The (gnu services authentication) module provides a DBus service to read and identify fingerprints via a fingerprint sensor.

The service type for fprintd, which provides the fingerprint reading capability.

(service fprintd-service-type)
The (gnu services sysctl) module provides a service to configure kernel parameters at boot.

The service type for sysctl, which modifies kernel parameters under /proc/sys/. To enable IPv4 forwarding, it can be instantiated as:

(service sysctl-service-type
         (sysctl-configuration
           (settings '(("net.ipv4.ip_forward" . "1")))))
Since sysctl-service-type is used in the default lists of services, %base-services and %desktop-services, you can use modify-services to change its configuration and add the kernel parameters that you want (see modify-services).

(modify-services %base-services
  (sysctl-service-type config =>
                       (sysctl-configuration
                         (settings (append '(("net.ipv4.ip_forward" . "1"))
                                           %default-sysctl-settings)))))
The data type representing the configuration of sysctl.

sysctl (default: (file-append procps "/sbin/sysctl")) The sysctl executable to use.

settings (default: %default-sysctl-settings) An association list specifying kernel parameters and their values.

An association list specifying the default sysctl parameters on Guix System (%default-sysctl-settings).
The (gnu services security-token) module provides the following service to run pcscd, the PC/SC Smart Card Daemon. pcscd is the daemon program for pcsc-lite and the MuscleCard framework. It is a resource manager that coordinates communications with smart card readers, smart cards and cryptographic tokens that are connected to the system.

Service type for the pcscd service. Its value must be a pcscd-configuration object. To run pcscd in the default configuration, instantiate it as:

(service pcscd-service-type)

The data type representing the configuration of pcscd.

pcsc-lite (default: pcsc-lite) The pcsc-lite package that provides pcscd.

usb-drivers (default: (list ccid)) List of packages that provide USB drivers to pcscd. Drivers are expected to be under pcsc/drivers in the store directory of the package.
The (gnu services lirc) module provides the following service.

Return a service that runs LIRC, a daemon that decodes infrared signals from remote controls. Optionally, device, driver and config-file (configuration file name) may be specified. See the lircd manual for details. Finally, extra-options is a list of additional command-line options passed to lircd.
The (gnu services spice) module provides the following service.

Returns a service that runs VDAGENT, a daemon that enables sharing the clipboard with a VM and setting the guest display resolution when the graphical console window resizes.
The inputattach service allows you to use input devices such as Wacom tablets, touchscreens, or joysticks with the Xorg display server.

Type of a service that runs inputattach on a device and dispatches events from it.

device-type (default: "wacom") The type of device to connect to. Run inputattach --help, from the inputattach package, to see the list of supported device types.

device (default: "/dev/ttyS0") The device file to connect to the device.

baud-rate (default: #f) Baud rate to use for the serial connection. Should be a number or #f.

log-file (default: #f) If true, this must be the name of a file to log messages to.
The (gnu services dict) module provides the following service:

This is the type of the service that runs the dicod daemon, an implementation of DICT server (see Dicod in GNU Dico Manual).

Return a service that runs the dicod daemon, an implementation of DICT server (see Dicod in GNU Dico Manual). The optional config argument specifies the configuration for dicod, which should be a <dicod-configuration> object; by default it serves the GNU Collaborative International Dictionary of English. You can add open localhost to your ~/.dico file to make localhost the default server for the dico client (see Initialization File in GNU Dico Manual).

Data type representing the configuration of dicod.

dico (default: dico) Package object of the GNU Dico dictionary server.

interfaces (default: '("localhost")) This is the list of IP addresses and ports and possibly socket file names to listen to (see listen directive in GNU Dico Manual).

handlers (default: '()) List of <dicod-handler> objects denoting handlers (module instances).

databases (default: (list %dicod-database:gcide)) List of <dicod-database> objects denoting dictionaries to be served.
Data type representing a dictionary handler (module instance).

name Name of the handler (module instance).

module (default: #f) Name of the dicod module of the handler (instance). If it is #f, the module has the same name as the handler (see Modules in GNU Dico Manual).

options List of strings or gexps representing the arguments for the module handler.

Data type representing a dictionary database.

name Name of the database, will be used in DICT commands.

handler Name of the dicod handler (module instance) used by this database (see Handlers in GNU Dico Manual).

complex? (default: #f) Whether the database configuration is complex. A complex configuration needs a corresponding <dicod-handler> object; a simple one does not.

options List of strings or gexps representing the arguments for the database (see Databases in GNU Dico Manual).

%dicod-database:gcide is a <dicod-database> object serving the GNU Collaborative International Dictionary of English using the gcide package.
The following is an example dicod-service configuration.

(dicod-service #:config
  (dicod-configuration
   (handlers (list (dicod-handler
                    (name "wordnet")
                    (module "dictorg")
                    (options
                     (list #~(string-append "dbdir=" #$wordnet))))))
   (databases (list (dicod-database
                     (name "wordnet")
                     (complex? #t)
                     (handler "wordnet")
                     (options '("database=wn")))
                    %dicod-database:gcide))))
The (gnu services docker) module provides the following services.

This is the type of the service that runs Docker, a daemon that can execute application bundles (sometimes referred to as “containers”) in isolated environments.

This is the data type representing the configuration of Docker and Containerd.

docker (default: docker) The Docker daemon package to use.

docker-cli (default: docker-cli) The Docker client package to use.

containerd (default: containerd) The Containerd package to use.

proxy (default: docker-libnetwork-cmd-proxy) The Docker user-land networking proxy package to use.

enable-proxy? (default: #t) Enable or disable the use of the Docker user-land networking proxy.

debug? (default: #f) Enable or disable debug output.

enable-iptables? (default: #t) Enable or disable the addition of iptables rules.

environment-variables (default: ()) List of environment variables to set for dockerd. This must be a list of strings where each string has the form ‘key=value’ as in this example:

(list "LANGUAGE=eo:ca:eu"
      "TMPDIR=/tmp/dockerd")

This is the type of the service that allows you to run Singularity, a Docker-style tool to create and run application bundles (aka. “containers”). The value for this service is the Singularity package to use. The service does not install a daemon; instead, it installs helper programs as setuid-root (see Setuid Programs) such that unprivileged users can invoke singularity run and similar commands.
The (gnu services auditd) module provides the following service.

This is the type of the service that runs auditd, a daemon that tracks security-relevant information on your system. Examples of things that can be tracked:

auditctl from the audit package can be used in order to add or remove events to be tracked (until the next reboot). In order to permanently track events, put the command line arguments of auditctl into a file called audit.rules in the configuration directory (see below).

aureport from the audit package can be used in order to view a report of all recorded events. The audit daemon by default logs to the file /var/log/audit.log.

This is the data type representing the configuration of auditd.

audit (default: audit) The audit package to use.

configuration-directory (default: %default-auditd-configuration-directory) The directory containing the configuration file for the audit package, which must be named auditd.conf, and optionally some audit rules to instantiate on startup.
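As an added example (not from the Guix manual) of the configuration-directory field described above: it builds a directory holding a minimal auditd.conf and an audit.rules file of auditctl arguments, using plain-file and file-union from (guix gexp). The daemon settings and the rule set are assumptions chosen for illustration, not Guix defaults.

```scheme
(use-modules (gnu) (guix gexp))
(use-service-modules auditd)

;; Assumed auditd.conf: the daemon's own settings.  The log file
;; location matches the default described in the text above.
(define %auditd.conf
  (plain-file "auditd.conf"
              "log_file = /var/log/audit.log
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
max_log_file = 8
max_log_file_action = ROTATE
"))

;; Assumed audit.rules: one line of auditctl arguments per rule.
;; These watch identity files for writes and record every execve.
(define %audit.rules
  (plain-file "audit.rules"
              "-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-a always,exit -F arch=b64 -S execve -k exec
"))

;; Assemble both files into one directory-like object; its store
;; path is what the service hands to auditd as its config directory.
(define %auditd-directory
  (file-union "auditd-config"
              `(("auditd.conf" ,%auditd.conf)
                ("audit.rules" ,%audit.rules))))

(operating-system
  ;; …
  (services (append (list (service auditd-service-type
                                   (auditd-configuration
                                    (configuration-directory
                                     %auditd-directory))))
                    %base-services)))
```

After reconfiguring, aureport -k summarises events by the -k keys above, which is a quick check that the rules were loaded.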
The (gnu services science) module provides the following service.

This is a type of service which is used to run a webapp created with r-shiny. This service sets the R_LIBS_USER environment variable and runs the provided script to call runApp.

This is the data type representing the configuration of rshiny.

package (default: r-shiny) The package to use.

binary (default: "rshiny") The name of the binary or shell script located at package/bin/ to run when the service is run. The common way to create this file is as follows:

…
(let* ((out (assoc-ref %outputs "out"))
       (targetdir (string-append out "/share/" ,name))
       (app (string-append out "/bin/" ,name))
       (Rbin (search-input-file %build-inputs "/bin/Rscript")))
  ;; …
  (mkdir-p (string-append out "/bin"))
  (call-with-output-file app
    (lambda (port)
      (format port "#!~a
library(shiny)
setwd(\"~a\")
runApp(launch.browser=0, port=4202)~%\n"
              Rbin targetdir))))
The (gnu services nix) module provides the following service.

This is the type of the service that runs the build daemon of the Nix package manager. Here is an example showing how to use it:

(use-modules (gnu))
(use-service-modules nix)
(use-package-modules package-management)

(operating-system
  ;; …
  (packages (append (list nix)
                    %base-packages))

  (services (append (list (service nix-service-type))
                    %base-services)))

After guix system reconfigure, configure Nix for your user:

$ ln -s "/nix/var/nix/profiles/per-user/$USER/profile" ~/.nix-profile
$ source /run/current-system/profile/etc/profile.d/nix.sh
This data type represents the configuration of the Nix daemon.

nix (default: nix) The Nix package to use.

sandbox (default: #t) Specifies whether builds are sandboxed by default.

build-sandbox-items (default: '()) This is a list of strings or objects appended to the build-sandbox-items field of the configuration file.

extra-config (default: '()) This is a list of strings or objects appended to the configuration file. It is used to pass extra text to be added verbatim to the configuration file.

extra-options (default: '()) Extra command line options for nix-service-type.
fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IP addresses that show malicious signs – repeated password failures, attempts to make use of exploits, etc.

The fail2ban-service-type service type is provided by the (gnu services security) module. This service type runs the fail2ban daemon. It can be configured in various ways, which are:

The basic parameters of the Fail2Ban service can be configured via its fail2ban configuration, which is documented below.

The fail2ban-jail-service function can be used to add new Fail2Ban jails.

Service developers can extend the fail2ban-service-type service type itself via the usual service extension mechanism.
This is the type of the service that runs the fail2ban daemon. Below is an example of a basic, explicit configuration:

(append
 (list
  (service fail2ban-service-type
           (fail2ban-configuration
            (extra-jails
             (list
              (fail2ban-jail-configuration
               (name "sshd")
               (enabled? #t))))))
  ;; There is no implicit dependency on an actual SSH
  ;; service, so you need to provide one.
  (service openssh-service-type))
 %base-services)
Extend svc-type, a <service-type> object, with jail, a fail2ban-jail-configuration object. For example:

(append
 (list
  (service
   ;; The 'fail2ban-jail-service' procedure can extend any service type
   ;; with a fail2ban jail. This removes the requirement to explicitly
   ;; extend services with fail2ban-service-type.
   (fail2ban-jail-service
    openssh-service-type
    (fail2ban-jail-configuration
     (name "sshd")
     (enabled? #t)))
   (openssh-configuration ...))))

Below is the reference for the different jail-service-type configuration records.
Available fail2ban-configuration fields are:

fail2ban (default: fail2ban) (type: package) The fail2ban package to use. It is used for both binaries and as base default configuration that is to be extended with <fail2ban-jail-configuration> objects.

run-directory (default: "/var/run/fail2ban") (type: string) The state directory for the fail2ban daemon.

jails (default: ()) (type: list-of-fail2ban-jail-configurations) Instances of <fail2ban-jail-configuration> collected from extensions.

extra-jails (default: ()) (type: list-of-fail2ban-jail-configurations) Instances of <fail2ban-jail-configuration> explicitly provided.

extra-content (default: ()) (type: text-config) Extra raw content to add to the end of the jail.local file, provided as a list of file-like objects.
Available fail2ban-ignore-cache-configuration fields are:

key (type: string) Cache key.

max-count (type: integer) Cache size.

max-time (type: integer) Cache time.

Available fail2ban-jail-action-configuration fields are:

name (type: string) Action name.

arguments (default: ()) (type: list-of-arguments) Action arguments.
Available fail2ban-jail-configuration fields are:

name (type: string) Required name of this jail configuration.

enabled? (default: #t) (type: boolean) Whether this jail is enabled.

backend (type: maybe-symbol) Backend to use to detect changes in the log-path. The default is 'auto. To consult the defaults of the jail configuration, refer to the /etc/fail2ban/jail.conf file of the fail2ban package.

max-retry (type: maybe-integer) The number of failures before a host gets banned (e.g. (max-retry 5)).

max-matches (type: maybe-integer) The number of matches stored in ticket (resolvable via tag <matches>) in action.

find-time (type: maybe-string) The time window during which the maximum retry count must be reached for an IP address to be banned. A host is banned if it has generated max-retry failures during the last find-time seconds (e.g. (find-time "10m")). It can be provided in seconds or using Fail2Ban’s "time abbreviation format", as described in man 5 jail.conf.

ban-time (type: maybe-string) The duration, in seconds or time abbreviated format, that a ban should last (e.g. (ban-time "10m")).

ban-time-increment? (type: maybe-boolean) Whether to consider past bans to compute increases to the default ban time of a specific IP address.

ban-time-factor (type: maybe-string) The coefficient to use to compute an exponentially growing ban time.

ban-time-formula (type: maybe-string) This is the formula used to calculate the next value of a ban time.

ban-time-multipliers (type: maybe-string) Used to calculate the next value of ban time instead of the formula.

ban-time-max-time (type: maybe-string) The maximum number of seconds a ban should last.

ban-time-rnd-time (type: maybe-string) The maximum number of seconds a randomized ban time should last. This can be useful to stop “clever” botnets calculating the exact time an IP address can be unbanned again.

ban-time-overall-jails? (type: maybe-boolean) When true, it specifies the search of an IP address in the database should be made across all jails. Otherwise, only the current jail of the banned IP address is considered.

ignore-self? (type: maybe-boolean) Never ban the local machine’s own IP address.

ignore-ip (default: ()) (type: list-of-strings) A list of IP addresses, CIDR masks or DNS hosts to ignore. fail2ban will not ban a host which matches an address in this list.

ignore-cache (type: maybe-fail2ban-ignore-cache-configuration) Provide cache parameters for the ignore failure check.

filter (type: maybe-fail2ban-jail-filter-configuration) The filter to use by the jail, specified via a <fail2ban-jail-filter-configuration> object. By default, jails have names matching their filter name.

log-time-zone (type: maybe-string) The default time zone for log lines that do not have one.

log-encoding (type: maybe-symbol) The encoding of the log files handled by the jail. Possible values are: 'ascii, 'utf-8 and 'auto.

log-path (default: ()) (type: list-of-strings) The file names of the log files to be monitored.

action (default: ()) (type: list-of-fail2ban-jail-actions) A list of <fail2ban-jail-action-configuration>.

extra-content (default: ()) (type: text-config) Extra content for the jail configuration, provided as a list of file-like objects.
Available fail2ban-jail-filter-configuration fields are:

name (type: string) Filter to use.

mode (type: maybe-string) Mode for filter.
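An added example (not from the Guix manual) that puts the jail, filter and action records above together: an explicit sshd jail with a small retry budget, incrementing bans for repeat offenders and an allow-list so that administrators cannot lock themselves out. The log path, the admin network in ignore-ip and the (key . value) alist form of the action arguments are assumptions.

```scheme
(use-modules (gnu))
(use-service-modules security ssh)

(define %sshd-jail
  (fail2ban-jail-configuration
   (name "sshd")
   (enabled? #t)
   (backend 'auto)
   ;; Ban after 3 failures within 10 minutes; the first ban lasts an
   ;; hour and grows for hosts banned before, up to one day.
   (max-retry 3)
   (find-time "10m")
   (ban-time "1h")
   (ban-time-increment? #t)
   (ban-time-max-time "1d")
   ;; Never ban loopback or the (assumed) admin network.
   (ignore-ip '("127.0.0.1/8" "::1" "192.0.2.0/24"))
   ;; The sshd filter in "aggressive" mode also counts probes that
   ;; never reach password authentication.
   (filter (fail2ban-jail-filter-configuration
            (name "sshd")
            (mode "aggressive")))
   ;; Assumed location of the authentication log on this system.
   (log-path '("/var/log/secure"))
   ;; Assumed argument form: an alist of (key . value) strings.
   (action (list (fail2ban-jail-action-configuration
                  (name "iptables-multiport")
                  (arguments '(("port" . "ssh"))))))))

(operating-system
  ;; …
  (services
   (append (list (service fail2ban-service-type
                          (fail2ban-configuration
                           (extra-jails (list %sshd-jail))))
                 ;; The jail only bans what sshd logs, so run sshd too.
                 (service openssh-service-type))
           %base-services)))
```

The generated jail.local can be inspected under the daemon's run-directory after reconfiguring, which is the quickest way to confirm that the fields above were serialized as intended.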