aboutsummaryrefslogtreecommitdiff
path: root/gnu/services
diff options
context:
space:
mode:
authorMarius Bakke <marius@gnu.org>2022-07-22 01:09:14 +0200
committerMarius Bakke <marius@gnu.org>2022-07-22 01:09:14 +0200
commit9044b086ddca64a62966a83cbf1b82d32dece89e (patch)
tree2c7f910c9100b2f2a752d07fe0ec44be83fb7600 /gnu/services
parent5dfc6ab1ab292b87ceea144aa661d0e64c834031 (diff)
parentabea091dbef2d44e6eb46bd2413bdf917e14d095 (diff)
downloadguix-9044b086ddca64a62966a83cbf1b82d32dece89e.tar.gz
guix-9044b086ddca64a62966a83cbf1b82d32dece89e.zip
Merge branch 'staging' into core-updates
Diffstat (limited to 'gnu/services')
-rw-r--r--gnu/services/base.scm59
-rw-r--r--gnu/services/docker.scm5
-rw-r--r--gnu/services/guix.scm14
-rw-r--r--gnu/services/networking.scm47
-rw-r--r--gnu/services/ssh.scm20
-rw-r--r--gnu/services/web.scm124
6 files changed, 217 insertions, 52 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index d58afb27e3..27eae75c46 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -300,27 +300,36 @@ system objects.")))
;; Return #f if successfully stopped.
(sync)
- (call-with-blocked-asyncs
- (lambda ()
- (let ((null (%make-void-port "w")))
- ;; Close 'shepherd.log'.
- (display "closing log\n")
- ((@ (shepherd comm) stop-logging))
-
- ;; Redirect the default output ports..
- (set-current-output-port null)
- (set-current-error-port null)
-
- ;; Close /dev/console.
- (for-each close-fdes '(0 1 2))
-
- ;; At this point, there are no open files left, so the
- ;; root file system can be re-mounted read-only.
- (mount #f "/" #f
- (logior MS_REMOUNT MS_RDONLY)
- #:update-mtab? #f)
-
- #f)))))
+ (let ((null (%make-void-port "w")))
+ ;; Close 'shepherd.log'.
+ (display "closing log\n")
+ ((@ (shepherd comm) stop-logging))
+
+ ;; Redirect the default output ports..
+ (set-current-output-port null)
+ (set-current-error-port null)
+
+ ;; Close /dev/console.
+ (for-each close-fdes '(0 1 2))
+
+ ;; At this point, there should be no open files left so the
+ ;; root file system can be re-mounted read-only.
+ (let loop ((n 10))
+ (unless (catch 'system-error
+ (lambda ()
+ (mount #f "/" #f
+ (logior MS_REMOUNT MS_RDONLY)
+ #:update-mtab? #f)
+ #t)
+ (const #f))
+ (unless (zero? n)
+ ;; Yield to the other fibers. That gives logging fibers
+ ;; an opportunity to close log files so the 'mount' call
+ ;; doesn't fail with EBUSY.
+ ((@ (fibers) sleep) 1)
+ (loop (- n 1)))))
+
+ #f)))
(respawn? #f)))
(define root-file-system-service-type
@@ -2912,8 +2921,12 @@ to handle."
(define %greetd-accounts
(list (user-account
(name "greeter")
- (group "wheel")
- (supplementary-groups '("users" "tty" "input" "video" "audio"))
+ (group "greeter")
+ ;; video group is required for graphical greeters.
+ (supplementary-groups '("video"))
+ (system? #t))
+ (user-group
+ (name "greeter")
(system? #t))))
(define %greetd-file-systems
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index 846ebe8334..741bab5a8c 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -98,6 +98,8 @@ loop-back communications.")
;; For finding containerd-shim binary.
#:environment-variables
(list (string-append "PATH=" #$containerd "/bin"))
+ #:pid-file "/run/containerd/containerd.pid"
+ #:pid-file-timeout 300
#:log-file "/var/log/containerd.log"))
(stop #~(make-kill-destructor)))))
@@ -135,7 +137,8 @@ loop-back communications.")
