From deeee98a50267660439109ce8ef8fe856bdb1846 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 24 Jun 2023 16:10:03 +0200 Subject: services: dicod: Use one inetd endpoint per interface. * gnu/services/dict.scm (dicod-shepherd-service): Remove the (= 1 (length interfaces)) restriction by adding one endpoint per interface. --- gnu/services/dict.scm | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/dict.scm b/gnu/services/dict.scm index 90d3c35b6c7..23e1d363649 100644 --- a/gnu/services/dict.scm +++ b/gnu/services/dict.scm @@ -167,15 +167,15 @@ database { (provision '(dicod)) (requirement '(user-processes)) (documentation "Run the dicod daemon.") - (start #~(if (and (defined? 'make-inetd-constructor) - #$(= 1 (length interfaces))) ;XXX + (start #~(if (defined? 'make-inetd-constructor) (make-inetd-constructor (list #$dicod "--inetd" "--foreground" (string-append "--config=" #$dicod.conf)) - (list (endpoint - (addrinfo:addr - (car (getaddrinfo #$(first interfaces) - "dict"))))) + (map (lambda (interface) + (endpoint + (addrinfo:addr + (car (getaddrinfo interface "dict"))))) + '#$interfaces) #:requirements '#$requirement #:user "dicod" #:group "dicod" #:service-name-stem "dicod") @@ -183,8 +183,7 @@ database { (list #$dicod "--foreground" (string-append "--config=" #$dicod.conf)) #:user "dicod" #:group "dicod"))) - (stop #~(if (and (defined? 'make-inetd-destructor) - #$(= 1 (length interfaces))) ;XXX + (stop #~(if (defined? 'make-inetd-destructor) (make-inetd-destructor) (make-kill-destructor))) (actions (list (shepherd-configuration-action dicod.conf))))))) -- cgit v1.3 From 6c0e7b266523a2cc381c76392c830a237d9e41a9 Mon Sep 17 00:00:00 2001 
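Review bot: In the new `map` inside the `start` field of dicod-shepherd-service, `(car (getaddrinfo interface "dict"))` keeps only the first address returned for each interface, so a host name that resolves to several addresses (for example both IPv4 and IPv6) gets a single listening endpoint, and which one is bound depends on resolver ordering. Because the set of listening addresses decides where dicod is reachable, I would state this above the `map`, e.g. `;; One endpoint per interface; only the first getaddrinfo result is used.`, or deliberately build endpoints for all returned addresses. The lookup runs when the service starts, so an unresolvable entry in `interfaces` presumably makes `start` fail as a whole rather than skip that entry; that is worth a sentence in the field's documentation. The enclosing shepherd-service form starts and ends outside the hunk.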
From: Ludovic Courtès Date: Sun, 25 Jun 2023 23:31:11 +0200 Subject: services: Validate 'provision' field of . Fixes . * gnu/services/shepherd.scm (validate-provision): New procedure. ()[provision]: Use it. Co-authored-by: Bruno Victal --- gnu/services/shepherd.scm | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm index de40454f7da..e9d3a631c21 100644 --- a/gnu/services/shepherd.scm +++ b/gnu/services/shepherd.scm @@ -27,8 +27,9 @@ #:use-module (guix store) #:use-module (guix records) #:use-module (guix packages) - #:use-module (guix derivations) ;imported-modules, etc. #:use-module (guix utils) + #:use-module ((guix diagnostics) + #:select (define-with-syntax-properties formatted-message)) #:use-module (gnu services) #:use-module (gnu services herd) #:use-module (gnu packages admin) @@ -186,12 +187,25 @@ DEFAULT is given, use it as the service's default value." ((guix build utils) #:hide (delete)) (guix build syscalls))) +(define-with-syntax-properties (validate-provision (provision properties)) + (match provision + (((? symbol?) ..1) provision) + (_ + (raise + (make-compound-condition + (condition + (&error-location + (location (source-properties->location properties)))) + (formatted-message + (G_ "'provision' must be a non-empty list of symbols"))))))) + (define-record-type* shepherd-service make-shepherd-service shepherd-service? (documentation shepherd-service-documentation ;string (default "[No documentation.]")) - (provision shepherd-service-provision) ;list of symbols + (provision shepherd-service-provision ;list of symbols + (sanitize validate-provision)) (requirement shepherd-service-requirement ;list of symbols (default '())) (one-shot? shepherd-service-one-shot? ;Boolean -- cgit v1.3 From 63660f0febb4aa0d5260791c82dfde15c0df4c79 Mon Sep 17 00:00:00 2001 
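Review bot: The error raised by `validate-provision` in gnu/services/shepherd.scm does not show the rejected value, which makes a mistake harder to locate when `provision` is computed rather than written literally; consider `(G_ "'provision' must be a non-empty list of symbols, got ~s")` with `provision` passed as the format argument. The neighbouring `requirement` field is annotated as a list of symbols too and still has no sanitizer, so a malformed value there is presumably still detected only later. A one-line comment above the procedure, such as `;; Return PROVISION if it is a non-empty list of symbols, else raise an error located at PROPERTIES.`, would document the contract. The first hunk drops the `(guix derivations)` import; the rest of the file is not visible here, so it should be confirmed that nothing else in the module relied on it.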
From: John Kehayias Date: Tue, 27 Jun 2023 15:43:27 -0400 Subject: services: pam-limits: Add lightdm. Without this a user's pam-limits-service-type configuration does not have an effect when using lightdm. * gnu/services/base.scm (pam-limits-service-type): Add "lightdm" to the list. --- gnu/services/base.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu/services') diff --git a/gnu/services/base.scm b/gnu/services/base.scm index bbc2ac2c79f..636d827ff9e 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -1613,7 +1613,7 @@ information on the configuration file syntax." '("conf=/etc/security/limits.conf"))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" - "sddm" "sudo" "sshd")) + "sddm" "sudo" "sshd" "lightdm")) (pam-service (inherit pam) (session (cons pam-limits -- cgit v1.3 From cbc14b3baea457cf2718b85f767d39ff3911ce91 Mon Sep 17 00:00:00 2001 From: Bruno Victal Date: Wed, 5 Apr 2023 16:34:08 +0100 Subject: services: nginx: Harden php-location settings. * gnu/services/web.scm (nginx-php-location): Only pass existing PHP files to the back end. Mitigate httpoxy vulnerability. --- gnu/services/web.scm | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'gnu/services') diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 45897d7d6fd..818226a4f76 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm 
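Review bot: In pam-limits-service-type (gnu/services/base.scm) the limits are still attached only to PAM services whose name matches this hard-coded list exactly, so adding "lightdm" covers the regular login path but not any other PAM service the display manager opens sessions through. Upstream LightDM uses a separate `lightdm-autologin` PAM service for automatic login; if the Guix lightdm service defines it as well, those sessions would still start without the configured limits and the list would also need `"lightdm-autologin"` — this cannot be confirmed from the page. A short comment above the list, e.g. `;; Every PAM service that opens a user session must be listed here, or limits.conf is silently ignored for it.`, would help the next display-manager addition. The enclosing procedure starts and ends outside the hunk.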
@@ -1144,6 +1144,14 @@ a webserver.") (uri "~ \\.php$") (body (list "fastcgi_split_path_info ^(.+\\.php)(/.+)$;" + + ;; Include some upstream recommendations from + ;; https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi + ;; Mitigate https://httpoxy.org/ vulnerabilities + "fastcgi_param HTTP_PROXY \"\";" + ;; Only pass existing php files to the backend. + "if (!-f $document_root$fastcgi_script_name) { return 404; }" + (string-append "fastcgi_pass unix:" socket ";") "fastcgi_index index.php;" (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;"))))) -- cgit v1.3 From 4722496292ea282db7d1779bfada1e6a3813be99 Mon Sep 17 00:00:00 2001 From: Josselin Poiret Date: Fri, 12 May 2023 10:09:42 +0200 Subject: gnu: gnome: Remove gnome-boxes from default GNOME apps. * gnu/packages/gnome.scm (gnome): Remove gnome-boxes from propagated-inputs, since it is no longer a Core App in 42. --- gnu/packages/gnome.scm | 1 - gnu/services/desktop.scm | 15 +-------------- 2 files changed, 1 insertion(+), 15 deletions(-) (limited to 'gnu/services') diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index d4dd54e5d7d..4d680e4a856 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -10058,7 +10058,6 @@ world.") epiphany evince file-roller - gnome-boxes gnome-calculator gnome-calendar gnome-characters diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index a63748b652f..01aec64bee3 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm 
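Review bot: The new existence check in nginx-php-location (gnu/services/web.scm), `if (!-f $document_root$fastcgi_script_name) { return 404; }`, is evaluated by nginx against its own view of the file system, so it only gives the intended guarantee when the FastCGI back end sees the same tree at the same path. If php-fpm runs chrooted or in a container, the check can reject valid scripts or accept names that the back end resolves differently; the comment should record that assumption, e.g. `;; Assumes nginx and the PHP back end share $document_root.` It would also help to note that the check depends on `$fastcgi_script_name` as set by the preceding `fastcgi_split_path_info` line, so the order of these strings must not change, and that `fastcgi_param HTTP_PROXY "";` exists to blank the variable a client could otherwise set through a `Proxy` request header. The enclosing procedure continues outside the hunk.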
@@ -1398,18 +1398,7 @@ rules." '("gnome-settings-daemon" "gnome-control-center" "gnome-system-monitor" - "gvfs" - ;; spice-gtk provides polkit actions for USB redirection - ;; in GNOME Boxes. - ("gnome-boxes" "spice-gtk"))))) - -(define (gnome-setuid-programs config) - "Return the list of GNOME setuid programs." - (let* ((gnome (gnome-desktop-configuration-gnome config)) - (spice-gtk (gnome-package gnome '("gnome-boxes" "spice-gtk")))) - (map file-like->setuid-program - (list (file-append spice-gtk - "/libexec/spice-client-glib-usb-acl-helper"))))) + "gvfs")))) (define gnome-desktop-service-type (service-type @@ -1419,8 +1408,6 @@ rules." gnome-udev-rules) (service-extension polkit-service-type gnome-polkit-settings) - (service-extension setuid-program-service-type - gnome-setuid-programs) (service-extension profile-service-type (compose list gnome-desktop-configuration-gnome)))) (default-value (gnome-desktop-configuration)) -- cgit v1.3 From 612399df3edcbe4d1b1da784bd23440398d27454 Mon Sep 17 00:00:00 2001 From: Josselin Poiret Date: Sat, 17 Jun 2023 18:01:28 +0200 Subject: services: libvirt: Add requirement on dbus. * gnu/services/virtualization.scm (libvirt-shepherd-service): Add requirement on dbus. --- gnu/services/virtualization.scm | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/services') diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index 880557915cd..506f5a7ab6a 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -478,6 +478,7 @@ potential infinite waits blocking libvirt.")) (list (shepherd-service (documentation "Run the libvirt daemon.") (provision '(libvirtd)) + (requirement '(dbus-system)) (start #~(make-forkexec-constructor (list (string-append #$libvirt "/sbin/libvirtd") "-f" #$config-file -- cgit v1.3 From 820e32b556aa978827249ae4687c7423508c04b3 Mon Sep 17 00:00:00 2001 
From: Tobias Geerinckx-Rice Date: Sun, 2 Jul 2023 02:00:00 +0200 Subject: services: cgit: Remove ‘cgit-repo’ left-overs. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This follows up on commit 16d77b31c5024e9288dfd2f25f8eb6d0114a342c. * gnu/services/cgit.scm (cgit-configuration): Use extant repository-cgit-configuration variable name. --- gnu/services/cgit.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'gnu/services') diff --git a/gnu/services/cgit.scm b/gnu/services/cgit.scm index c2c003983a2..e33cb9e7dbf 100644 --- a/gnu/services/cgit.scm +++ b/gnu/services/cgit.scm @@ -561,7 +561,8 @@ to it, that should loaded as Git repositories. An empty list means that all subdirectories will be loaded.") (readme (file-object "") - "Text which will be used as default value for @code{cgit-repo-readme}.") + "Text which will be used as default @code{repository-cgit-configuration} +@code{readme}.") (remove-suffix? (boolean #f) "If set to @code{#t} and @code{repository-directory} is enabled, if any @@ -642,7 +643,7 @@ for cgit to allow access to that repository.") "URL which, if specified, will be used as root for all cgit links.") (repositories (repository-cgit-configuration-list '()) - "A list of @dfn{cgit-repo} records to use with config.") + "A list of @code{repository-cgit-configuration} records.") (extra-options (list '()) "Extra options will be appended to cgitrc file.")) -- cgit v1.3