:use-module (gnu packages networking)
42 #:use-module (gnu packages ntp)
43 #:use-module (gnu packages wicd)
44 #:use-module (gnu packages gnome)
45 #:use-module (guix gexp)
46 #:use-module (guix records)
47 #:use-module (guix modules)
48 #:use-module (srfi srfi-1)
49 #:use-module (srfi srfi-9)
50 #:use-module (srfi srfi-26)
51 #:use-module (ice-9 match)
52 #:re-export (static-networking-service
53 static-networking-service-type)
54 #:export (%facebook-host-aliases
60 dhcpd-configuration-package
61 dhcpd-configuration-config-file
62 dhcpd-configuration-version
63 dhcpd-configuration-run-directory
64 dhcpd-configuration-lease-file
65 dhcpd-configuration-pid-file
66 dhcpd-configuration-interfaces
75 openntpd-configuration
76 openntpd-configuration?
92 network-manager-configuration
93 network-manager-configuration?
94 network-manager-configuration-dns
95 network-manager-service-type
98 connman-configuration?
101 modem-manager-configuration
102 modem-manager-configuration?
103 modem-manager-service-type
105 <wpa-supplicant-configuration>
106 wpa-supplicant-configuration
107 wpa-supplicant-configuration?
108 wpa-supplicant-configuration-wpa-supplicant
109 wpa-supplicant-configuration-pid-file
110 wpa-supplicant-configuration-dbus?
111 wpa-supplicant-configuration-interface
112 wpa-supplicant-configuration-config-file
113 wpa-supplicant-configuration-extra-options
114 wpa-supplicant-service-type
116 openvswitch-service-type
117 openvswitch-configuration
119 iptables-configuration
120 iptables-configuration?
121 iptables-configuration-iptables
122 iptables-configuration-ipv4-rules
123 iptables-configuration-ipv6-rules
124 iptables-service-type))
128 ;;; Networking services.
;; Host aliases that sink the listed Facebook names, meant to be appended to
;; /etc/hosts.  Points a practitioner should know before relying on this:
;;  - The IPv4 entries resolve to 127.0.0.1, not the 0.0.0.0 sinkhole, so any
;;    service listening on the local host (e.g. a local web server) will
;;    receive the "blocked" requests.
;;  - 'fe80::1%lo0' is a link-local address with a BSD-style zone identifier.
;;    NOTE(review): on GNU/Linux the loopback interface is 'lo' and its
;;    address is '::1' -- confirm the IPv6 lines actually take effect there.
;;  - This is a convenience, not a security control: clients that resolve
;;    names over DNS-over-HTTPS, or that embed IP addresses, bypass it.
(define %facebook-host-aliases
  ;; This is the list of known Facebook hosts to be added to /etc/hosts if you
# Block Facebook IPv4.
127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
127.0.0.1 login.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 www.fbcdn.net
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 connect.facebook.net
127.0.0.1 www.connect.facebook.net
127.0.0.1 apps.facebook.com
# Block Facebook IPv6.
fe80::1%lo0 facebook.com
fe80::1%lo0 login.facebook.com
fe80::1%lo0 www.login.facebook.com
fe80::1%lo0 fbcdn.net
fe80::1%lo0 www.fbcdn.net
fe80::1%lo0 fbcdn.com
fe80::1%lo0 www.fbcdn.com
fe80::1%lo0 static.ak.fbcdn.net
fe80::1%lo0 static.ak.connect.facebook.com
fe80::1%lo0 connect.facebook.net
fe80::1%lo0 www.connect.facebook.net
fe80::1%lo0 apps.facebook.com\n")
;; Shepherd service type running 'dhclient' from the given DHCP package on
;; every non-loopback interface.
;;
;; Security notes grounded in the code below:
;;  - Every non-loopback interface is brought up and handed to 'dhclient';
;;    there is no way to exclude an interface here.  DHCP replies are
;;    unauthenticated, so a hostile peer on any of those links can push
;;    routes, DNS servers and hostnames to this machine.
;;  - No privilege-dropping option is visible in the command line, so the
;;    client presumably runs as root -- TODO confirm against the package.
;;  - Because of '-nw', 'networking' is reported as started before a lease
;;    is actually obtained (see the XXX comment below).
(define dhcp-client-service-type
  (shepherd-service-type
        (file-append dhcp "/sbin/dhclient"))
      "/var/run/dhclient.pid")
     (documentation "Set up networking via DHCP.")
     (requirement '(user-processes udev))
     ;; XXX: Running with '-nw' ("no wait") avoids blocking for a minute when
     ;; networking is unavailable, but also means that the interface is not up
     ;; yet when 'start' completes.  To wait for the interface to be ready, one
     ;; should instead monitor udev events.
     (provision '(networking))
       ;; When invoked without any arguments, 'dhclient' discovers all
       ;; non-loopback interfaces *that are up*.  However, the relevant
       ;; interfaces are typically down at this point.  Thus we perform
       ;; our own interface discovery here.
          (negate loopback-network-interface?))
         (filter valid? (all-network-interface-names)))
       ;; XXX: Make sure the interfaces are up so that 'dhclient' can
       ;; actually send/receive over them.
       (for-each set-network-interface-up ifaces)
       ;; Remove a stale PID file so that 'read-pid-file' below cannot pick
       ;; up the PID of a previous, possibly unrelated, process.
       (false-if-exception (delete-file #$pid-file))
       (let ((pid (fork+exec-command
                   (cons* #$dhclient "-nw"
                          "-pf" #$pid-file ifaces))))
         ;; 'dhclient' forks; wait for the parent to exit successfully and
         ;; then read the PID of the background child from the PID file.
         (and (zero? (cdr (waitpid pid)))
              (read-pid-file #$pid-file)))))
     (stop #~(make-kill-destructor))))))
;; Convenience wrapper around 'dhcp-client-service-type'.  See the notes on
;; that service type: all non-loopback interfaces are configured from
;; unauthenticated DHCP.
