1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
5 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
6 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
7 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
8 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
9 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
10 ;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
11 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
13 ;;; This file is part of GNU Guix.
15 ;;; GNU Guix is free software; you can redistribute it and/or modify it
16 ;;; under the terms of the GNU General Public License as published by
17 ;;; the Free Software Foundation; either version 3 of the License, or (at
18 ;;; your option) any later version.
20 ;;; GNU Guix is distributed in the hope that it will be useful, but
21 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
22 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 ;;; GNU General Public License for more details.
25 ;;; You should have received a copy of the GNU General Public License
26 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
28 (define-module (gnu services networking)
29 #:use-module (gnu services)
30 #:use-module (gnu services base)
31 #:use-module (gnu services shepherd)
32 #:use-module (gnu services dbus)
33 #:use-module (gnu system shadow)
34 #:use-module (gnu system pam)
35 #:use-module (gnu packages admin)
36 #:use-module (gnu packages connman)
37 #:use-module (gnu packages freedesktop)
38 #:use-module (gnu packages linux)
39 #:use-module (gnu packages tor)
40 #:use-module (gnu packages messaging)
41 #:use-module (gnu packages networking)
42 #:use-module (gnu packages ntp)
43 #:use-module (gnu packages wicd)
44 #:use-module (gnu packages gnome)
45 #:use-module (guix gexp)
46 #:use-module (guix records)
47 #:use-module (guix modules)
48 #:use-module (srfi srfi-1)
49 #:use-module (srfi srfi-9)
50 #:use-module (srfi srfi-26)
51 #:use-module (ice-9 match)
52 #:re-export (static-networking-service
53 static-networking-service-type)
54 #:export (%facebook-host-aliases
60 dhcpd-configuration-package
61 dhcpd-configuration-config-file
62 dhcpd-configuration-version
63 dhcpd-configuration-run-directory
64 dhcpd-configuration-lease-file
65 dhcpd-configuration-pid-file
66 dhcpd-configuration-interfaces
75 openntpd-configuration
76 openntpd-configuration?
92 network-manager-configuration
93 network-manager-configuration?
94 network-manager-configuration-dns
95 network-manager-service-type
98 connman-configuration?
101 modem-manager-configuration
102 modem-manager-configuration?
103 modem-manager-service-type
104 wpa-supplicant-service-type
106 openvswitch-service-type
107 openvswitch-configuration
109 iptables-configuration
110 iptables-configuration?
111 iptables-configuration-iptables
112 iptables-configuration-ipv4-rules
113 iptables-configuration-ipv6-rules
114 iptables-service-type))
118 ;;; Networking services.
122 (define %facebook-host-aliases
123 ;; This is the list of known Facebook hosts to be added to /etc/hosts if you
126 # Block Facebook IPv4.
127 127.0.0.1 www.facebook.com
128 127.0.0.1 facebook.com
129 127.0.0.1 login.facebook.com
130 127.0.0.1 www.login.facebook.com
132 127.0.0.1 www.fbcdn.net
134 127.0.0.1 www.fbcdn.com
135 127.0.0.1 static.ak.fbcdn.net
136 127.0.0.1 static.ak.connect.facebook.com
137 127.0.0.1 connect.facebook.net
138 127.0.0.1 www.connect.facebook.net
139 127.0.0.1 apps.facebook.com
141 # Block Facebook IPv6.
142 fe80::1%lo0 facebook.com
143 fe80::1%lo0 login.facebook.com
144 fe80::1%lo0 www.login.facebook.com
145 fe80::1%lo0 fbcdn.net
146 fe80::1%lo0 www.fbcdn.net
147 fe80::1%lo0 fbcdn.com
148 fe80::1%lo0 www.fbcdn.com
149 fe80::1%lo0 static.ak.fbcdn.net
150 fe80::1%lo0 static.ak.connect.facebook.com
151 fe80::1%lo0 connect.facebook.net
152 fe80::1%lo0 www.connect.facebook.net
153 fe80::1%lo0 apps.facebook.com\n")
155 (define dhcp-client-service-type
156 (shepherd-service-type
160 (file-append dhcp "/sbin/dhclient"))
163 "/var/run/dhclient.pid")
166 (documentation "Set up networking via DHCP.")
