From bfe3fdbc75a1412ccac46fc2ca750fa42e7f70fe Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 31 Jul 2022 18:22:45 +0200 Subject: services: tor: Do not write to /var/log/tor.log. The service uses syslog and additionally shepherd 0.9 captures its stdout/stderr, so there's no point in passing #:log-file. * gnu/services/networking.scm (tor-shepherd-service): Remove #:log-file argument to 'make-forkexec-constructor'. (%tor-log-rotation): Remove. (tor-service-type): Remove ROTTLOG-SERVICE-TYPE extension. --- gnu/services/networking.scm | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index b555c460408..3ddcdcc251d 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -997,15 +997,10 @@ HiddenServicePort ~a ~a~%" ;; 'sd_notify' though), so we're stuck with that. (start #~(make-forkexec-constructor (list #$tor "-f" #$torrc) - #:user "tor" #:group "tor" - #:log-file "/var/log/tor.log")) + #:user "tor" #:group "tor")) (stop #~(make-kill-destructor)) (documentation "Run the Tor anonymous network overlay.")))))))) -(define %tor-log-rotation - (list (log-rotation - (files '("/var/log/tor.log"))))) - (define (tor-activation config) "Set up directories for Tor and its hidden services, if any." #~(begin @@ -1051,9 +1046,7 @@ HiddenServicePort ~a ~a~%" (service-extension account-service-type (const %tor-accounts)) (service-extension activation-service-type - tor-activation) - (service-extension rottlog-service-type - (const %tor-log-rotation)))) + tor-activation))) ;; This can be extended with hidden services. (compose concatenate) -- cgit v1.3 From e5a6900baf758a12024283171bf45f2fe90121ee Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 31 Jul 2022 18:32:13 +0200 Subject: services: rottlog: Keep important /var/log files for 16 weeks. The default "rotate" value is 1 as of rottlog 0.72.2, meaning that only one rotated file would be kept in addition to the active file. * gnu/services/admin.scm (%default-rotations): Add "rotate" option for %ROTATED-FILES. --- gnu/services/admin.scm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/admin.scm b/gnu/services/admin.scm index 0b4ecaeb835..6951c7a9fde 100644 --- a/gnu/services/admin.scm +++ b/gnu/services/admin.scm @@ -93,7 +93,10 @@ (list (log-rotation ;syslog files (files %rotated-files) - (options '(;; Run post-rotate once per rotation + (frequency 'weekly) + (options '(;; These files are worth keeping for a few weeks. + "rotate 16" + ;; Run post-rotate once per rotation "sharedscripts" ;; Append .gz to rotated files "storefile @FILENAME.@COMP_EXT")) -- cgit v1.3 From 7d0ebc467ff2a76b75ef0817ac24af4b22c0ab8e Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 31 Jul 2022 23:35:27 +0200 Subject: services: rottlog: More convenient default options for . * gnu/services/admin.scm (%default-log-rotation-options): New variable. (%default-rotations): Use it. * gnu/services/cuirass.scm (cuirass-log-rotations): Likewise. * doc/guix.texi (Log Rotation): Adjust accordingly. --- doc/guix.texi | 5 +++-- gnu/services/admin.scm | 18 ++++++++++++------ gnu/services/cuirass.scm | 5 +++-- 3 files changed, 18 insertions(+), 10 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 6e867839a4c..271aad32f05 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -18811,9 +18811,10 @@ The log rotation frequency, a symbol. @item @code{files} The list of files or file glob patterns to rotate. -@item @code{options} (default: @code{'()}) +@vindex %default-log-rotation-options +@item @code{options} (default: @code{%default-log-rotation-options}) The list of rottlog options for this rotation (@pxref{Configuration -parameters,,, rottlog, GNU Rot[t]lg Manual}). +parameters,,, rottlog, GNU Rot[t]log Manual}). @item @code{post-rotate} (default: @code{#f}) Either @code{#f} or a gexp to execute once the rotation has completed. diff --git a/gnu/services/admin.scm b/gnu/services/admin.scm index 6951c7a9fde..252bedb0bd2 100644 --- a/gnu/services/admin.scm +++ b/gnu/services/admin.scm @@ -40,6 +40,7 @@ log-rotation-files log-rotation-options log-rotation-post-rotate + %default-log-rotation-options rottlog-configuration rottlog-configuration? @@ -82,7 +83,12 @@ (post-rotate log-rotation-post-rotate ;#f | gexp (default #f)) (options log-rotation-options ;list of strings - (default '()))) + (default %default-log-rotation-options))) + +(define %default-log-rotation-options + ;; Default log rotation options: append ".gz" to file names. + '("storefile @FILENAME.@COMP_EXT" + "notifempty")) (define %rotated-files ;; Syslog files subject to rotation. @@ -94,20 +100,20 @@ (files %rotated-files) (frequency 'weekly) - (options '(;; These files are worth keeping for a few weeks. + (options `(;; These files are worth keeping for a few weeks. "rotate 16" ;; Run post-rotate once per rotation "sharedscripts" - ;; Append .gz to rotated files - "storefile @FILENAME.