(define* (dhcp-client-service #:key (dhcp isc-dhcp))
  "Return a service that runs @var{dhcp}, a Dynamic Host Configuration
Protocol (DHCP) client, on all the non-loopback network interfaces."
  (service dhcp-client-service-type dhcp))
;; Configuration of the ISC DHCP server ('dhcpd').
;;
;; CONFIG-FILE is a file-like object.  NOTE(review): file-like objects are
;; realized in /gnu/store, which is world-readable, so keep secrets such as
;; OMAPI or DDNS keys out of it and reference them by path instead.
;; VERSION selects the protocol family and is also used to name the shepherd
;; service ("dhcpv4-daemon", "dhcpv6-daemon", ...).
(define-record-type* <dhcpd-configuration>
  dhcpd-configuration make-dhcpd-configuration
  (package dhcpd-configuration-package)     ;<package>
  (config-file dhcpd-configuration-config-file) ;file-like
  (version dhcpd-configuration-version)     ;"4", "6", or "4o6"
  (run-directory dhcpd-configuration-run-directory
                 (default "/run/dhcpd"))
  (lease-file dhcpd-configuration-lease-file
              (default "/var/db/dhcpd.leases"))
  (pid-file dhcpd-configuration-pid-file
            (default "/run/dhcpd/dhcpd.pid"))
  ;; list of strings, e.g. (list "enp0s25").  Restricting the server to the
  ;; interfaces that actually face DHCP clients is the main exposure control.
  (interfaces dhcpd-configuration-interfaces
;; Return the shepherd service running 'dhcpd' for a <dhcpd-configuration>.
;; A missing CONFIG-FILE is a hard error.  NOTE(review): no privilege-drop
;; flags are visible in this excerpt (ISC dhcpd supports -user/-group);
;; unless they are passed in the elided arguments the daemon runs as root
;; while parsing client-supplied packets -- verify.
(define dhcpd-shepherd-service
    (($ <dhcpd-configuration> package config-file version run-directory
        lease-file pid-file interfaces)
       (error "Must supply a config-file"))
     (list (shepherd-service
            ;; Allow users to easily run multiple versions simultaneously.
            (provision (list (string->symbol
                              (string-append "dhcpv" version "-daemon"))))
            (documentation (string-append "Run the DHCPv" version " daemon"))
            (requirement '(networking))
            (start #~(make-forkexec-constructor
                      '(#$(file-append package "/sbin/dhcpd")
                        #$(string-append "-" version)
                      #:pid-file #$pid-file))
            (stop #~(make-kill-destructor)))))))
;; Activation gexp for 'dhcpd': create the run directory and an empty lease
;; database if needed, then syntax-check the configuration with 'dhcpd -t'.
;; Both files are created by root with the process umask; if lease data
;; (client MACs, hostnames) is considered sensitive, check the resulting
;; mode.  Whether a failed check aborts activation depends on the call that
;; is elided from this excerpt.
(define dhcpd-activation
    (($ <dhcpd-configuration> package config-file version run-directory
        lease-file pid-file interfaces)
     (with-imported-modules '((guix build utils))
          (unless (file-exists? #$run-directory)
            (mkdir #$run-directory))
          ;; According to the DHCP manual (man dhcpd.leases), the lease
          ;; database must be present for dhcpd to start successfully.
          (unless (file-exists? #$lease-file)
            (with-output-to-file #$lease-file
              (lambda _ (display ""))))
          ;; Validate the config.
           #$(file-append package "/sbin/dhcpd") "-t" "-cf"
;; Service type wiring the 'dhcpd' shepherd service and its activation.
(define dhcpd-service-type
                (list (service-extension shepherd-root-service-type dhcpd-shepherd-service)
                      (service-extension activation-service-type dhcpd-activation)))))
;; Default set of NTP servers.  These URLs are managed by the NTP Pool project.
;; Within Guix, Leo Famulari <leo@famulari.name> is the administrative contact
;; for this NTP pool "zone".
;;
;; These are plain DNS names resolved at run time; nothing below
;; authenticates the servers they resolve to (see the TODO in
;; 'ntp-shepherd-service').
  '("0.guix.pool.ntp.org"
    "1.guix.pool.ntp.org"
    "2.guix.pool.ntp.org"
    "3.guix.pool.ntp.org"))
;; Configuration of the reference 'ntpd' (ntp.org).
;; ALLOW-LARGE-ADJUSTMENT? permits an initial step of more than 1,000 seconds;
;; see 'ntp-service' for why that widens the attack surface.
(define-record-type* <ntp-configuration>
  ntp-configuration make-ntp-configuration
  (ntp ntp-configuration-ntp)
  (servers ntp-configuration-servers)
  (allow-large-adjustment? ntp-allow-large-adjustment?
;; Return the shepherd service running 'ntpd' with a generated ntpd.conf.
;;
;; The generated configuration:
;;  - lists SERVERS without any key material, so responses are
;;    unauthenticated (see TODO);
;;  - restricts remote queries/modification (the CVE-2013-5211 workaround),
;;    which also keeps this host from being a 'monlist' amplifier;
;;  - runs the daemon as the unprivileged "ntpd" user ('-u ntpd').
;; NOTE(review): the option appended when ALLOW-LARGE-ADJUSTMENT? is true is
;; elided here; if it is '-g', a spoofed upstream can step the clock by an
;; arbitrary amount once at startup, which affects certificate validity
;; checks -- confirm.
(define ntp-shepherd-service
    (($ <ntp-configuration> ntp servers allow-large-adjustment?)
       ;; TODO: Add authentication support.
       (string-append "driftfile /var/run/ntpd/ntp.drift\n"
                      (string-join (map (cut string-append "server " <>)
# Disable status queries as a workaround for CVE-2013-5211:
#   <http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using>.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Yet, allow use of the local 'ntpq'.
       (plain-file "ntpd.conf" config))
     (list (shepherd-service
            (documentation "Run the Network Time Protocol (NTP) daemon.")