167 (requirement '(user-processes udev))
169 ;; XXX: Running with '-nw' ("no wait") avoids blocking for a minute when
170 ;; networking is unavailable, but also means that the interface is not up
171 ;; yet when 'start' completes. To wait for the interface to be ready, one
172 ;; should instead monitor udev events.
173 (provision '(networking))
176 ;; When invoked without any arguments, 'dhclient' discovers all
177 ;; non-loopback interfaces *that are up*. However, the relevant
178 ;; interfaces are typically down at this point. Thus we perform
179 ;; our own interface discovery here.
181 (negate loopback-network-interface?))
183 (filter valid? (all-network-interface-names)))
185 ;; XXX: Make sure the interfaces are up so that 'dhclient' can
186 ;; actually send/receive over them.
187 (for-each set-network-interface-up ifaces)
189 (false-if-exception (delete-file #$pid-file))
190 (let ((pid (fork+exec-command
191 (cons* #$dhclient "-nw"
192 "-pf" #$pid-file ifaces))))
193 (and (zero? (cdr (waitpid pid)))
194 (read-pid-file #$pid-file)))))
195 (stop #~(make-kill-destructor))))))
197 (define* (dhcp-client-service #:key (dhcp isc-dhcp))
198 "Return a service that runs @var{dhcp}, a Dynamic Host Configuration
199 Protocol (DHCP) client, on all the non-loopback network interfaces."
200 (service dhcp-client-service-type dhcp))
202 (define-record-type* <dhcpd-configuration>
203 dhcpd-configuration make-dhcpd-configuration
205 (package dhcpd-configuration-package ;<package>
207 (config-file dhcpd-configuration-config-file ;file-like
209 (version dhcpd-configuration-version ;"4", "6", or "4o6"
211 (run-directory dhcpd-configuration-run-directory
212 (default "/run/dhcpd"))
213 (lease-file dhcpd-configuration-lease-file
214 (default "/var/db/dhcpd.leases"))
215 (pid-file dhcpd-configuration-pid-file
216 (default "/run/dhcpd/dhcpd.pid"))
217 ;; list of strings, e.g. (list "enp0s25")
218 (interfaces dhcpd-configuration-interfaces
221 (define dhcpd-shepherd-service
223 (($ <dhcpd-configuration> package config-file version run-directory
224 lease-file pid-file interfaces)
226 (error "Must supply a config-file"))
227 (list (shepherd-service
228 ;; Allow users to easily run multiple versions simultaneously.
229 (provision (list (string->symbol
230 (string-append "dhcpv" version "-daemon"))))
231 (documentation (string-append "Run the DHCPv" version " daemon"))
232 (requirement '(networking))
233 (start #~(make-forkexec-constructor
234 '(#$(file-append package "/sbin/dhcpd")
235 #$(string-append "-" version)
240 #:pid-file #$pid-file))
241 (stop #~(make-kill-destructor)))))))
243 (define dhcpd-activation
245 (($ <dhcpd-configuration> package config-file version run-directory
246 lease-file pid-file interfaces)
247 (with-imported-modules '((guix build utils))
249 (unless (file-exists? #$run-directory)
250 (mkdir #$run-directory))
251 ;; According to the DHCP manual (man dhcpd.leases), the lease
252 ;; database must be present for dhcpd to start successfully.
253 (unless (file-exists? #$lease-file)
254 (with-output-to-file #$lease-file
255 (lambda _ (display ""))))
256 ;; Validate the config.
258 #$(file-append package "/sbin/dhcpd") "-t" "-cf"
261 (define dhcpd-service-type
265 (list (service-extension shepherd-root-service-type dhcpd-shepherd-service)
266 (service-extension activation-service-type dhcpd-activation)))))
269 ;; Default set of NTP servers. These URLs are managed by the NTP Pool project.
270 ;; Within Guix, Leo Famulari <leo@famulari.name> is the administrative contact
271 ;; for this NTP pool "zone".
272 '("0.guix.pool.ntp.org"
273 "1.guix.pool.ntp.org"
274 "2.guix.pool.ntp.org"
275 "3.guix.pool.ntp.org"))
283 (define-record-type* <ntp-configuration>
284 ntp-configuration make-ntp-configuration
286 (ntp ntp-configuration-ntp
288 (servers ntp-configuration-servers)
289 (allow-large-adjustment? ntp-allow-large-adjustment?
