Diffstat (limited to 'gnu/services')
-rw-r--r-- | gnu/services/base.scm | 8 | ||||
-rw-r--r-- | gnu/services/certbot.scm | 32 | ||||
-rw-r--r-- | gnu/services/cgit.scm | 5 | ||||
-rw-r--r-- | gnu/services/desktop.scm | 15 | ||||
-rw-r--r-- | gnu/services/dict.scm | 15 | ||||
-rw-r--r-- | gnu/services/shepherd.scm | 18 | ||||
-rw-r--r-- | gnu/services/virtualization.scm | 8 | ||||
-rw-r--r-- | gnu/services/web.scm | 8 |
8 files changed, 67 insertions, 42 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index c5b06b57e8..636d827ff9 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1613,7 +1613,7 @@ information on the configuration file syntax." '("conf=/etc/security/limits.conf"))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" - "sddm" "sudo" "sshd")) + "sddm" "sudo" "sshd" "lightdm")) (pam-service (inherit pam) (session (cons pam-limits
@@ -2799,6 +2799,12 @@ to CONFIG." #$@(map (lambda (address) #~(begin + ;; Before going any further, wait for the + ;; device to show up. + (wait-for-link + #$(network-address-device address) + #:blocking? #f) + (addr-add #$(network-address-device address) #$(network-address-value address) #:ipv6?
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 8e6784df2b..0c45471659 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
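Review bot: In the second base.scm hunk (`@@ -2799,6 +2799,12 @@`), the new comment says the code waits for the device while the call passes `#:blocking? #f`, which reads as a contradiction to anyone who does not know `wait-for-link`. I would have the comment say what the keyword means here, for example `;; Wait for the device to show up; #:blocking? #f changes how we wait, not whether we wait.` (to be confirmed against the definition of `wait-for-link`, which is not visible in this diff). The hunk also shows no bound on the wait, so if `wait-for-link` has no timeout of its own, a misnamed or absent device would presumably keep this service from completing its start and leave the host without its static addresses. The enclosing lambda starts and ends outside the hunk.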
@@ -173,20 +173,24 @@ (match-lambda (($ <certbot-configuration> package webroot certificates email server rsa-key-size default-location) - (list - (nginx-server-configuration - (listen '("80" "[::]:80")) - (ssl-certificate #f) - (ssl-certificate-key #f) - (server-name - (apply append (map certificate-configuration-domains certificates))) - (locations - (filter identity - (list - (nginx-location-configuration - (uri "/.well-known") - (body (list (list "root " webroot ";")))) - default-location)))))))) + (define (certificate->nginx-server certificate-configuration) + (match-record certificate-configuration <certificate-configuration> + (domains challenge) + (nginx-server-configuration + (listen '("80" "[::]:80")) + (ssl-certificate #f) + (ssl-certificate-key #f) + (server-name domains) + (locations + (filter identity + (append + (if challenge + '() + (list (nginx-location-configuration + (uri "/.well-known") + (body (list (list "root " webroot ";")))))) + (list default-location))))))) + (map certificate->nginx-server certificates)))) (define certbot-service-type (service-type (name 'certbot)
diff --git a/gnu/services/cgit.scm b/gnu/services/cgit.scm
index c2c003983a..e33cb9e7db 100644
--- a/gnu/services/cgit.scm
+++ b/gnu/services/cgit.scm
@@ -561,7 +561,8 @@ to it, that should loaded as Git repositories. An empty list means that all subdirectories will be loaded.") (readme (file-object "") - "Text which will be used as default value for @code{cgit-repo-readme}.") + "Text which will be used as default @code{repository-cgit-configuration} +@code{readme}.") (remove-suffix? (boolean #f) "If set to @code{#t} and @code{repository-directory} is enabled, if any
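Review bot: In the certbot.scm hunk, `certificate->nginx-server` still emits a port-80 server block for a certificate whose `challenge` is set, only without the `/.well-known` location; when `default-location` is also `#f`, the `filter identity` leaves that block with an empty `locations` list, so plain-HTTP requests for those domains fall through to nginx's behaviour for a server with no locations. If a certificate validated through another challenge needs no HTTP vhost, consider leaving it out before the `map`; if the block is intentional, a short comment above the inner `define` should say so. Because there is now one server block per certificate instead of one for all domains, a domain listed in two certificates would also appear in two `server-name` lists, which nginx reports as a conflicting server name. The `match-lambda` clause begins outside the hunk.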
@@ -642,7 +643,7 @@ for cgit to allow access to that repository.") "URL which, if specified, will be used as root for all cgit links.") (repositories (repository-cgit-configuration-list '()) - "A list of @dfn{cgit-repo} records to use with config.") + "A list of @code{repository-cgit-configuration} records.") (extra-options (list '()) "Extra options will be appended to cgitrc file."))
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index a63748b652..01aec64bee 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1398,18 +1398,7 @@ rules." '("gnome-settings-daemon" "gnome-control-center" "gnome-system-monitor" - "gvfs" - ;; spice-gtk provides polkit actions for USB redirection - ;; in GNOME Boxes. - ("gnome-boxes" "spice-gtk"))))) - -(define (gnome-setuid-programs config) - "Return the list of GNOME setuid programs." - (let* ((gnome (gnome-desktop-configuration-gnome config)) - (spice-gtk (gnome-package gnome '("gnome-boxes" "spice-gtk")))) - (map file-like->setuid-program - (list (file-append spice-gtk - "/libexec/spice-client-glib-usb-acl-helper"))))) + "gvfs")))) (define gnome-desktop-service-type (service-type
@@ -1419,8 +1408,6 @@ rules." gnome-udev-rules) (service-extension polkit-service-type gnome-polkit-settings) - (service-extension setuid-program-service-type - gnome-setuid-programs) (service-extension profile-service-type (compose list gnome-desktop-configuration-gnome)))) (default-value (gnome-desktop-configuration))
diff --git a/gnu/services/dict.scm b/gnu/services/dict.scm
index 90d3c35b6c..23e1d36364 100644
--- a/gnu/services/dict.scm
+++ b/gnu/services/dict.scm
@@ -167,15 +167,15 @@ database { (provision '(dicod)) (requirement '(user-processes)) (documentation "Run the dicod daemon.") - (start #~(if (and (defined? 'make-inetd-constructor) - #$(= 1 (length interfaces))) ;XXX + (start #~(if (defined? 'make-inetd-constructor) (make-inetd-constructor (list #$dicod "--inetd" "--foreground" (string-append "--config=" #$dicod.conf)) - (list (endpoint - (addrinfo:addr - (car (getaddrinfo #$(first interfaces) - "dict"))))) + (map (lambda (interface) + (endpoint + (addrinfo:addr + (car (getaddrinfo interface "dict"))))) + '#$interfaces) #:requirements '#$requirement #:user "dicod" #:group "dicod" #:service-name-stem "dicod")
@@ -183,8 +183,7 @@ database { (list #$dicod "--foreground" (string-append "--config=" #$dicod.conf)) #:user "dicod" #:group "dicod"))) - (stop #~(if (and (defined? 'make-inetd-destructor) - #$(= 1 (length interfaces))) ;XXX + (stop #~(if (defined? 'make-inetd-destructor) (make-inetd-destructor) (make-kill-destructor))) (actions (list (shepherd-configuration-action dicod.conf)))))))
diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index de40454f7d..e9d3a631c2 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
@@ -27,8 +27,9 @@ #:use-module (guix store) #:use-module (guix records) #:use-module (guix packages) - #:use-module (guix derivations) ;imported-modules, etc. #:use-module (guix utils) + #:use-module ((guix diagnostics) + #:select (define-with-syntax-properties formatted-message)) #:use-module (gnu services) #:use-module (gnu services herd) #:use-module (gnu packages admin)
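Review bot: In the first dict.scm hunk, each endpoint is built from `(car (getaddrinfo interface "dict"))`, so an entry of `interfaces` that resolves to several addresses (for example both IPv4 and IPv6) is bound on the first result only, and an entry that does not resolve makes `getaddrinfo` throw while the service is starting. With the single-interface restriction gone, this `map` is where dicod's listening addresses are decided, so I would record that behaviour next to it, e.g. `;; Only the first address returned for each interface is used.` If listening on every resolved address is intended, the lambda should map over the whole `getaddrinfo` result instead of taking its `car`. The `shepherd-service` form starts outside the hunk.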
@@ -186,12 +187,25 @@ DEFAULT is given, use it as the service's default value." ((guix build utils) #:hide (delete)) (guix build syscalls))) +(define-with-syntax-properties (validate-provision (provision properties)) + (match provision + (((? symbol?) ..1) provision) + (_ + (raise + (make-compound-condition + (condition + (&error-location + (location (source-properties->location properties)))) + (formatted-message + (G_ "'provision' must be a non-empty list of symbols"))))))) + (define-record-type* <shepherd-service> shepherd-service make-shepherd-service shepherd-service? (documentation shepherd-service-documentation ;string (default "[No documentation.]")) - (provision shepherd-service-provision) ;list of symbols + (provision shepherd-service-provision ;list of symbols + (sanitize validate-provision)) (requirement shepherd-service-requirement ;list of symbols (default '())) (one-shot? shepherd-service-one-shot? ;Boolean
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 2e311e3813..506f5a7ab6 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Ryan Moe <ryan.moe@gmail.com> -;;; Copyright © 2018, 2020-2022 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2018, 2020-2023 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2020,2021 Jan (janneke) Nieuwenhuizen <janneke@gnu.org> ;;; Copyright © 2021 Timotej Lazar <timotej.lazar@araneo.si> ;;; Copyright © 2022 Oleg Pykhalov <go.wigust@gmail.com>
@@ -478,6 +478,7 @@ potential infinite waits blocking libvirt.")) (list (shepherd-service (documentation "Run the libvirt daemon.") (provision '(libvirtd)) + (requirement '(dbus-system)) (start #~(make-forkexec-constructor (list (string-append #$libvirt "/sbin/libvirtd") "-f" #$config-file
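Review bot: In the second shepherd.scm hunk, `validate-provision` rejects a malformed `provision`, but its message `'provision' must be a non-empty list of symbols` does not show the rejected value, and the `requirement` field just below carries the same "list of symbols" contract with no sanitizer. Passing the offending value to `formatted-message` (a `~s` directive in the `G_` string) would make the error actionable without opening the file at the reported location. A matching sanitizer on `requirement` would catch a string or a bare symbol there at configuration time as well; unlike the `..1` pattern used here it would have to accept the empty list, since that is the field's default. The record definition continues outside the hunk.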
@@ -962,6 +963,11 @@ specified, the QEMU default path is used.")) (list (shepherd-service (provision '(qemu-guest-agent)) + + ;; The service needs to depend on udev, which brings up devices like + ;; those under /dev/virtio-ports. + (requirement '(user-processes udev)) + (documentation "Run the QEMU guest agent.") (start #~(make-forkexec-constructor `(,(string-append #$qemu "/bin/qemu-ga")
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 45897d7d6f..818226a4f7 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1144,6 +1144,14 @@ a webserver.") (uri "~ \\.php$") (body (list "fastcgi_split_path_info ^(.+\\.php)(/.+)$;" + + ;; Include some upstream recommendations from + ;; https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi + ;; Mitigate https://httpoxy.org/ vulnerabilities + "fastcgi_param HTTP_PROXY \"\";" + ;; Only pass existing php files to the backend. + "if (!-f $document_root$fastcgi_script_name) { return 404; }" + (string-append "fastcgi_pass unix:" socket ";") "fastcgi_index index.php;" (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;"))))) |
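Review bot: In the web.scm hunk, the comment `;; Only pass existing php files to the backend.` states what the `if (!-f ...)` line does but not why, so a later cleanup could drop it as redundant. I would word it as `;; Only pass existing PHP files to the backend, so that PHP is never asked to resolve a script name that is not a file on disk.` The test is built on `$document_root`, so it only holds when nginx and the PHP-FPM process resolve that path to the same file (for instance no chroot or different root on the backend side); the comment should record that assumption too. The enclosing definition starts outside the hunk.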