Next: Unattended Upgrades, Previous: Log Rotation, Up: Services [Contents][Index]
The (gnu services networking)
module provides services to configure
the network interface.
This is the type of services that run dhcp, a Dynamic Host Configuration
Protocol (DHCP) client, on all the non-loopback network interfaces. Its value
is the DHCP client package to use, isc-dhcp
by default.
This type defines a service that runs a DHCP daemon. To create a
service of this type, you must supply a <dhcpd-configuration>
.
For example:
(service dhcpd-service-type (dhcpd-configuration (config-file (local-file "my-dhcpd.conf")) (interfaces '("enp0s25"))))
package
(default: isc-dhcp
)The package that provides the DHCP daemon. This package is expected to provide the daemon at sbin/dhcpd relative to its output directory. The default package is the ISC’s DHCP server.
config-file
(default: #f
)The configuration file to use. This is required. It will be passed to
dhcpd
via its -cf
option. This may be any “file-like”
object (see file-like objects). See man
dhcpd.conf
for details on the configuration file syntax.
version
(default: "4"
)The DHCP version to use. The ISC DHCP server supports the values “4”,
“6”, and “4o6”. These correspond to the dhcpd
program
options -4
, -6
, and -4o6
. See man dhcpd
for
details.
run-directory
(default: "/run/dhcpd"
)The run directory to use. At service activation time, this directory will be created if it does not exist.
pid-file
(default: "/run/dhcpd/dhcpd.pid"
)The PID file to use. This corresponds to the -pf
option of
dhcpd
. See man dhcpd
for details.
interfaces
(default: '()
)The names of the network interfaces on which dhcpd should listen for
broadcasts. If this list is not empty, then its elements (which must be
strings) will be appended to the dhcpd
invocation when starting
the daemon. It may not be necessary to explicitly specify any
interfaces here; see man dhcpd
for details.
This is the type for statically-configured network interfaces.
'()
] [#:requirement '(udev)
]Return a service that starts interface with address ip. If netmask is true, use it as the network mask. If gateway is true, it must be a string specifying the default network gateway. requirement can be used to declare a dependency on another service before configuring the interface.
This procedure can be called several times, one for each network
interface of interest. Behind the scenes what it does is extend
static-networking-service-type
with additional network interfaces
to handle.
For example:
(static-networking-service "eno1" "192.168.1.82" #:gateway "192.168.1.2" #:name-servers '("192.168.1.2"))
Return a service that runs Wicd, a network management daemon that aims to simplify wired and wireless networking.
This service adds the wicd package to the global profile, providing
several commands to interact with the daemon and configure networking:
wicd-client
, a graphical user interface, and the wicd-cli
and wicd-curses
user interfaces.
This is the service type for the
ModemManager
service. The value for this service type is a
modem-manager-configuration
record.
This service is part of %desktop-services
(see Desktop Services).
Data type representing the configuration of ModemManager.
modem-manager
(default: modem-manager
)The ModemManager package to use.
This is the service type for the
USB_ModeSwitch
service. The value for this service type is
a usb-modeswitch-configuration
record.
When plugged in, some USB modems (and other USB devices) initially present themselves as a read-only storage medium and not as a modem. They need to be modeswitched before they are usable. The USB_ModeSwitch service type installs udev rules to automatically modeswitch these devices when they are plugged in.
This service is part of %desktop-services
(see Desktop Services).
Data type representing the configuration of USB_ModeSwitch.
usb-modeswitch
(default: usb-modeswitch
)The USB_ModeSwitch package providing the binaries for modeswitching.
usb-modeswitch-data
(default: usb-modeswitch-data
)The package providing the device data and udev rules file used by USB_ModeSwitch.
config-file
(default: #~(string-append #$usb-modeswitch:dispatcher "/etc/usb_modeswitch.conf")
)Which config file to use for the USB_ModeSwitch dispatcher. By default the
config file shipped with USB_ModeSwitch is used which disables logging to
/var/log among other default settings. If set to #f
, no config
file is used.
This is the service type for the
NetworkManager
service. The value for this service type is a
network-manager-configuration
record.
This service is part of %desktop-services
(see Desktop Services).
Data type representing the configuration of NetworkManager.
network-manager
(default: network-manager
)The NetworkManager package to use.
dns
(default: "default"
)Processing mode for DNS, which affects how NetworkManager uses the
resolv.conf
configuration file.
NetworkManager will update resolv.conf
to reflect the nameservers
provided by currently active connections.
NetworkManager will run dnsmasq
as a local caching nameserver, using a
conditional forwarding configuration if you are connected to a VPN, and
then update resolv.conf
to point to the local nameserver.
With this setting, you can share your network connection. For example when
you want to share your network connection to another laptop via an
Ethernet cable, you can open nm-connection-editor
and configure the
Wired connection’s method for IPv4 and IPv6 to be “Shared to other computers”
and reestablish the connection (or reboot).
