;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019 Danny Milosavljevic <dannym@scratchpost.org>
;;; Copyright © 2020 Robin Green <greenrd@greenrd.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu services auditd)
  #:use-module (gnu services)
  #:use-module (gnu services configuration)
  #:use-module (gnu services base)
  #:use-module (gnu services shepherd)
  #:use-module (gnu packages admin)
  #:use-module (guix records)
  #:use-module (guix gexp)
  #:use-module (guix packages)
  #:export (auditd-configuration
            auditd-service-type
            %default-auditd-configuration-directory))

(define auditd.conf
  (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \
ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
ignore\ndisk_error_action = syslog\n"))

(define %default-auditd-configuration-directory
  (computed-file "auditd"
                 #~(begin
                     (mkdir #$output)
                     (copy-file #$auditd.conf
                                (string-append #$output "/auditd.conf")))))

(define-record-type* <auditd-configuration>
  auditd-configuration make-auditd-configuration
  auditd-configuration?
  (audit                   auditd-configuration-audit                          ; package
                           (default audit))
  (configuration-directory auditd-configuration-configuration-directory))      ; file-like

(define (auditd-shepherd-service config)
  (let* ((audit (auditd-configuration-audit config))
         (configuration-directory (auditd-configuration-configuration-directory config)))
    (list (shepherd-service
           (documentation "Auditd allows you to audit file system accesses and process execution.")
           (provision '(auditd))
           (start #~(make-forkexec-constructor
                     (list (string-append #$audit "/sbin/auditd") "-c" #$configuration-directory)
                     #:pid-file "/var/run/auditd.pid"))
           (stop #~(make-kill-destructor))))))

(define auditd-service-type
  (service-type (name 'auditd)
                (description "Allows auditing file system accesses and process execution.")
                (extensions
                 (list
                  (service-extension shepherd-root-service-type
                                     auditd-shepherd-service)))
                (default-value
                  (auditd-configuration
                   (configuration-directory %default-auditd-configuration-directory)))))
</td></tr>
<tr><td><span title='2022-09-13 00:31:04 +0200'>2022-09-13</span></td><td><a href='/guix/commit/gnu/build/secret-service.scm?id=491dd62b38e1772f3e50de58118d9b9ac97272ff'>secret-service: Mark sockets as SOCK_CLOEXEC.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/build/secret-service.scm (secret-service-send-secrets)
(secret-service-receive-secrets): Pass SOCK_CLOEXEC to 'socket'.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2022-04-07 00:08:56 +0200'>2022-04-07</span></td><td><a href='/guix/commit/gnu/build/secret-service.scm?id=28b3763e33cd71fe281cd71a568c54fea7f4cf4f'>secret-service: Allow cooperative scheduling when Fibers is used.</a><span class='msg-avail'>...<span class='msg-tooltip'>This lets the 'childhurd' service start in the background, letting
shepherd perform other tasks in the meantime, including serving
clients (such as the 'herd' command).

* gnu/build/secret-service.scm (with-modules): New macro.
(wait-for-readable-fd): Add cooperative implementation when Fibers is in
use.
(secret-service-send-secrets): Define 'sleep' so that it cooperates when
Fibers is in use.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2022-04-07 00:08:56 +0200'>2022-04-07</span></td><td><a href='/guix/commit/gnu/build/secret-service.scm?id=83121aa85a0237f81c9a3c1dd36f1206c1cae854'>secret-service: Abstract 'wait-for-readable-fd'.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/build/secret-service.scm (wait-for-readable-fd): New procedure.
(secret-service-send-secrets): Use it instead of 'select'.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-12-12 23:20:49 +0100'>2021-12-12</span></td><td><a href='/guix/commit/gnu/build/secret-service.scm?id=39e3b4b7cee175a3c1f37329744c582528d55f5d'>services: secret-service: Turn into a Shepherd service.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/services/virtualization.scm (secret-service-activation): Remove.
(secret-service-shepherd-services): New procedure.
(secret-service-type)[extensions]: Remove ACTIVATION-SERVICE-TYPE
extension.  Add SHEPHERD-ROOT-SERVICE-TYPE and
USER-PROCESSES-SERVICE-TYPE extensions.
* gnu/build/secret-service.scm (delete-file*): New procedure.
(secret-service-receive-secrets): Use it.
</span></span></td><td>Ludovic Courtès</td></tr>
mk (nodist_pkglibexec_SCRIPTS): Remove
'scripts/list-runtime-roots'.
* config-daemon.ac: Don't output nix/scripts/list-runtime-roots.
* build-aux/pre-inst-env.in: Don't set 'NIX_ROOT_FINDER'.
Set 'GUIX'.
* doc/guix.texi (Invoking guix gc): Document '--list-busy'.
* guix/scripts/gc.scm (show-help, %options): Add "--list-busy".
(guix-gc)[list-busy]: New procedure.
Handle the 'list-busy' action.
</span></span></td><td>Ludovic Courtès</td></tr>