            (requirement '(user-processes networking))
            (start #~(make-forkexec-constructor
                      (list (string-append #$ntp "/bin/ntpd") "-n"
                            "-c" #$ntpd.conf "-u" "ntpd"
                            #$@(if allow-large-adjustment?
            (stop #~(make-kill-destructor))))))))
;; Unprivileged account the NTP daemons run as: no real home directory and
;; a non-interactive shell, so it cannot be used to log in.
(define %ntp-accounts
          (comment "NTP daemon user")
          (home-directory "/var/empty")
          (shell (file-append shadow "/sbin/nologin")))))
;; Activation gexp: make /var/run/ntpd writable by the "ntpd" user so that
;; the unprivileged daemon can keep its drift file there.
(define (ntp-service-activation config)
  "Return the activation gexp for CONFIG."
  (with-imported-modules '((guix build utils))
        (use-modules (guix build utils))
        (let ((directory "/var/run/ntpd"))
          (chown directory (passwd:uid %user) (passwd:gid %user))))))
;; Service type for the reference 'ntpd': shepherd service, the "ntpd"
;; account and the activation that prepares its run directory.
(define ntp-service-type
  (service-type (name 'ntp)
                 (list (service-extension shepherd-root-service-type
                                          ntp-shepherd-service)
                       (service-extension account-service-type
                                          (const %ntp-accounts))
                       (service-extension activation-service-type
                                          ntp-service-activation)))
                 "Run the @command{ntpd}, the Network Time Protocol (NTP)
daemon of the @uref{http://www.ntp.org, Network Time Foundation}.  The daemon
will keep the system clock synchronized with that of the given servers.")))
;; Convenience wrapper building an <ntp-configuration>.  Leave
;; ALLOW-LARGE-ADJUSTMENT? at its default unless the hardware clock is
;; known to be badly off: with it, whoever answers first as SERVERS can set
;; the clock to anything at startup.
(define* (ntp-service #:key (ntp ntp)
                      (servers %ntp-servers)
                      allow-large-adjustment?)
  "Return a service that runs the daemon from @var{ntp}, the
@uref{http://www.ntp.org, Network Time Protocol package}.  The daemon will
keep the system clock synchronized with that of @var{servers}.
@var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to
make an initial adjustment of more than 1,000 seconds."
  (service ntp-service-type
           (ntp-configuration (ntp ntp)
                              (allow-large-adjustment?
                               allow-large-adjustment?))))
;; Configuration of OpenNTPD.  Each field maps to one ntpd.conf keyword (see
;; 'openntpd-shepherd-service').
;;  - LISTEN-ON defaults to loopback only, so the daemon does not serve time
;;    to the network unless asked to.
;;  - CONSTRAINT-FROM / CONSTRAINTS-FROM name HTTPS hosts whose Date headers
;;    bound the accepted NTP time; they are the only authenticated signal in
;;    this setup, so keep them configured when the network is untrusted.
;;  - ALLOW-LARGE-ADJUSTMENT? is off by default (upstream default).
(define-record-type* <openntpd-configuration>
  openntpd-configuration make-openntpd-configuration
  openntpd-configuration?
  (openntpd                openntpd-configuration-openntpd
  (listen-on               openntpd-listen-on
                           (default '("127.0.0.1"
  (query-from              openntpd-query-from
  (sensor                  openntpd-sensor
  (server                  openntpd-server
                           (default %ntp-servers))
  (servers                 openntpd-servers
  (constraint-from         openntpd-constraint-from
  (constraints-from        openntpd-constraints-from
  (allow-large-adjustment? openntpd-allow-large-adjustment?
                           (default #f))) ; upstream default
;; Return the shepherd service running OpenNTPD.  ntpd.conf is assembled by
;; plain string concatenation of the configuration fields; values are not
;; escaped or validated here, so they must be well-formed single keywords
;; (this is operator-supplied configuration, not untrusted input).
;; NOTE(review): no user switch is visible on the command line; OpenNTPD
;; normally drops to its privilege-separation user itself -- confirm the
;; package is built with the "ntpd" account from '%ntp-accounts'.
(define (openntpd-shepherd-service config)
  (match-record config <openntpd-configuration>
    (openntpd listen-on query-from sensor server servers constraint-from
              constraints-from allow-large-adjustment?)
              (lambda (field value)
                (map (cut string-append field <> "\n")
              '("listen on " "query from " "sensor " "server " "servers "
              (list listen-on query-from sensor server servers constraint-from))
             ;; The 'constraints from' field needs to be enclosed in double quotes.
             (map (cut string-append "constraints from \"" <> "\"\n")
            (plain-file "ntpd.conf" config))
      (list (shepherd-service
             (documentation "Run the Network Time Protocol (NTP) daemon.")
             (requirement '(user-processes networking))
             (start #~(make-forkexec-constructor
                       (list (string-append #$openntpd "/sbin/ntpd")
                             "-d" ;; don't daemonize
                             #$@(if allow-large-adjustment?
                       ;; When ntpd is daemonized it repeatedly tries to respawn
                       ;; while running, leading shepherd to disable it.  To
                       ;; prevent spamming stderr, redirect output to logfile.
                       #:log-file "/var/log/ntpd"))
             (stop #~(make-kill-destructor)))))))
;; Activation gexp: seed /var/db/ntpd.drift with "0.0" when absent so the
;; daemon has a drift file it can update.
(define (openntpd-service-activation config)
  "Return the activation gexp for CONFIG."
  (with-imported-modules '((guix build utils))
        (use-modules (guix build utils))
          (unless (file-exists? "/var/db/ntpd.drift")
            (with-output-to-file "/var/db/ntpd.drift"
                (format #t "0.0")))))))
;; Service type for OpenNTPD: shepherd service, the shared "ntpd" account,
;; the package in the system profile and the drift-file activation.