'("--userland-proxy=false"))
(if #$enable-iptables?
"--iptables"
- "--iptables=false"))
+ "--iptables=false")
+ "--containerd" "/run/containerd/containerd.sock")
#:environment-variables
(list #$@environment-variables)
#:pid-file "/var/run/docker.pid"
diff --git a/gnu/services/guix.scm b/gnu/services/guix.scm
index ad7b020b69..dac1e5841a 100644
--- a/gnu/services/guix.scm
+++ b/gnu/services/guix.scm
@@ -46,6 +46,7 @@
guix-build-coordinator-configuration-client-communication-uri-string
guix-build-coordinator-configuration-allocation-strategy
guix-build-coordinator-configuration-hooks
+ guix-build-coordinator-configuration-parallel-hooks
guix-build-coordinator-configuration-guile
guix-build-coordinator-service-type
@@ -155,6 +156,8 @@
(default #~basic-build-allocation-strategy))
(hooks guix-build-coordinator-configuration-hooks
(default '()))
+ (parallel-hooks guix-build-coordinator-configuration-parallel-hooks
+ (default '()))
(guile guix-build-coordinator-configuration-guile
(default guile-3.0-latest)))
@@ -246,6 +249,7 @@
agent-communication-uri-string
client-communication-uri-string
(hooks '())
+ (parallel-hooks '())
(guile guile-3.0))
(program-file
"start-guix-build-coordinator"
@@ -304,7 +308,11 @@
#:agent-communication-uri (string->uri
#$agent-communication-uri-string)
#:client-communication-uri (string->uri
- #$client-communication-uri-string)))))
+ #$client-communication-uri-string)
+ #:parallel-hooks (list #$@(map (match-lambda
+ ((name . val)
+ #~(cons '#$name #$val)))
+ parallel-hooks))))))
#:guile guile))
(define (guix-build-coordinator-shepherd-services config)
@@ -314,6 +322,7 @@
client-communication-uri-string
allocation-strategy
hooks
+ parallel-hooks
guile)
(list
(shepherd-service
@@ -331,6 +340,7 @@
#:client-communication-uri-string
client-communication-uri-string
#:hooks hooks
+ #:parallel-hooks parallel-hooks
#:guile guile))
#:user #$user
#:group #$group
@@ -642,8 +652,6 @@ ca-certificates.crt file in the system profile."
#:user #$user
#:group #$group
#:pid-file "/var/run/guix-data-service/pid"
- ;; Allow time for migrations to run
- #:pid-file-timeout 120
#:environment-variables
`(,(string-append
"GUIX_LOCPATH=" #$glibc-utf8-locales "/lib/locale")
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index a9560db66b..b555c46040 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -918,9 +918,7 @@ applications in communication. It is used by Jami, for example.")))
(lambda (port)
(display "\
### These lines were generated from your system configuration:
-User tor
DataDirectory /var/lib/tor
-PidFile /var/run/tor/tor.pid
Log notice syslog\n" port)
(when (eq? 'unix '#$socks-socket-type)
(display "\
@@ -960,7 +958,25 @@ HiddenServicePort ~a ~a~%"
"Return a <shepherd-service> running Tor."
(match config
(($ <tor-configuration> tor)
- (let ((torrc (tor-configuration->torrc config)))
+ (let* ((torrc (tor-configuration->torrc config))
+ (tor (least-authority-wrapper
+ (file-append tor "/bin/tor")
+ #:name "tor"
+ #:mappings (list (file-system-mapping
+ (source "/var/lib/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/dev/log") ;for syslog
+ (target source))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source torrc)
+ (target source)))
+ #:namespaces (delq 'net %namespaces))))
(with-imported-modules (source-module-closure
'((gnu build shepherd)
(gnu system file-systems)))
@@ -974,22 +990,15 @@ HiddenServicePort ~a ~a~%"
(modules '((gnu build shepherd)
(gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$(file-append tor "/bin/tor") "-f" #$torrc)
-
- #:log-file "/var/log/tor.log"
- #:mappings (list (file-system-mapping
- (source "/var/lib/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/dev/log") ;for syslog
- (target source))
- (file-system-mapping
- (source "/var/run/tor")
- (target source)
- (writable? #t)))
- #:pid-file "/var/run/tor/tor.pid"))
+ ;; XXX: #:pid-file won't work because the wrapped 'tor'
+ ;; program would print its PID within the user namespace
+ ;; instead of its actual PID outside. There's no inetd or
+ ;; systemd socket activation support either (there's
+ ;; 'sd_notify' though), so we're stuck with that.