You can also set up a host-to-guest connection to QEMU VMs
(see Installing Guix in a VM). With a host-to-guest connection, you can
e.g. access a Web server running on the VM (see Web Services) from a Web
browser on your host system, or connect to the VM via SSH
(see openssh-service-type
). To set up a
host-to-guest connection, run this command once:
nmcli connection add type tun \ connection.interface-name tap0 \ tun.mode tap tun.owner $(id -u) \ ipv4.method shared \ ipv4.addresses 172.28.112.1/24
Then each time you launch your QEMU VM (see Running Guix in a VM), pass
-nic tap,ifname=tap0,script=no,downscript=no to
qemu-system-...
.
NetworkManager will not modify resolv.conf
.
vpn-plugins
(default: '()
)This is the list of available plugins for virtual private networks
(VPNs). An example of this is the network-manager-openvpn
package, which allows NetworkManager to manage VPNs via OpenVPN.
This is the service type to run Connman, a network connection manager.
Its value must be an
connman-configuration
record as in this example:
(service connman-service-type (connman-configuration (disable-vpn? #t)))
See below for details about connman-configuration
.
Data Type representing the configuration of connman.
connman
(default: connman)The connman package to use.
disable-vpn?
(default: #f
)When true, disable connman’s vpn plugin.
This is the service type to run WPA supplicant, an authentication daemon required to authenticate against encrypted WiFi or ethernet networks.
Data type representing the configuration of WPA Supplicant.
It takes the following parameters:
wpa-supplicant
(default: wpa-supplicant
)The WPA Supplicant package to use.
requirement
(default: '(user-processes loopback syslogd)
List of services that should be started before WPA Supplicant starts.
dbus?
(default: #t
)Whether to listen for requests on D-Bus.
pid-file
(default: "/var/run/wpa_supplicant.pid"
)Where to store the PID file.
interface
(default: #f
)If this is set, it must specify the name of a network interface that WPA supplicant will control.
config-file
(default: #f
)Optional configuration file to use.
extra-options
(default: '()
)List of additional command-line arguments to pass to the daemon.
This is the service type to run the hostapd daemon to set up WiFi (IEEE 802.11) access points and
authentication servers. Its associated value must be a
hostapd-configuration
as shown below:
;; Use wlan1 to run the access point for "My Network". (service hostapd-service-type (hostapd-configuration (interface "wlan1") (ssid "My Network") (channel 12)))
This data type represents the configuration of the hostapd service, with the following fields:
package
(default: hostapd
)The hostapd package to use.
interface
(default: "wlan0"
)The network interface to run the WiFi access point.
ssid
The SSID (service set identifier), a string that identifies this network.
broadcast-ssid?
(default: #t
)Whether to broadcast this SSID.
channel
(default: 1
)The WiFi channel to use.
driver
(default: "nl80211"
)The driver interface type. "nl80211"
is used with all Linux
mac80211 drivers. Use "none"
if building hostapd as a standalone
RADIUS server that does # not control any wireless/wired driver.
extra-settings
(default: ""
)Extra settings to append as-is to the hostapd configuration file. See https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for the configuration file reference.
This is the type of a service to simulate WiFi networking, which can be
useful in virtual machines for testing purposes. The service loads the
Linux kernel
mac80211_hwsim
module and starts hostapd to create a pseudo WiFi
network that can be seen on wlan0
, by default.
The service’s value is a hostapd-configuration
record.
This is the service type to set up an iptables configuration. iptables is a packet filtering framework supported by the Linux kernel. This service supports configuring iptables for both IPv4 and IPv6. A simple example configuration rejecting all incoming connections except those to the ssh port 22 is shown below.
(service iptables-service-type (iptables-configuration (ipv4-rules (plain-file "iptables.rules" "*filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-port-unreachable COMMIT ")) (ipv6-rules (plain-file "ip6tables.rules" "*filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-port-unreachable COMMIT "))))
The data type representing the configuration of iptables.
iptables
(default: iptables
)The iptables package that provides iptables-restore
and
ip6tables-restore
.
ipv4-rules
(default: %iptables-accept-all-rules
)The iptables rules to use. It will be passed to iptables-restore
.
This may be any “file-like” object (see file-like
objects).
ipv6-rules
(default: %iptables-accept-all-rules
)The ip6tables rules to use. It will be passed to ip6tables-restore
.
This may be any “file-like” object (see file-like
objects).
This is the service type to set up a nftables configuration. nftables is a
netfilter project that aims to replace the existing iptables, ip6tables,
arptables and ebtables framework. It provides a new packet filtering
framework, a new user-space utility nft
, and a compatibility layer
for iptables. This service comes with a default ruleset
%default-nftables-ruleset
that rejecting all incoming connections
except those to the ssh port 22. To use it, simply write:
(service nftables-service-type)
The data type representing the configuration of nftables.
package
(default: nftables
)The nftables package that provides nft
.
ruleset
(default: %default-nftables-ruleset
)The nftables ruleset to use. This may be any “file-like” object (see file-like objects).
This is the type of the service running the Network Time Protocol (NTP) daemon, ntpd
. The daemon will keep the
system clock synchronized with that of the specified NTP servers.
The value of this service is an ntpd-configuration
object, as described
below.
