aboutsummaryrefslogtreecommitdiff
path: root/config-daemon.ac
blob: 86306effe1f8444ea7669a0249ae826fe7dd9bcf (about) (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
dnl -*- Autoconf -*- fragment for the C++ daemon.

AC_MSG_CHECKING([whether to build daemon])
AC_MSG_RESULT([$guix_build_daemon])

dnl C++ environment.  This macro must be used unconditionnaly.
AC_PROG_CXX
AM_PROG_AR
AC_LANG([C++])

if test "x$guix_build_daemon" = "xyes"; then

  GUIX_ASSERT_CXX11

  AC_PROG_RANLIB
  AC_CONFIG_HEADERS([nix/config.h])

  dnl Use 64-bit file system calls so that we can support files > 2 GiB.
  AC_SYS_LARGEFILE

  dnl Look for zlib, a required dependency.
  AC_CHECK_LIB([z], [gzdopen], [true],
    [AC_MSG_ERROR([Guix requires zlib.  See http://www.zlib.net/.])])
  AC_CHECK_HEADERS([zlib.h], [true],
    [AC_MSG_ERROR([Guix requires zlib.  See http://www.zlib.net/.])])

  dnl Look for libbz2, an optional dependency.
  AC_CHECK_LIB([bz2], [BZ2_bzWriteOpen], [HAVE_LIBBZ2=yes], [HAVE_LIBBZ2=no])
  if test "x$HAVE_LIBBZ2" = xyes; then
    AC_CHECK_HEADERS([bzlib.h])
    HAVE_LIBBZ2="$ac_cv_header_bzlib_h"
  fi

  dnl Look for SQLite, a required dependency.
  PKG_CHECK_MODULES([SQLITE3], [sqlite3 >= 3.6.19])

  AC_DEFINE_UNQUOTED([SYSTEM], ["$guix_system"],
    [Guix host system type--i.e., platform and OS kernel tuple.])

  case "$LIBGCRYPT_PREFIX" in
    no)
      LIBGCRYPT_CFLAGS=""
      ;;
    *)
      LIBGCRYPT_CFLAGS="-I$LIBGCRYPT_PREFIX/include"
      ;;
  esac

  case "$LIBGCRYPT_LIBDIR" in
    no | "")
      LIBGCRYPT_LIBS="-lgcrypt"
      ;;
    *)
      LIBGCRYPT_LIBS="-L$LIBGCRYPT_LIBDIR -lgcrypt"
      ;;
  esac

  AC_SUBST([LIBGCRYPT_CFLAGS])
  AC_SUBST([LIBGCRYPT_LIBS])

  save_CFLAGS="$CFLAGS"
  save_LDFLAGS="$LDFLAGS"
  CFLAGS="$CFLAGS $LIBGCRYPT_CFLAGS"
  LDFLAGS="$LDFLAGS $LIBGCRYPT_LDFLAGS"

  have_gcrypt=yes
  AC_CHECK_LIB([gcrypt], [gcry_md_open], [:], [have_gcrypt=no])
  AC_CHECK_HEADER([gcrypt.h], [:], [have_gcrypt=no])
  if test "x$have_gcrypt" != "xyes"; then
    AC_MSG_ERROR([GNU libgcrypt not found; please install it.])
  fi

  CFLAGS="$save_CFLAGS"
  LDFLAGS="$save_LDFLAGS"

  dnl Chroot support.
  AC_CHECK_FUNCS([chroot unshare])
  AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h])

  if test "x$ac_cv_func_chroot" != "xyes"; then
    AC_MSG_ERROR(['chroot' function missing, bailing out])
  fi

  dnl lutimes and lchown: used when canonicalizing store items.
  dnl posix_fallocate: used when extracting archives.
  dnl vfork: to speed up spawning of helper programs.
  dnl   `--> now disabled because of unpredictable behavior:
  dnl        see <http://lists.gnu.org/archive/html/guix-devel/2014-05/msg00036.html>
  dnl        and Nix commit f794465c (Nov. 2012).
  dnl sched_setaffinity: to improve RPC locality.
  dnl statvfs: to detect disk-full conditions.
  dnl strsignal: for error reporting.
  dnl statx: fine-grain 'stat' call, new in glibc 2.28.
  AC_CHECK_FUNCS([lutimes lchown posix_fallocate sched_setaffinity \
     statvfs nanosleep strsignal statx])

  dnl Check for <locale>.
  AC_LANG_PUSH(C++)
  AC_CHECK_HEADERS([locale])
  AC_LANG_POP(C++)


  dnl Check whether we have the `personality' syscall, which allows us
  dnl to do i686-linux builds on x86_64-linux machines.
  AC_CHECK_HEADERS([sys/personality.h])

  dnl Determine the appropriate default list of substitute URLs (GnuTLS
  dnl is required so we can default to 'https'.)
  guix_substitute_urls="https://ci.guix.gnu.org https://bordeaux.guix.gnu.org"