(define openntpd-service-type
  (service-type (name 'openntpd)
                 (list (service-extension shepherd-root-service-type
                                          openntpd-shepherd-service)
                       (service-extension account-service-type
                                          (const %ntp-accounts))
                       (service-extension profile-service-type
                                          (compose list openntpd-configuration-openntpd))
                       (service-extension activation-service-type
                                          openntpd-service-activation)))
                (default-value (openntpd-configuration))
                 "Run the @command{ntpd}, the Network Time Protocol (NTP)
daemon, as implemented by @uref{http://www.openntpd.org, OpenNTPD}.  The
daemon will keep the system clock synchronized with that of the given servers.")))
;; Configuration of the inetd superserver: the binary to run and the list of
;; <inetd-entry> records that become lines of inetd.conf.
(define-record-type* <inetd-configuration> inetd-configuration
  make-inetd-configuration
  (program           inetd-configuration-program ;file-like
                     (default (file-append inetutils "/libexec/inetd")))
  (entries           inetd-configuration-entries ;list of <inetd-entry>
;; One inetd.conf entry.
;;  - NODE, when given, limits the listening address ("node:name"); use it
;;    to keep a service off public interfaces.
;;  - USER is the account the spawned PROGRAM runs as; prefer a dedicated
;;    unprivileged user over root.
;;  - PROGRAM defaults to "internal", i.e. inetd's built-in services.
;;    NOTE(review): built-ins such as echo/chargen/daytime have a history as
;;    UDP amplification vectors -- avoid exposing them on 'dgram' sockets.
(define-record-type* <inetd-entry> inetd-entry make-inetd-entry
  (node         inetd-entry-node ;string or #f
  (name         inetd-entry-name) ;string, from /etc/services
  (socket-type  inetd-entry-socket-type) ;stream | dgram | raw |
  (protocol     inetd-entry-protocol) ;string, from /etc/protocols
  (wait?        inetd-entry-wait? ;Boolean
  (user         inetd-entry-user) ;string
  (program      inetd-entry-program ;string or file-like object
                (default "internal"))
  (arguments    inetd-entry-arguments ;list of strings or file-like objects
;; Render ENTRIES into an inetd.conf file-like object.  Fields are emitted
;; whitespace-separated without quoting or escaping, so a field containing
;; whitespace or a newline would be read by inetd as extra fields or extra
;; entries; callers must supply single well-formed tokens.  The socket type
;; is validated against the accepted symbols (the 'match' has no fallback
;; clause, so anything else is an error).
(define (inetd-config-file entries)
  (apply mixed-text-file "inetd.conf"
           (let* ((node (inetd-entry-node entry))
                  (name (inetd-entry-name entry))
                    (if node (string-append node ":" name) name))
                   (match (inetd-entry-socket-type entry)
                     ((or 'stream 'dgram 'raw 'rdm 'seqpacket)
                      (symbol->string (inetd-entry-socket-type entry)))))
                  (protocol (inetd-entry-protocol entry))
                  (wait (if (inetd-entry-wait? entry) "wait" "nowait"))
                  (user (inetd-entry-user entry))
                  (program (inetd-entry-program entry))
                  (args (inetd-entry-arguments entry)))
                  (list #$@(list socket type protocol wait user program) #$@args)
;; Return the shepherd service for inetd, or nothing at all when there are
;; no entries (so an unconfigured inetd never listens on anything).
;; Requires syslogd because inetd logs connection handling through it.
(define inetd-shepherd-service
    (($ <inetd-configuration> program ()) '()) ; empty list of entries -> do nothing
    (($ <inetd-configuration> program entries)
            (documentation "Run inetd.")
            (requirement '(user-processes networking syslogd))
            (start #~(make-forkexec-constructor
                      (list #$program #$(inetd-config-file entries))
                      #:pid-file "/var/run/inetd.pid"))
            (stop #~(make-kill-destructor)))))))
;; Service type for inetd.  Other services may extend it with additional
;; entries, which are appended to those of the base configuration -- so
;; every extension can open a listening socket; review them together.
(define-public inetd-service-type
                 (list (service-extension shepherd-root-service-type
                                          inetd-shepherd-service)))
                ;; The service can be extended with additional lists of entries.
                (compose concatenate)
                (extend (lambda (config entries)
                            (entries (append (inetd-configuration-entries config)
                 "Start @command{inetd}, the @dfn{Internet superserver}.  It is responsible
for listening on Internet sockets and spawning the corresponding services on
;; Configuration of the Tor daemon.
;; CONFIG-FILE is appended verbatim after the generated torrc lines (see
;; 'tor-configuration->torrc'), so it can override them.  NOTE(review): as a
;; file-like object it is realized in the world-readable /gnu/store -- keep
;; plaintext secrets out of it.
;; SOCKS-SOCKET-TYPE selects a TCP SocksPort ('tcp) or a Unix socket in
;; /var/run/tor usable by members of the "tor" group ('unix).
(define-record-type* <tor-configuration>
  tor-configuration make-tor-configuration
  (tor              tor-configuration-tor
  (config-file      tor-configuration-config-file
                    (default (plain-file "empty" "")))
  (hidden-services  tor-configuration-hidden-services
  (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
;; System group and unprivileged account for Tor.  Membership of the "tor"
;; group is what grants access to the Unix SOCKS socket when that socket
;; type is selected.
(define %tor-accounts
  ;; User account and groups for Tor.
  (list (user-group (name "tor") (system? #t))
               (comment "Tor daemon user")
               (home-directory "/var/empty")
               (shell (file-append shadow "/sbin/nologin")))))
;; A Tor hidden service.  NAME is used verbatim as a path component under
;; /var/lib/tor/hidden-services/, so it must be a single plain component
;; (no "/" or ".."); nothing validates that here.
(define-record-type <hidden-service>
  (hidden-service name mapping)
  (name    hidden-service-name)    ;string
  (mapping hidden-service-mapping)) ;list of port/address tuples
;; Build the torrc for CONFIG as a store file.  Generated first: data and
;; PID directories, syslog logging, optionally a Unix SocksPort made
;; group-writable, and one HiddenServiceDir/HiddenServicePort group per
;; hidden service; the user's CONFIG-FILE is appended last and therefore
;; wins on conflicting options.  Hidden-service names and mappings are
;; interpolated with 'format' as-is (no escaping).