292 (define ntp-shepherd-service
294 (($ <ntp-configuration> ntp servers allow-large-adjustment?)
296 ;; TODO: Add authentication support.
298 (string-append "driftfile /var/run/ntpd/ntp.drift\n"
299 (string-join (map (cut string-append "server " <>)
303 # Disable status queries as a workaround for CVE-2013-5211:
304 # <http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using>.
305 restrict default kod nomodify notrap nopeer noquery
306 restrict -6 default kod nomodify notrap nopeer noquery
308 # Yet, allow use of the local 'ntpq'.
313 (plain-file "ntpd.conf" config))
315 (list (shepherd-service
317 (documentation "Run the Network Time Protocol (NTP) daemon.")
318 (requirement '(user-processes networking))
319 (start #~(make-forkexec-constructor
320 (list (string-append #$ntp "/bin/ntpd") "-n"
321 "-c" #$ntpd.conf "-u" "ntpd"
322 #$@(if allow-large-adjustment?
325 (stop #~(make-kill-destructor))))))))
327 (define %ntp-accounts
332 (comment "NTP daemon user")
333 (home-directory "/var/empty")
334 (shell (file-append shadow "/sbin/nologin")))))
337 (define (ntp-service-activation config)
338 "Return the activation gexp for CONFIG."
339 (with-imported-modules '((guix build utils))
341 (use-modules (guix build utils))
345 (let ((directory "/var/run/ntpd"))
347 (chown directory (passwd:uid %user) (passwd:gid %user))))))
349 (define ntp-service-type
350 (service-type (name 'ntp)
352 (list (service-extension shepherd-root-service-type
353 ntp-shepherd-service)
354 (service-extension account-service-type
355 (const %ntp-accounts))
356 (service-extension activation-service-type
357 ntp-service-activation)))
359 "Run the @command{ntpd}, the Network Time Protocol (NTP)
360 daemon of the @uref{http://www.ntp.org, Network Time Foundation}. The daemon
361 will keep the system clock synchronized with that of the given servers.")))
363 (define* (ntp-service #:key (ntp ntp)
364 (servers %ntp-servers)
365 allow-large-adjustment?)
366 "Return a service that runs the daemon from @var{ntp}, the
367 @uref{http://www.ntp.org, Network Time Protocol package}. The daemon will
368 keep the system clock synchronized with that of @var{servers}.
369 @var{allow-large-adjustment?} determines whether @command{ntpd} is allowed to
370 make an initial adjustment of more than 1,000 seconds."
371 (service ntp-service-type
372 (ntp-configuration (ntp ntp)
374 (allow-large-adjustment?
375 allow-large-adjustment?))))
382 (define-record-type* <openntpd-configuration>
383 openntpd-configuration make-openntpd-configuration
384 openntpd-configuration?
385 (openntpd openntpd-configuration-openntpd
387 (listen-on openntpd-listen-on
388 (default '("127.0.0.1"
390 (query-from openntpd-query-from
392 (sensor openntpd-sensor
394 (server openntpd-server
395 (default %ntp-servers))
396 (servers openntpd-servers
398 (constraint-from openntpd-constraint-from
400 (constraints-from openntpd-constraints-from
402 (allow-large-adjustment? openntpd-allow-large-adjustment?
403 (default #f))) ; upstream default
405 (define (openntpd-shepherd-service config)
406 (match-record config <openntpd-configuration>
407 (openntpd listen-on query-from sensor server servers constraint-from
408 constraints-from allow-large-adjustment?)
413 (lambda (field value)
415 (map (cut string-append field <> "\n")
417 '("listen on " "query from " "sensor " "server " "servers "
419 (list listen-on query-from sensor server servers constraint-from))
420 ;; The 'constraints from' field needs to be enclosed in double quotes.
422 (map (cut string-append "constraints from \"" <> "\"\n")
426 (plain-file "ntpd.conf" config))
428 (list (shepherd-service
430 (documentation "Run the Network Time Protocol (NTP) daemon.")
431 (requirement '(user-processes networking))
432 (start #~(make-forkexec-constructor
433 (list (string-append #$openntpd "/sbin/ntpd")
435 "-d" ;; don't daemonize
436 #$@(if allow-large-adjustment?