This is the data type for the NTP service configuration.
servers
(default: %ntp-servers
)This is the list of servers (<ntp-server>
records) with which
ntpd
will be synchronized. See the ntp-server
data type
definition below.
allow-large-adjustment?
(default: #t
)This determines whether ntpd
is allowed to make an initial
adjustment of more than 1,000 seconds.
ntp
(default: ntp
)The NTP package to use.
List of host names used as the default NTP servers. These are servers of the NTP Pool Project.
The data type representing the configuration of a NTP server.
type
(default: 'server
)The type of the NTP server, given as a symbol. One of 'pool
,
'server
, 'peer
, 'broadcast
or 'manycastclient
.
address
The address of the server, as a string.
options
NTPD options to use with that specific server, given as a list of option names and/or of option names and values tuples. The following example define a server to use with the options iburst and prefer, as well as version 3 and a maxpoll time of 16 seconds.
(ntp-server (type 'server) (address "some.ntp.server.org") (options `(iburst (version 3) (maxpoll 16) prefer))))
Run the ntpd
, the Network Time Protocol (NTP) daemon, as implemented
by OpenNTPD. The daemon will keep the system
clock synchronized with that of the given servers.
(service openntpd-service-type (openntpd-configuration (listen-on '("127.0.0.1" "::1")) (sensor '("udcf0 correction 70000")) (constraint-from '("www.gnu.org")) (constraints-from '("https://www.google.com/"))))
This variable is a list of the server addresses defined in
%ntp-servers
.
openntpd
(default: (file-append openntpd "/sbin/ntpd")
)The openntpd executable to use.
listen-on
(default: '("127.0.0.1" "::1")
)A list of local IP addresses or hostnames the ntpd daemon should listen on.
query-from
(default: '()
)A list of local IP address the ntpd daemon should use for outgoing queries.
sensor
(default: '()
)Specify a list of timedelta sensor devices ntpd should use. ntpd
will listen to each sensor that actually exists and ignore non-existent ones.
See upstream documentation for more
information.
server
(default: '()
)Specify a list of IP addresses or hostnames of NTP servers to synchronize to.
servers
(default: %openntp-servers
)Specify a list of IP addresses or hostnames of NTP pools to synchronize to.
constraint-from
(default: '()
)ntpd
can be configured to query the ‘Date’ from trusted HTTPS servers via TLS.
This time information is not used for precision but acts as an authenticated
constraint, thereby reducing the impact of unauthenticated NTP
man-in-the-middle attacks.
Specify a list of URLs, IP addresses or hostnames of HTTPS servers to provide
a constraint.
constraints-from
(default: '()
)As with constraint from, specify a list of URLs, IP addresses or hostnames of
HTTPS servers to provide a constraint. Should the hostname resolve to multiple
IP addresses, ntpd
will calculate a median constraint from all of them.
This service runs the inetd
(see inetd invocation in GNU Inetutils) daemon. inetd
listens for
connections on internet sockets, and lazily starts the specified server
program when a connection is made on one of these sockets.
The value of this service is an inetd-configuration
object. The
following example configures the inetd
daemon to provide the
built-in echo
service, as well as an smtp service which
forwards smtp traffic over ssh to a server smtp-server
behind a
gateway hostname
:
(service inetd-service-type (inetd-configuration (entries (list (inetd-entry (name "echo") (socket-type 'stream) (protocol "tcp") (wait? #f) (user "root")) (inetd-entry (node "127.0.0.1") (name "smtp") (socket-type 'stream) (protocol "tcp") (wait? #f) (user "root") (program (file-append openssh "/bin/ssh")) (arguments '("ssh" "-qT" "-i" "/path/to/ssh_key" "-W" "smtp-server:25" "user@hostname")))))))
See below for more details about inetd-configuration
.
Data type representing the configuration of inetd
.
program
(default: (file-append inetutils "/libexec/inetd")
)The inetd
executable to use.
entries
(default: '()
)A list of inetd
service entries. Each entry should be created
by the inetd-entry
constructor.
Data type representing an entry in the inetd
configuration.
Each entry corresponds to a socket where inetd
will listen for
requests.
node
(default: #f
)Optional string, a comma-separated list of local addresses
inetd
should use when listening for this service.
See Configuration file in GNU Inetutils for a complete
description of all options.
name
A string, the name must correspond to an entry in /etc/services
.
socket-type
One of 'stream
, 'dgram
, 'raw
, 'rdm
or
'seqpacket
.
protocol
A string, must correspond to an entry in /etc/protocols
.
wait?
(default: #t
)Whether inetd
should wait for the server to exit before
listening to new service requests.
user
A string containing the user (and, optionally, group) name of the user
as whom the server should run. The group name can be specified in a
suffix, separated by a colon or period, i.e. "user"
,
"user:group"
or "user.group"
.
program
(default: "internal"
)The server program which will serve the requests, or "internal"
if inetd
should use a built-in service.
arguments
(default: '()
)A list strings or file-like objects, which are the server program’s
arguments, starting with the zeroth argument, i.e. the name of the
program itself. For inetd
’s internal services, this entry
must be '()
or '("internal")
.
