summaryrefslogtreecommitdiff
path: root/gnu/services/networking.scm
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2018-12-03 19:15:17 +0100
committerMarius Bakke <mbakke@fastmail.com>2018-12-03 19:15:17 +0100
commit99f63f011df2aab38e98d7ee4608a8c70bf74c4d (patch)
tree3f224028f30c60f2ed7b9846365ad926192fc7e9 /gnu/services/networking.scm
parente9a8b603337802a77ff2d68f0d30dc0e67721e3a (diff)
parent4f03aa23e805bd653de774e1d74ed2f50826899b (diff)
Merge branch 'master' into staging
Diffstat (limited to 'gnu/services/networking.scm')
-rw-r--r--gnu/services/networking.scm210
1 files changed, 161 insertions, 49 deletions
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index d5d0cf9d1d..bfa6e297e6 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1,12 +1,14 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 John Darrington <jmd@gnu.org>
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
-;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
+;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -51,6 +53,7 @@
static-networking-service-type)
#:export (%facebook-host-aliases
dhcp-client-service
+ dhcp-client-service-type
dhcpd-service-type
dhcpd-configuration
@@ -99,10 +102,27 @@
modem-manager-configuration
modem-manager-configuration?
modem-manager-service-type
+
+ <wpa-supplicant-configuration>
+ wpa-supplicant-configuration
+ wpa-supplicant-configuration?
+ wpa-supplicant-configuration-wpa-supplicant
+ wpa-supplicant-configuration-pid-file
+ wpa-supplicant-configuration-dbus?
+ wpa-supplicant-configuration-interface
+ wpa-supplicant-configuration-config-file
+ wpa-supplicant-configuration-extra-options
wpa-supplicant-service-type
openvswitch-service-type
- openvswitch-configuration))
+ openvswitch-configuration
+
+ iptables-configuration
+ iptables-configuration?
+ iptables-configuration-iptables
+ iptables-configuration-ipv4-rules
+ iptables-configuration-ipv6-rules
+ iptables-service-type))
;;; Commentary:
;;;
@@ -182,22 +202,11 @@ fe80::1%lo0 apps.facebook.com\n")
(cons* #$dhclient "-nw"
"-pf" #$pid-file ifaces))))
(and (zero? (cdr (waitpid pid)))
- (let loop ()
- (catch 'system-error
- (lambda ()
- (call-with-input-file #$pid-file read))
- (lambda args
- ;; 'dhclient' returned before PID-FILE was created,
- ;; so try again.
- (let ((errno (system-error-errno args)))
- (if (= ENOENT errno)
- (begin
- (sleep 1)
- (loop))
- (apply throw args))))))))))
- (stop #~(make-kill-destructor))))))
-
-(define* (dhcp-client-service #:key (dhcp isc-dhcp))
+ (read-pid-file #$pid-file)))))
+ (stop #~(make-kill-destructor))))
+ isc-dhcp))
+
+(define* (dhcp-client-service #:key (dhcp isc-dhcp)) ;deprecated
"Return a service that runs @var{dhcp}, a Dynamic Host Configuration
Protocol (DHCP) client, on all the non-loopback network interfaces."
(service dhcp-client-service-type dhcp))
@@ -288,7 +297,8 @@ Protocol (DHCP) client, on all the non-loopback network interfaces."
ntp-configuration?
(ntp ntp-configuration-ntp
(default ntp))
- (servers ntp-configuration-servers)
+ (servers ntp-configuration-servers
+ (default %ntp-servers))
(allow-large-adjustment? ntp-allow-large-adjustment?
(default #f)))
@@ -361,9 +371,10 @@ restrict -6 ::1\n"))
(description
"Run the @command{ntpd}, the Network Time Protocol (NTP)
daemon of the @uref{http://www.ntp.org, Network Time Foundation}. The daemon
-will keep the system clock synchronized with that of the given servers.")))
+will keep the system clock synchronized with that of the given servers.")
+ (default-value (ntp-configuration))))
-(define* (ntp-service #:key (ntp ntp)
+(define* (ntp-service #:key (ntp ntp) ;deprecated
(servers %ntp-servers)
allow-large-adjustment?)