439 ;; When ntpd is daemonized it repeatedly tries to respawn
440 ;; while running, leading shepherd to disable it. To
441 ;; prevent spamming stderr, redirect output to logfile.
442 #:log-file "/var/log/ntpd"))
443 (stop #~(make-kill-destructor)))))))
445 (define (openntpd-service-activation config)
446 "Return the activation gexp for CONFIG."
447 (with-imported-modules '((guix build utils))
449 (use-modules (guix build utils))
453 (unless (file-exists? "/var/db/ntpd.drift")
454 (with-output-to-file "/var/db/ntpd.drift"
456 (format #t "0.0")))))))
458 (define openntpd-service-type
459 (service-type (name 'openntpd)
461 (list (service-extension shepherd-root-service-type
462 openntpd-shepherd-service)
463 (service-extension account-service-type
464 (const %ntp-accounts))
465 (service-extension profile-service-type
466 (compose list openntpd-configuration-openntpd))
467 (service-extension activation-service-type
468 openntpd-service-activation)))
469 (default-value (openntpd-configuration))
471 "Run the @command{ntpd}, the Network Time Protocol (NTP)
472 daemon, as implemented by @uref{http://www.openntpd.org, OpenNTPD}. The
473 daemon will keep the system clock synchronized with that of the given servers.")))
480 (define-record-type* <inetd-configuration> inetd-configuration
481 make-inetd-configuration
483 (program inetd-configuration-program ;file-like
484 (default (file-append inetutils "/libexec/inetd")))
485 (entries inetd-configuration-entries ;list of <inetd-entry>
488 (define-record-type* <inetd-entry> inetd-entry make-inetd-entry
490 (node inetd-entry-node ;string or #f
492 (name inetd-entry-name) ;string, from /etc/services
494 (socket-type inetd-entry-socket-type) ;stream | dgram | raw |
496 (protocol inetd-entry-protocol) ;string, from /etc/protocols
498 (wait? inetd-entry-wait? ;Boolean
500 (user inetd-entry-user) ;string
502 (program inetd-entry-program ;string or file-like object
503 (default "internal"))
504 (arguments inetd-entry-arguments ;list of strings or file-like objects
507 (define (inetd-config-file entries)
508 (apply mixed-text-file "inetd.conf"
511 (let* ((node (inetd-entry-node entry))
512 (name (inetd-entry-name entry))
514 (if node (string-append node ":" name) name))
516 (match (inetd-entry-socket-type entry)
517 ((or 'stream 'dgram 'raw 'rdm 'seqpacket)
518 (symbol->string (inetd-entry-socket-type entry)))))
519 (protocol (inetd-entry-protocol entry))
520 (wait (if (inetd-entry-wait? entry) "wait" "nowait"))
521 (user (inetd-entry-user entry))
522 (program (inetd-entry-program entry))
523 (args (inetd-entry-arguments entry)))
526 (list #$@(list socket type protocol wait user program) #$@args)
530 (define inetd-shepherd-service
532 (($ <inetd-configuration> program ()) '()) ; empty list of entries -> do nothing
533 (($ <inetd-configuration> program entries)
536 (documentation "Run inetd.")
538 (requirement '(user-processes networking syslogd))
539 (start #~(make-forkexec-constructor
540 (list #$program #$(inetd-config-file entries))
541 #:pid-file "/var/run/inetd.pid"))
542 (stop #~(make-kill-destructor)))))))
544 (define-public inetd-service-type
548 (list (service-extension shepherd-root-service-type
549 inetd-shepherd-service)))
551 ;; The service can be extended with additional lists of entries.
552 (compose concatenate)
553 (extend (lambda (config entries)
556 (entries (append (inetd-configuration-entries config)
559 "Start @command{inetd}, the @dfn{Internet superserver}. It is responsible
560 for listening on Internet sockets and spawning the corresponding services on
568 (define-record-type* <tor-configuration>
569 tor-configuration make-tor-configuration
571 (tor tor-configuration-tor
573 (config-file tor-configuration-config-file
574 (default (plain-file "empty" "")))
575 (hidden-services tor-configuration-hidden-services
577 (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
580 (define %tor-accounts
581 ;; User account and groups for Tor.