See Configuration file in GNU Inetutils for a more detailed discussion of each configuration field.
This is the type of the service running a OpenDHT node, dhtnode
. The daemon can be used to host your
own proxy service to the distributed hash table (DHT), for example to
connect to with Jami, among other applications.
Important: When using the OpenDHT proxy server, the IP addresses it “sees” from the clients should be addresses reachable from other peers. In practice this means that a publicly reachable address is best suited for a proxy server, outside of your private network. For example, hosting the proxy server on a IPv4 private local network and exposing it via port forwarding could work for external peers, but peers local to the proxy would have their private addresses shared with the external peers, leading to connectivity problems.
The value of this service is a opendht-configuration
object, as
described below.
This is the data type for the OpenDHT service configuration.
Available opendht-configuration
fields are:
opendht-configuration
parameter: package opendhtThe opendht
package to use.
opendht-configuration
parameter: boolean peer-discovery?Whether to enable the multicast local peer discovery mechanism.
Defaults to ‘#f’.
opendht-configuration
parameter: boolean enable-logging?Whether to enable logging messages to syslog. It is disabled by default as it is rather verbose.
Defaults to ‘#f’.
opendht-configuration
parameter: boolean debug?Whether to enable debug-level logging messages. This has no effect if logging is disabled.
Defaults to ‘#f’.
opendht-configuration
parameter: maybe-string bootstrap-hostThe node host name that is used to make the first connection to the
network. A specific port value can be provided by appending the
:PORT
suffix. By default, it uses the Jami bootstrap nodes, but
any host can be specified here. It’s also possible to disable
bootsrapping by setting this to the 'disabled
symbol.
Defaults to ‘"bootstrap.jami.net:4222"’.
opendht-configuration
parameter: maybe-number portThe UDP port to bind to. When set to 'disabled
, an available
port is automatically selected.
Defaults to ‘4222’.
opendht-configuration
parameter: maybe-number proxy-server-portSpawn a proxy server listening on the specified port.
Defaults to ‘disabled’.
opendht-configuration
parameter: maybe-number proxy-server-port-tlsSpawn a proxy server listening to TLS connections on the specified port.
Defaults to ‘disabled’.
This is the type for a service that runs the Tor anonymous networking daemon. The service is configured using a
<tor-configuration>
record. By default, the Tor daemon runs as the
tor
unprivileged user, which is a member of the tor
group.
tor
(default: tor
)The package that provides the Tor daemon. This package is expected to provide the daemon at bin/tor relative to its output directory. The default package is the Tor Project’s implementation.
config-file
(default: (plain-file "empty" "")
)The configuration file to use. It will be appended to a default configuration
file, and the final configuration file will be passed to tor
via its
-f
option. This may be any “file-like” object (see file-like objects). See man tor
for details on the configuration file
syntax.
hidden-services
(default: '()
)The list of <hidden-service>
records to use. For any hidden service
you include in this list, appropriate configuration to enable the hidden
service will be automatically added to the default configuration file. You
may conveniently create <hidden-service>
records using the
tor-hidden-service
procedure described below.
socks-socket-type
(default: 'tcp
)The default socket type that Tor should use for its SOCKS socket. This must
be either 'tcp
or 'unix
. If it is 'tcp
, then by default
Tor will listen on TCP port 9050 on the loopback interface (i.e., localhost).
If it is 'unix
, then Tor will listen on the UNIX domain socket
/var/run/tor/socks-sock, which will be made writable by members of the
tor
group.
If you want to customize the SOCKS socket in more detail, leave
socks-socket-type
at its default value of 'tcp
and use
config-file
to override the default by providing your own
SocksPort
option.
control-socket?
(default: #f
)Whether or not to provide a “control socket” by which Tor can be
controlled to, for instance, dynamically instantiate tor onion services.
If #t
, Tor will listen for control commands on the UNIX domain socket
/var/run/tor/control-sock, which will be made writable by members of the
tor
group.
Define a new Tor hidden service called name and implementing mapping. mapping is a list of port/host tuples, such as:
'((22 "127.0.0.1:22") (80 "127.0.0.1:8080"))
In this example, port 22 of the hidden service is mapped to local port 22, and port 80 is mapped to local port 8080.
This creates a /var/lib/tor/hidden-services/name directory, where
the hostname file contains the .onion
host name for the hidden
service.
See the Tor project’s documentation for more information.
The (gnu services rsync)
module provides the following services:
You might want an rsync daemon if you have files that you want available so anyone (or just yourself) can download existing files or upload new files.
This is the service type for the rsync daemon,
The value for this service type is a
rsync-configuration
record as in this example:
(service rsync-service-type)
See below for details about rsync-configuration
.
Data type representing the configuration for rsync-service
.
package
(default: rsync)rsync
package to use.
address
(default: #f
)IP address on which rsync
listens for incoming connections.