+ (start #~(make-forkexec-constructor
+ (list #$tor "-f" #$torrc)
+ #:user "tor" #:group "tor"
+ #:log-file "/var/log/tor.log"))
(stop #~(make-kill-destructor))
(documentation "Run the Tor anonymous network overlay."))))))))
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 57d3ad218c..72e7183590 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -536,6 +536,15 @@ of user-name/file-like tuples."
#~(and (defined? 'make-inetd-constructor)
(not (string=? (@ (shepherd config) Version) "0.9.0"))))
+ (define ipv6-support?
+ ;; Expression that returns true if IPv6 support is available.
+ #~(catch 'system-error
+ (lambda ()
+ (let ((sock (socket AF_INET6 SOCK_STREAM 0)))
+ (close-port sock)
+ #t))
+ (const #f)))
+
(list (shepherd-service
(documentation "OpenSSH server.")
(requirement '(syslogd loopback))
@@ -544,12 +553,15 @@ of user-name/file-like tuples."
(start #~(if #$inetd-style?
(make-inetd-constructor
(append #$openssh-command '("-i"))
- (list (endpoint
+ (cons (endpoint
(make-socket-address AF_INET INADDR_ANY
#$port-number))
- (endpoint
- (make-socket-address AF_INET6 IN6ADDR_ANY
- #$port-number)))
+ (if #$ipv6-support?
+ (list
+ (endpoint
+ (make-socket-address AF_INET6 IN6ADDR_ANY
+ #$port-number)))
+ '()))
#:max-connections #$max-connections)
(make-forkexec-constructor #$openssh-command
#:pid-file #$pid-file)))
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 4f06d4e0bb..f0c7e90cbf 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -9,7 +9,7 @@
;;; Copyright © 2018 Pierre-Antoine Rouby <pierre-antoine.rouby@inria.fr>
;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2019, 2020 Florian Pelz <pelzflorian@pelzflorian.de>
-;;; Copyright © 2020 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020, 2022 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2020 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com>
@@ -120,6 +120,7 @@
nginx-upstream-configuration?
nginx-upstream-configuration-name
nginx-upstream-configuration-servers
+ nginx-upstream-configuration-extra-content
nginx-location-configuration
nginx-location-configuration?
@@ -204,6 +205,21 @@
tailon-service-type
+ anonip-configuration
+ anonip-configuration?
+ anonip-configuration-anonip
+ anonip-configuration-input
+ anonip-configuration-output
+ anonip-configuration-skip-private?
+ anonip-configuration-column
+ anonip-configuration-replacement
+ anonip-configuration-ipv4mask
+ anonip-configuration-ipv6mask
+ anonip-configuration-increment
+ anonip-configuration-delimiter
+ anonip-configuration-regex
+ anonip-service-type
+
varnish-configuration
varnish-configuration?
varnish-configuration-package
@@ -517,7 +533,9 @@
nginx-upstream-configuration make-nginx-upstream-configuration
nginx-upstream-configuration?
(name nginx-upstream-configuration-name)
- (servers nginx-upstream-configuration-servers))
+ (servers nginx-upstream-configuration-servers)
+ (extra-content nginx-upstream-configuration-extra-content
+ (default '())))
(define-record-type* <nginx-location-configuration>
nginx-location-configuration make-nginx-location-configuration
@@ -643,6 +661,15 @@ of index files."