(define (tor-configuration->torrc config)
  "Return a 'torrc' file for CONFIG."
    (($ <tor-configuration> tor config-file services socks-socket-type)
         (with-imported-modules '((guix build utils))
             (use-modules (guix build utils)
             (call-with-output-file #$output
### These lines were generated from your system configuration:
DataDirectory /var/lib/tor
PidFile /var/run/tor/tor.pid
Log notice syslog\n" port)
                 ;; Group-writable so that members of the "tor" group can
                 ;; use the SOCKS proxy without being root.
                 (when (eq? 'unix '#$socks-socket-type)
SocksPort unix:/var/run/tor/socks-sock
UnixSocksGroupWritable 1\n" port))
                 (for-each (match-lambda
                             ((service (ports hosts) ...)
HiddenServiceDir /var/lib/tor/hidden-services/~a~%"
                              (for-each (lambda (tcp-port host)
HiddenServicePort ~a ~a~%"
                           '#$(map (match-lambda
                                     (($ <hidden-service> name mapping)
                                      (cons name mapping)))
### End of automatically generated lines.\n\n" port)
                 ;; Append the user's config file.
                 (call-with-input-file #$config-file
                     (dump-port input port)))
;; Return the shepherd service running Tor.  The daemon is started inside a
;; container with an explicit list of file-system mappings (data directory,
;; /dev/log for syslog, the run directory), so it sees only those paths of
;; the host; that is the main isolation boundary for this service.
(define (tor-shepherd-service config)
  "Return a <shepherd-service> running Tor."
    (($ <tor-configuration> tor)
     (let ((torrc (tor-configuration->torrc config)))
       (with-imported-modules (source-module-closure
                               '((gnu build shepherd)
                                 (gnu system file-systems)))
         (list (shepherd-service
                ;; Tor needs at least one network interface to be up, hence the
                ;; dependency on 'loopback'.
                (requirement '(user-processes loopback syslogd))
                (modules '((gnu build shepherd)
                           (gnu system file-systems)))
                (start #~(make-forkexec-constructor/container
                          (list #$(file-append tor "/bin/tor") "-f" #$torrc)
                          #:mappings (list (file-system-mapping
                                            (source "/var/lib/tor")
                                            (source "/dev/log")    ;for syslog
                                            (source "/var/run/tor")
                          #:pid-file "/var/run/tor/tor.pid"))
                (stop #~(make-kill-destructor))
                (documentation "Run the Tor anonymous network overlay."))))))))
;; Activation gexp: create Tor's directories with the ownership and modes
;; the daemon insists on.  Hidden-service directories (which hold the
;; onion private keys) and /var/lib/tor are 0700 and owned by "tor";
;; /var/run/tor is 0750 so the "tor" group can reach the SOCKS socket.
;; Note that '/var/lib' is forced to 0755 regardless of what the
;; administrator set before.
(define (tor-activation config)
  "Set up directories for Tor and its hidden services, if any."
      (use-modules (guix build utils))
        (define (initialize service)
          ;; SERVICE is used as a path component verbatim; see <hidden-service>.
          (let ((directory (string-append "/var/lib/tor/hidden-services/"
            (chown directory (passwd:uid %user) (passwd:gid %user))
            ;; The daemon bails out if we give wider permissions.
            (chmod directory #o700)))
        ;; Allow Tor to write its PID file.
        (mkdir-p "/var/run/tor")
        (chown "/var/run/tor" (passwd:uid %user) (passwd:gid %user))
        ;; Give the "tor" group read and search access (0750) so that, if the
        ;; system administrator has specified UnixSocksGroupWritable=1 in their
        ;; torrc file, members of the "tor" group can reach the SOCKS socket.
        ;; Write permission on the socket itself comes from that Tor option,
        ;; not from this directory mode.
        (chmod "/var/run/tor" #o750)
        ;; Allow Tor to access the hidden services' directories.
        (mkdir-p "/var/lib/tor")
        (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))
        (chmod "/var/lib/tor" #o700)
        ;; Make sure /var/lib is accessible to the 'tor' user.
        (chmod "/var/lib" #o755)
                  '#$(map hidden-service-name
                          (tor-configuration-hidden-services config)))))
;; Service type for Tor.  Extensions contribute hidden services, which are
;; appended to those in the base configuration; each one exposes a local
;; port through the onion address, so review them together.
(define tor-service-type
  (service-type (name 'tor)
                 (list (service-extension shepherd-root-service-type
                                          tor-shepherd-service)
                       (service-extension account-service-type
                                          (const %tor-accounts))
                       (service-extension activation-service-type
                ;; This can be extended with hidden services.
                (compose concatenate)
                (extend (lambda (config services)
                             (append (tor-configuration-hidden-services config)
                (default-value (tor-configuration))
                 "Run the @uref{https://torproject.org, Tor} anonymous
networking daemon.")))
;; Convenience wrapper around 'tor-service-type'.  NOTE(review): the
;; "User tor" line mentioned in the docstring is not visible in the
;; generated torrc shown in this excerpt -- confirm it is emitted by
;; 'tor-configuration->torrc'.
(define* (tor-service #:optional
                      (config-file (plain-file "empty" ""))
  "Return a service to run the @uref{https://torproject.org, Tor} anonymous

The daemon runs as the @code{tor} unprivileged user.  It is passed
@var{config-file}, a file-like object, with an additional @code{User tor} line
and lines for hidden services added via @code{tor-hidden-service}.  Run
@command{man tor} for information about the configuration file."
  (service tor-service-type
           (tor-configuration (tor tor)
                              (config-file config-file))))
;; Service type whose sole purpose is to extend 'tor-service-type' with
;; one <hidden-service> per instance.
(define tor-hidden-service-type
  ;; A type that extends Tor with hidden services.