"Return a service that runs the daemon from @var{ntp}, the
@@ -576,7 +587,9 @@ demand.")))
(config-file tor-configuration-config-file
(default (plain-file "empty" "")))
(hidden-services tor-configuration-hidden-services
- (default '())))
+ (default '()))
+ (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
+ (default 'tcp)))
(define %tor-accounts
;; User account and groups for Tor.
@@ -598,7 +611,7 @@ demand.")))
(define (tor-configuration->torrc config)
"Return a 'torrc' file for CONFIG."
(match config
- (($ <tor-configuration> tor config-file services)
+ (($ <tor-configuration> tor config-file services socks-socket-type)
(computed-file
"torrc"
(with-imported-modules '((guix build utils))
@@ -612,7 +625,12 @@ demand.")))
### These lines were generated from your system configuration:
User tor
DataDirectory /var/lib/tor
+PidFile /var/run/tor/tor.pid
Log notice syslog\n" port)
+ (when (eq? 'unix '#$socks-socket-type)
+ (display "\
+SocksPort unix:/var/run/tor/socks-sock
+UnixSocksGroupWritable 1\n" port))
(for-each (match-lambda
((service (ports hosts) ...)
@@ -639,7 +657,7 @@ HiddenServicePort ~a ~a~%"
#t))))))))
(define (tor-shepherd-service config)
- "Return a <shepherd-service> running TOR."
+ "Return a <shepherd-service> running Tor."
(match config
(($ <tor-configuration> tor)
(let ((torrc (tor-configuration->torrc config)))
@@ -665,12 +683,17 @@ HiddenServicePort ~a ~a~%"
(writable? #t))
(file-system-mapping
(source "/dev/log") ;for syslog
- (target source)))))
+ (target source))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t)))
+ #:pid-file "/var/run/tor/tor.pid"))
(stop #~(make-kill-destructor))
(documentation "Run the Tor anonymous network overlay."))))))))
-(define (tor-hidden-service-activation config)
- "Return the activation gexp for SERVICES, a list of hidden services."
+(define (tor-activation config)
+ "Set up directories for Tor and its hidden services, if any."
#~(begin
(use-modules (guix build utils))
@@ -686,6 +709,15 @@ HiddenServicePort ~a ~a~%"
;; The daemon bails out if we give wider permissions.
(chmod directory #o700)))
+ ;; Allow Tor to write its PID file.
+ (mkdir-p "/var/run/tor")
+ (chown "/var/run/tor" (passwd:uid %user) (passwd:gid %user))
+ ;; Set the group permissions to rw so that if the system administrator
+ ;; has specified UnixSocksGroupWritable=1 in their torrc file, members
+ ;; of the "tor" group will be able to use the SOCKS socket.
+ (chmod "/var/run/tor" #o750)
+
+ ;; Allow Tor to access the hidden services' directories.
(mkdir-p "/var/lib/tor")
(chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))
(chmod "/var/lib/tor" #o700)
@@ -705,7 +737,7 @@ HiddenServicePort ~a ~a~%"
(service-extension account-service-type
(const %tor-accounts))
(service-extension activation-service-type
- tor-hidden-service-activation)))
+ tor-activation)))
;; This can be extended with hidden services.
(compose concatenate)
@@ -1001,28 +1033,62 @@ networking."))))
;;; WPA supplicant
;;;
-
-(define (wpa-supplicant-shepherd-service wpa-supplicant)
- "Return a shepherd service for wpa_supplicant"
- (list (shepherd-service
- (documentation "Run WPA supplicant with dbus interface")
- (provision '(wpa-supplicant))
- (requirement '(user-processes dbus-system loopback))
- (start #~(make-forkexec-constructor
- (list (string-append #$wpa-supplicant
- "/sbin/wpa_supplicant")
- "-u" "-B" "-P/var/run/wpa_supplicant.pid")
- #:pid-file "/var/run/wpa_supplicant.pid"))
- (stop #~(make-kill-destructor)))))
+(define-record-type* <wpa-supplicant-configuration>
+ wpa-supplicant-configuration make-wpa-supplicant-configuration
+ wpa-supplicant-configuration?