If unspecified, it defaults to listening on all available addresses.
port-number
(default: 873
)TCP port on which rsync
listens for incoming connections. If port
is less than 1024
rsync
needs to be started as the
root
user and group.
pid-file
(default: "/var/run/rsyncd/rsyncd.pid"
)Name of the file where rsync
writes its PID.
lock-file
(default: "/var/run/rsyncd/rsyncd.lock"
)Name of the file where rsync
writes its lock file.
log-file
(default: "/var/log/rsyncd.log"
)Name of the file where rsync
writes its log file.
use-chroot?
(default: #t)Whether to use chroot for rsync
shared directory.
share-path
(default: /srv/rsync)Location of the rsync
shared directory.
share-comment
(default: "Rsync share"
)Comment of the rsync
shared directory.
read-only?
(default: #f)Read-write permissions to shared directory.
timeout
(default: 300
)I/O timeout in seconds.
user
(default: "root")Owner of the rsync
process.
group
(default: "root")Group of the rsync
process.
uid
(default: "rsyncd")User name or user ID that file transfers to and from that module should take
place as when the daemon was run as root
.
gid
(default: "rsyncd")Group name or group ID that will be used when accessing the module.
The (gnu services syncthing)
module provides the following services:
You might want a syncthing daemon if you have files between two or more computers and want to sync them in real time, safely protected from prying eyes.
This is the service type for the syncthing daemon, The value for this service type is a
syncthing-configuration
record as in this example:
(service syncthing-service-type (syncthing-configuration (user "alice")))
See below for details about syncthing-configuration
.
Data type representing the configuration for syncthing-service-type
.
syncthing
(default: syncthing)syncthing
package to use.
arguments
(default: ’())List of command-line arguments passing to syncthing
binary.
logflags
(default: 0)Sum of logging flags, see Syncthing documentation logflags.
user
(default: #f)The user as which the Syncthing service is to be run. This assumes that the specified user exists.
group
(default: "users")The group as which the Syncthing service is to be run. This assumes that the specified group exists.
home
(default: #f)Common configuration and data directory. The default configuration
directory is $HOME of the specified Syncthing user
.
Furthermore, (gnu services ssh)
provides the following services.
Run the lshd
program from lsh to listen on port port-number.
host-key must designate a file containing the host key, and readable
only by root.
When daemonic? is true, lshd
will detach from the
controlling terminal and log its output to syslogd, unless one sets
syslog-output? to false. Obviously, it also makes lsh-service
depend on existence of syslogd service. When pid-file? is true,
lshd
writes its PID to the file called pid-file.
When initialize? is true, automatically create the seed and host key upon service activation if they do not exist yet. This may take long and require interaction.
When initialize? is false, it is up to the user to initialize the randomness generator (see lsh-make-seed in LSH Manual), and to create a key pair with the private key stored in file host-key (see lshd basics in LSH Manual).
When interfaces is empty, lshd listens for connections on all the network interfaces; otherwise, interfaces must be a list of host names or addresses.
allow-empty-passwords? specifies whether to accept log-ins with empty passwords, and root-login? specifies whether to accept log-ins as root.
The other options should be self-descriptive.
This is the type for the OpenSSH secure
shell daemon, sshd
. Its value must be an
openssh-configuration
record as in this example:
(service openssh-service-type (openssh-configuration (x11-forwarding? #t) (permit-root-login 'prohibit-password) (authorized-keys `(("alice" ,(local-file "alice.pub")) ("bob" ,(local-file "bob.pub"))))))
See below for details about openssh-configuration
.
This service can be extended with extra authorized keys, as in this example:
(service-extension openssh-service-type (const `(("charlie" ,(local-file "charlie.pub")))))
This is the configuration record for OpenSSH’s sshd
.
openssh
(default openssh)The Openssh package to use.
pid-file
(default: "/var/run/sshd.pid"
)Name of the file where sshd
writes its PID.
port-number
(default: 22
)TCP port on which sshd
listens for incoming connections.
permit-root-login
(default: #f
)This field determines whether and when to allow logins as root. If
#f
, root logins are disallowed; if #t
, they are allowed.
If it’s the symbol 'prohibit-password
, then root logins are
permitted but not with password-based authentication.
allow-empty-passwords?
(default: #f
)When true, users with empty passwords may log in. When false, they may not.
password-authentication?
(default: #t
)When true, users may log in with their password. When false, they have other authentication methods.
public-key-authentication?
(default: #t
)When true, users may log in using public key authentication. When false, users have to use other authentication method.
Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only by protocol version 2.
x11-forwarding?
(default: #f
)When true, forwarding of X11 graphical client connections is
enabled—in other words, ssh
options -X and
-Y will work.
allow-agent-forwarding?
(default: #t
)Whether to allow agent forwarding.
allow-tcp-forwarding?
(default: #t
)Whether to allow TCP forwarding.
gateway-ports?
(default: #f
)Whether to allow gateway ports.
challenge-response-authentication?
(default: #f
)Specifies whether challenge response authentication is allowed (e.g. via PAM).
use-pam?
(default: #t
)Enables the Pluggable Authentication Module interface. If set to
#t
, this will enable PAM authentication using
challenge-response-authentication?
and
password-authentication?