  AC_MSG_CHECKING([for default substitute URLs])
  AC_MSG_RESULT([$guix_substitute_urls])

  AC_DEFINE_UNQUOTED([GUIX_SUBSTITUTE_URLS], ["$guix_substitute_urls"],
    [Default list of substitute URLs used by 'guix-daemon'.])

  dnl Check for Guile-SSH, which is required by 'guix offload'.
  GUIX_CHECK_GUILE_SSH

  case "x$guix_cv_have_recent_guile_ssh" in
    xyes)
      guix_build_daemon_offload="yes"
      AC_DEFINE([HAVE_DAEMON_OFFLOAD_HOOK], [1],
	[Define if the daemon's 'offload' build hook is being built (requires Guile-SSH).])
      ;;
    *)
      guix_build_daemon_offload="no"
      ;;
  esac

  dnl Temporary directory used to store the daemon's data.
  GUIX_TEST_ROOT_DIRECTORY
  GUIX_TEST_ROOT="$ac_cv_guix_test_root"
  AC_SUBST([GUIX_TEST_ROOT])

  GUIX_CHECK_LOCALSTATEDIR
fi

AM_CONDITIONAL([HAVE_LIBBZ2], [test "x$HAVE_LIBBZ2" = "xyes"])
AM_CONDITIONAL([BUILD_DAEMON], [test "x$guix_build_daemon" = "xyes"])
AM_CONDITIONAL([BUILD_DAEMON_OFFLOAD],			\
  [test "x$guix_build_daemon" = "xyes"			\
   && test "x$guix_build_daemon_offload" = "xyes"])
)) ;; Boolean (challenge-response-authentication? openssh-challenge-response-authentication? (default #f)) ;; Boolean (use-pam? openssh-configuration-use-pam? (default #t)) ;; Boolean (print-last-log? openssh-configuration-print-last-log? (default #t)) ;; list of two-element lists (subsystems openssh-configuration-subsystems (default '(("sftp" "internal-sftp")))) ;; list of user-name/file-like tuples (authorized-keys openssh-authorized-keys (default '()))) (define %openssh-accounts (list (user-group (name "sshd") (system? #t)) (user-account (name "sshd") (group "sshd") (system? #t) (comment "sshd privilege separation user") (home-directory "/var/run/sshd") (shell #~(string-append #$shadow "/sbin/nologin"))))) (define (openssh-activation config) "Return the activation GEXP for CONFIG." (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (define (touch file-name) (call-with-output-file file-name (const #t))) ;; Make sure /etc/ssh can be read by the 'sshd' user. (mkdir-p "/etc/ssh") (chmod "/etc/ssh" #o755) (mkdir-p (dirname #$(openssh-configuration-pid-file config))) ;; 'sshd' complains if the authorized-key directory and its parents ;; are group-writable, which rules out /gnu/store. Thus we copy the ;; authorized-key directory to /etc. (catch 'system-error (lambda () (delete-file-recursively "/etc/authorized_keys.d")) (lambda args (unless (= ENOENT (system-error-errno args)) (apply throw args)))) (copy-recursively #$(authorized-key-directory (openssh-authorized-keys config)) "/etc/ssh/authorized_keys.d") (chmod "/etc/ssh/authorized_keys.d" #o555) (let ((lastlog "/var/log/lastlog")) (when #$(openssh-configuration-print-last-log? config) (unless (file-exists? lastlog) (touch lastlog)))) ;; Generate missing host keys. (system* (string-append #$(openssh-configuration-openssh config) "/bin/ssh-keygen") "-A")))) (define (authorized-key-directory keys) "Return a directory containing the authorized keys specified in KEYS, a list of user-name/file-like tuples." (define build (with-imported-modules (source-module-closure '((guix build utils))) #~(begin (use-modules (ice-9 match) (srfi srfi-26) (guix build utils)) (mkdir #$output) (for-each (match-lambda ((user keys ...) (let ((file (string-append #$output "/" user))) (call-with-output-file file (lambda (port) (for-each (lambda (key) (call-with-input-file key (cut dump-port <> port))) keys)))))) '#$keys)))) (computed-file "openssh-authorized-keys" build)) (define (openssh-config-file config) "Return the sshd configuration file corresponding to CONFIG." (computed-file "sshd_config" #~(begin (use-modules (ice-9 match)) (call-with-output-file #$output (lambda (port) (display "# Generated by 'openssh-service'.\n" port) (format port "Port ~a\n" #$(number->string (openssh-configuration-port-number config))) (format port "PermitRootLogin ~a\n" #$(match (openssh-configuration-permit-root-login config) (#t "yes") (#f "no") ('without-password "without-password"))) (format port "PermitEmptyPasswords ~a\n" #$(if (openssh-configuration-allow-empty-passwords? config) "yes" "no")) (format port "PasswordAuthentication ~a\n" #$(if (openssh-configuration-password-authentication? config) "yes" "no")) (format port "PubkeyAuthentication ~a\n" #$(if (openssh-configuration-public-key-authentication? config) "yes" "no")) (format port "X11Forwarding ~a\n" #$(if (openssh-configuration-x11-forwarding? config) "yes" "no")) (format port "PidFile ~a\n" #$(openssh-configuration-pid-file config)) (format port "ChallengeResponseAuthentication ~a\n" #$(if (openssh-challenge-response-authentication? config) "yes" "no")) (format port "UsePAM ~a\n" #$(if (openssh-configuration-use-pam? config) "yes" "no")) (format port "PrintLastLog ~a\n" #$(if (openssh-configuration-print-last-log? config) "yes" "no")) ;; Add '/etc/authorized_keys.d/%u', which we populate. (format port "AuthorizedKeysFile \ .