582 (list (user-group (name "tor") (system? #t))
587 (comment "Tor daemon user")
588 (home-directory "/var/empty")
589 (shell (file-append shadow "/sbin/nologin")))))
591 (define-record-type <hidden-service>
592 (hidden-service name mapping)
594 (name hidden-service-name) ;string
595 (mapping hidden-service-mapping)) ;list of port/address tuples
597 (define (tor-configuration->torrc config)
598 "Return a 'torrc' file for CONFIG."
600 (($ <tor-configuration> tor config-file services socks-socket-type)
603 (with-imported-modules '((guix build utils))
605 (use-modules (guix build utils)
608 (call-with-output-file #$output
611 ### These lines were generated from your system configuration:
613 DataDirectory /var/lib/tor
614 PidFile /var/run/tor/tor.pid
615 Log notice syslog\n" port)
616 (when (eq? 'unix '#$socks-socket-type)
618 SocksPort unix:/var/run/tor/socks-sock
619 UnixSocksGroupWritable 1\n" port))
621 (for-each (match-lambda
622 ((service (ports hosts) ...)
624 HiddenServiceDir /var/lib/tor/hidden-services/~a~%"
626 (for-each (lambda (tcp-port host)
628 HiddenServicePort ~a ~a~%"
631 '#$(map (match-lambda
632 (($ <hidden-service> name mapping)
633 (cons name mapping)))
637 ### End of automatically generated lines.\n\n" port)
639 ;; Append the user's config file.
640 (call-with-input-file #$config-file
642 (dump-port input port)))
645 (define (tor-shepherd-service config)
646 "Return a <shepherd-service> running Tor."
648 (($ <tor-configuration> tor)
649 (let ((torrc (tor-configuration->torrc config)))
650 (with-imported-modules (source-module-closure
651 '((gnu build shepherd)
652 (gnu system file-systems)))
653 (list (shepherd-service
656 ;; Tor needs at least one network interface to be up, hence the
657 ;; dependency on 'loopback'.
658 (requirement '(user-processes loopback syslogd))
660 (modules '((gnu build shepherd)
661 (gnu system file-systems)))
663 (start #~(make-forkexec-constructor/container
664 (list #$(file-append tor "/bin/tor") "-f" #$torrc)
666 #:mappings (list (file-system-mapping
667 (source "/var/lib/tor")
671 (source "/dev/log") ;for syslog
674 (source "/var/run/tor")
677 #:pid-file "/var/run/tor/tor.pid"))
678 (stop #~(make-kill-destructor))
679 (documentation "Run the Tor anonymous network overlay."))))))))
681 (define (tor-activation config)
682 "Set up directories for Tor and its hidden services, if any."
684 (use-modules (guix build utils))
689 (define (initialize service)
690 (let ((directory (string-append "/var/lib/tor/hidden-services/"
693 (chown directory (passwd:uid %user) (passwd:gid %user))
695 ;; The daemon bails out if we give wider permissions.
696 (chmod directory #o700)))
698 ;; Allow Tor to write its PID file.
699 (mkdir-p "/var/run/tor")
700 (chown "/var/run/tor" (passwd:uid %user) (passwd:gid %user))
701 ;; Set the group permissions to rw so that if the system administrator
702 ;; has specified UnixSocksGroupWritable=1 in their torrc file, members
703 ;; of the "tor" group will be able to use the SOCKS socket.
704 (chmod "/var/run/tor" #o750)
706 ;; Allow Tor to access the hidden services' directories.
707 (mkdir-p "/var/lib/tor")
708 (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))
709 (chmod "/var/lib/tor" #o700)
711 ;; Make sure /var/lib is accessible to the 'tor' user.
712 (chmod "/var/lib" #o755)
715 '#$(map hidden-service-name
716 (tor-configuration-hidden-services config)))))
718 (define tor-service-type
719 (service-type (name 'tor)
721 (list (service-extension shepherd-root-service-type
722 tor-shepherd-service)
723 (service-extension account-service-type
724 (const %tor-accounts))
725 (service-extension activation-service-type
728 ;; This can be extended with hidden services.
729 (compose concatenate)
730 (extend (lambda (config services)
734 (append (tor-configuration-hidden-services config)
736 (default-value (tor-configuration))
738 "Run the @uref{https://torproject.org, Tor} anonymous
739 networking daemon.")))
