The (gnu services authentication) module provides a DBus service to read and identify fingerprints via a fingerprint sensor.

The service type for fprintd, which provides fingerprint reading capability.

The (gnu services sysctl) module provides services to configure kernel parameters at boot.

The service type for sysctl, which modifies kernel parameters under /proc/sys. To enable IPv4 forwarding, it can be instantiated as:

    (service sysctl-service-type
             (sysctl-configuration
               (settings '(("net.ipv4.ip_forward" . "1")))))

Since sysctl-service-type is used in the default lists of services, %base-services and %desktop-services, you can use modify-services to change its configuration and add the kernel parameters that you want (see modify-services).

    (modify-services %base-services
      (sysctl-service-type config =>
                           (sysctl-configuration
                             (settings (append '(("net.ipv4.ip_forward" . "1"))
                                               %default-sysctl-settings)))))

Data type representing the configuration of sysctl.

sysctl (default: (file-append procps "/sbin/sysctl"))
    The sysctl executable to use.

settings (default: %default-sysctl-settings)
    An association list specifying kernel parameters and their values.

An association list specifying the default sysctl parameters on Guix System.
The (gnu services security-token) module provides the following service to run pcscd, the PC/SC Smart Card Daemon. pcscd is the daemon program for pcsc-lite and the MuscleCard framework. It is a resource manager that coordinates communications with smart card readers, smart cards and cryptographic tokens that are connected to the system.

Service type for the pcscd service. Its value must be a pcscd-configuration object. You can instantiate it as follows to run pcscd with the default configuration:

Data type representing the configuration of pcscd.

pcsc-lite (default: pcsc-lite)
    The pcsc-lite package that provides pcscd.

usb-drivers (default: (list ccid))
    List of packages that provide USB drivers to pcscd. Drivers are expected to be under pcsc/drivers in the store directory of the package.
The (gnu services lirc) module provides the following service.

Type for a service that runs LIRC, a daemon that decodes infrared signals from remote controls. The value for this service is a <lirc-configuration> object.

Data type representing the configuration of lircd.

lirc (default: lirc) (type: file-like)
    Package object for lirc.

device (default: #f) (type: string)

driver (default: #f) (type: string)

config-file (default: #f) (type: string-or-file-like)
    TODO. See the lircd manual for details.

extra-options (default: '()) (type: list-of-string)
    Additional command-line options to pass to lircd.

The (gnu services spice) module provides the following service.

Type of the service that runs VDAGENT, a daemon that enables sharing the clipboard with a VM and setting the guest display resolution when the graphical console window resizes.

Data type representing the configuration of spice-vdagent-service-type.

spice-vdagent (default: spice-vdagent) (type: file-like)
    Package object for VDAGENT.
The inputattach service allows you to use input devices such as Wacom tablets, touchscreens, or joysticks with the Xorg display server.

Type of a service that runs inputattach on a device and forwards the events it generates.

device-type (default: "wacom")
    The type of device to connect to. Run inputattach --help, from the inputattach package, to see the list of supported device types.

device (default: "/dev/ttyS0")
    The device file to connect to the device.

baud-rate (default: #f)
    Baud rate to use for the serial connection. Must be a number or #f.

log-file (default: #f)
    If true, this must be the name of a file to log messages to.
The (gnu services dict) module provides the following service:

Service type for the dicod daemon, an implementation of the DICT server (see Dicod in GNU Dico Manual).

You can add open localhost to your ~/.dico file to make localhost the default server for the dico client (see Initialization File in GNU Dico Manual).

Note: This service is also available for Guix Home, where it runs directly with your user privileges (see home-dicod-service-type).

Data type representing the configuration of dicod.

dico (default: dico)
    Package object of the GNU Dico dictionary server.

interfaces (default: '("localhost"))
    The list of IP addresses and ports, and possibly socket file names, to listen on (see listen directive in GNU Dico Manual).

handlers (default: '())
    List of <dicod-handler> objects denoting handlers (module instances).

databases (default: (list %dicod-database:gcide))
    List of <dicod-database> objects denoting the dictionaries to be served.

Data type representing a dictionary handler (module instance).

name
    Name of the handler (module instance).

module (default: #f)
    Name of the dicod module of the handler (instance). If it is #f, the module has the same name as the handler (see Modules in GNU Dico Manual).

options
    List of strings or G-expressions representing the arguments for the module handler.

Data type representing a dictionary database.

name
    Name of the database; it will be used in DICT commands.

handler
    Name of the dicod handler (module instance) used by this database (see Handlers in GNU Dico Manual).

complex? (default: #f)
    Whether the complex configuration is used. A complex configuration requires a corresponding <dicod-handler> object, which is otherwise not needed.

options
    List of strings or G-expressions representing the arguments for the database (see Databases in GNU Dico Manual).

A <dicod-service> object serving the GNU Collaborative International Dictionary of English using the gcide package.

The following is an example dicod-service-type configuration.

    (service dicod-service-type
             (dicod-configuration
               (handlers (list
                          (dicod-handler
                            (name "wordnet")
                            (module "wordnet")
                            (options
                             (list #~(string-append "wnhome=" #$wordnet))))))
               (databases (list
                           (dicod-database
                             (name "wordnet")
                             (complex? #t)
                             (handler "wordnet"))
                           %dicod-database:gcide))))
The (gnu services docker) module provides the following services.

This service type operates containerd, a daemon responsible for overseeing the entire container lifecycle on its host system. This includes image handling, storage management, container execution, supervision, low-level storage operations, network connections, and more.

This is the data type representing the configuration of containerd.

containerd (default: containerd)
    The containerd daemon package to use.

debug? (default: #f)
    Enable or disable debug output.

environment-variables (default: '())
    List of environment variables to set for containerd. This must be a list of strings where each string has the form ‘key=value’ as in this example:

        (list "HTTP_PROXY=socks5://127.0.0.1:9150"
              "HTTPS_PROXY=socks5://127.0.0.1:9150")

This is the type of the service that runs Docker, a daemon that can execute application bundles (sometimes referred to as “containers”) in isolated environments.

The containerd-service-type service needs to be added to the system configuration; otherwise a message stating that no service provides containerd will be displayed during guix system reconfigure.

This is the data type representing the configuration of Docker and Containerd.

docker (default: docker)
    The Docker daemon package to use.

docker-cli (default: docker-cli)
    The Docker client package to use.

containerd (default: containerd)
    This field is deprecated in favor of the containerd-service-type service.

proxy (default: docker-libnetwork-cmd-proxy)
    The Docker user-land networking proxy package to use.

enable-proxy? (default: #t)
    Enable or disable the use of the Docker user-land networking proxy.

debug? (default: #f)
    Enable or disable debug output.

enable-iptables? (default: #t)
    Enable or disable the addition of iptables rules.

environment-variables (default: '())
    List of environment variables to set for dockerd. This must be a list of strings where each string has the form ‘key=value’ as in this example:

        (list "LANGUAGE=eo:ca:eu"
              "TMPDIR=/tmp/dockerd")

config-file (type: maybe-file-like)
    JSON configuration file to pass to dockerd.

Service type for the Singularity service, a Docker-like tool to create and run application bundles (also known as “containers”). The value for this service is the Singularity package to use.

The service does not install a daemon; instead, it installs helper programs as setuid-root (see Privileged Programs) so that unprivileged users can invoke singularity run and similar commands.
The (gnu services containers) module provides the following service.

This is the service type for Podman, a container management tool.

In addition to providing a drop-in replacement for Docker, Podman offers the ability to run containers in “root-less” mode, meaning that regular users can deploy containers without elevated privileges. It does so mainly by leveraging two Linux kernel features: unprivileged user namespaces, and subordinate user and group IDs (see the subordinate user and group ID service).

The rootless-podman-service-type sets up the system to allow unprivileged users to run podman commands:

    (use-service-modules containers networking …)

    (operating-system
      ;; …
      (users (cons (user-account
                     (name "alice")
                     (comment "Bob's sister")
                     (group "users")
                     ;; Adding the account to the "cgroup" group
                     ;; makes it possible to run podman commands.
                     (supplementary-groups '("cgroup" "wheel" "audio" "video")))
                   %base-user-accounts))
      (services
        (append (list (service iptables-service-type)
                      (service rootless-podman-service-type
                               (rootless-podman-configuration
                                 (subgids
                                   (list (subid-range (name "alice"))))
                                 (subuids
                                   (list (subid-range (name "alice")))))))
                %base-services)))

The iptables-service-type is required for Podman to be able to set up its own networks. Due to the change in user groups and file systems it is recommended to reboot (or at least log out) before trying to run Podman commands.

To test your installation you can run:

    $ podman run -it --rm docker.io/alpine cat /etc/*release*
    NAME="Alpine Linux"
    ID=alpine
    VERSION_ID=3.20.2
    PRETTY_NAME="Alpine Linux v3.20"
    HOME_URL="https://alpinelinux.org/"
    BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"

Available rootless-podman-configuration fields are:

podman (default: podman) (type: package)
    The Podman package that will be installed in the system profile.

group-name (default: "cgroup") (type: string)
    The name of the group that will own /sys/fs/cgroup resources. Users that want to use rootless Podman have to be in this group.

containers-registries (type: lowerable)
    A string or a gexp evaluating to the path of Podman’s containers/registries.conf configuration file.

containers-storage (type: lowerable)
    A string or a gexp evaluating to the path of Podman’s containers/storage.conf configuration file.

containers-policy (type: lowerable)
    A string or a gexp evaluating to the path of Podman’s containers/policy.json configuration file.

pam-limits (type: list-of-pam-limits-entries)
    The PAM limits to be set for rootless Podman.

subgids (default: ()) (type: list-of-subid-ranges)
    A list of subid ranges representing the subgids that will be available for each configured user.

subuids (default: ()) (type: list-of-subid-ranges)
    A list of subid ranges representing the subuids that will be available for each configured user.
Should you wish to manage your Docker containers with the same consistent interface you use for your other Shepherd services, oci-container-service-type is the tool to use: given an Open Container Initiative (OCI) container image, it will run it in a Shepherd service. One example where this is useful: it lets you run services that are available as Docker/OCI images but not yet packaged for Guix.

This is a thin wrapper around Docker’s CLI that executes OCI image-backed processes as Shepherd services.

    (service oci-container-service-type
             (list
              (oci-container-configuration
                (network "host")
                (image
                 (oci-image
                   (repository "guile")
                   (tag "3")
                   (value (specifications->manifest '("guile")))
                   (pack-options '(#:symlinks (("/bin/guile" -> "bin/guile"))
                                   #:max-layers 2))))
                (entrypoint "/bin/guile")
                (command
                 '("-c" "(display \"hello!\n\")")))
              (oci-container-configuration
                (image "prom/prometheus")
                (ports
                 '(("9000" . "9000")
                   ("9090" . "9090"))))
              (oci-container-configuration
                (image "grafana/grafana:10.0.1")
                (network "host")
                (volumes
                 '("/var/lib/grafana:/var/lib/grafana")))))

In this example three different Shepherd services are going to be added to the system. Each oci-container-configuration record translates to a docker run invocation and its fields directly map to options. You can refer to the upstream documentation for the semantics of each value. If the images are not found, they will be pulled.

The services with (network "host") are going to be attached to the host network and are supposed to behave like native processes with regard to networking.
Available oci-container-configuration fields are:

user (default: "oci-container") (type: string)
    The user under whose authority docker commands will be run.

group (default: "docker") (type: string)
    The group under whose authority docker commands will be run.

command (default: '()) (type: list-of-strings)
    Overwrite the default command (CMD) of the image.

entrypoint (default: "") (type: string)
    Overwrite the default entrypoint (ENTRYPOINT) of the image.

host-environment (default: '()) (type: list)
    Set environment variables in the host environment where docker run is invoked. This is especially useful to pass secrets from the host to the container without having them on the docker run command line: by setting MYSQL_PASSWORD on the host and by passing --env MYSQL_PASSWORD through the extra-arguments field, it is possible to securely set values in the container environment. This field’s value can be a list of pairs or strings, even mixed:

        (list '("LANGUAGE" . "eo:ca:eu")
              "JAVA_HOME=/opt/java")

    Pair members can be strings, gexps or file-like objects. Strings are passed directly to make-forkexec-constructor.

environment (default: '()) (type: list)
    Set environment variables. This can be a list of pairs or strings, even mixed:

        (list '("LANGUAGE" . "eo:ca:eu")
              "JAVA_HOME=/opt/java")

    Pair members can be strings, gexps or file-like objects. Strings are passed directly to the Docker CLI. You can refer to the upstream documentation for semantics.

image (type: string-or-oci-image)
    The image used to build the container. It can be a string or an oci-image record. Strings are resolved by the Docker Engine, and follow the usual format myregistry.local:5000/testing/test-image:tag.

provision (default: "") (type: string)
    Set the name of the provisioned Shepherd service.

requirement (default: '()) (type: list-of-symbols)
    Set additional Shepherd service dependencies for the provisioned Shepherd service.

log-file (type: maybe-string)
    When log-file is set, it names the file to which the service’s standard output and standard error are redirected. log-file is created if it does not exist, otherwise it is appended to.

auto-start? (default: #t) (type: boolean)
    Whether this service should be started automatically by the Shepherd. If it is #f, the service has to be started manually with herd start.

respawn? (default: #f) (type: boolean)
    Whether to have Shepherd restart the service when it stops, for instance when the underlying process dies.

shepherd-actions (default: '()) (type: list-of-symbols)
    This is a list of shepherd-action records defining actions supported by the service.

network (default: "") (type: string)
    Set a Docker network for the spawned container.

ports (default: '()) (type: list)
    Set the port or port ranges to expose from the spawned container. This can be a list of pairs or strings, even mixed:

        (list '("8080" . "80")
              "10443:443")

    Pair members can be strings, gexps or file-like objects. Strings are passed directly to the Docker CLI. You can refer to the upstream documentation for semantics.

volumes (default: '()) (type: list)
    Set volume mappings for the spawned container. This can be a list of pairs or strings, even mixed:

        (list '("/root/data/grafana" . "/var/lib/grafana")
              "/gnu/store:/gnu/store")

    Pair members can be strings, gexps or file-like objects. Strings are passed directly to the Docker CLI. You can refer to the upstream documentation for semantics.

container-user (default: "") (type: string)
    Set the current user inside the spawned container. You can refer to the upstream documentation for semantics.

workdir (default: "") (type: string)
    Set the current working directory for the spawned Shepherd service. You can refer to the upstream documentation for semantics.

extra-arguments (default: '()) (type: list)
    A list of strings, gexps or file-like objects that will be directly passed to the docker run invocation.

Available oci-image fields are:

repository (type: string)
    A string like myregistry.local:5000/testing/test-image that names the OCI image.

tag (default: "latest") (type: string)
    A string representing the OCI image tag. Defaults to latest.

value (type: oci-lowerable-image)
    A manifest or operating-system record that will be lowered into an OCI compatible tarball. Otherwise this field’s value can be a gexp or a file-like object that evaluates to an OCI compatible tarball.

pack-options (default: '()) (type: list)
    An optional set of keyword arguments that will be passed to the docker-image procedure from guix scripts pack. They can be used to replicate guix pack behavior:

        (oci-image
          (repository "guile")
          (tag "3")
          (value
           (specifications->manifest '("guile")))
          (pack-options '(#:symlinks (("/bin/guile" -> "bin/guile"))
                          #:max-layers 2)))

    If the value field is an operating-system record, this field’s value will be ignored.

system (default: "") (type: string)
    Attempt to build for a given system, e.g. "i686-linux".

target (default: "") (type: string)
    Attempt to cross-build for a given triple, e.g. "aarch64-linux-gnu".

grafts? (default: #f) (type: boolean)
    Whether to allow grafting or not in the pack build.
Among the virtualization facilities implemented by the Linux kernel is the concept of subordinate IDs. Subordinate IDs allow for mapping user and group IDs inside process namespaces to user and group IDs of the host system. Subordinate user ID ranges (subuids) allow users to map virtual user IDs inside containers to the user ID of an unprivileged user of the host system. Subordinate group ID ranges (subgids), instead, map virtual group IDs to the group ID of an unprivileged user on the host system. You can consult the subuid(5) and subgid(5) Linux man pages for more details.

The (gnu system shadow) module exposes the subids-service-type, its configuration record subids-configuration and its extension record subids-extension.

With subids-service-type, subuid and subgid ranges can be reserved for users that desire so:

    (use-modules (gnu system shadow)   ;for 'subids-service-type'
                 (gnu system accounts) ;for 'subid-range'
                 …)

    (operating-system
      ;; …
      (services
        (list
          (simple-service 'alice-bob-subids
                          subids-service-type
                          (subids-extension
                            (subgids
                              (list (subid-range (name "alice"))))
                            (subuids
                              (list (subid-range (name "alice"))
                                    (subid-range (name "bob") (start 100700)))))))))

Users (and certainly other services) are usually expected to extend the service rather than adding subids directly to subids-configuration, unless they want to change the default behavior for root. With default settings the subids-service-type adds, if it’s not already there, a configuration for the root account to both /etc/subuid and /etc/subgid, possibly starting at the minimum possible subid. Otherwise the root subuid and subgid ranges are fitted wherever possible.

The above configuration will yield the following:

    # cat /etc/subgid
    root:100000:65536
    alice:165536:65536
    # cat /etc/subuid
    root:100000:700
    bob:100700:65536
    alice:166236:65536
With default settings the subids-service-type adds, if it’s not already there, a configuration for the root account to both /etc/subuid and /etc/subgid, possibly starting at the minimum possible subid. To disable the default behavior and provide your own definition for the root subid ranges, set the add-root? field to #f:

    (use-modules (gnu system shadow)   ;for 'subids-service-type'
                 (gnu system accounts) ;for 'subid-range'
                 …)

    (operating-system
      ;; …
      (services
        (list
          (service subids-service-type
                   (subids-configuration
                     (add-root? #f)
                     ;; Both fields take a list of subid-range records.
                     (subgids
                       (list (subid-range (name "root") (start 120000) (count 100))))
                     (subuids
                       (list (subid-range (name "root") (start 120000) (count 100))))))
          (simple-service 'alice-bob-subids
                          subids-service-type
                          (subids-extension
                            (subgids
                              (list (subid-range (name "alice"))))
                            (subuids
                              (list (subid-range (name "alice"))
                                    (subid-range (name "bob") (start 100700)))))))))
Available subids-configuration fields are:

add-root? (default: #t) (type: boolean)
    Whether to automatically configure subuids and subgids for root.

subgids (default: '()) (type: list-of-subid-ranges)
    The list of subid-ranges that will be serialized to /etc/subgid. If a range doesn’t specify a start it will be fitted based on its number of requested subids. If a range doesn’t specify a count the default size of 65536 will be assumed.

subuids (default: '()) (type: list-of-subid-ranges)
    The list of subid-ranges that will be serialized to /etc/subuid. If a range doesn’t specify a start it will be fitted based on its number of requested subids. If a range doesn’t specify a count the default size of 65536 will be assumed.

Available subids-extension fields are:

subgids (default: '()) (type: list-of-subid-ranges)
    The list of subid-ranges that will be appended to subids-configuration-subgids. Entries with the same name are deduplicated upon merging.

subuids (default: '()) (type: list-of-subid-ranges)
    The list of subid-ranges that will be appended to subids-configuration-subuids. Entries with the same name are deduplicated upon merging.

The subid-range record is defined at (gnu system accounts). Available fields are:

name (type: string)
    The name of the user or group that will own this range.

start (default: #f) (type: integer)
    The first requested subid. When false, the first available subid with enough contiguous subids will be assigned.

count (default: #f) (type: integer)
    The number of total allocated subids. When #f, the default of 65536 will be assumed.
The (gnu services auditd) module provides the following service:

This is the type of the service that runs auditd, a daemon that collects security-relevant information on your system.

Examples of things that can be collected:

You can use auditctl from the audit package to add or remove events to be collected (until the next reboot). To make the collection of these events permanent, place the auditctl command-line arguments in a file named audit.rules in the configuration directory (see below). aureport from the audit package can be used to view a report of all recorded events. The audit daemon usually logs events to the file /var/log/audit.

This is the data type representing the configuration of auditd.

audit (default: audit)
    The audit package to use.

configuration-directory (default: %default-auditd-configuration-directory)
    Directory containing the configuration file for the audit package, which must be named auditd.conf, and optionally the audit rules to be instantiated at boot.
The (gnu services science) module provides the following service.

Service type used to run a web application created with r-shiny. This service sets the R_LIBS_USER environment variable appropriately and runs the provided script to call runApp.

This is the data type representing the configuration of rshiny.

package (default: r-shiny)
    The package to use.

binary (default: "rshiny")
    Name of the binary or shell script located at package/bin/ to run when the service is started.

The common way to create this file is as follows:

    …
    (let* ((out       (assoc-ref %outputs "out"))
           (targetdir (string-append out "/share/" ,name))
           (app       (string-append out "/bin/" ,name))
           (Rbin      (search-input-file %build-inputs "/bin/Rscript")))
      ;; …
      (mkdir-p (string-append out "/bin"))
      (call-with-output-file app
        (lambda (port)
          (format port "#!~a
    library(shiny)
    setwd(\"~a\")
    runApp(launch.browser=0, port=4202)~%\n"
                  Rbin targetdir))))
The (gnu services nix) module provides the following service.

Type of the service that runs the build daemon of the Nix package manager. Here is an example of how to use it:

    (use-modules (gnu))
    (use-service-modules nix)
    (use-package-modules package-management)

    (operating-system
      ;; …
      (packages (append (list nix)
                        %base-packages))

      (services (append (list (service nix-service-type))
                        %base-services)))

After guix system reconfigure, configure Nix for your user:

    $ nix-channel --add https://nixos.org/channels/nixpkgs-unstable
    $ nix-channel --update

    $ sudo mkdir -p /nix/var/nix/profiles/per-user/$USER
    $ sudo chown $USER:root /nix/var/nix/profiles/per-user/$USER

    $ ln -s "/nix/var/nix/profiles/per-user/$USER/profile" ~/.nix-profile
    $ source /run/current-system/profile/etc/profile.d/nix.sh

This data type represents the configuration of the Nix daemon.

nix (default: nix)
    The Nix package to use.

sandbox (default: #t)
    Specifies whether builds are sandboxed by default.

build-directory (default: "/tmp")
    The directory where build directories are stored during builds. This is useful to change if, for example, the default location does not have enough space to hold build trees for big packages. This is similar to setting the TMPDIR environment variable for guix-daemon; see TMPDIR for more information.

build-sandbox-items (default: '())
    List of strings or objects appended to the build-sandbox-items field of the configuration file.

extra-config (default: '())
    List of strings or objects appended to the end of the configuration file. It is used to pass extra text to be added verbatim to the configuration file.

extra-options (default: '())
    Extra command-line options for nix-service-type.
fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IP addresses that show malicious signs – repeated password failures, attempts to make use of exploits, etc.

The fail2ban-service-type service type is provided by the (gnu services security) module.

This service type runs the fail2ban daemon. It can be configured in various ways, which are:

The basic parameters of the Fail2Ban service can be configured via its fail2ban configuration, which is documented below.

The fail2ban-jail-service function can be used to add new Fail2Ban jails.

Service developers can extend the fail2ban-service-type service type itself via the usual service extension mechanism.

This is the type of the service that runs the fail2ban daemon. Below is an example of a basic, explicit configuration:

    (append
     (list
      (service fail2ban-service-type
               (fail2ban-configuration
                 (extra-jails
                   (list
                    (fail2ban-jail-configuration
                      (name "sshd")
                      (enabled? #t))))))
      ;; There is no implicit dependency on an actual SSH
      ;; service, so you need to provide one.
      (service openssh-service-type))
     %base-services)

Extend svc-type, a <service-type> object, with jail, a fail2ban-jail-configuration object.

For example:

    (append
     (list
      (service
       ;; The 'fail2ban-jail-service' procedure can extend any service type
       ;; with a fail2ban jail. This removes the requirement to explicitly
       ;; extend services with fail2ban-service-type.
       (fail2ban-jail-service
        openssh-service-type
        (fail2ban-jail-configuration
          (name "sshd")
          (enabled? #t)))
       (openssh-configuration ...)))
     %base-services)

Below is the reference for the different jail-service-type configuration records.
Available fail2ban-configuration fields are:

fail2ban (default: fail2ban) (type: package)
    The fail2ban package to use. It is used for both binaries and as base default configuration that is to be extended with <fail2ban-jail-configuration> objects.

run-directory (default: "/var/run/fail2ban") (type: string)
    The state directory for the fail2ban daemon.

jails (default: '()) (type: list-of-fail2ban-jail-configurations)
    Instances of <fail2ban-jail-configuration> collected from extensions.

extra-jails (default: '()) (type: list-of-fail2ban-jail-configurations)
    Instances of <fail2ban-jail-configuration> explicitly provided.

extra-content (default: '()) (type: text-config)
    Extra raw content to add to the end of the jail.local file, provided as a list of file-like objects.

Available fail2ban-ignore-cache-configuration fields are:

key (type: string)
    Cache key.

max-count (type: integer)
    Cache size.

max-time (type: integer)
    Cache time.

Available fail2ban-jail-action-configuration fields are:

name (type: string)
    Action name.

arguments (default: '()) (type: list-of-arguments)
    Action arguments.

Available fail2ban-jail-configuration fields are:

name (type: string)
    Required name of this jail configuration.

enabled? (default: #t) (type: boolean)
    Whether this jail is enabled.

backend (type: maybe-symbol)
    Backend to use to detect changes in the log-path. The default is 'auto. To consult the defaults of the jail configuration, refer to the /etc/fail2ban/jail.conf file of the fail2ban package.

max-retry (type: maybe-integer)
    The number of failures before a host gets banned (e.g. (max-retry 5)).

max-matches (type: maybe-integer)
    The number of matches stored in ticket (resolvable via tag <matches>) in action.

find-time (type: maybe-string)
    The time window during which the maximum retry count must be reached for an IP address to be banned. A host is banned if it has generated max-retry failures during the last find-time seconds (e.g. (find-time "10m")). It can be provided in seconds or using Fail2Ban’s "time abbreviation format", as described in man 5 jail.conf.

ban-time (type: maybe-string)
    The duration, in seconds or time abbreviated format, that a ban should last (e.g. (ban-time "10m")).

ban-time-increment? (type: maybe-boolean)
    Whether to consider past bans to compute increases to the default ban time of a specific IP address.

ban-time-factor (type: maybe-string)
    The coefficient to use to compute an exponentially growing ban time.

ban-time-formula (type: maybe-string)
    This is the formula used to calculate the next value of a ban time.

ban-time-multipliers (type: maybe-string)
    Used to calculate the next value of the ban time instead of the formula.

ban-time-max-time (type: maybe-string)
    The maximum number of seconds a ban should last.

ban-time-rnd-time (type: maybe-string)
    The maximum number of seconds a randomized ban time should last. This can be useful to stop “clever” botnets calculating the exact time an IP address can be unbanned again.

ban-time-overall-jails? (type: maybe-boolean)
    When true, it specifies that the search of an IP address in the database should be made across all jails. Otherwise, only the current jail of the banned IP address is considered.

ignore-self? (type: maybe-boolean)
    Never ban the local machine’s own IP address.

ignore-ip (default: '()) (type: list-of-strings)
    A list of IP addresses, CIDR masks or DNS hosts to ignore. fail2ban will not ban a host which matches an address in this list.

ignore-cache (type: maybe-fail2ban-ignore-cache-configuration)
    Provide cache parameters for the ignore failure check.

filter (type: maybe-fail2ban-jail-filter-configuration)
    The filter to use by the jail, specified via a <fail2ban-jail-filter-configuration> object. By default, jails have names matching their filter name.

log-time-zone (type: maybe-string)
    The default time zone for log lines that do not have one.

log-encoding (type: maybe-symbol)
    The encoding of the log files handled by the jail. Possible values are: 'ascii, 'utf-8 and 'auto.

log-path (default: '()) (type: list-of-strings)
    The file names of the log files to be monitored.

action (default: '()) (type: list-of-fail2ban-jail-actions)
    A list of <fail2ban-jail-action-configuration>.

extra-content (default: '()) (type: text-config)
    Extra content for the jail configuration, provided as a list of file-like objects.
Available fail2ban-jail-filter-configuration
fields are:
name
(type: string)Filter to use.
mode
(type: maybe-string)Mode for filter.
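Putting the jail fields above together, here is an added example (written for this page, not taken from the Guix manual or the Guix source) of an sshd jail tuned the way an operator usually wants it: a short detection window, bans that grow on repeat offences with jitter, and an allow-list so the management network can never be locked out. The names fail2ban-service-type, fail2ban-configuration with its jails field, fail2ban-jail-configuration, and the jail fields name and enabled? are assumed to come from (gnu services security); the sshd filter and its aggressive mode are Fail2Ban's own. Addresses and interface names are placeholders. Log paths are left to Fail2Ban's defaults; check them against where sshd actually logs on your system before relying on the jail.

```scheme
;; Added example, not from the Guix manual.  Service-level names below
;; (fail2ban-service-type, fail2ban-configuration, fail2ban-jail-configuration,
;; the 'name' and 'enabled?' jail fields) are assumed from
;; (gnu services security); addresses are placeholders.
(use-service-modules security)

(define %ssh-jail
  (fail2ban-jail-configuration
    (name "sshd")
    (enabled? #t)
    ;; Five failed logins within ten minutes ...
    (max-retry 5)
    (find-time "10m")
    ;; ... earn a one-hour ban.  With ban-time-increment? the ban doubles
    ;; on every repeat offence (factor "1" is Fail2Ban's default base-2
    ;; growth: 1h, 2h, 4h, ...), capped at one week, plus up to ten
    ;; minutes of random jitter so a botnet cannot time its return.
    (ban-time "1h")
    (ban-time-increment? #t)
    (ban-time-factor "1")
    (ban-time-max-time "1w")
    (ban-time-rnd-time "10m")
    ;; Count earlier bans from every jail, not only this one.
    (ban-time-overall-jails? #t)
    ;; Never lock out the host itself or the management network.
    (ignore-self? #t)
    (ignore-ip '("127.0.0.1/8" "::1" "192.0.2.0/24"))
    ;; Stock sshd filter; 'aggressive' also matches pre-auth
    ;; disconnects and banner-grabbing scanners.
    (filter (fail2ban-jail-filter-configuration
              (name "sshd")
              (mode "aggressive")))))

;; Add this to the 'services' field of the operating-system.
(service fail2ban-service-type
  (fail2ban-configuration
    (jails (list %ssh-jail))))
```

The allow-list matters more than it looks: with ban-time-increment? on, one misconfigured monitoring host retrying a bad key can otherwise talk itself into a week-long ban, and if it shares a NAT address with your own workstation, so do you.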
This service type lets you resize a live file system during boot, which can be convenient if a Guix image is flashed on an SD Card (e.g. for an embedded device) or uploaded to a VPS. In both cases the medium the image will reside upon may be larger than the image you want to produce.
For an embedded device booting from an SD card you may use something like:
(service resize-file-system-service-type
(resize-file-system-configuration
(file-system
(file-system (device (file-system-label "root"))
(type "ext4")))))
Warning: Be extra cautious to use the correct device and type. The service has little error handling of its own and relies on the underlying tools. Wrong use could end in loss of data or the corruption of the operating system.
Partitions and file systems are grown to the maximum size available. File systems can only grow when they are on the last partition on a device and have empty space available.
This service supports the ext2, ext3, ext4, btrfs, and bcachefs file systems.
file-system
(type: file-system)The file-system object to resize (see File Systems). This object must have the device and type fields set. Other fields are ignored.
cloud-utils
(default: cloud-utils) (type: file-like)The cloud-utils package to use. This package is used for the growpart command.
e2fsprogs
(default: e2fsprogs) (type: file-like)The e2fsprogs package to use, used for resizing ext2, ext3, and ext4 file systems.
btrfs-progs
(default: btrfs-progs) (type: file-like)The btrfs-progs package to use, used for resizing the btrfs file system.
bcachefs-tools
(default: bcachefs-tools) (type: file-like)The bcachefs-tools package to use, used for resizing the bcachefs file system.
The (gnu services backup) module offers services for backing up file system trees. For now, it provides the restic-backup-service-type.
With restic-backup-service-type, you can periodically back up directories and files with Restic, which supports end-to-end encryption and deduplication. Consider the following configuration:
(use-service-modules backup …)  ;for 'restic-backup-service-type'
(use-package-modules sync …)    ;for 'rclone'

(operating-system
  ;; …
  (packages (append (list rclone) ;for use by restic
                    %base-packages))
  (services (list (service restic-backup-service-type
                           (restic-backup-configuration
                            (jobs
                             (list (restic-backup-job
                                    (name "remote-ftp")
                                    (repository "rclone:remote-ftp:backup/restic")
                                    (password-file "/root/.restic")
                                    ;; Every day at 23.
                                    (schedule "0 23 * * *")
                                    (files '("/root/.restic"
                                             "/root/.config/rclone"
                                             "/etc/ssh/ssh_host_rsa_key"
                                             "/etc/ssh/ssh_host_rsa_key.pub"
                                             "/etc/guix/signing-key.pub"
                                             "/etc/guix/signing-key.sec"))))))))))
Each restic-backup-job translates to an mcron job which sets the RESTIC_PASSWORD environment variable by reading the first line of password-file and runs restic backup, creating backups using rclone of all the files listed in the files field.
The restic-backup-service-type also installs restic-guix to the system profile, a restic utility wrapper that allows for easier interaction with the Guix-configured backup jobs. For example, the following could be used to instantaneously trigger a backup for the configuration shown above, without waiting for the scheduled job:
restic-guix backup remote-ftp
Available restic-backup-configuration fields are:
jobs
(default: '()) (type: list-of-restic-backup-jobs)The list of backup jobs for the current system.
Available restic-backup-job fields are:
restic
(default: restic) (type: package)The restic package to be used for the current job.
user
(default: "root") (type: string)The user used for running the current job.
repository
(type: string)The restic repository target of this job.
name
(type: string)A string denoting a name for this job.
password-file
(type: string)Name of the password file, readable by the configured user, that will be used to set the RESTIC_PASSWORD environment variable for the current job.
schedule
(type: gexp-or-string)A string or a gexp that will be passed as the time specification in the mcron job specification (see mcron job specifications in GNU mcron).
files
(default: '()) (type: list-of-lowerables)The list of files or directories to be backed up. It must be a list of values that can be lowered to strings.
verbose?
(default: #f) (type: boolean)Whether to enable verbose output for the current backup job.
extra-flags
(default: '()) (type: list-of-lowerables)A list of values that are lowered to strings. These will be passed as command-line arguments to the current job's restic backup invocation.
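The manual's example above runs as root and backs up system keys. The fields user, verbose? and extra-flags are what you reach for when a job should instead run unprivileged and skip build artefacts; the following is an added example (written for this page, not from the Guix manual or the Guix source) of such a job. The user name, repository path, directories and password-file location are placeholders; --exclude and --exclude-caches are restic's own backup flags.

```scheme
;; Added example, not from the Guix manual.  'alice', /srv/restic/alice
;; and the home directories below are placeholders.
(use-service-modules backup)

(service restic-backup-service-type
  (restic-backup-configuration
    (jobs
      (list
        (restic-backup-job
          (name "home-alice")
          ;; Runs under this user's mcron job, so it can only read what
          ;; 'alice' can read and never needs root.
          (user "alice")
          ;; Local repository; must be writable by 'alice'.
          (repository "/srv/restic/alice")
          ;; First line becomes RESTIC_PASSWORD.  Keep it mode 0600 and
          ;; owned by 'alice': anyone who can read it can read the
          ;; repository.
          (password-file "/home/alice/.config/restic/password")
          ;; mcron time specification: every hour at minute 15.
          (schedule "15 * * * *")
          (files '("/home/alice/Documents"
                   "/home/alice/Projects"))
          (verbose? #t)
          ;; Passed verbatim to 'restic backup'.  --exclude-caches honours
          ;; CACHEDIR.TAG files; the --exclude patterns drop dependency and
          ;; build trees that are cheap to regenerate.
          (extra-flags '("--exclude-caches"
                         "--exclude" "/home/alice/Projects/*/node_modules"
                         "--exclude" "/home/alice/Projects/*/target")))))))
```

After reconfiguring, restic-guix backup home-alice runs the job immediately, which is the quickest way to confirm the password file permissions and repository path are right before the first scheduled run.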
The (gnu services upnp) module offers services related to UPnP (Universal Plug and Play) and DLNA (Digital Living Network Alliance), networking protocols that can be used for media streaming and device interoperability within a local network. For now, this module provides the readymedia-service-type.
ReadyMedia (formerly known as MiniDLNA) is a DLNA/UPnP-AV media server. The project’s daemon, minidlnad, can serve media files (audio, pictures, and video) to DLNA/UPnP-AV clients available on the network.
readymedia-service-type is a Guix service that wraps around ReadyMedia’s minidlnad.
Consider the following configuration:
(use-service-modules upnp …)

(operating-system
  …
  (services
   (list (service readymedia-service-type
                  (readymedia-configuration
                   (media-directories
                    (list (readymedia-media-directory
                           (path "/media/audio")
                           (types '(A)))
                          (readymedia-media-directory
                           (path "/media/video")
                           (types '(V)))
                          (readymedia-media-directory
                           (path "/media/misc"))))
                   (extra-config '(("notify_interval" . "60")))))
         …)))
This sets up the ReadyMedia daemon to serve files from the media folders specified in media-directories. The media-directories field is mandatory. All other fields (such as network ports and the server name) come with a predefined default and can be omitted.
Available readymedia-configuration fields are:
readymedia
(default: readymedia) (type: package)The ReadyMedia package to be used for the service.
friendly-name
(default: #f) (type: maybe-string)A custom name that will be displayed on connected clients.
media-directories
(type: list)The list of media folders to serve content from. Each item is a readymedia-media-directory.
cache-directory
(default: "/var/cache/readymedia") (type: string)A folder for ReadyMedia’s cache files. If it does not exist already, the folder will be created as part of the service activation and the ReadyMedia user will be assigned ownership.
log-directory
(default: "/var/log/readymedia") (type: string)A folder for ReadyMedia’s log files. If it does not exist already, the folder will be created as part of the service activation and the ReadyMedia user will be assigned ownership.
port
(default: #f) (type: maybe-integer)A custom port that the service will be listening on.
extra-config
(default: '()) (type: alist)An association list of further options, as accepted by ReadyMedia.
A media-directories entry includes a folder path and, optionally, the types of media files included within the folder.
path
(type: string)The media folder location.
types
(default: '()) (type: list)A list indicating the types of file included in the media folder. Valid values are combinations of individual media types, i.e. the symbol A for audio, P for pictures, V for video. An empty list means that no type is specified.
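DLNA/UPnP-AV has no authentication: every host that can reach the daemon's SSDP announcements and HTTP port can browse and fetch the library. The fields port and extra-config are how that exposure is narrowed in this service, as in the following added example (written for this page, not from the Guix manual or the Guix source). The interface name and paths are placeholders; network_interface, wide_links and inotify are ReadyMedia's own minidlna.conf options, passed through extra-config as strings.

```scheme
;; Added example, not from the Guix manual.  'enp3s0' and the /srv/media
;; paths are placeholders; the extra-config keys are minidlna.conf options.
(use-service-modules upnp)

(service readymedia-service-type
  (readymedia-configuration
    (friendly-name "Living room")
    ;; Fixed HTTP port, so a host firewall rule can allow exactly this
    ;; port on exactly the LAN interface below.
    (port 8200)
    (media-directories
      (list (readymedia-media-directory
              (path "/srv/media/music")
              (types '(A)))
            (readymedia-media-directory
              (path "/srv/media/photos")
              ;; One directory may hold several media types.
              (types '(P V)))))
    (extra-config
      '(;; Announce and serve on the trusted LAN interface only, not on
        ;; every interface the host has.
        ("network_interface" . "enp3s0")
        ;; Do not follow symlinks that point outside the media
        ;; directories; a stray link would otherwise export it.
        ("wide_links" . "no")
        ;; Pick up new files without a manual rescan.
        ("inotify" . "yes")))))
```

Keep the media directories readable by the ReadyMedia user but containing nothing you would not hand to an unauthenticated client on that network; the daemon enforces no finer access control than the interface binding.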