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u\n") (for-each (match-lambda ((name command) (format port "Subsystem\t~a\t~a\n" name command))) '#$(openssh-configuration-subsystems config)) #t))))) (define (openssh-shepherd-service config) "Return a for openssh with CONFIG." (define pid-file (openssh-configuration-pid-file config)) (define openssh-command #~(list (string-append #$(openssh-configuration-openssh config) "/sbin/sshd") "-D" "-f" #$(openssh-config-file config))) (list (shepherd-service (documentation "OpenSSH server.") (requirement '(syslogd)) (provision '(ssh-daemon)) (start #~(make-forkexec-constructor #$openssh-command #:pid-file #$pid-file)) (stop #~(make-kill-destructor))))) (define (openssh-pam-services config) "Return a list of for sshd with CONFIG." (list (unix-pam-service "sshd" #:allow-empty-passwords? (openssh-configuration-allow-empty-passwords? config)))) (define (extend-openssh-authorized-keys config keys) "Extend CONFIG with the extra authorized keys listed in KEYS." (openssh-configuration (inherit config) (authorized-keys (append (openssh-authorized-keys config) keys)))) (define openssh-service-type (service-type (name 'openssh) (description "Run the OpenSSH secure shell (SSH) server, @command{sshd}.") (extensions (list (service-extension shepherd-root-service-type openssh-shepherd-service) (service-extension pam-root-service-type openssh-pam-services) (service-extension activation-service-type openssh-activation) (service-extension account-service-type (const %openssh-accounts)))) (compose concatenate) (extend extend-openssh-authorized-keys) (default-value (openssh-configuration)))) ;;; ;;; Dropbear. ;;; (define-record-type* dropbear-configuration make-dropbear-configuration dropbear-configuration? (dropbear dropbear-configuration-dropbear (default dropbear)) (port-number dropbear-configuration-port-number (default 22)) (syslog-output? dropbear-configuration-syslog-output? (default #t)) (pid-file dropbear-configuration-pid-file (default "/var/run/dropbear.pid")) (root-login? dropbear-configuration-root-login? (default #f)) (allow-empty-passwords? dropbear-configuration-allow-empty-passwords? (default #f)) (password-authentication? dropbear-configuration-password-authentication? (default #t))) (define (dropbear-activation config) "Return the activation gexp for CONFIG." #~(begin (use-modules (guix build utils)) (mkdir-p "/etc/dropbear"))) (define (dropbear-shepherd-service config) "Return a for dropbear with CONFIG." (define dropbear (dropbear-configuration-dropbear config)) (define pid-file (dropbear-configuration-pid-file config)) (define dropbear-command #~(list (string-append #$dropbear "/sbin/dropbear") ;; '-R' allows host keys to be automatically generated upon first ;; connection, at a time when /dev/urandom is more likely securely ;; seeded. "-F" "-R" "-p" #$(number->string (dropbear-configuration-port-number config)) "-P" #$pid-file #$@(if (dropbear-configuration-syslog-output? config) '() '("-E")) #$@(if (dropbear-configuration-root-login? config) '() '("-w")) #$@(if (dropbear-configuration-password-authentication? config) '() '("-s" "-g")) #$@(if (dropbear-configuration-allow-empty-passwords? config) '("-B") '()))) (define requires (if (dropbear-configuration-syslog-output? config) '(networking syslogd) '(networking))) (list (shepherd-service (documentation "Dropbear SSH server.") (requirement requires) (provision '(ssh-daemon)) (start #~(make-forkexec-constructor #$dropbear-command #:pid-file #$pid-file)) (stop #~(make-kill-destructor))))) (define dropbear-service-type (service-type (name 'dropbear) (description "Run the Dropbear secure shell (SSH) server.") (extensions (list (service-extension shepherd-root-service-type dropbear-shepherd-service) (service-extension activation-service-type dropbear-activation))))) (define* (dropbear-service #:optional (config (dropbear-configuration))) "Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH daemon} with the given @var{config}, a @code{} object." (service dropbear-service-type config)) ;;; ssh.scm ends here