* gnu/services/base.scm (run-with-writable-store)
(guix-ownership-change-program): New procedures.
(<guix-configuration>)[privileged?]: New field.
(guix-shepherd-service): Rename to…
(guix-shepherd-services): … this. Add the ‘guix-ownership’ service.
Change ‘guix-daemon’ service to depend on it; when unprivileged,
prefix ‘daemon-command’ by ‘run-with-writable-store’ and
omit ‘--build-users-group’; adjust socket activation endpoints.
(guix-accounts): When unprivileged, create the “guix-daemon” user and
group in addition to the others.
(guix-service-type)[extensions]: Adjust to name change.
* gnu/tests/base.scm (run-guix-daemon-test): Add ‘name’ parameter.
(%test-guix-daemon): Adjust accordingly.
(%test-guix-daemon-unprivileged): New test.
* doc/guix.texi (Base Services): Document ‘privileged?’.
(Migrating to the Unprivileged Daemon): Explain that this is automatic
on Guix System.
Reviewed-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Change-Id: I28a9a22e617416c551dccb24e43a253b544ba163

* doc/guix.texi (Build Environment Setup): Add “Migrating to the
Unprivileged Daemon” section.
(Upgrading Guix): Link to it.
Change-Id: I2bac3f4419d85b7c718c6c4a3908387b4f6ee582

Otherwise the service could fail to start if the networking interface takes
some time to be created during boot (one such example is WireGuard
interfaces).
* gnu/services/messaging.scm (ngircd-configuration)
[shepherd-requirement]: Add networking.
* doc/guix.texi (Messaging Services): Update.
Change-Id: I387ae5780a35cad5b74d9883ac53f13de1a08c78

This reverts commit b17268b53e, which was
meant for the ‘emacs-team’ branch as part of a patch series.
Change-Id: I9d9b01924698aaf5bb6ac2c8472311976eeaacc6

* doc/contributing.texi (Emacs Packages): Remove outdated commentary on
testing. We now run the tests by default, as is done in other build systems.
Change-Id: I245a0a412615a1177fbd1b6e723fda3749f7e49f
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

* gnu/services/sound.scm (speakersafetyd-configuration) [log-file]: New field.
(speakersafetyd): Use it via #:log-file.
Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2

* gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
(speakersafetyd-accounts): New procedure.
(speakersafetyd-activation): Likewise.
(speakersafetyd-shepherd-service): Specify the #:group, #:user and
#:supplementary-groups arguments.
(speakersafetyd-service-type): Extend activation-service-type.
Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2

The use of make-systemd-constructor appears to cause problems when connecting
via TLS (see: https://github.com/ngircd/ngircd/issues/330).
* gnu/services/messaging.scm (ngircd-global)[pid-file]: Set default value
and remove maybeness. Adjust doc.
* gnu/services/messaging.scm (ngircd-configuration): Adjust comment.
(ngircd-wrapper): Expose writable PID file and preserve pid namespace.
(ngircd-shepherd-service): Replace make-systemd-constructor with
make-forkexec-constructor and adjust surrounding accordingly.
(ngircd-activation): New procedure.
(ngircd-service-type): Extend activation-service-type with it.
Change-Id: Ic7c135ab45122e180107cde8bb9976426e3afbc4

This was the original intention, as PAM authentication cannot be easily
satisfied when the service runs as non-root, which is the case.
* gnu/services/messaging.scm (ngircd-configuration) <options>: Remove maybe
and set default value.
* doc/guix.texi (Messaging Services): Update.
Change-Id: I8435cf5be7206f9165d69cbbac11c205bf928c8f

* gnu/services/mail.scm (opensmtpd-configuration): Add log-file field.
(opensmtpd-shepherd-service)[start]: Add a command line flag to not
daemonize. Drop #:pid-file. Add #:log-file.
* doc/guix.texi (Mail Services): Document the additional parameter.
Change-Id: I485e040d680ccb39fa62e49d2e6ea916f047972c
Signed-off-by: Andreas Enge <andreas@enge.fr>

* gnu/services/web.scm (anonip-log-files): New procedure.
(anonip-service-type): Use it to extend ‘log-rotation-service-type’.
* doc/guix.texi (Log Rotation): Document it.
Change-Id: I903bb79e0992b794bb0a40e504283cd57a8a087b