, in addition to PAM account and session
module processing for all authentication types.
Because PAM challenge response authentication usually serves an
equivalent role to password authentication, you should disable either
challenge-response-authentication?
or
password-authentication?
.
print-last-log?
(default: #t
)Specifies whether sshd
should print the date and time of the
last user login when a user logs in interactively.
subsystems
(default: '(("sftp" "internal-sftp"))
)Configures external subsystems (e.g. file transfer daemon).
This is a list of two-element lists, each of which containing the subsystem name and a command (with optional arguments) to execute upon subsystem request.
The command internal-sftp
implements an in-process SFTP
server. Alternatively, one can specify the sftp-server
command:
(service openssh-service-type (openssh-configuration (subsystems `(("sftp" ,(file-append openssh "/libexec/sftp-server"))))))
accepted-environment
(default: '()
)List of strings describing which environment variables may be exported.
Each string gets on its own line. See the AcceptEnv
option in
man sshd_config
.
This example allows ssh-clients to export the COLORTERM
variable.
It is set by terminal emulators, which support colors. You can use it in
your shell’s resource file to enable colors for the prompt and commands
if this variable is set.
(service openssh-service-type (openssh-configuration (accepted-environment '("COLORTERM"))))
authorized-keys
(default: '()
)This is the list of authorized keys. Each element of the list is a user name followed by one or more file-like objects that represent SSH public keys. For example:
(openssh-configuration (authorized-keys `(("rekado" ,(local-file "rekado.pub")) ("chris" ,(local-file "chris.pub")) ("root" ,(local-file "rekado.pub") ,(local-file "chris.pub")))))
registers the specified public keys for user accounts rekado
,
chris
, and root
.
Additional authorized keys can be specified via
service-extension
.
Note that this does not interfere with the use of ~/.ssh/authorized_keys.
log-level
(default: 'info
)This is a symbol specifying the logging level: quiet
, fatal
,
error
, info
, verbose
, debug
, etc. See the man
page for sshd_config for the full list of level names.
extra-content
(default: ""
)This field can be used to append arbitrary text to the configuration file. It is especially useful for elaborate configurations that cannot be expressed otherwise. This configuration, for example, would generally disable root logins, but permit them from one specific IP address:
(openssh-configuration (extra-content "\ Match Address 192.168.0.1 PermitRootLogin yes"))
Run the Dropbear SSH
daemon with the given config, a <dropbear-configuration>
object.
For example, to specify a Dropbear service listening on port 1234, add
this call to the operating system’s services
field:
(dropbear-service (dropbear-configuration (port-number 1234)))
This data type represents the configuration of a Dropbear SSH daemon.
dropbear
(default: dropbear)The Dropbear package to use.
port-number
(default: 22)The TCP port where the daemon waits for incoming connections.
syslog-output?
(default: #t
)Whether to enable syslog output.
pid-file
(default: "/var/run/dropbear.pid"
)File name of the daemon’s PID file.
root-login?
(default: #f
)Whether to allow root
logins.
allow-empty-passwords?
(default: #f
)Whether to allow empty passwords.
password-authentication?
(default: #t
)Whether to enable password-based authentication.
This is the type for the AutoSSH program that runs a copy of ssh
and monitors it,
restarting it as necessary should it die or stop passing traffic.
AutoSSH can be run manually from the command-line by passing arguments
to the binary autossh
from the package autossh
, but it
can also be run as a Guix service. This latter use case is documented
here.
AutoSSH can be used to forward local traffic to a remote machine using an SSH tunnel, and it respects the ~/.ssh/config of the user it is run as.
For example, to specify a service running autossh as the user
pino
and forwarding all local connections to port 8081
to
remote:8081
using an SSH tunnel, add this call to the operating
system’s services
field:
(service autossh-service-type (autossh-configuration (user "pino") (ssh-options (list "-T" "-N" "-L" "8081:localhost:8081" "remote.net"))))
This data type represents the configuration of an AutoSSH service.
user
(default "autossh"
)The user as which the AutoSSH service is to be run. This assumes that the specified user exists.
poll
(default 600
)Specifies the connection poll time in seconds.
first-poll
(default #f
)Specifies how many seconds AutoSSH waits before the first connection
test. After this first test, polling is resumed at the pace defined in
poll
. When set to #f
, the first poll is not treated
specially and will also use the connection poll specified in
poll
.
gate-time
(default 30
)Specifies how many seconds an SSH connection must be active before it is considered successful.
log-level
(default 1
)The log level, corresponding to the levels used by syslog—so 0
is the most silent while 7
is the chattiest.
max-start
(default #f
)The maximum number of times SSH may be (re)started before AutoSSH exits.
When set to #f
, no maximum is configured and AutoSSH may restart indefinitely.
message
(default ""
)The message to append to the echo message sent when testing connections.
port
(default "0"
)The ports used for monitoring the connection. When set to "0"
,
monitoring is disabled. When set to "n"
where n is
a positive integer, ports n and n+1 are used for
monitoring the connection, such that port n is the base
monitoring port and n+1
is the echo port. When set to
"n:m"
where n and m are positive
integers, the ports n and m are used for monitoring the
connection, such that port n is the base monitoring port and
m is the echo port.
ssh-options
(default '()
)The list of command-line arguments to pass to ssh
when it is
run. Options -f and -M are reserved for AutoSSH and
may cause undefined behaviour.
