

11.10.37 Miscellaneous Services

Fingerprint Service

The (gnu services authentication) module provides a DBus service to read and identify fingerprints via a fingerprint sensor.

Variable: fprintd-service-type

The service type for fprintd, which provides the fingerprint reading capability.

(service fprintd-service-type)

System Control Service

The (gnu services sysctl) module provides a service to configure kernel parameters at boot.

Variable: sysctl-service-type

The service type for sysctl, which modifies kernel parameters under /proc/sys/. To enable IPv4 forwarding, it can be instantiated as:

(service sysctl-service-type
         (sysctl-configuration
           (settings '(("net.ipv4.ip_forward" . "1")))))

Since sysctl-service-type is used in the default lists of services, %base-services and %desktop-services, you can use modify-services to change its configuration and add the kernel parameters that you want (see modify-services).

(modify-services %base-services
  (sysctl-service-type config =>
                       (sysctl-configuration
                         (settings (append '(("net.ipv4.ip_forward" . "1"))
                                           %default-sysctl-settings)))))

Data Type: sysctl-configuration

The data type representing the configuration of sysctl.

sysctl (default: (file-append procps "/sbin/sysctl"))

The sysctl executable to use.

settings (default: %default-sysctl-settings)

An association list specifying kernel parameters and their values.

Variable: %default-sysctl-settings

An association list specifying the default sysctl parameters on Guix System.

PC/SC Smart Card Daemon Service

The (gnu services security-token) module provides the following service to run pcscd, the PC/SC Smart Card Daemon. pcscd is the daemon program for pcsc-lite and the MuscleCard framework. It is a resource manager that coordinates communications with smart card readers, smart cards and cryptographic tokens that are connected to the system.

Variable: pcscd-service-type

Service type for the pcscd service. Its value must be a pcscd-configuration object. To run pcscd in the default configuration, instantiate it as:

(service pcscd-service-type)

Data Type: pcscd-configuration

The data type representing the configuration of pcscd.

pcsc-lite (default: pcsc-lite)

The pcsc-lite package that provides pcscd.

usb-drivers (default: (list ccid))

List of packages that provide USB drivers to pcscd. Drivers are expected to be under pcsc/drivers in the store directory of the package.

LIRC Service

The (gnu services lirc) module provides the following service.

Variable: lirc-service-type

Type for a service that runs LIRC, a daemon that decodes infrared signals from remote controls.

The value for this service is a <lirc-configuration> object.

Data Type: lirc-configuration

Data type representing the configuration of lircd.

lirc (default: lirc) (type: file-like)

Package object for lirc.

device (default: #f) (type: string)
driver (default: #f) (type: string)
config-file (default: #f) (type: string-or-file-like)

TODO. See lircd manual for details.

extra-options (default: '()) (type: list-of-string)

Additional command-line options to pass to lircd.

SPICE Service

The (gnu services spice) module provides the following service.

Variable: spice-vdagent-service-type

Type of the service that runs VDAGENT, a daemon that enables sharing the clipboard with a vm and setting the guest display resolution when the graphical console window resizes.

Data Type: spice-vdagent-configuration

Data type representing the configuration of spice-vdagent-service-type.

spice-vdagent (default: spice-vdagent) (type: file-like)

Package object for VDAGENT.

inputattach Service

The inputattach service allows you to use input devices such as Wacom tablets, touchscreens, or joysticks with the Xorg display server.

Variable: inputattach-service-type

Type of a service that runs inputattach on a device and dispatches events from it.

Data Type: inputattach-configuration

device-type (default: "wacom")

The type of device to connect to. Run inputattach --help, from the inputattach package, to see the list of supported device types.

device (default: "/dev/ttyS0")

The device file to connect to the device.

baud-rate (default: #f)

Baud rate to use for the serial connection. Should be a number or #f.

log-file (default: #f)

If true, this must be the name of a file to log messages to.

Dictionary Service

The (gnu services dict) module provides the following service:

Variable: dicod-service-type

This is the type of the service that runs the dicod daemon, an implementation of a DICT server (see Dicod in GNU Dico Manual).

You can add open localhost to your ~/.dico file to make localhost the default server for the dico client (see Initialization File in GNU Dico Manual).

Note: This service is also available for Guix Home, where it runs directly with your user privileges (see home-dicod-service-type).

Data Type: dicod-configuration

Data type representing the configuration of dicod.

dico (default: dico)

Package object of the GNU Dico dictionary server.

interfaces (default: '("localhost"))

This is the list of IP addresses and ports and possibly socket file names to listen to (see listen directive in GNU Dico Manual).

handlers (default: '())

List of <dicod-handler> objects denoting handlers (module instances).

databases (default: (list %dicod-database:gcide))

List of <dicod-database> objects denoting dictionaries to be served.

Data Type: dicod-handler

Data type representing a dictionary handler (module instance).

name

Name of the handler (module instance).

module (default: #f)

Name of the dicod module of the handler (instance). If it is #f, the module has the same name as the handler (see Modules in GNU Dico Manual).

options

List of strings or gexps representing the arguments for the module handler.

Data Type: dicod-database

Data type representing a dictionary database.

name

Name of the database, will be used in DICT commands.

handler

Name of the dicod handler (module instance) used by this database (see Handlers in GNU Dico Manual).

complex? (default: #f)

Whether the database configuration is complex. A complex configuration needs a corresponding <dicod-handler> object; a simple one does not.

options

List of strings or gexps representing the arguments for the database (see Databases in GNU Dico Manual).

Variable: %dicod-database:gcide

A <dicod-database> object serving the GNU Collaborative International Dictionary of English using the gcide package.

The following is an example dicod-service-type configuration.

(service dicod-service-type
         (dicod-configuration
          (handlers (list
                     (dicod-handler
                      (name "wordnet")
                      (module "wordnet")
                      (options
                       (list #~(string-append "wnhome=" #$wordnet))))))
          (databases (list
                      (dicod-database
                       (name "wordnet")
                       (complex? #t)
                       (handler "wordnet"))
                      %dicod-database:gcide))))

Docker Service

The (gnu services docker) module provides the following services.

Variable: containerd-service-type

This service type operates containerd, a daemon responsible for overseeing the entire container lifecycle on its host system. This includes image handling, storage management, container execution, supervision, low-level storage operations, network connections, and more.

Data Type: containerd-configuration

This is the data type representing the configuration of containerd.

containerd (default: containerd)

The containerd daemon package to use.

debug? (default: #f)

Enable or disable debug output.

environment-variables (default: '())

List of environment variables to set for containerd.

This must be a list of strings where each string has the form ‘key=value’ as in this example:

(list "HTTP_PROXY=socks5://127.0.0.1:9150"
      "HTTPS_PROXY=socks5://127.0.0.1:9150")

Variable: docker-service-type

This is the type of the service that runs Docker, a daemon that can execute application bundles (sometimes referred to as “containers”) in isolated environments.

The containerd-service-type service needs to be added to the system configuration; otherwise guix system reconfigure will report that no service provides containerd.

Data Type: docker-configuration

This is the data type representing the configuration of Docker and Containerd.

docker (default: docker)

The Docker daemon package to use.

docker-cli (default: docker-cli)

The Docker client package to use.

containerd (default: containerd)

This field is deprecated in favor of containerd-service-type service.

proxy (default: docker-libnetwork-cmd-proxy)

The Docker user-land networking proxy package to use.

enable-proxy? (default: #t)

Enable or disable the use of the Docker user-land networking proxy.

debug? (default: #f)

Enable or disable debug output.

enable-iptables? (default: #t)

Enable or disable the addition of iptables rules.

environment-variables (default: '())

List of environment variables to set for dockerd.

This must be a list of strings where each string has the form ‘key=value’ as in this example:

(list "LANGUAGE=eo:ca:eu"
      "TMPDIR=/tmp/dockerd")

config-file (type: maybe-file-like)

JSON configuration file passed to dockerd.

Variable: singularity-service-type

This is the type of the service that allows you to run Singularity, a Docker-style tool to create and run application bundles (aka. “containers”). The value for this service is the Singularity package to use.

The service does not install a daemon; instead, it installs helper programs as setuid-root (see Privileged Programs) such that unprivileged users can invoke singularity run and similar commands.

Rootless Podman Service

The (gnu services containers) module provides the following service.

Variable: rootless-podman-service-type

This is the service type for Podman, a container management tool.

In addition to providing a drop-in replacement for Docker, Podman offers the ability to run containers in “root-less” mode, meaning that regular users can deploy containers without elevated privileges. It does so mainly by leveraging two Linux kernel features: unprivileged user namespaces, and subordinate user and group IDs (see the subordinate user and group ID service).

The rootless-podman-service-type sets up the system to allow unprivileged users to run podman commands:

(use-service-modules containers networking)

(operating-system
  ;; …
  (users (cons (user-account
                (name "alice")
                (comment "Bob's sister")
                (group "users")

                ;; Adding the account to the "cgroup" group
                ;; makes it possible to run podman commands.
                (supplementary-groups '("cgroup" "wheel"
                                        "audio" "video")))
               %base-user-accounts))
  (services
    (append (list (service iptables-service-type)
                  (service rootless-podman-service-type
                           (rootless-podman-configuration
                             (subgids
                               (list (subid-range (name "alice"))))
                             (subuids
                               (list (subid-range (name "alice")))))))
            %base-services)))

The iptables-service-type is required for Podman to be able to set up its own networks. Due to the change in user groups and file systems, it is recommended to reboot (or at least log out) before trying to run Podman commands.

To test your installation you can run:

$ podman run -it --rm docker.io/alpine cat /etc/*release*
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.20.2
PRETTY_NAME="Alpine Linux v3.20"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"

Data Type: rootless-podman-configuration

Available rootless-podman-configuration fields are:

podman (default: podman) (type: package)

The Podman package that will be installed in the system profile.

group-name (default: "cgroup") (type: string)

The name of the group that will own /sys/fs/cgroup resources. Users that want to use rootless Podman have to be in this group.

containers-registries (type: lowerable)

A string or a gexp evaluating to the path of Podman’s containers/registries.conf configuration file.

containers-storage (type: lowerable)

A string or a gexp evaluating to the path of Podman’s containers/storage.conf configuration file.

containers-policy (type: lowerable)

A string or a gexp evaluating to the path of Podman’s containers/policy.json configuration file.

pam-limits (type: list-of-pam-limits-entries)

The PAM limits to be set for rootless Podman.

subgids (default: ()) (type: list-of-subid-ranges)

A list of subid ranges representing the subgids that will be available for each configured user.

subuids (default: ()) (type: list-of-subid-ranges)

A list of subid ranges representing the subuids that will be available for each configured user.

OCI backed services

Should you wish to manage your Docker containers with the same consistent interface you use for your other Shepherd services, oci-container-service-type is the tool to use: given an Open Container Initiative (OCI) container image, it will run it in a Shepherd service. One example where this is useful: it lets you run services that are available as Docker/OCI images but not yet packaged for Guix.

Variable: oci-container-service-type

This is a thin wrapper around Docker's CLI that executes OCI image-backed processes as Shepherd services.

(service oci-container-service-type
         (list
          (oci-container-configuration
           (network "host")
           (image
            (oci-image
             (repository "guile")
             (tag "3")
             (value (specifications->manifest '("guile")))
             (pack-options '(#:symlinks (("/bin/guile" -> "bin/guile"))
                             #:max-layers 2))))
           (entrypoint "/bin/guile")
           (command
            '("-c" "(display \"hello!\n\")")))
          (oci-container-configuration
           (image "prom/prometheus")
           (ports
             '(("9000" . "9000")
               ("9090" . "9090"))))
          (oci-container-configuration
           (image "grafana/grafana:10.0.1")
           (network "host")
           (volumes
             '("/var/lib/grafana:/var/lib/grafana")))))

In this example three different Shepherd services are going to be added to the system. Each oci-container-configuration record translates to a docker run invocation and its fields directly map to options. You can refer to the upstream documentation for the semantics of each value. If the images are not found, they will be pulled. The services with (network "host") are going to be attached to the host network and are supposed to behave like native processes with regard to networking.

Data Type: oci-container-configuration

Available oci-container-configuration fields are:

user (default: "oci-container") (type: string)

The user under whose authority docker commands will be run.

group (default: "docker") (type: string)

The group under whose authority docker commands will be run.

command (default: '()) (type: list-of-strings)

Overwrite the default command (CMD) of the image.

entrypoint (default: "") (type: string)

Overwrite the default entrypoint (ENTRYPOINT) of the image.

host-environment (default: '()) (type: list)

Set environment variables in the host environment where docker run is invoked. This is especially useful to pass secrets from the host to the container without having them on the docker run command line: by setting MYSQL_PASSWORD on the host and by passing --env MYSQL_PASSWORD through the extra-arguments field, it is possible to securely set values in the container environment. This field's value can be a list of pairs or strings, even mixed:

(list '("LANGUAGE" . "eo:ca:eu")
      "JAVA_HOME=/opt/java")

Pair members can be strings, gexps or file-like objects. Strings are passed directly to make-forkexec-constructor.
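An added example (not from the Guix manual) contrasting the two ways of handing a secret to a container. The image name, host paths, service name and the placeholder value are constructed for illustration; the hardened form keeps the value off the docker run command line, but any literal in an operating-system declaration still ends up in the store.

```scheme
;; Added example, not part of the Guix manual.  Image, paths and the
;; placeholder secret are constructed for illustration only.
(use-modules (gnu services docker))

;; Weak form: the secret goes through the 'environment' field, so it is
;; spliced into 'docker run --env MYSQL_ROOT_PASSWORD=...'.  The command
;; line of a running process is readable by every local user through
;; ps or /proc/<pid>/cmdline, so the value leaks outside the container.
(define %db-container-weak
  (oci-container-configuration
   (provision "mariadb-oci")
   (image "docker.io/library/mariadb:10.11")
   (environment
    '(("MYSQL_ROOT_PASSWORD" . "CHANGE-ME-placeholder")))
   (volumes '(("/var/lib/mariadb" . "/var/lib/mysql")))))

;; Hardened form: the value is set in the environment of the host process
;; that invokes 'docker run' ('host-environment'), and only the variable
;; *name* is passed with '--env MYSQL_ROOT_PASSWORD' via 'extra-arguments'.
;; Docker copies the value from its own environment, so the secret never
;; appears in the process list.
(define %db-container
  (oci-container-configuration
   (provision "mariadb-oci")
   (image "docker.io/library/mariadb:10.11")
   (host-environment
    '(("MYSQL_ROOT_PASSWORD" . "CHANGE-ME-placeholder")))
   (extra-arguments '("--env" "MYSQL_ROOT_PASSWORD"))
   (volumes '(("/var/lib/mariadb" . "/var/lib/mysql")))))

;; Only the hardened variant is registered as a Shepherd service.
(service oci-container-service-type
         (list %db-container))
```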

environment (default: '()) (type: list)

Set environment variables. This can be a list of pairs or strings, even mixed:

(list '("LANGUAGE" . "eo:ca:eu")
      "JAVA_HOME=/opt/java")

Pair members can be strings, gexps or file-like objects. Strings are passed directly to the Docker CLI. You can refer to the upstream documentation for semantics.

image (type: string-or-oci-image)

The image used to build the container. It can be a string or an oci-image record. Strings are resolved by the Docker Engine, and follow the usual format myregistry.local:5000/testing/test-image:tag.

provision (default: "") (type: string)

Set the name of the provisioned Shepherd service.

requirement (default: '()) (type: list-of-symbols)

Set additional Shepherd service dependencies for the provisioned Shepherd service.

log-file (type: maybe-string)

When log-file is set, it names the file to which the service’s standard output and standard error are redirected. log-file is created if it does not exist, otherwise it is appended to.

auto-start? (default: #t) (type: boolean)

Whether this service should be started automatically by the Shepherd. If it is #f, the service has to be started manually with herd start.

respawn? (default: #f) (type: boolean)

Whether to have Shepherd restart the service when it stops, for instance when the underlying process dies.

shepherd-actions (default: '()) (type: list-of-symbols)

This is a list of shepherd-action records defining actions supported by the service.

network (default: "") (type: string)

Set a Docker network for the spawned container.

ports (default: '()) (type: list)

Set the port or port ranges to expose from the spawned container. This can be a list of pairs or strings, even mixed:

(list '("8080" . "80")
      "10443:443")

Pair members can be strings, gexps or file-like objects. Strings are passed directly to the Docker CLI. You can refer to the upstream documentation for semantics.

volumes (default: '()) (type: list)

Set volume mappings for the spawned container. This can be a list of pairs or strings, even mixed:

(list '("/root/data/grafana" . "/var/lib/grafana")
      "/gnu/store:/gnu/store")

Pair members can be strings, gexps or file-like objects. Strings are passed directly to the Docker CLI. You can refer to the upstream documentation for semantics.

container-user (default: "") (type: string)

Set the current user inside the spawned container. You can refer to the upstream documentation for semantics.

workdir (default: "") (type: string)

Set the current working directory for the spawned Shepherd service. You can refer to the upstream documentation for semantics.

extra-arguments (default: '()) (type: list)

A list of strings, gexps or file-like objects that will be directly passed to the docker run invocation.

Data Type: oci-image

Available oci-image fields are:

repository (type: string)

A string like myregistry.local:5000/testing/test-image that names the OCI image.

tag (default: "latest") (type: string)

A string representing the OCI image tag. Defaults to latest.

value (type: oci-lowerable-image)

A manifest or operating-system record that will be lowered into an OCI compatible tarball. Otherwise this field’s value can be a gexp or a file-like object that evaluates to an OCI compatible tarball.

pack-options (default: '()) (type: list)

An optional set of keyword arguments that will be passed to the docker-image procedure from guix scripts pack. They can be used to replicate guix pack behavior:

(oci-image
  (repository "guile")
  (tag "3")
  (value
    (specifications->manifest '("guile")))
  (pack-options '(#:symlinks (("/bin/guile" -> "bin/guile"))
                  #:max-layers 2)))

If the value field is an operating-system record, this field’s value will be ignored.

system (default: "") (type: string)

Attempt to build for a given system, e.g. "i686-linux".

target (default: "") (type: string)

Attempt to cross-build for a given triple, e.g. "aarch64-linux-gnu".

grafts? (default: #f) (type: boolean)

Whether to allow grafting or not in the pack build.

Subordinate User and Group ID Service

Among the virtualization facilities implemented by the Linux kernel is the concept of subordinate IDs. Subordinate IDs allow for mapping user and group IDs inside process namespaces to user and group IDs of the host system. Subordinate user ID ranges (subuids) allow users to map virtual user IDs inside containers to the user ID of an unprivileged user of the host system. Subordinate group ID ranges (subgids) instead map virtual group IDs to the group ID of an unprivileged user on the host system. See the subuid(5) and subgid(5) Linux man pages for more details.

The (gnu system shadow) module exposes the subids-service-type, its configuration record subids-configuration and its extension record subids-extension.

With subids-service-type, subuid and subgid ranges can be reserved for users that need them:

(use-modules (gnu system shadow)     ;for 'subids-service-type'
             (gnu system accounts))  ;for 'subid-range'

(operating-system
  ;; …
  (services
    (list
      (simple-service 'alice-bob-subids
                      subids-service-type
                      (subids-extension
                        (subgids
                         (list
                          (subid-range (name "alice"))))
                        (subuids
                         (list
                          (subid-range (name "alice"))
                          (subid-range (name "bob")
                                       (start 100700)))))))))

Users (and certainly other services) are usually expected to extend the service rather than add subids directly to subids-configuration, unless they want to change the default behavior for root. With default settings the subids-service-type adds, if it's not already there, a configuration for the root account to both /etc/subuid and /etc/subgid, possibly starting at the minimum possible subid. Otherwise the root subuid and subgid ranges are fitted wherever possible.

The above configuration will yield the following:

# cat /etc/subgid
root:100000:65536
alice:165536:65536
# cat /etc/subuid
root:100000:700
bob:100700:65536
alice:166236:65536

Data Type: subids-configuration

With default settings the subids-service-type adds, if it’s not already there, a configuration for the root account to both /etc/subuid and /etc/subgid, possibly starting at the minimum possible subid. To disable the default behavior and provide your own definition for the root subid ranges you can set to #f the add-root? field:

(use-modules (gnu system shadow)     ;for 'subids-service-type'
             (gnu system accounts))  ;for 'subid-range'

(operating-system
  ;; …
  (services
    (list
      (service subids-service-type
               (subids-configuration
                (add-root? #f)
                (subgids
                  (list (subid-range (name "root")
                                     (start 120000)
                                     (count 100))))
                (subuids
                  (list (subid-range (name "root")
                                     (start 120000)
                                     (count 100))))))
      (simple-service 'alice-bob-subids
                      subids-service-type
                      (subids-extension
                        (subgids
                         (list
                          (subid-range (name "alice"))))
                        (subuids
                         (list
                          (subid-range (name "alice"))
                          (subid-range (name "bob")
                                       (start 100700)))))))))

Available subids-configuration fields are:

add-root? (default: #t) (type: boolean)

Whether to automatically configure subuids and subgids for root.

subgids (default: '()) (type: list-of-subid-ranges)

The list of subid-ranges that will be serialized to /etc/subgid. If a range doesn't specify a start it will be fitted based on its number of requested subids. If a range doesn't specify a count the default size of 65536 will be assumed.

subuids (default: '()) (type: list-of-subid-ranges)

The list of subid-ranges that will be serialized to /etc/subuid. If a range doesn't specify a start it will be fitted based on its number of requested subids. If a range doesn't specify a count the default size of 65536 will be assumed.

Data Type: subids-extension

Available subids-extension fields are:

subgids (default: '()) (type: list-of-subid-ranges)

The list of subid-ranges that will be appended to subids-configuration-subgids. Entries with the same name are deduplicated upon merging.

subuids (default: '()) (type: list-of-subid-ranges)

The list of subid-ranges that will be appended to subids-configuration-subuids. Entries with the same name are deduplicated upon merging.

Data Type: subid-range

The subid-range record is defined at (gnu system accounts). Available fields are:

name (type: string)

The name of the user or group that will own this range.

start (default: #f) (type: integer)

The first requested subid. When false the first available subid with enough contiguous subids will be assigned.

count (default: #f) (type: integer)

The number of total allocated subids. When #f the default of 65536 will be assumed.

Auditd Service

The (gnu services auditd) module provides the following service.

Variable: auditd-service-type

This is the type of the service that runs auditd, a daemon that tracks security-relevant information on your system.

Examples of things that can be tracked:

  1. File accesses
  2. System calls
  3. Invoked commands
  4. Failed login attempts
  5. Firewall filtering
  6. Network access

auditctl from the audit package can be used in order to add or remove events to be tracked (until the next reboot). In order to permanently track events, put the command line arguments of auditctl into a file called audit.rules in the configuration directory (see below). aureport from the audit package can be used in order to view a report of all recorded events. The audit daemon by default logs into the file /var/log/audit.log.

Data Type: auditd-configuration

This is the data type representing the configuration of auditd.

audit (default: audit)

The audit package to use.

configuration-directory (default: %default-auditd-configuration-directory)

The directory containing the configuration file for the audit package, which must be named auditd.conf, and optionally some audit rules to instantiate on startup.
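An added example (not from the Guix manual) of an auditd-service-type instance with a custom configuration directory that carries both auditd.conf and a persistent audit.rules file, built with file-union and plain-file from (guix gexp). The file contents and the directory name are constructed here; the rules are ordinary auditctl argument lines as described above.

```scheme
;; Added example, not part of the Guix manual.  Contents of both files
;; are constructed for illustration and should be adapted to the host.
(use-modules (gnu services auditd)
             (guix gexp))

;; auditd.conf: log destination, rotation and what to do when space runs
;; low.  Suspending on admin_space_left avoids silently dropping events.
(define %auditd-conf
  (plain-file "auditd.conf"
              "log_file = /var/log/audit.log
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
"))

;; audit.rules: each line holds the arguments of one auditctl invocation.
;; -D clears existing rules, -b sets the backlog, -w watches files for
;; writes/attribute changes, -a records every execve by an effective root
;; user, and -e 1 finally enables auditing.
(define %audit-rules
  (plain-file "audit.rules"
              "-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-a always,exit -F arch=b64 -S execve -F euid=0 -k root-exec
-e 1
"))

;; Assemble the directory auditd-service-type expects: auditd.conf is
;; mandatory, audit.rules is picked up at startup.
(define %auditd-directory
  (file-union "auditd-config"
              `(("auditd.conf" ,%auditd-conf)
                ("audit.rules" ,%audit-rules))))

(service auditd-service-type
         (auditd-configuration
          (configuration-directory %auditd-directory)))
```

Events recorded under these keys can be reviewed with aureport, or filtered by key (for example -k identity) with ausearch from the same audit package.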

R-Shiny service

The (gnu services science) module provides the following service.

Variable: rshiny-service-type

This is a type of service which is used to run a webapp created with r-shiny. This service sets the R_LIBS_USER environment variable and runs the provided script to call runApp.

Data Type: rshiny-configuration

This is the data type representing the configuration of rshiny.

package (default: r-shiny)

The package to use.

binary (default: "rshiny")

The name of the binary or shell script located at package/bin/ to run when the service is run.

The common way to create this file is as follows:


(let* ((out       (assoc-ref %outputs "out"))
       (targetdir (string-append out "/share/" ,name))
       (app       (string-append out "/bin/" ,name))
       (Rbin      (search-input-file %build-inputs "/bin/Rscript")))
  ;; …
  (mkdir-p (string-append out "/bin"))
  (call-with-output-file app
    (lambda (port)
      (format port
"#!~a
library(shiny)
setwd(\"~a\")
runApp(launch.browser=0, port=4202)~%\n"
      Rbin targetdir))))

Nix service

The (gnu services nix) module provides the following service.

Variable: nix-service-type

This is the type of the service that runs the build daemon of the Nix package manager. Here is an example showing how to use it:

(use-modules (gnu))
(use-service-modules nix)
(use-package-modules package-management)

(operating-system
  ;; …
  (packages (append (list nix)
                    %base-packages))

  (services (append (list (service nix-service-type))
                    %base-services)))

After guix system reconfigure, configure Nix for your user:

  • Add a Nix channel and update it. See Nix channels for more information about the available channels. If you would like to use the unstable Nix channel you can do this by running:

    $ nix-channel --add https://nixos.org/channels/nixpkgs-unstable
    $ nix-channel --update

  • Create your Nix profile directory:

    $ sudo mkdir -p /nix/var/nix/profiles/per-user/$USER
    $ sudo chown $USER:root /nix/var/nix/profiles/per-user/$USER

  • Create a symlink to your profile and activate the Nix profile:

    $ ln -s "/nix/var/nix/profiles/per-user/$USER/profile" ~/.nix-profile
    $ source /run/current-system/profile/etc/profile.d/nix.sh

Data Type: nix-configuration

This data type represents the configuration of the Nix daemon.

nix (default: nix)

The Nix package to use.

sandbox (default: #t)

Specifies whether builds are sandboxed by default.

build-directory (default: "/tmp")

The directory where build trees are stored during builds. This is useful to change if, for example, the default location does not have enough space to hold build trees for big packages.

This is similar to setting the TMPDIR environment variable for guix-daemon (see TMPDIR for more information).

build-sandbox-items (default: '())

This is a list of strings or objects appended to the build-sandbox-items field of the configuration file.

extra-config (default: '())

This is a list of strings or objects appended to the configuration file. It is used to pass extra text to be added verbatim to the configuration file.

extra-options (default: '())

Extra command line options for nix-service-type.

Fail2Ban service

fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IP addresses that show malicious signs – repeated password failures, attempts to make use of exploits, etc.

The fail2ban-service-type service type is provided by the (gnu services security) module.

This service type runs the fail2ban daemon. It can be configured in various ways, which are:

Basic configuration

The basic parameters of the Fail2Ban service can be configured via its fail2ban configuration, which is documented below.

User-specified jail extensions

The fail2ban-jail-service function can be used to add new Fail2Ban jails.

Shepherd extension mechanism

Service developers can extend the fail2ban-service-type service type itself via the usual service extension mechanism.

Variable: fail2ban-service-type

This is the type of the service that runs the fail2ban daemon. Below is an example of a basic, explicit configuration:

(append
 (list
  (service fail2ban-service-type
           (fail2ban-configuration
            (extra-jails
             (list
              (fail2ban-jail-configuration
               (name "sshd")
               (enabled? #t))))))
  ;; There is no implicit dependency on an actual SSH
  ;; service, so you need to provide one.
  (service openssh-service-type))
 %base-services)

Procedure: fail2ban-jail-service svc-type jail

Extend svc-type, a <service-type> object, with jail, a fail2ban-jail-configuration object.

For example:

(append
 (list
  (service
   ;; The 'fail2ban-jail-service' procedure can extend any service type
   ;; with a fail2ban jail.  This removes the requirement to explicitly
   ;; extend services with fail2ban-service-type.
   (fail2ban-jail-service
    openssh-service-type
    (fail2ban-jail-configuration
     (name "sshd")
     (enabled? #t)))
   (openssh-configuration ...))))

Below is the reference for the different fail2ban-service-type configuration records.

Data Type: fail2ban-configuration

Available fail2ban-configuration fields are:

fail2ban (default: fail2ban) (type: package)

The fail2ban package to use. It is used for both binaries and as base default configuration that is to be extended with <fail2ban-jail-configuration> objects.

run-directory (default: "/var/run/fail2ban") (type: string)

The state directory for the fail2ban daemon.

jails (default: '()) (type: list-of-fail2ban-jail-configurations)

Instances of <fail2ban-jail-configuration> collected from extensions.

extra-jails (default: '()) (type: list-of-fail2ban-jail-configurations)

Instances of <fail2ban-jail-configuration> explicitly provided.

extra-content (default: '()) (type: text-config)

Extra raw content to add to the end of the jail.local file, provided as a list of file-like objects.

Data Type: fail2ban-ignore-cache-configuration

Available fail2ban-ignore-cache-configuration fields are:

key (type: string)

Cache key.

max-count (type: integer)

Cache size.

max-time (type: integer)

Cache time.

Data Type: fail2ban-jail-action-configuration

Available fail2ban-jail-action-configuration fields are:

name (type: string)

Action name.

arguments (default: '()) (type: list-of-arguments)

Action arguments.

Data Type: fail2ban-jail-configuration

Available fail2ban-jail-configuration fields are:

name (type: string)

Required name of this jail configuration.

enabled? (default: #t) (type: boolean)

Whether this jail is enabled.

backend (type: maybe-symbol)

Backend to use to detect changes in the log-path. The default is 'auto. To consult the defaults of the jail configuration, refer to the /etc/fail2ban/jail.conf file of the fail2ban package.

max-retry (type: maybe-integer)

The number of failures before a host gets banned (e.g. (max-retry 5)).

max-matches (type: maybe-integer)

The number of matches stored in ticket (resolvable via tag <matches>) in action.

find-time (type: maybe-string)

The time window during which the maximum retry count must be reached for an IP address to be banned. A host is banned if it has generated max-retry failures during the last find-time seconds (e.g. (find-time "10m")). It can be provided in seconds or using Fail2Ban's "time abbreviation format", as described in man 5 jail.conf.

ban-time (type: maybe-string)

The duration, in seconds or in time-abbreviated format, that a ban should last (e.g. (ban-time "10m")).

ban-time-increment? (type: maybe-boolean)

Whether to consider past bans to compute increases to the default ban time of a specific IP address.

ban-time-factor (type: maybe-string)

The coefficient to use to compute an exponentially growing ban time.

ban-time-formula (type: maybe-string)

This is the formula used to calculate the next value of a ban time.

ban-time-multipliers (type: maybe-string)

Used to calculate the next value of the ban time instead of the formula.

ban-time-max-time (type: maybe-string)

The maximum number of seconds a ban should last.

ban-time-rnd-time (type: maybe-string)

The maximum number of seconds a randomized ban time should last. This can be useful to stop “clever” botnets calculating the exact time an IP address can be unbanned again.

ban-time-overall-jails? (type: maybe-boolean)

When true, the search for an IP address in the database is made across all jails. Otherwise, only the current jail of the banned IP address is considered.

ignore-self? (type: maybe-boolean)

Never ban the local machine’s own IP address.

ignore-ip (default: '()) (type: list-of-strings)

A list of IP addresses, CIDR masks or DNS hosts to ignore. fail2ban will not ban a host which matches an address in this list.

ignore-cache (type: maybe-fail2ban-ignore-cache-configuration)

Provide cache parameters for the ignore failure check.

filter (type: maybe-fail2ban-jail-filter-configuration)

The filter used by the jail, specified via a <fail2ban-jail-filter-configuration> object. By default, jails have names matching their filter name.

log-time-zone (type: maybe-string)

The default time zone for log lines that do not have one.

log-encoding (type: maybe-symbol)

The encoding of the log files handled by the jail. Possible values are: 'ascii, 'utf-8 and 'auto.

log-path (default: '()) (type: list-of-strings)

The file names of the log files to be monitored.

action (default: '()) (type: list-of-fail2ban-jail-actions)

A list of <fail2ban-jail-action-configuration>.

extra-content (default: '()) (type: text-config)

Extra content for the jail configuration, provided as a list of file-like objects.

Data Type: fail2ban-jail-filter-configuration

Available fail2ban-jail-filter-configuration fields are:

name (type: string)

Filter to use.

mode (type: maybe-string)

Mode for filter.
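A fuller jail record that exercises the fields documented above, as an added example that is not from the manual: an SSH jail with progressive ban times, an allow-list for trusted networks and an explicit filter mode. The filter mode name, the log path, the management network (a documentation-only address range) and the key-only login policy are assumptions.

```scheme
;; Added example (not from the manual): an SSH jail with progressive ban
;; times, an allow-list for trusted networks, and an explicit filter mode.
(define %hardened-sshd-jail
  (fail2ban-jail-configuration
   (name "sshd")
   (enabled? #t)
   ;; Reuse fail2ban's own "sshd" filter; the "aggressive" mode name is
   ;; assumed from that filter's own definition.
   (filter (fail2ban-jail-filter-configuration
            (name "sshd")
            (mode "aggressive")))
   ;; Three failures within ten minutes trigger a ban.
   (max-retry 3)
   (find-time "10m")
   ;; The first ban lasts one hour; repeat offenders get doubling bans,
   ;; capped at one week, with up to ten minutes of jitter added so the
   ;; exact unban moment cannot be predicted.
   (ban-time "1h")
   (ban-time-increment? #t)
   (ban-time-factor "2")
   (ban-time-max-time "1w")
   (ban-time-rnd-time "10m")
   ;; Count earlier bans recorded by every jail, not just this one.
   (ban-time-overall-jails? #t)
   ;; Never lock out the host itself or the (assumed) management network;
   ;; 192.0.2.0/24 is a documentation-only range used as a placeholder.
   (ignore-self? #t)
   (ignore-ip '("127.0.0.1/8" "::1" "192.0.2.0/24"))
   ;; Where syslog writes authentication messages (assumed path).
   (log-path '("/var/log/secure"))))

;; Attach the jail to the OpenSSH service so fail2ban is pulled in
;; automatically; disabling password logins (assumed policy) removes the
;; very failures the jail watches for.
(service (fail2ban-jail-service openssh-service-type %hardened-sshd-jail)
         (openssh-configuration
          (password-authentication? #f)))
```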

Resize File System Service

This service type lets you resize a live file system during boot, which can be convenient if a Guix image is flashed on an SD Card (e.g. for an embedded device) or uploaded to a VPS. In both cases the medium the image will reside upon may be larger than the image you want to produce.

For an embedded device booting from an SD card you may use something like:

(service resize-file-system-service-type
         (resize-file-system-configuration
          (file-system
           (file-system (device (file-system-label "root"))
                        (type "ext4")))))

Warning: Be extra cautious to use the correct device and type. The service has little error handling of its own and relies on the underlying tools. Wrong use could end in loss of data or the corruption of the operating system.

Partitions and file systems are grown to the maximum size available. File systems can only grow when they are on the last partition on a device and have empty space available.

This service supports the ext2, ext3, ext4, btrfs, and bcachefs file systems.

file-system (default: #f) (type: file-system)

The file-system object to resize (see File Systems). This object must have the device and type fields set. Other fields are ignored.

cloud-utils (default: cloud-utils) (type: file-like)

The cloud-utils package to use. This package is used for the growpart command.

e2fsprogs (default: e2fsprogs) (type: file-like)

The e2fsprogs package to use, used for resizing ext2, ext3, and ext4 file systems.

btrfs-progs (default: btrfs-progs) (type: file-like)

The btrfs-progs package to use, used for resizing the btrfs file system.

bcachefs-tools (default: bcachefs-tools) (type: file-like)

The bcachefs-tools package to use, used for resizing the bcachefs file system.

Backup Services

The (gnu services backup) module offers services for backing up file system trees. For now, it provides the restic-backup-service-type.

With restic-backup-service-type, you can periodically back up directories and files with Restic, which supports end-to-end encryption and deduplication. Consider the following configuration:

(use-service-modules backup)  ;for 'restic-backup-service-type'
(use-package-modules sync)    ;for 'rclone'

(operating-system
  ;; …
  (packages (append (list rclone)    ;for use by restic
                    %base-packages))
  (services
    (list
      (service restic-backup-service-type
               (restic-backup-configuration
                 (jobs
                   (list (restic-backup-job
                           (name "remote-ftp")
                           (repository "rclone:remote-ftp:backup/restic")
                           (password-file "/root/.restic")
                           ;; Every day at 23.
                           (schedule "0 23 * * *")
                           (files '("/root/.restic"
                                    "/root/.config/rclone"
                                    "/etc/ssh/ssh_host_rsa_key"
                                    "/etc/ssh/ssh_host_rsa_key.pub"
                                    "/etc/guix/signing-key.pub"
                                    "/etc/guix/signing-key.sec"))))))))))

Each restic-backup-job translates to an mcron job which sets the RESTIC_PASSWORD environment variable by reading the first line of password-file and runs restic backup, creating backups using rclone of all the files listed in the files field.

The restic-backup-service-type also installs restic-guix into the system profile, a restic utility wrapper that allows for easier interaction with the Guix-configured backup jobs. For example, the following could be used to instantaneously trigger a backup for the configuration shown above, without waiting for the scheduled job:

restic-guix backup remote-ftp

Data Type: restic-backup-configuration

Available restic-backup-configuration fields are:

jobs (default: '()) (type: list-of-restic-backup-jobs)

The list of backup jobs for the current system.

Data Type: restic-backup-job

Available restic-backup-job fields are:

restic (default: restic) (type: package)

The restic package to be used for the current job.

user (default: "root") (type: string)

The user used for running the current job.

repository (type: string)

The restic repository target of this job.

name (type: string)

A string denoting a name for this job.

password-file (type: string)

Name of the password file, readable by the configured user, that will be used to set the RESTIC_PASSWORD environment variable for the current job.

schedule (type: gexp-or-string)

A string or a gexp that will be passed as time specification in the mcron job specification (see mcron job specifications in GNU mcron).

files (default: '()) (type: list-of-lowerables)

The list of files or directories to be backed up. It must be a list of values that can be lowered to strings.

verbose? (default: #f) (type: boolean)

Whether to enable verbose output for the current backup job.

extra-flags (default: '()) (type: list-of-lowerables)

A list of values that are lowered to strings. These will be passed as command-line arguments to the current job's restic backup invocation.
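A second job that shows the fields not used by the manual's example, as an added example that is not from the manual: it runs as an unprivileged user, takes its schedule as an mcron gexp rather than a cron string, and passes extra flags to restic backup. The user name, paths and repository are assumed placeholders.

```scheme
;; Added example (not from the manual): a per-user job with a gexp
;; schedule and extra 'restic backup' flags.  All names and paths here
;; are assumed placeholders.
(define %alice-home-backup
  (restic-backup-job
   (name "alice-home")
   ;; The job runs as this user, so the password file and the files
   ;; being backed up must be readable by it.
   (user "alice")
   ;; A local repository; 'restic init' must already have been run on it.
   (repository "/srv/restic/alice")
   ;; Keep this file mode 0600: its first line becomes RESTIC_PASSWORD.
   (password-file "/home/alice/.restic-password")
   ;; Every day at 03:00, as an mcron time-specification gexp.
   (schedule #~(next-hour '(3)))
   (files '("/home/alice/Documents" "/home/alice/.ssh"))
   (verbose? #t)
   ;; Extra command-line arguments appended to 'restic backup'.
   (extra-flags '("--exclude-caches"
                  "--exclude=/home/alice/Documents/tmp"
                  "--one-file-system"))))

(operating-system
  ;; …
  (services
   (append (list (service restic-backup-service-type
                          (restic-backup-configuration
                           (jobs (list %alice-home-backup)))))
           %base-services)))
```

Because the job runs as alice, the generated mcron entry and restic-guix backup alice-home both operate with that user's privileges only.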

DLNA/UPnP Services

The (gnu services upnp) module offers services related to UPnP (Universal Plug and Play) and DLNA (Digital Living Network Alliance), networking protocols that can be used for media streaming and device interoperability within a local network. For now, this module provides the readymedia-service-type.

ReadyMedia (formerly known as MiniDLNA) is a DLNA/UPnP-AV media server. The project’s daemon, minidlnad, can serve media files (audio, pictures, and video) to DLNA/UPnP-AV clients available on the network. readymedia-service-type is a Guix service that wraps around ReadyMedia’s minidlnad.

Consider the following configuration:

(use-service-modules upnp)

(operating-system
  
  (services
   (list (service readymedia-service-type
                  (readymedia-configuration
                   (media-directories
                    (list (readymedia-media-directory
                           (path "/media/audio")
                           (types '(A)))
                          (readymedia-media-directory
                           (path "/media/video")
                           (types '(V)))
                          (readymedia-media-directory
                           (path "/media/misc"))))
                   (extra-config '(("notify_interval" . "60"))))))))

This sets up the ReadyMedia daemon to serve files from the media folders specified in media-directories. The media-directories field is mandatory. All other fields (such as network ports and the server name) come with a predefined default and can be omitted.

Data Type: readymedia-configuration

Available readymedia-configuration fields are:

readymedia (default: readymedia) (type: package)

The ReadyMedia package to be used for the service.

friendly-name (default: #f) (type: maybe-string)

A custom name that will be displayed on connected clients.

media-directories (type: list)

The list of media folders to serve content from. Each item is a readymedia-media-directory.

cache-directory (default: "/var/cache/readymedia") (type: string)

A folder for ReadyMedia’s cache files. If not existing already, the folder will be created as part of the service activation and the ReadyMedia user will be assigned ownership.

log-directory (default: "/var/log/readymedia") (type: string)

A folder for ReadyMedia’s log files. If not existing already, the folder will be created as part of the service activation and the ReadyMedia user will be assigned ownership.

port (default: #f) (type: maybe-integer)

A custom port that the service will be listening on.

extra-config (default: '()) (type: alist)

An association list of further options, as accepted by ReadyMedia.

Data Type: readymedia-media-directory

A media-directories entry includes a folder path and, optionally, the types of media files included within the folder.

path (type: string)

The media folder location.

types (default: '()) (type: list)

A list indicating the types of file included in the media folder. Valid values are combinations of the individual media types, i.e. the symbols A for audio, P for pictures and V for video. An empty list means that no type is specified.