  (service-type (name 'tor-hidden-service)
                 (list (service-extension tor-service-type list)))
                 "Define a new Tor @dfn{hidden service}.")))
;; Declare a hidden service.  Each tuple in MAPPING publishes a local
;; service on the onion address: anyone who learns the .onion name can reach
;; it unless Tor client authorization is configured in the torrc.  NAME
;; must be a single path component (see <hidden-service>).
(define (tor-hidden-service name mapping)
  "Define a new Tor @dfn{hidden service} called @var{name} and implementing
@var{mapping}.  @var{mapping} is a list of port/host tuples, such as:

  '((22 \"127.0.0.1:22\")
    (80 \"127.0.0.1:8080\"))

In this example, port 22 of the hidden service is mapped to local port 22, and
port 80 is mapped to local port 8080.

This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
the @file{hostname} file contains the @code{.onion} host name for the hidden

See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
project's documentation} for more information."
  (service tor-hidden-service-type
           (hidden-service name mapping)))
;; Activation gexp for Wicd: seed /etc/wicd with the dhclient template from
;; the package (only if absent, so local edits are kept) and create the
;; wpa_supplicant control-socket directory with group access only.
(define %wicd-activation
  ;; Activation gexp for Wicd.
      (use-modules (guix build utils))
      (mkdir-p "/etc/wicd")
      (let ((file-name "/etc/wicd/dhclient.conf.template.default"))
        (unless (file-exists? file-name)
          (copy-file (string-append #$wicd file-name)
      ;; Wicd invokes 'wpa_supplicant', which needs this directory for its
      ;; named socket files.  Control sockets let a client reconfigure the
      ;; supplicant, hence no access for "other".
      (mkdir-p "/var/run/wpa_supplicant")
      (chmod "/var/run/wpa_supplicant" #o750)))
;; Return the shepherd service running the Wicd daemon; it provides
;; 'networking' and needs the system D-Bus.
(define (wicd-shepherd-service wicd)
  "Return a shepherd service for WICD."
  (list (shepherd-service
         (documentation "Run the Wicd network manager.")
         (provision '(networking))
         (requirement '(user-processes dbus-system loopback))
         (start #~(make-forkexec-constructor
                   (list (string-append #$wicd "/sbin/wicd")
         (stop #~(make-kill-destructor)))))
;; Service type for Wicd: shepherd service, D-Bus policy, activation and
;; the package in the global profile.
(define wicd-service-type
  (service-type (name 'wicd)
                 (list (service-extension shepherd-root-service-type
                                          wicd-shepherd-service)
                       (service-extension dbus-root-service-type
                       (service-extension activation-service-type
                                          (const %wicd-activation))
                       ;; Add Wicd to the global profile.
                       (service-extension profile-service-type list)))
                 "Run @url{https://launchpad.net/wicd,Wicd}, a network
management daemon that aims to simplify wired and wireless networking.")))
;; Convenience wrapper around 'wicd-service-type'.
(define* (wicd-service #:key (wicd wicd))
  "Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
management daemon that aims to simplify wired and wireless networking.

This service adds the @var{wicd} package to the global profile, providing
several commands to interact with the daemon and configure networking:
@command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
and @command{wicd-curses} user interfaces."
  (service wicd-service-type wicd))
;; Configuration of ModemManager: only the package to use.
(define-record-type* <modem-manager-configuration>
  modem-manager-configuration make-modem-manager-configuration
  modem-manager-configuration?
  (modem-manager modem-manager-configuration-modem-manager
                 (default modem-manager)))
;; Configuration of NetworkManager.  DNS is written verbatim into the
;; "dns=" key of NetworkManager.conf (no escaping); VPN-PLUGINS are merged
;; into one directory exposed through NM_VPN_PLUGIN_DIR.
(define-record-type* <network-manager-configuration>
  network-manager-configuration make-network-manager-configuration
  network-manager-configuration?
  (network-manager network-manager-configuration-network-manager
                   (default network-manager))
  (dns network-manager-configuration-dns
  (vpn-plugins network-manager-vpn-plugins ;list of <package>
;; Activation gexp for NetworkManager: create the directory where it stores
;; connection profiles.  NOTE(review): those profiles can hold Wi-Fi and VPN
;; secrets; 'mkdir-p' uses the process umask, so check the resulting mode
;; (NetworkManager itself is expected to reject profile files that are not
;; root-only -- verify against the installed version).
(define %network-manager-activation
  ;; Activation gexp for NetworkManager.
      (use-modules (guix build utils))
      (mkdir-p "/etc/NetworkManager/system-connections")))
;; Union of the VPN plugin packages so NetworkManager sees them under one
;; lib/NetworkManager/VPN directory.
(define (vpn-plugin-directory plugins)
  "Return a directory containing PLUGINS, the NM VPN plugins."
  (directory-union "network-manager-vpn-plugins" plugins))
;; Session environment contributed by the service: NM_VPN_PLUGIN_DIR pointing
;; at the plugin union, so user tools such as 'nmcli' find the plugins.
(define network-manager-environment
    (($ <network-manager-configuration> network-manager dns vpn-plugins)
     ;; Define this variable in the global environment such that
     ;; "nmcli connection import type openvpn file foo.ovpn" works.
     `(("NM_VPN_PLUGIN_DIR"
        . ,(file-append (vpn-plugin-directory vpn-plugins)
                        "/lib/NetworkManager/VPN"))))))
;; Return the shepherd service running NetworkManager with a generated
;; NetworkManager.conf ([main] dns=...) and NM_VPN_PLUGIN_DIR set for the
;; daemon itself.  It provides 'networking' and requires the system D-Bus
;; and the wpa-supplicant service.
(define network-manager-shepherd-service
    (($ <network-manager-configuration> network-manager dns vpn-plugins)
     (let ((conf (plain-file "NetworkManager.conf"
                             (string-append "[main]\ndns=" dns "\n")))
           (vpn  (vpn-plugin-directory vpn-plugins)))
       (list (shepherd-service
              (documentation "Run the NetworkManager.")