741 (define* (tor-service #:optional
742 (config-file (plain-file "empty" ""))
744 "Return a service to run the @uref{https://torproject.org, Tor} anonymous
747 The daemon runs as the @code{tor} unprivileged user. It is passed
748 @var{config-file}, a file-like object, with an additional @code{User tor} line
749 and lines for hidden services added via @code{tor-hidden-service}. Run
750 @command{man tor} for information about the configuration file."
751 (service tor-service-type
752 (tor-configuration (tor tor)
753 (config-file config-file))))
755 (define tor-hidden-service-type
756 ;; A type that extends Tor with hidden services.
757 (service-type (name 'tor-hidden-service)
759 (list (service-extension tor-service-type list)))
761 "Define a new Tor @dfn{hidden service}.")))
763 (define (tor-hidden-service name mapping)
764 "Define a new Tor @dfn{hidden service} called @var{name} and implementing
765 @var{mapping}. @var{mapping} is a list of port/host tuples, such as:
768 '((22 \"127.0.0.1:22\")
769 (80 \"127.0.0.1:8080\"))
772 In this example, port 22 of the hidden service is mapped to local port 22, and
773 port 80 is mapped to local port 8080.
775 This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
776 the @file{hostname} file contains the @code{.onion} host name for the hidden
779 See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
780 project's documentation} for more information."
781 (service tor-hidden-service-type
782 (hidden-service name mapping)))
789 (define %wicd-activation
790 ;; Activation gexp for Wicd.
792 (use-modules (guix build utils))
794 (mkdir-p "/etc/wicd")
795 (let ((file-name "/etc/wicd/dhclient.conf.template.default"))
796 (unless (file-exists? file-name)
797 (copy-file (string-append #$wicd file-name)
800 ;; Wicd invokes 'wpa_supplicant', which needs this directory for its
801 ;; named socket files.
802 (mkdir-p "/var/run/wpa_supplicant")
803 (chmod "/var/run/wpa_supplicant" #o750)))
805 (define (wicd-shepherd-service wicd)
806 "Return a shepherd service for WICD."
807 (list (shepherd-service
808 (documentation "Run the Wicd network manager.")
809 (provision '(networking))
810 (requirement '(user-processes dbus-system loopback))
811 (start #~(make-forkexec-constructor
812 (list (string-append #$wicd "/sbin/wicd")
814 (stop #~(make-kill-destructor)))))
816 (define wicd-service-type
817 (service-type (name 'wicd)
819 (list (service-extension shepherd-root-service-type
820 wicd-shepherd-service)
821 (service-extension dbus-root-service-type
823 (service-extension activation-service-type
824 (const %wicd-activation))
826 ;; Add Wicd to the global profile.
827 (service-extension profile-service-type list)))
829 "Run @url{https://launchpad.net/wicd,Wicd}, a network
830 management daemon that aims to simplify wired and wireless networking.")))
832 (define* (wicd-service #:key (wicd wicd))
833 "Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
834 management daemon that aims to simplify wired and wireless networking.
836 This service adds the @var{wicd} package to the global profile, providing
837 several commands to interact with the daemon and configure networking:
838 @command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
839 and @command{wicd-curses} user interfaces."
840 (service wicd-service-type wicd))
847 (define-record-type* <modem-manager-configuration>
848 modem-manager-configuration make-modem-manager-configuration
849 modem-manager-configuration?
850 (modem-manager modem-manager-configuration-modem-manager
851 (default modem-manager)))
858 (define-record-type* <network-manager-configuration>
859 network-manager-configuration make-network-manager-configuration
860 network-manager-configuration?
861 (network-manager network-manager-configuration-network-manager
862 (default network-manager))
863 (dns network-manager-configuration-dns
865 (vpn-plugins network-manager-vpn-plugins ;list of <package>
868 (define %network-manager-activation
869 ;; Activation gexp for NetworkManager.
871 (use-modules (guix build utils))
872 (mkdir-p "/etc/NetworkManager/system-connections")))
874 (define (vpn-plugin-directory plugins)
875 "Return a directory containing PLUGINS, the NM VPN plugins."
876 (directory-union "network-manager-vpn-plugins" plugins))
878 (define network-manager-environment
880 (($ <network-manager-configuration> network-manager dns vpn-plugins)
881 ;; Define this variable in the global environment such that
882 ;; "nmcli connection import type openvpn file foo.ovpn" works.