This is the type for the WebSSH
program that runs a web SSH client. WebSSH can be run manually from the
command-line by passing arguments to the binary wssh
from the
package webssh
, but it can also be run as a Guix service. This
latter use case is documented here.
For example, to specify a service running WebSSH on loopback interface
on port 8888
with reject policy with a list of allowed to
connection hosts, and NGINX as a reverse-proxy to this service listening
for HTTPS connection, add this call to the operating system’s
services
field:
(service webssh-service-type (webssh-configuration (address "127.0.0.1") (port 8888) (policy 'reject) (known-hosts '("localhost ecdsa-sha2-nistp256 AAAA…" "127.0.0.1 ecdsa-sha2-nistp256 AAAA…")))) (service nginx-service-type (nginx-configuration (server-blocks (list (nginx-server-configuration (inherit %webssh-configuration-nginx) (server-name '("webssh.example.com")) (listen '("443 ssl")) (ssl-certificate (letsencrypt-certificate "webssh.example.com")) (ssl-certificate-key (letsencrypt-key "webssh.example.com")) (locations (cons (nginx-location-configuration (uri "/.well-known") (body '("root /var/www;"))) (nginx-server-configuration-locations %webssh-configuration-nginx))))))))
Data type representing the configuration for webssh-service
.
package
(default: webssh)webssh
package to use.
user-name
(default: "webssh")User name or user ID that file transfers to and from that module should take place.
group-name
(default: "webssh")Group name or group ID that will be used when accessing the module.
address
(default: #f)IP address on which webssh
listens for incoming connections.
port
(default: 8888)TCP port on which webssh
listens for incoming connections.
policy
(default: #f)Connection policy. reject policy requires to specify known-hosts.
known-hosts
(default: ’())List of hosts which allowed for SSH connection from webssh
.
log-file
(default: "/var/log/webssh.log")Name of the file where webssh
writes its log file.
log-level
(default: #f)Logging level.
This variable contains a string for use in /etc/hosts
(see Host Names in The GNU C Library Reference Manual). Each
line contains a entry that maps a known server name of the Facebook
on-line service—e.g., www.facebook.com
—to the local
host—127.0.0.1
or its IPv6 equivalent, ::1
.
This variable is typically used in the hosts-file
field of an
operating-system
declaration (see /etc/hosts):
(use-modules (gnu) (guix)) (operating-system (host-name "mymachine") ;; ... (hosts-file ;; Create a /etc/hosts file with aliases for "localhost" ;; and "mymachine", as well as for Facebook servers. (plain-file "hosts" (string-append (local-host-aliases host-name) %facebook-host-aliases))))
This mechanism can prevent programs running locally, such as Web browsers, from accessing Facebook.
The (gnu services avahi)
provides the following definition.
This is the service that runs avahi-daemon
, a system-wide
mDNS/DNS-SD responder that allows for service discovery and
“zero-configuration” host name lookups (see https://avahi.org/).
Its value must be an avahi-configuration
record—see below.
This service extends the name service cache daemon (nscd) so that it can
resolve .local
host names using
nss-mdns. See Name Service Switch, for information on host name resolution.
Additionally, add the avahi package to the system profile so that
commands such as avahi-browse
are directly usable.
Data type representation the configuration for Avahi.
host-name
(default: #f
)If different from #f
, use that as the host name to
publish for this machine; otherwise, use the machine’s actual host name.
publish?
(default: #t
)When true, allow host names and services to be published (broadcast) over the network.
publish-workstation?
(default: #t
)When true, avahi-daemon
publishes the machine’s host name and IP
address via mDNS on the local network. To view the host names published on
your local network, you can run:
avahi-browse _workstation._tcp
wide-area?
(default: #f
)When true, DNS-SD over unicast DNS is enabled.
ipv4?
(default: #t
)ipv6?
(default: #t
)These fields determine whether to use IPv4/IPv6 sockets.
domains-to-browse
(default: '()
)This is a list of domains to browse.
This is the type of the Open vSwitch
service, whose value should be an openvswitch-configuration
object.
Data type representing the configuration of Open vSwitch, a multilayer virtual switch which is designed to enable massive network automation through programmatic extension.
package
(default: openvswitch)Package object of the Open vSwitch.
This is the service type for the PageKite service,
a tunneling solution for making localhost servers publicly visible, even from
behind restrictive firewalls or NAT without forwarded ports. The value for
this service type is a pagekite-configuration
record.