(map (lambda (server)
(simple-format #f " server ~A;\n" server))
(nginx-upstream-configuration-servers upstream))
+ (let ((extra-content
+ (nginx-upstream-configuration-extra-content upstream)))
+ (if (and extra-content (not (null? extra-content)))
+ (cons
+ "\n"
+ (map (lambda (line)
+ (simple-format #f " ~A\n" line))
+ (flatten extra-content)))
+ '()))
" }\n"))
(define (flatten . lst)
@@ -1343,6 +1370,99 @@ files.")
files))))))))
(default-value (tailon-configuration))))
+
+
+;;;
+;;; Log anonymization
+;;;
+
+(define-record-type* <anonip-configuration>
+ anonip-configuration make-anonip-configuration
+ anonip-configuration?
+ (anonip anonip-configuration-anonip ;file-like
+ (default anonip))
+ (input anonip-configuration-input) ;string
+ (output anonip-configuration-output) ;string
+ (skip-private? anonip-configuration-skip-private? ;boolean
+ (default #f))
+ (column anonip-configuration-column ;number
+ (default #f))
+ (replacement anonip-configuration-replacement ;string
+ (default #f))
+ (ipv4mask anonip-configuration-ipv4mask ;number
+ (default #f))
+ (ipv6mask anonip-configuration-ipv6mask ;number
+ (default #f))
+ (increment anonip-configuration-increment ;number
+ (default #f))
+ (delimiter anonip-configuration-delimiter ;string
+ (default #f))
+ (regex anonip-configuration-regex ;string
+ (default #f)))
+
+(define (anonip-activation config)
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (for-each
+ (lambda (directory)
+ (mkdir-p directory)
+ (chmod directory #o755))
+ (list (dirname #$(anonip-configuration-input config))
+ (dirname #$(anonip-configuration-output config)))))))
+
+(define (anonip-shepherd-service config)
+ (let ((input (anonip-configuration-input config))
+ (output (anonip-configuration-output config))
+ (optional
+ (lambda (accessor option)
+ (or (and=> (accessor config)
+ (lambda (value)
+ (list
+ (format #false "~a=~a"
+ option value))))
+ (list)))))
+ (list (shepherd-service
+ (provision (list (symbol-append 'anonip- (string->symbol output))))
+ (requirement '(user-processes))
+ (documentation "Anonimyze the given log file location with anonip.")
+ (start #~(lambda _
+ (unless (file-exists? #$input)
+ (mknod #$input 'fifo #o600 0))
+ (let ((pid (fork+exec-command
+ (append
+ (list #$(file-append (anonip-configuration-anonip config)
+ "/bin/anonip")
+ (string-append "--input=" #$input)
+ (string-append "--output=" #$output))
+ (if #$(anonip-configuration-skip-private? config)
+ '("--skip-private") (list))
+ '#$(optional anonip-configuration-column "--column")
+ '#$(optional anonip-configuration-ipv4mask "--ipv4mask")
+ '#$(optional anonip-configuration-ipv6mask "--ipv6mask")
+ '#$(optional anonip-configuration-increment "--increment")
+ '#$(optional anonip-configuration-replacement "--replacement")
+ '#$(optional anonip-configuration-delimiter "--delimiter")
+ '#$(optional anonip-configuration-regex "--regex"))
+ ;; Run in a UTF-8 locale
+ #:environment-variables
+ (list (string-append "GUIX_LOCPATH=" #$glibc-utf8-locales
+ "/lib/locale")
+ "LC_ALL=en_US.utf8"))))
+ pid)))
+ (stop #~(make-kill-destructor))))))
+
+(define anonip-service-type
+ (service-type
+ (name 'anonip)
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ anonip-shepherd-service)
+ (service-extension activation-service-type
+ anonip-activation)))
+ (description
+ "Provide web server log anonymization with @command{anonip}.")))
+
;;;
;;; Varnish
generated by cgit