              (provision '(networking))
              (requirement '(user-processes dbus-system wpa-supplicant loopback))
              (start #~(make-forkexec-constructor
                        (list (string-append #$network-manager
                                             "/sbin/NetworkManager")
                              (string-append "--config=" #$conf)
                        #:environment-variables
                        (list (string-append "NM_VPN_PLUGIN_DIR=" #$vpn
                                             "/lib/NetworkManager/VPN"))))
              (stop #~(make-kill-destructor))))))))
;; Service type for NetworkManager: shepherd service, D-Bus and polkit
;; policies (which decide who may change network settings), activation,
;; session environment and the package in the system profile.
(define network-manager-service-type
            (($ <network-manager-configuration> network-manager)
             (list network-manager)))))
     (name 'network-manager)
      (list (service-extension shepherd-root-service-type
                               network-manager-shepherd-service)
            (service-extension dbus-root-service-type config->package)
            (service-extension polkit-service-type config->package)
            (service-extension activation-service-type
                               (const %network-manager-activation))
            (service-extension session-environment-service-type
                               network-manager-environment)
            ;; Add network-manager to the system profile.
            (service-extension profile-service-type config->package)))
     (default-value (network-manager-configuration))
      "Run @uref{https://wiki.gnome.org/Projects/NetworkManager,
NetworkManager}, a network management daemon that aims to simplify wired and
wireless networking."))))
;; Configuration of Connman.  DISABLE-VPN? leaves the VPN plugin unloaded
;; (and skips creating its state directory), reducing attack surface when
;; VPN support is not needed.
(define-record-type* <connman-configuration>
  connman-configuration make-connman-configuration
  connman-configuration?
  (connman      connman-configuration-connman
  (disable-vpn? connman-configuration-disable-vpn?
;; Activation gexp: create Connman's state directories (the VPN one only
;; when VPN support is enabled).
(define (connman-activation config)
  (let ((disable-vpn? (connman-configuration-disable-vpn? config)))
    (with-imported-modules '((guix build utils))
          (use-modules (guix build utils))
          (mkdir-p "/var/lib/connman/")
          (unless #$disable-vpn?
            (mkdir-p "/var/lib/connman-vpn/"))))))
;; Return the shepherd service running Connman, passing '--noplugin=vpn'
;; when VPN support is disabled.  Provides 'networking'; needs the system
;; D-Bus and the wpa-supplicant service.
(define (connman-shepherd-service config)
  "Return a shepherd service for Connman"
  (connman-configuration? config)
  (let ((connman      (connman-configuration-connman config))
        (disable-vpn? (connman-configuration-disable-vpn? config)))
    (list (shepherd-service
           (documentation "Run Connman")
           (provision '(networking))
            '(user-processes dbus-system loopback wpa-supplicant))
           (start #~(make-forkexec-constructor
                     (list (string-append #$connman
                           #$@(if disable-vpn? '("--noplugin=vpn") '()))))
           (stop #~(make-kill-destructor)))))))
;; Service type for Connman: shepherd service, polkit and D-Bus policies,
;; activation and the package in the system profile.
(define connman-service-type
  (let ((connman-package (compose list connman-configuration-connman)))
    (service-type (name 'connman)
                   (list (service-extension shepherd-root-service-type
                                            connman-shepherd-service)
                         (service-extension polkit-service-type
                         (service-extension dbus-root-service-type
                         (service-extension activation-service-type
                         ;; Add connman to the system profile.
                         (service-extension profile-service-type
                  (default-value (connman-configuration))
                   "Run @url{https://01.org/connman,Connman},
a network connection manager."))))
;; Service type for ModemManager: it is D-Bus activated rather than run by
;; the shepherd, and contributes udev rules and a polkit policy.
(define modem-manager-service-type
  (let ((config->package
            (($ <modem-manager-configuration> modem-manager)
             (list modem-manager)))))
    (service-type (name 'modem-manager)
                   (list (service-extension dbus-root-service-type
                         (service-extension udev-service-type
                         (service-extension polkit-service-type
                  (default-value (modem-manager-configuration))
                   "Run @uref{https://wiki.gnome.org/Projects/ModemManager,
ModemManager}, a modem management daemon that aims to simplify dialup
;; Configuration of wpa_supplicant.
;; CONFIG-FILE, when given, is a file-like object passed with '-c'.
;; NOTE(review): file-like objects are realized in /gnu/store, which is
;; world-readable, and a wpa_supplicant.conf typically contains network
;; pre-shared keys ("psk=") -- any local user could read them.  Keep
;; secrets out of store files and manage the network list through
;; NetworkManager/Connman or an out-of-store path instead.
(define-record-type* <wpa-supplicant-configuration>
  wpa-supplicant-configuration make-wpa-supplicant-configuration
  wpa-supplicant-configuration?
  (wpa-supplicant wpa-supplicant-configuration-wpa-supplicant ;<package>
                  (default wpa-supplicant))
  (pid-file       wpa-supplicant-configuration-pid-file ;string
                  (default "/var/run/wpa_supplicant.pid"))
  (dbus?          wpa-supplicant-configuration-dbus? ;Boolean
  (interface      wpa-supplicant-configuration-interface ;#f | string
  (config-file    wpa-supplicant-configuration-config-file ;#f | <file-like>
  (extra-options  wpa-supplicant-configuration-extra-options ;list of strings
;; Return the shepherd service running wpa_supplicant in the background
;; ('-B'), with '-i' and '-c' added only when INTERFACE / CONFIG-FILE are
;; set.  It provides 'wpa-supplicant', which the NetworkManager and Connman
;; services require.  No privilege drop is visible here; the supplicant
;; presumably runs as root -- TODO confirm.