Here’s an example exposing the local HTTP and SSH daemons:
(service pagekite-service-type (pagekite-configuration (kites '("http:@kitename:localhost:80:@kitesecret" "raw/22:@kitename:localhost:22:@kitesecret")) (extra-file "/etc/pagekite.rc")))
Data type representing the configuration of PageKite.
package
(default: pagekite)Package object of PageKite.
kitename
(default: #f
)PageKite name for authenticating to the frontend server.
kitesecret
(default: #f
)Shared secret for authenticating to the frontend server. You should probably
put this inside extra-file
instead.
frontend
(default: #f
)Connect to the named PageKite frontend server instead of the pagekite.net service.
kites
(default: '("http:@kitename:localhost:80:@kitesecret")
)List of service kites to use. Exposes HTTP on port 80 by default. The format
is proto:kitename:host:port:secret
.
extra-file
(default: #f
)Extra configuration file to read, which you are expected to create manually. Use this to add additional options and manage shared secrets out-of-band.
The service type for connecting to the Yggdrasil network, an early-stage implementation of a fully end-to-end encrypted IPv6 network.
Yggdrasil provides name-independent routing with cryptographically generated addresses. Static addressing means you can keep the same address as long as you want, even if you move to a new location, or generate a new address (by generating new keys) whenever you want. https://yggdrasil-network.github.io/2018/07/28/addressing.html
Pass it a value of yggdrasil-configuration
to connect it to public
peers and/or local peers.
Here is an example using public peers and a static address. The static
signing and encryption keys are defined in /etc/yggdrasil-private.conf
(the default value for config-file
).
;; part of the operating-system declaration (service yggdrasil-service-type (yggdrasil-configuration (autoconf? #f) ;; use only the public peers (json-config ;; choose one from ;; https://github.com/yggdrasil-network/public-peers '((peers . #("tcp://1.2.3.4:1337")))) ;; /etc/yggdrasil-private.conf is the default value for config-file ))
# sample content for /etc/yggdrasil-private.conf { # Your public encryption key. Your peers may ask you for this to put # into their AllowedEncryptionPublicKeys configuration. EncryptionPublicKey: 378dc5... # Your private encryption key. DO NOT share this with anyone! EncryptionPrivateKey: 0777... # Your public signing key. You should not ordinarily need to share # this with anyone. SigningPublicKey: e1664... # Your private signing key. DO NOT share this with anyone! SigningPrivateKey: 0589d... }
Data type representing the configuration of Yggdrasil.
package
(default: yggdrasil
)Package object of Yggdrasil.
json-config
(default: '()
)Contents of /etc/yggdrasil.conf. Will be merged with
/etc/yggdrasil-private.conf. Note that these settings are stored in
the Guix store, which is readable to all users. Do not store your
private keys in it. See the output of yggdrasil -genconf
for a
quick overview of valid keys and their default values.
autoconf?
(default: #f
)Whether to use automatic mode. Enabling it makes Yggdrasil use adynamic IP and peer with IPv6 neighbors.
log-level
(default: 'info
)How much detail to include in logs. Use 'debug
for more detail.
log-to
(default: 'stdout
)Where to send logs. By default, the service logs standard output to
/var/log/yggdrasil.log. The alternative is 'syslog
, which
sends output to the running syslog service.
config-file
(default: "/etc/yggdrasil-private.conf"
)What HJSON file to load sensitive data from. This is where private keys
should be stored, which are necessary to specify if you don’t want a
randomized address after each restart. Use #f
to disable. Options
defined in this file take precedence over json-config
. Use the output
of yggdrasil -genconf
as a starting point. To configure a static
address, delete everything except these options:
EncryptionPublicKey
EncryptionPrivateKey
SigningPublicKey
SigningPrivateKey
The service type for connecting to the IPFS network,
a global, versioned, peer-to-peer file system. Pass it a
ipfs-configuration
to change the ports used for the gateway and API.
Here’s an example configuration, using some non-standard ports:
(service ipfs-service-type (ipfs-configuration (gateway "/ip4/127.0.0.1/tcp/8880") (api "/ip4/127.0.0.1/tcp/8881")))
Data type representing the configuration of IPFS.
package
(default: go-ipfs
)Package object of IPFS.
gateway
(default: "/ip4/127.0.0.1/tcp/8082"
)Address of the gateway, in ‘multiaddress’ format.
api
(default: "/ip4/127.0.0.1/tcp/5001"
)Address of the API endpoint, in ‘multiaddress’ format.
This is the type for the Keepalived
routing software, keepalived
. Its value must be an
keepalived-configuration
record as in this example for master
machine:
(service keepalived-service-type (keepalived-configuration (config-file (local-file "keepalived-master.conf"))))
where keepalived-master.conf:
vrrp_instance my-group { state MASTER interface enp9s0 virtual_router_id 100 priority 100 unicast_peer { 10.0.0.2 } virtual_ipaddress { 10.0.0.4/24 } }
and for backup machine:
(service keepalived-service-type (keepalived-configuration (config-file (local-file "keepalived-backup.conf"))))
where keepalived-backup.conf:
vrrp_instance my-group { state BACKUP interface enp9s0 virtual_router_id 100 priority 99 unicast_peer { 10.0.0.3 } virtual_ipaddress { 10.0.0.4/24 } }
Next: Unattended Upgrades, Previous: Log Rotation, Up: Services [Contents][Index]