@COMP_EXT")) + + ,@%default-log-rotation-options)) ;; Restart syslogd after rotation. (post-rotate #~(let ((pid (call-with-input-file "/var/run/syslog.pid" read))) (kill pid SIGHUP)))) (log-rotation (files '("/var/log/guix-daemon.log")) - (options '("rotate 4" ;don't keep too many of them - "storefile @FILENAME.@COMP_EXT"))))) + (options `("rotate 4" ;don't keep too many of them + ,@%default-log-rotation-options))))) (define (log-rotation->config rotation) "Return a string-valued gexp representing the rottlog configuration snippet diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm index d666d6243b5..52de5ca7c0b 100644 --- a/gnu/services/cuirass.scm +++ b/gnu/services/cuirass.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2016 Mathieu Lirzin -;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès +;;; Copyright © 2016-2022 Ludovic Courtès ;;; Copyright © 2017, 2020 Mathieu Othacehe ;;; Copyright © 2017 Jan Nieuwenhuizen ;;; Copyright © 2018, 2019 Ricardo Wurmus @@ -305,7 +305,8 @@ (files (list (cuirass-configuration-log-file config) (cuirass-configuration-web-log-file config))) (frequency 'weekly) - (options '("rotate 40"))))) ;worth keeping + (options `("rotate 40" ;worth keeping + ,@%default-log-rotation-options))))) (define cuirass-service-type (service-type -- cgit v1.3 From dd3cf144028ccd4e12b32133846525e97101d9cd Mon Sep 17 00:00:00 2001 From: Maya Date: Mon, 25 Jul 2022 09:02:18 +0000 Subject: services: opensmtpd: Make commands setgid to "smtpq" by default. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a patch that fixes ": this program must be setgid smtpq". * gnu/services/mail.scm ()[setgid-commands?]: New field. (opensmtpd-set-gids): New procedure. (opensmtpd-service-type)[extensions]: Add SETUID-PROGRAM-SERVICE-TYPE extension. * doc/guix.texi (Mail Services): Document it. Co-authored-by: Ludovic Courtès --- doc/guix.texi | 5 +++++ gnu/services/mail.scm | 45 +++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 48 insertions(+), 2 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 271aad32f05..fc6f477c9aa 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -25149,6 +25149,11 @@ it listens on the loopback network interface, and allows for mail from users and daemons on the local machine, as well as permitting email to remote servers. Run @command{man smtpd.conf} for more information. +@item @code{setgid-commands?} (default: @code{#t}) +Make the following commands setgid to @code{smtpq} so they can be +executed: @command{smtpctl}, @command{sendmail}, @command{send-mail}, +@command{makemap}, @command{mailq}, and @command{newaliases}. +@xref{Setuid Programs}, for more information on setgid programs. @end table @end deftp diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm index 10e65238618..43f144a42d7 100644 --- a/gnu/services/mail.scm +++ b/gnu/services/mail.scm @@ -30,6 +30,7 @@ #:use-module (gnu services shepherd) #:use-module (gnu system pam) #:use-module (gnu system shadow) + #:use-module (gnu system setuid) #:use-module (gnu packages mail) #:use-module (gnu packages admin) #:use-module (gnu packages dav) @@ -1653,7 +1654,8 @@ by @code{dovecot-configuration}. @var{config} may also be created by (package opensmtpd-configuration-package (default opensmtpd)) (config-file opensmtpd-configuration-config-file - (default %default-opensmtpd-config-file))) + (default %default-opensmtpd-config-file)) + (setgid-commands? opensmtpd-setgid-commands? (default #t))) (define %default-opensmtpd-config-file (plain-file "smtpd.conf" " @@ -1714,6 +1716,43 @@ match from local for any action outbound (define %opensmtpd-pam-services (list (unix-pam-service "smtpd"))) +(define opensmtpd-set-gids + (match-lambda + (($ package config-file set-gids?) + (if set-gids? + (list + (setuid-program + (program (file-append package "/sbin/smtpctl")) + (setuid? #false) + (setgid? #true) + (group "smtpq")) + (setuid-program + (program (file-append package "/sbin/sendmail")) + (setuid? #false) + (setgid? #true) + (group "smtpq")) + (setuid-program + (program (file-append package "/sbin/send-mail")) + (setuid? #false) + (setgid? #true) + (group "smtpq")) + (setuid-program + (program (file-append package "/sbin/makemap")) + (setuid? #false) + (setgid? #true) + (group "smtpq")) + (setuid-program + (program (file-append package "/sbin/mailq")) + (setuid? #false) + (setgid? #true) + (group "smtpq")) + (setuid-program + (program (file-append package "/sbin/newaliases")) + (setuid? #false) + (setgid? #true) + (group "smtpq"))) + '())))) + (define opensmtpd-service-type (service-type (name 'opensmtpd) @@ -1727,7 +1766,9 @@ match from local for any action outbound (service-extension profile-service-type (compose list