(define wpa-supplicant-shepherd-service
    (($ <wpa-supplicant-configuration> wpa-supplicant pid-file dbus? interface
                                       config-file extra-options)
     (list (shepherd-service
            (documentation "Run the WPA supplicant daemon")
            (provision '(wpa-supplicant))
            (requirement '(user-processes dbus-system loopback))
            (start #~(make-forkexec-constructor
                      (list (string-append #$wpa-supplicant
                                           "/sbin/wpa_supplicant")
                            (string-append "-P" #$pid-file)
                            "-B"        ;run in background
                                   #~(string-append "-i" #$interface)
                                   #~(string-append "-c" #$config-file)
                      #:pid-file #$pid-file))
            (stop #~(make-kill-destructor)))))))
;; Service type for wpa_supplicant: shepherd service, D-Bus policy and the
;; package in the system profile.
(define wpa-supplicant-service-type
  (let ((config->package
            (($ <wpa-supplicant-configuration> wpa-supplicant)
             (list wpa-supplicant)))))
    (service-type (name 'wpa-supplicant)
                   (list (service-extension shepherd-root-service-type
                                            wpa-supplicant-shepherd-service)
                         (service-extension dbus-root-service-type config->package)
                         (service-extension profile-service-type config->package)))
                  (description "Run the WPA Supplicant daemon, a service that
implements authentication, key negotiation and more for wireless networks.")
                  (default-value (wpa-supplicant-configuration)))))
;; Configuration of Open vSwitch: only the package to use.
(define-record-type* <openvswitch-configuration>
  openvswitch-configuration make-openvswitch-configuration
  openvswitch-configuration?
  (package openvswitch-configuration-package
           (default openvswitch)))
;; Activation gexp: create the run and state directories and initialize the
;; OVSDB database once (existing databases are left untouched).
(define openvswitch-activation
    (($ <openvswitch-configuration> package)
     (let ((ovsdb-tool (file-append package "/bin/ovsdb-tool")))
       (with-imported-modules '((guix build utils))
             (use-modules (guix build utils))
             (mkdir-p "/var/run/openvswitch")
             (mkdir-p "/var/lib/openvswitch")
             (let ((conf.db "/var/lib/openvswitch/conf.db"))
               (unless (file-exists? conf.db)
                 (system* #$ovsdb-tool "create" conf.db)))))))))
;; Return the two shepherd services for Open vSwitch: the OVSDB server,
;; reachable only over a local Unix socket ('punix:'), and the switch
;; daemon that depends on it.  No TCP/SSL remote is opened here; anyone
;; who can connect to the Unix socket can reconfigure the switch, so its
;; permissions matter.
(define openvswitch-shepherd-service
    (($ <openvswitch-configuration> package)
     (let ((ovsdb-server (file-append package "/sbin/ovsdb-server"))
           (ovs-vswitchd (file-append package "/sbin/ovs-vswitchd")))
              (provision '(ovsdb))
              (documentation "Run the Open vSwitch database server.")
              (start #~(make-forkexec-constructor
                        (list #$ovsdb-server "--pidfile"
                              "--remote=punix:/var/run/openvswitch/db.sock")
                        #:pid-file "/var/run/openvswitch/ovsdb-server.pid"))
              (stop #~(make-kill-destructor)))
              (provision '(vswitchd))
              (requirement '(ovsdb))
              (documentation "Run the Open vSwitch daemon.")
              (start #~(make-forkexec-constructor
                        (list #$ovs-vswitchd "--pidfile")
                        #:pid-file "/var/run/openvswitch/ovs-vswitchd.pid"))
              (stop #~(make-kill-destructor))))))))
;; Service type for Open vSwitch: activation, the package in the profile
;; and the two shepherd services.
(define openvswitch-service-type
                 (list (service-extension activation-service-type
                                          openvswitch-activation)
                       (service-extension profile-service-type
                                          (compose list openvswitch-configuration-package))
                       (service-extension shepherd-root-service-type
                                          openvswitch-shepherd-service)))
                 "Run @uref{http://www.openvswitch.org, Open vSwitch}, a multilayer virtual
switch designed to enable massive network automation through programmatic
;; Rule set that accepts everything.  It is both the default for the
;; iptables service and what 'stop' restores, i.e. the service fails open.
(define %iptables-accept-all-rules
  (plain-file "iptables-accept-all.rules"
;; Configuration of the iptables service: rule files in 'iptables-save'
;; format for IPv4 and IPv6.  Both default to accept-all, so an
;; iptables-service with no explicit rules filters nothing; supply both
;; families -- leaving IPv6 at the default while restricting IPv4 is a
;; classic gap.
(define-record-type* <iptables-configuration>
  iptables-configuration make-iptables-configuration iptables-configuration?
  (iptables   iptables-configuration-iptables
  (ipv4-rules iptables-configuration-ipv4-rules
              (default %iptables-accept-all-rules))
  (ipv6-rules iptables-configuration-ipv6-rules
              (default %iptables-accept-all-rules)))
;; Return the shepherd service that loads the rule sets with
;; iptables-restore / ip6tables-restore.  'start' applies IPv4 first, then
;; IPv6: if the first 'invoke' fails the second never runs, so a bad IPv4
;; file leaves IPv6 unfiltered (and vice versa leaves IPv4 loaded alone).
;; 'stop' restores accept-all for both families -- stopping this service
;; opens the host up; it is not a "fail closed" firewall.
(define iptables-shepherd-service
    (($ <iptables-configuration> iptables ipv4-rules ipv6-rules)
     (let ((iptables-restore  (file-append iptables "/sbin/iptables-restore"))
           (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore")))
              (documentation "Packet filtering framework")
              (provision '(iptables))
                         (invoke #$iptables-restore #$ipv4-rules)
                         (invoke #$ip6tables-restore #$ipv6-rules)))
                         (invoke #$iptables-restore #$%iptables-accept-all-rules)
                         (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
;; Service type for the iptables rule loader (see 'iptables-shepherd-service'
;; for its fail-open semantics).
(define iptables-service-type
                 "Run @command{iptables-restore}, setting up the specified rules.")
                 (list (service-extension shepherd-root-service-type
                                          (compose list iptables-shepherd-service))))))
1197 ;;; networking.scm ends here