883 `(("NM_VPN_PLUGIN_DIR"
884 . ,(file-append (vpn-plugin-directory vpn-plugins)
885 "/lib/NetworkManager/VPN"))))))
887 (define network-manager-shepherd-service
889 (($ <network-manager-configuration> network-manager dns vpn-plugins)
890 (let ((conf (plain-file "NetworkManager.conf"
891 (string-append "[main]\ndns=" dns "\n")))
892 (vpn (vpn-plugin-directory vpn-plugins)))
893 (list (shepherd-service
894 (documentation "Run the NetworkManager.")
895 (provision '(networking))
896 (requirement '(user-processes dbus-system wpa-supplicant loopback))
897 (start #~(make-forkexec-constructor
898 (list (string-append #$network-manager
899 "/sbin/NetworkManager")
900 (string-append "--config=" #$conf)
902 #:environment-variables
903 (list (string-append "NM_VPN_PLUGIN_DIR=" #$vpn
904 "/lib/NetworkManager/VPN"))))
905 (stop #~(make-kill-destructor))))))))
907 (define network-manager-service-type
911 (($ <network-manager-configuration> network-manager)
912 (list network-manager)))))
915 (name 'network-manager)
917 (list (service-extension shepherd-root-service-type
918 network-manager-shepherd-service)
919 (service-extension dbus-root-service-type config->package)
920 (service-extension polkit-service-type config->package)
921 (service-extension activation-service-type
922 (const %network-manager-activation))
923 (service-extension session-environment-service-type
924 network-manager-environment)
925 ;; Add network-manager to the system profile.
926 (service-extension profile-service-type config->package)))
927 (default-value (network-manager-configuration))
929 "Run @uref{https://wiki.gnome.org/Projects/NetworkManager,
930 NetworkManager}, a network management daemon that aims to simplify wired and
931 wireless networking."))))
938 (define-record-type* <connman-configuration>
939 connman-configuration make-connman-configuration
940 connman-configuration?
941 (connman connman-configuration-connman
943 (disable-vpn? connman-configuration-disable-vpn?
946 (define (connman-activation config)
947 (let ((disable-vpn? (connman-configuration-disable-vpn? config)))
948 (with-imported-modules '((guix build utils))
950 (use-modules (guix build utils))
951 (mkdir-p "/var/lib/connman/")
952 (unless #$disable-vpn?
953 (mkdir-p "/var/lib/connman-vpn/"))))))
955 (define (connman-shepherd-service config)
956 "Return a shepherd service for Connman"
958 (connman-configuration? config)
959 (let ((connman (connman-configuration-connman config))
960 (disable-vpn? (connman-configuration-disable-vpn? config)))
961 (list (shepherd-service
962 (documentation "Run Connman")
963 (provision '(networking))
965 '(user-processes dbus-system loopback wpa-supplicant))
966 (start #~(make-forkexec-constructor
967 (list (string-append #$connman
970 #$@(if disable-vpn? '("--noplugin=vpn") '()))))
971 (stop #~(make-kill-destructor)))))))
973 (define connman-service-type
974 (let ((connman-package (compose list connman-configuration-connman)))
975 (service-type (name 'connman)
977 (list (service-extension shepherd-root-service-type
978 connman-shepherd-service)
979 (service-extension polkit-service-type
981 (service-extension dbus-root-service-type
983 (service-extension activation-service-type
985 ;; Add connman to the system profile.
986 (service-extension profile-service-type
988 (default-value (connman-configuration))
990 "Run @url{https://01.org/connman,Connman},
991 a network connection manager."))))