opensmtpd-configuration-package)) (service-extension shepherd-root-service-type - opensmtpd-shepherd-service))) + opensmtpd-shepherd-service) + (service-extension setuid-program-service-type + opensmtpd-set-gids))) (description "Run the OpenSMTPD, a lightweight @acronym{SMTP, Simple Mail Transfer Protocol} server."))) -- cgit v1.3 From a2b89a3319dc1d621c546855f578acae5baaf6da Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Wed, 27 Jul 2022 15:18:51 -0400 Subject: services: configuration: Step back from *unspecified*. Fixes . This partially reverts 8cb1a49a3998c39f315a4199b7d4a121a6d66449. Rationale: *unspecified* cannot be serialized thus used as a G-Expression input, which is problematic/inconvenient when using deeply nested records. As an example, jami-service-type was broken when using partially defined records. * gnu/services/configuration.scm (define-maybe-helper): Check against the 'unset symbol. (normalize-field-type+def): Adjust value to 'unset. (define-configuration-helper): Use 'unset as the default value thunk. * gnu/services/file-sharing.scm (serialize-maybe-string): Check against the 'unset symbol. (serialize-maybe-file-object): Likewise. * gnu/services/messaging.scm (define-all-configurations): Use 'unset as value. (raw-content?): Check against 'unset symbol. (prosody-configuration)[http-max-content-size]: Default to 'unset. [http-external-url]: Likewise. [mod-muc]: Likewise. [raw-content]: Likewise. * gnu/services/networking.scm (opendht-configuration): Adjust documentation. * gnu/services/telephony.scm (jami-shepherd-services): Replace *undefined* with the 'unset symbol. * tests/services/configuration.scm ("maybe type, no default"): Check against the 'unset symbol. * doc/guix.texi: Regenerate the opendht-configuration, openvpn-client-configuration and openvpn-server-configuration documentation. --- doc/guix.texi | 367 +++++++++------------------------------ gnu/services/configuration.scm | 11 +- gnu/services/file-sharing.scm | 4 +- gnu/services/messaging.scm | 12 +- gnu/services/networking.scm | 6 +- gnu/services/telephony.scm | 6 +- tests/services/configuration.scm | 6 +- 7 files changed, 102 insertions(+), 310 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index fc6f477c9aa..9d17050ffc6 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -19769,75 +19769,46 @@ The value of this service is a @code{opendht-configuration} object, as described below. @end defvr -@deftp {Data Type} opendht-configuration -This is the data type for the OpenDHT service configuration. - @c The fields documentation has been auto-generated using the @c configuration->documentation procedure from @c (gnu services configuration). +@deftp {Data Type} opendht-configuration Available @code{opendht-configuration} fields are: -@deftypevr {@code{opendht-configuration} parameter} package opendht +@table @asis +@item @code{opendht} (default: @code{opendht}) (type: file-like) The @code{opendht} package to use. -@end deftypevr - -@deftypevr {@code{opendht-configuration} parameter} boolean peer-discovery? +@item @code{peer-discovery?} (default: @code{#f}) (type: boolean) Whether to enable the multicast local peer discovery mechanism. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{opendht-configuration} parameter} boolean enable-logging? +@item @code{enable-logging?} (default: @code{#f}) (type: boolean) Whether to enable logging messages to syslog. It is disabled by default as it is rather verbose. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{opendht-configuration} parameter} boolean debug? +@item @code{debug?} (default: @code{#f}) (type: boolean) Whether to enable debug-level logging messages. This has no effect if logging is disabled. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{opendht-configuration} parameter} maybe-string bootstrap-host +@item @code{bootstrap-host} (default: @code{"bootstrap.jami.net:4222"}) (type: maybe-string) The node host name that is used to make the first connection to the network. A specific port value can be provided by appending the @code{:PORT} suffix. By default, it uses the Jami bootstrap nodes, but any host can be specified here. It's also possible to disable -bootsrapping by explicitly setting this to the @code{*unspecified*} -value. +bootstrapping by explicitly setting this field to the +@code{'unset} value. -Defaults to @samp{"bootstrap.jami.net:4222"}. - -@end deftypevr - -@deftypevr {@code{opendht-configuration} parameter} maybe-number port -The UDP port to bind to. When explicitly set to @code{*unspecified*}, -an available port is automatically selected. - -Defaults to @samp{4222}. - -@end deftypevr +@item @code{port} (default: @code{4222}) (type: maybe-number) +The UDP port to bind to. When left unspecified, an available port is +automatically selected. -@deftypevr {@code{opendht-configuration} parameter} maybe-number proxy-server-port +@item @code{proxy-server-port} (type: maybe-number) Spawn a proxy server listening on the specified port. -Defaults to @samp{disabled}. - -@end deftypevr - -@deftypevr {@code{opendht-configuration} parameter} maybe-number proxy-server-port-tls +@item @code{proxy-server-port-tls} (type: maybe-number) Spawn a proxy server listening to TLS connections on the specified port. -Defaults to @samp{disabled}. - -@end deftypevr +@end table @end deftp @cindex Tor @@ -30532,362 +30503,184 @@ Both can be run simultaneously. @c %automatically generated documentation +@deftp {Data Type} openvpn-client-configuration Available @code{openvpn-client-configuration} fields are: -@deftypevr {@code{openvpn-client-configuration} parameter} package openvpn +@table @asis +@item @code{openvpn} (default: @code{openvpn}) (type: file-like) The OpenVPN package. -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} string pid-file +@item @code{pid-file} (default: @code{"/var/run/openvpn/openvpn.pid"}) (type: string) The OpenVPN pid file. -Defaults to @samp{"/var/run/openvpn/openvpn.pid"}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} proto proto +@item @code{proto} (default: @code{udp}) (type: proto) The protocol (UDP or TCP) used to open a channel between clients and servers. -Defaults to @samp{udp}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} dev dev +@item @code{dev} (default: @code{tun}) (type: dev) The device type used to represent the VPN connection. -Defaults to @samp{tun}. - -@end deftypevr - -If you do not have some of these files (eg.@: you use a username and -password), you can disable any of the following three fields by setting -it to @code{*unspecified*}. - -@deftypevr {@code{openvpn-client-configuration} parameter} maybe-string ca +@item @code{ca} (default: @code{"/etc/openvpn/ca.crt"}) (type: maybe-string) The certificate authority to check connections against. -Defaults to @samp{"/etc/openvpn/ca.crt"}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} maybe-string cert +@item @code{cert} (default: @code{"/etc/openvpn/client.crt"}) (type: maybe-string) The certificate of the machine the daemon is running on. It should be signed by the authority given in @code{ca}. -Defaults to @samp{"/etc/openvpn/client.crt"}. +@item @code{key} (default: @code{"/etc/openvpn/client.key"}) (type: maybe-string) +The key of the machine the daemon is running on. It must be the key +whose certificate is @code{cert}. -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} maybe-string key -The key of the machine the daemon is running on. It must be the key whose -certificate is @code{cert}. - -Defaults to @samp{"/etc/openvpn/client.key"}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} boolean comp-lzo? +@item @code{comp-lzo?} (default: @code{#t}) (type: boolean) Whether to use the lzo compression algorithm. -Defaults to @samp{#t}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-key? +@item @code{persist-key?} (default: @code{#t}) (type: boolean) Don't re-read key files across SIGUSR1 or --ping-restart. -Defaults to @samp{#t}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} boolean persist-tun? +@item @code{persist-tun?} (default: @code{#t}) (type: boolean) Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts. -Defaults to @samp{#t}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} boolean fast-io? +@item @code{fast-io?} (default: @code{#f}) (type: boolean) (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. -Defaults to @samp{#f}. -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} number verbosity +@item @code{verbosity} (default: @code{3}) (type: number) Verbosity level. -Defaults to @samp{3}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} tls-auth-client tls-auth +@item @code{tls-auth} (default: @code{#f}) (type: tls-auth-client) Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} maybe-string auth-user-pass +@item @code{auth-user-pass} (type: maybe-string) Authenticate with server using username/password. The option is a file -containing username/password on 2 lines. Do not use a file-like object as it -would be added to the store and readable by any user. +containing username/password on 2 lines. Do not use a file-like object +as it would be added to the store and readable by any user. -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} key-usage verify-key-usage? +@item @code{verify-key-usage?} (default: @code{#t}) (type: key-usage) Whether to check the server certificate has server usage extension. -Defaults to @samp{#t}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} bind bind? +@item @code{bind?} (default: @code{#f}) (type: bind) Bind to a specific local port number. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} resolv-retry resolv-retry? +@item @code{resolv-retry?} (default: @code{#t}) (type: resolv-retry) Retry resolving server address. -Defaults to @samp{#t}. - -@end deftypevr - -@deftypevr {@code{openvpn-client-configuration} parameter} openvpn-remote-list remote +@item @code{remote} (default: @code{()}) (type: openvpn-remote-list) A list of remote servers to connect to. -Defaults to @samp{()}. - +@deftp {Data Type} openvpn-remote-configuration Available @code{openvpn-remote-configuration} fields are: -@deftypevr {@code{openvpn-remote-configuration} parameter} string name +@table @asis +@item @code{name} (default: @code{"my-server"}) (type: string) Server name. -Defaults to @samp{"my-server"}. +@item @code{port} (default: @code{1194}) (type: number) +Port number the server listens to. -@end deftypevr +@end table -@deftypevr {@code{openvpn-remote-configuration} parameter} number port -Port number the server listens to. +@end deftp -Defaults to @samp{1194}. +@end table -@end deftypevr +@end deftp -@end deftypevr @c %end of automatic openvpn-client documentation @c %automatically generated documentation +@deftp {Data Type} openvpn-server-configuration Available @code{openvpn-server-configuration} fields are: -@deftypevr {@code{openvpn-server-configuration} parameter} package openvpn +@table @asis +@item @code{openvpn} (default: @code{openvpn}) (type: file-like) The OpenVPN package. -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} string pid-file +@item @code{pid-file} (default: @code{"/var/run/openvpn/openvpn.pid"}) (type: string) The OpenVPN pid file. -Defaults to @samp{"/var/run/openvpn/openvpn.pid"}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} proto proto +@item @code{proto} (default: @code{udp}) (type: proto) The protocol (UDP or TCP) used to open a channel between clients and servers. -Defaults to @samp{udp}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} dev dev +@item @code{dev} (default: @code{tun}) (type: dev) The device type used to represent the VPN connection. -Defaults to @samp{tun}. - -@end deftypevr - -If you do not have some of these files (eg.@: you use a username and -password), you can disable any of the following three fields by setting -it to @code{*unspecified*}. - -@deftypevr {@code{openvpn-server-configuration} parameter} maybe-string ca +@item @code{ca} (default: @code{"/etc/openvpn/ca.crt"}) (type: maybe-string) The certificate authority to check connections against. -Defaults to @samp{"/etc/openvpn/ca.crt"}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} maybe-string cert +@item @code{cert} (default: @code{"/etc/openvpn/client.crt"}) (type: maybe-string) The certificate of the machine the daemon is running on. It should be signed by the authority given in @code{ca}. -Defaults to @samp{"/etc/openvpn/client.crt"}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} maybe-string key -The key of the machine the daemon is running on. It must be the key whose -certificate is @code{cert}. - -Defaults to @samp{"/etc/openvpn/client.key"}. - -@end deftypevr +@item @code{key} (default: @code{"/etc/openvpn/client.key"}) (type: maybe-string) +The key of the machine the daemon is running on. It must be the key +whose certificate is @code{cert}. -@deftypevr {@code{openvpn-server-configuration} parameter} boolean comp-lzo? +@item @code{comp-lzo?} (default: @code{#t}) (type: boolean) Whether to use the lzo compression algorithm. -Defaults to @samp{#t}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-key? +@item @code{persist-key?} (default: @code{#t}) (type: boolean) Don't re-read key files across SIGUSR1 or --ping-restart. -Defaults to @samp{#t}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} boolean persist-tun? +@item @code{persist-tun?} (default: @code{#t}) (type: boolean) Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts. -Defaults to @samp{#t}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} boolean fast-io? +@item @code{fast-io?} (default: @code{#f}) (type: boolean) (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. -Defaults to @samp{#f}. -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} number verbosity +@item @code{verbosity} (default: @code{3}) (type: number) Verbosity level. -Defaults to @samp{3}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} tls-auth-server tls-auth +@item @code{tls-auth} (default: @code{#f}) (type: tls-auth-server) Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} number port +@item @code{port} (default: @code{1194}) (type: number) Specifies the port number on which the server listens. -Defaults to @samp{1194}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} ip-mask server +@item @code{server} (default: @code{"10.8.0.0 255.255.255.0"}) (type: ip-mask) An ip and mask specifying the subnet inside the virtual network. -Defaults to @samp{"10.8.0.0 255.255.255.0"}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} cidr6 server-ipv6 +@item @code{server-ipv6} (default: @code{#f}) (type: cidr6) A CIDR notation specifying the IPv6 subnet inside the virtual network. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} string dh +@item @code{dh} (default: @code{"/etc/openvpn/dh2048.pem"}) (type: string) The Diffie-Hellman parameters file. -Defaults to @samp{"/etc/openvpn/dh2048.pem"}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} string ifconfig-pool-persist +@item @code{ifconfig-pool-persist} (default: @code{"/etc/openvpn/ipp.txt"}) (type: string) The file that records client IPs. -Defaults to @samp{"/etc/openvpn/ipp.txt"}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} gateway redirect-gateway? +@item @code{redirect-gateway?} (default: @code{#f}) (type: gateway) When true, the server will act as a gateway for its clients. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} boolean client-to-client? +@item @code{client-to-client?} (default: @code{#f}) (type: boolean) When true, clients are allowed to talk to each other inside the VPN. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} keepalive keepalive +@item @code{keepalive} (default: @code{(10 120)}) (type: keepalive) Causes ping-like messages to be sent back and forth over the link so that each side knows when the other side has gone down. @code{keepalive} requires a pair. The first element is the period of the ping sending, and the second element is the timeout before considering the other side down. -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} number max-clients +@item @code{max-clients} (default: @code{100}) (type: number) The maximum number of clients. -Defaults to @samp{100}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} string status +@item @code{status} (default: @code{"/var/run/openvpn/status"}) (type: string) The status file. This file shows a small report on current connection. It is truncated and rewritten every minute. -Defaults to @samp{"/var/run/openvpn/status"}. - -@end deftypevr - -@deftypevr {@code{openvpn-server-configuration} parameter} openvpn-ccd-list client-config-dir +@item @code{client-config-dir} (default: @code{()}) (type: openvpn-ccd-list) The list of configuration for some clients. -Defaults to @samp{()}. - -Available @code{openvpn-ccd-configuration} fields are: - -@deftypevr {@code{openvpn-ccd-configuration} parameter} string name -Client name. - -Defaults to @samp{"client"}. - -@end deftypevr - -@deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask iroute -Client own network - -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{openvpn-ccd-configuration} parameter} ip-mask ifconfig-push -Client VPN IP. - -Defaults to @samp{#f}. - -@end deftypevr +@end table -@end deftypevr +@end deftp @c %end of automatic openvpn-server documentation @@ -31519,7 +31312,7 @@ Each parameter definition is preceded by its type; for example, @samp{boolean foo} indicates that the @code{foo} parameter should be specified as a boolean. Types starting with @code{maybe-} denote parameters that won't show up in TLP config file when their value is -left unset, or is explicitly set to the @code{*unspecified*} value. +left unset, or is explicitly set to the @code{'unset} value. @c The following documentation was initially generated by @c (generate-tlp-documentation) in (gnu services pm). Manually maintained @@ -39136,7 +38929,7 @@ macro which is a shorthand of this. Sometimes a field should not be serialized if the user doesn’t specify a value. To achieve this, you can use the @code{define-maybe} macro to define a ``maybe type''; if the value of a maybe type is left unset, or -is set to the @code{*unspecified*} value, then it will not be +is set to the @code{'unset} value, then it will not be serialized. When defining a ``maybe type'', the corresponding serializer for the diff --git a/gnu/services/configuration.scm b/gnu/services/configuration.scm index e3c101d0421..3007e8de359 100644 --- a/gnu/services/configuration.scm +++ b/gnu/services/configuration.scm @@ -3,7 +3,7 @@ ;;; Copyright © 2017 Mathieu Othacehe ;;; Copyright © 2017, 2018 Clément Lassieur ;;; Copyright © 2021 Xinglu Chen -;;; Copyright © 2021 Maxim Cournoyer +;;; Copyright © 2021, 2022 Maxim Cournoyer ;;; Copyright © 2021 Andrew Tropin ;;; Copyright © 2022 Maxime Devos ;;; @@ -142,8 +142,7 @@ does not have a default value" field kind))) (id #'stem #'serialize-maybe- #'stem)))) #`(begin (define (maybe-stem? val) - (or (unspecified? val) - (stem? val))) + (or (eq? val 'unset) (stem? val))) #,@(if serialize? (list #'(define (serialize-maybe-stem field-name val) (if (stem? val) @@ -171,10 +170,10 @@ does not have a default value" field kind))) (values #'(field-type def))) ((field-type) (identifier? #'field-type) - (values #'(field-type *unspecified*))) + (values #'(field-type 'unset))) (field-type (identifier? #'field-type) - (values #'(field-type *unspecified*))))) + (values #'(field-type 'unset))))) (define (define-configuration-helper serialize? serializer-prefix syn) (syntax-case syn () @@ -262,7 +261,7 @@ does not have a default value" field kind))) (lambda () (display '#,(id #'stem #'% #'stem)) (if (eq? (syntax->datum field-default) - '*unspecified*) + 'unset) (configuration-missing-default-value '#,(id #'stem #'% #'stem) 'field) field-default))) diff --git a/gnu/services/file-sharing.scm b/gnu/services/file-sharing.scm index e32d1f145da..5df8b0d5974 100644 --- a/gnu/services/file-sharing.scm +++ b/gnu/services/file-sharing.scm @@ -115,7 +115,7 @@ type generated and used by Transmission clients, suitable for passing to the (set! serialize-maybe-string (lambda (field-name val) (serialize-string field-name - (if (unspecified? val) + (if (eq? val 'unset) "" val)))) @@ -180,7 +180,7 @@ type generated and used by Transmission clients, suitable for passing to the (define-maybe file-object) (set! serialize-maybe-file-object (lambda (field-name val) - (if (unspecified? val) + (if (eq? val 'unset) (serialize-string field-name "") (serialize-file-object field-name val)))) diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm index 651f90adb27..00a1c80a148 100644 --- a/gnu/services/messaging.scm +++ b/gnu/services/messaging.scm @@ -90,7 +90,7 @@ ((new-def ...) (map (lambda (def target) (if (eq? 'common (syntax->datum target)) - #'*unspecified* def)) + #''unset def)) #'(def ...) #'(target ...))) ((new-doc ...) (map (lambda (doc target) @@ -200,7 +200,7 @@ (define-maybe file-object-list) (define (raw-content? val) - (not (unspecified? val))) + (not (eq? val 'unset))) (define (serialize-raw-content field-name val) val) (define-maybe raw-content) @@ -474,12 +474,12 @@ by the Prosody service. See @url{https://prosody.im/doc/logging}." global) (http-max-content-size - (maybe-non-negative-integer *unspecified*) + (maybe-non-negative-integer 'unset) "Maximum allowed size of the HTTP body (in bytes)." common) (http-external-url - (maybe-string *unspecified*) + (maybe-string 'unset) "Some modules expose their own URL in various ways. This URL is built from the protocol, host and port used. If Prosody sits behind a proxy, the public URL will be @code{http-external-url} instead. See @@ -556,7 +556,7 @@ support. To add an external component, you simply fill the hostname field. See int-component) (mod-muc - (maybe-mod-muc-configuration *unspecified*) + (maybe-mod-muc-configuration 'unset) "Multi-user chat (MUC) is Prosody's module for allowing you to create hosted chatrooms/conferences for XMPP users. @@ -573,7 +573,7 @@ See also @url{https://prosody.im/doc/modules/mod_muc}." ext-component) (raw-content - (maybe-raw-content *unspecified*) + (maybe-raw-content 'unset) "Raw content that will be added to the configuration file." common))) diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 3ddcdcc251d..3c6395b6ca4 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -772,11 +772,11 @@ logging is disabled.") network. A specific port value can be provided by appending the @code{:PORT} suffix. By default, it uses the Jami bootstrap nodes, but any host can be specified here. It's also possible to disable bootstrapping by explicitly -setting this field to the @code{*unspecified*} value.") +setting this field to the @code{'unset} value.") (port (maybe-number 4222) - "The UDP port to bind to. When set to @code{*unspecified*}, an available -port is automatically selected.") + "The UDP port to bind to. When left unspecified, an available port is +automatically selected.") (proxy-server-port maybe-number "Spawn a proxy server listening on the specified port.") diff --git a/gnu/services/telephony.scm b/gnu/services/telephony.scm index e8bfbc88c53..7152f3b38d8 100644 --- a/gnu/services/telephony.scm +++ b/gnu/services/telephony.scm @@ -307,7 +307,7 @@ CONFIG, a object." (dbus (jami-configuration-dbus config)) (dbus-daemon (file-append dbus "/bin/dbus-daemon")) (accounts (jami-configuration-accounts config)) - (declarative-mode? (not (unspecified? accounts)))) + (declarative-mode? (not (eq? 'unset accounts)))) (with-extensions (list guile-packrat ;used by guile-ac-d-bus guile-ac-d-bus @@ -649,7 +649,7 @@ argument, either a registered username or the fingerprint of the account.") account-details) (let ((username (archive-name->username archive))) - (when (not (unspecified? allowed-contacts)) + (when (not (eq? 