+ (wpa-supplicant wpa-supplicant-configuration-wpa-supplicant ;<package>
+ (default wpa-supplicant))
+ (pid-file wpa-supplicant-configuration-pid-file ;string
+ (default "/var/run/wpa_supplicant.pid"))
+ (dbus? wpa-supplicant-configuration-dbus? ;Boolean
+ (default #t))
+ (interface wpa-supplicant-configuration-interface ;#f | string
+ (default #f))
+ (config-file wpa-supplicant-configuration-config-file ;#f | <file-like>
+ (default #f))
+ (extra-options wpa-supplicant-configuration-extra-options ;list of strings
+ (default '())))
+
+(define wpa-supplicant-shepherd-service
+ (match-lambda
+ (($ <wpa-supplicant-configuration> wpa-supplicant pid-file dbus? interface
+ config-file extra-options)
+ (list (shepherd-service
+ (documentation "Run the WPA supplicant daemon")
+ (provision '(wpa-supplicant))
+ (requirement '(user-processes dbus-system loopback))
+ (start #~(make-forkexec-constructor
+ (list (string-append #$wpa-supplicant
+ "/sbin/wpa_supplicant")
+ (string-append "-P" #$pid-file)
+ "-B" ;run in background
+ #$@(if dbus?
+ #~("-u")
+ #~())
+ #$@(if interface
+ #~((string-append "-i" #$interface))
+ #~())
+ #$@(if config-file
+ #~((string-append "-c" #$config-file))
+ #~())
+ #$@extra-options)
+ #:pid-file #$pid-file))
+ (stop #~(make-kill-destructor)))))))
(define wpa-supplicant-service-type
- (service-type (name 'wpa-supplicant)
- (extensions
- (list (service-extension shepherd-root-service-type
- wpa-supplicant-shepherd-service)
- (service-extension dbus-root-service-type list)
- (service-extension profile-service-type list)))
- (default-value wpa-supplicant)))
+ (let ((config->package
+ (match-lambda
+ (($ <wpa-supplicant-configuration> wpa-supplicant)
+ (list wpa-supplicant)))))
+ (service-type (name 'wpa-supplicant)
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ wpa-supplicant-shepherd-service)
+ (service-extension dbus-root-service-type config->package)
+ (service-extension profile-service-type config->package)))
+ (description "Run the WPA Supplicant daemon, a service that
+implements authentication, key negotiation and more for wireless networks.")
+ (default-value (wpa-supplicant-configuration)))))
;;;
@@ -1086,4 +1152,50 @@ networking."))))
switch designed to enable massive network automation through programmatic
extension.")))
+;;;
+;;; iptables
+;;;
+
+(define %iptables-accept-all-rules
+ (plain-file "iptables-accept-all.rules"
+ "*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+COMMIT
+"))
+
+(define-record-type* <iptables-configuration>
+ iptables-configuration make-iptables-configuration iptables-configuration?
+ (iptables iptables-configuration-iptables
+ (default iptables))
+ (ipv4-rules iptables-configuration-ipv4-rules
+ (default %iptables-accept-all-rules))
+ (ipv6-rules iptables-configuration-ipv6-rules
+ (default %iptables-accept-all-rules)))
+
+(define iptables-shepherd-service
+ (match-lambda
+ (($ <iptables-configuration> iptables ipv4-rules ipv6-rules)
+ (let ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
+ (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore")))
+ (shepherd-service
+ (documentation "Packet filtering framework")
+ (provision '(iptables))
+ (start #~(lambda _
+ (invoke #$iptables-restore #$ipv4-rules)
+ (invoke #$ip6tables-restore #$ipv6-rules)))
+ (stop #~(lambda _
+ (invoke #$iptables-restore #$%iptables-accept-all-rules)
+ (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
+
+(define iptables-service-type
+ (service-type
+ (name 'iptables)
+ (description
+ "Run @command{iptables-restore}, setting up the specified rules.")
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list iptables-shepherd-service))))))
+
;;; networking.scm ends here