998 (define modem-manager-service-type
999 (let ((config->package
1001 (($ <modem-manager-configuration> modem-manager)
1002 (list modem-manager)))))
1003 (service-type (name 'modem-manager)
1005 (list (service-extension dbus-root-service-type
1007 (service-extension udev-service-type
1009 (service-extension polkit-service-type
1011 (default-value (modem-manager-configuration))
1013 "Run @uref{https://wiki.gnome.org/Projects/ModemManager,
1014 ModemManager}, a modem management daemon that aims to simplify dialup
1023 (define (wpa-supplicant-shepherd-service wpa-supplicant)
1024 "Return a shepherd service for wpa_supplicant"
1025 (list (shepherd-service
1026 (documentation "Run WPA supplicant with dbus interface")
1027 (provision '(wpa-supplicant))
1028 (requirement '(user-processes dbus-system loopback))
1029 (start #~(make-forkexec-constructor
1030 (list (string-append #$wpa-supplicant
1031 "/sbin/wpa_supplicant")
1032 "-u" "-B" "-P/var/run/wpa_supplicant.pid")
1033 #:pid-file "/var/run/wpa_supplicant.pid"))
1034 (stop #~(make-kill-destructor)))))
1036 (define wpa-supplicant-service-type
1037 (service-type (name 'wpa-supplicant)
1039 (list (service-extension shepherd-root-service-type
1040 wpa-supplicant-shepherd-service)
1041 (service-extension dbus-root-service-type list)
1042 (service-extension profile-service-type list)))
1043 (default-value wpa-supplicant)))
1050 (define-record-type* <openvswitch-configuration>
1051 openvswitch-configuration make-openvswitch-configuration
1052 openvswitch-configuration?
1053 (package openvswitch-configuration-package
1054 (default openvswitch)))
1056 (define openvswitch-activation
1058 (($ <openvswitch-configuration> package)
1059 (let ((ovsdb-tool (file-append package "/bin/ovsdb-tool")))
1060 (with-imported-modules '((guix build utils))
1062 (use-modules (guix build utils))
1063 (mkdir-p "/var/run/openvswitch")
1064 (mkdir-p "/var/lib/openvswitch")
1065 (let ((conf.db "/var/lib/openvswitch/conf.db"))
1066 (unless (file-exists? conf.db)
1067 (system* #$ovsdb-tool "create" conf.db)))))))))
1069 (define openvswitch-shepherd-service
1071 (($ <openvswitch-configuration> package)
1072 (let ((ovsdb-server (file-append package "/sbin/ovsdb-server"))
1073 (ovs-vswitchd (file-append package "/sbin/ovs-vswitchd")))
1076 (provision '(ovsdb))
1077 (documentation "Run the Open vSwitch database server.")
1078 (start #~(make-forkexec-constructor
1079 (list #$ovsdb-server "--pidfile"
1080 "--remote=punix:/var/run/openvswitch/db.sock")
1081 #:pid-file "/var/run/openvswitch/ovsdb-server.pid"))
1082 (stop #~(make-kill-destructor)))
1084 (provision '(vswitchd))
1085 (requirement '(ovsdb))
1086 (documentation "Run the Open vSwitch daemon.")
1087 (start #~(make-forkexec-constructor
1088 (list #$ovs-vswitchd "--pidfile")
1089 #:pid-file "/var/run/openvswitch/ovs-vswitchd.pid"))
1090 (stop #~(make-kill-destructor))))))))
1092 (define openvswitch-service-type
1096 (list (service-extension activation-service-type
1097 openvswitch-activation)
1098 (service-extension profile-service-type
1099 (compose list openvswitch-configuration-package))
1100 (service-extension shepherd-root-service-type
1101 openvswitch-shepherd-service)))
1103 "Run @uref{http://www.openvswitch.org, Open vSwitch}, a multilayer virtual
1104 switch designed to enable massive network automation through programmatic
1111 (define %iptables-accept-all-rules
1112 (plain-file "iptables-accept-all.rules"
1120 (define-record-type* <iptables-configuration>
1121 iptables-configuration make-iptables-configuration iptables-configuration?
1122 (iptables iptables-configuration-iptables
1124 (ipv4-rules iptables-configuration-ipv4-rules
1125 (default %iptables-accept-all-rules))
1126 (ipv6-rules iptables-configuration-ipv6-rules
1127 (default %iptables-accept-all-rules)))
1129 (define iptables-shepherd-service
1131 (($ <iptables-configuration> iptables ipv4-rules ipv6-rules)
1132 (let ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
1133 (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore")))
1135 (documentation "Packet filtering framework")
1136 (provision '(iptables))
1138 (invoke #$iptables-restore #$ipv4-rules)
1139 (invoke #$ip6tables-restore #$ipv6-rules)))
1141 (invoke #$iptables-restore #$%iptables-accept-all-rules)
1142 (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
1144 (define iptables-service-type
1148 "Run @command{iptables-restore}, setting up the specified rules.")
1150 (list (service-extension shepherd-root-service-type
1151 (compose list iptables-shepherd-service))))))
1153 ;;; networking.scm ends here