'unset allowed-contacts)) ;; Reject calls from unknown contacts. (set-account-details '(("DHT.PublicInCalls" . "false")) username) @@ -659,7 +659,7 @@ argument, either a registered username or the fingerprint of the account.") ;; Add allowed ones. (for-each (cut add-contact <> username) allowed-contacts)) - (when (not (unspecified? moderators)) + (when (not (eq? 'unset moderators)) ;; Disable the 'AllModerators' property. (set-all-moderators #f username) ;; Remove all moderators. diff --git a/tests/services/configuration.scm b/tests/services/configuration.scm index 6268525317a..548c400bfe6 100644 --- a/tests/services/configuration.scm +++ b/tests/services/configuration.scm @@ -151,9 +151,9 @@ (not (defined? 'serialize-maybe-string))) (test-assert "maybe type, no default" - (unspecified? - (config-with-maybe-string/no-serialization-name - (config-with-maybe-string/no-serialization)))) + (eq? 'unset + (config-with-maybe-string/no-serialization-name + (config-with-maybe-string/no-serialization)))) (test-assert "maybe type, with default" (equal? -- cgit v1.3 From ee199cd3baf3f2f207223749e0c1015432826bd3 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Thu, 28 Jul 2022 17:03:25 +0200 Subject: services: qemu-guest-agent: Fix arguments to qemu-ga. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix the check for empty device path. Do not use --daemonize, since that is handled by make-forkexec-constructor. Drop the --pidfile option which is unused without --daemonize. * gnu/services/virtualization.scm (qemu-guest-agent-shepherd-service): Modify command arguments. Signed-off-by: Ludovic Courtès --- gnu/services/virtualization.scm | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index 41afe451c15..406752b35c6 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -879,13 +879,11 @@ specified, the QEMU default path is used.")) (provision '(qemu-guest-agent)) (documentation "Run the QEMU guest agent.") (start #~(make-forkexec-constructor - `(,(string-append #$qemu "/bin/qemu-ga") "--daemon" - "--pidfile=/var/run/qemu-ga.pid" - "--statedir=/var/run" - ,@(if #$device - (list (string-append "--path=" #$device)) - '())) - #:pid-file "/var/run/qemu-ga.pid" + `(,(string-append #$qemu "/bin/qemu-ga") + "--statedir" "/var/run" + ,@(if (string-null? #$device) + '() + (list "--path" #$device))) #:log-file "/var/log/qemu-ga.log")) (stop #~(make-kill-destructor)))))) -- cgit v1.3 From 59ee837d8b11d7d688045b601e8b240ccbdbe7c7 Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Tue, 9 Aug 2022 23:51:48 -0400 Subject: services: elogind: Fix default behavior for lid close. Fixes , which was a behavior change introduced inadvertently in 4c698cd51209a0102477478b026ea04bd7e45908. * gnu/services/desktop.scm () [handle-lid-switch-external-power]: Default to *unspecified*, which serializes to nothing. This matches upstream behavior, meaning that even when plugged to a power cord, a laptop will suspend when the lid is closed. * doc/guix.texi (Desktop Services): Update doc. Reported-by: Cairn --- doc/guix.texi | 2 +- gnu/services/desktop.scm | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'gnu/services') diff --git a/doc/guix.texi b/doc/guix.texi index 99321929ccf..86cfe7d49cc 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -22442,7 +22442,7 @@ their default values are: @item handle-lid-switch-docked @code{ignore} @item handle-lid-switch-external-power -@code{ignore} +@code{*unspecified*} @item power-key-ignore-inhibited? @code{#f} @item suspend-key-ignore-inhibited? diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 29a3722f1b5..f891d1b5ccd 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -3,7 +3,7 @@ ;;; Copyright © 2015 Andy Wingo ;;; Copyright © 2015 Mark H Weaver ;;; Copyright © 2016 Sou Bunnbu -;;; Copyright © 2017, 2020 Maxim Cournoyer +;;; Copyright © 2017, 2020, 2022 Maxim Cournoyer ;;; Copyright © 2017 Nikita ;;; Copyright © 2018, 2020 Efraim Flashner ;;; Copyright © 2018 Ricardo Wurmus @@ -971,7 +971,7 @@ include the @command{udisksctl} command, part of UDisks, and GNOME Disks." (handle-lid-switch-docked elogind-handle-lid-switch-docked (default 'ignore)) (handle-lid-switch-external-power elogind-handle-lid-switch-external-power - (default 'ignore)) + (default *unspecified*)) (power-key-ignore-inhibited? elogind-power-key-ignore-inhibited? (default #f)) (suspend-key-ignore-inhibited? elogind-suspend-key-ignore-inhibited? @@ -1032,7 +1032,9 @@ include the @command{udisksctl} command, part of UDisks, and GNOME Disks." (define handle-actions '(ignore poweroff reboot halt kexec suspend hibernate hybrid-sleep lock)) (define (handle-action x) - (enum x handle-actions)) + (if (unspecified? x) + "" ;empty serializer + (enum x handle-actions))) (define (sleep-list tokens) (unless (valid-list? tokens char-set:user-name) (error "invalid sleep list" tokens)) -- cgit v1.3