* gnu/services/messaging.scm (ngircd-configuration): Adjust comment.
(ngircd-wrapper): Nest bindings within the (maybe-value-set? ssl) check, to
avoid errors when not providing an explicit value to the ssl field.
(ngircd-service-type) [default-value]: New field.
Change-Id: I1d2d7973cc9314e9bbc5870bf7b5f872d074b49b

* gnu/services/version-control.scm (<gitolite-configuration>): Add admin-name
field.
(gitolite-activation): Use it.
* doc/guix.texi (Version Control Services): Document it. Remove the wrong
default value of admin-pubkey. State the need for .pub extension.
Change-Id: Idadf4b2697cee6d1da10e6ba03bdc2e1d729c417
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>

In preparation for further customizability of the git configuration, extract
the current setup into a separate record type.
* gnu/services/version-control.scm (<gitolite-git-configuration>): New record
type.
(gitolite-git-configuration-compiler): Add a gexp compiler for it.
(<gitolite-configuration>): Add git-config field.
(gitolite-activation): Use it.
* doc/guix.texi (Version Control Services): Document both.
Change-Id: I7658698a93f938f62f41a4fa45b72de1eeb14414
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>

`file-database-service-type' appends the 'bin/updatedb' path to the `package'
field provided by `file-database-configuration'. This prevents users from
using alternate packages which also provide 'updatedb', but in a different
location.
For example, the `plocate' package installs 'updatedb' as 'sbin/updatedb'.
Fall back to 'sbin/' if 'updatedb' is not found in 'bin/'.
* gnu/services/admin.scm (<file-database-configuration>)[package]:
Update docstring.
(file-database-shepherd-services): Locate 'updatedb' binary.
* doc/guix.texi (File Search Services): Update accordingly.
Change-Id: Ic741716044be3a8f51a157510f9f923bd66c41d7
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Modified-by: Ludovic Courtès <ludo@gnu.org>

* doc/guix.texi (Networking Services): Replace
'go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird'
with 'lyrebird'. The old name was deprecated in
b80dcf5a07.
Change-Id: Iffcd1e30aecd0bccff2cfa9b8cab126556c0498b
Signed-off-by: Zheng Junjie <z572@z572.online>

This makes libvirt able to boot images that require a UEFI bootloader, with
the available firmwares exposed to libvirt made configurable via a new
configuration field. For more background on the problem this fixes, see the
same issue that was reported in NixOS (see:
https://github.com/NixOS/nixpkgs/issues/115996).
* gnu/services/virtualization.scm (list-of-file-likes?): New predicate.
(libvirt-configuration)[firmwares]: New field.
(/etc/qemu/firmware): New procedure.
(libvirt-service-type): Extend the etc-service-type with it.
(generate-libvirt-documentation): Delete obsolete procedure.
* doc/guix.texi: Re-generate doc.
* gnu/tests/virtualization.scm (run-libvirt-test): Augment memory from 256 to
512 MiB. Test it.
Series-to: 77110@debbugs.gnu.org
Change-Id: I40694964405f13681520bf1e28b7365b0200d8f7

Many thanks to Reepca Russelstein for their review and guidance on these
changes.
* nix/libstore/build.cc (guestUID, guestGID): New variables.
(DerivationGoal)[readiness]: New field.
(initializeUserNamespace): New function.
(DerivationGoal::runChild): When ‘readiness.readSide’ is positive, read
from it.
(DerivationGoal::startBuilder): Call ‘chown’
only when ‘buildUser.enabled()’ is true. Pass CLONE_NEWUSER to ‘clone’
when ‘buildUser.enabled()’ is false or not running as root. Retry
‘clone’ without CLONE_NEWUSER upon EPERM.
(DerivationGoal::registerOutputs): Make ‘actualPath’ writable before
‘rename’.
(DerivationGoal::deleteTmpDir): Catch ‘SysError’ around ‘_chown’ call.
* nix/libstore/local-store.cc (LocalStore::createUser): Do nothing if
‘dirs’ already exists. Warn instead of failing when failing to chown
‘dir’.
* guix/substitutes.scm (%narinfo-cache-directory): Check for
‘_NIX_OPTIONS’ rather than getuid() == 0 to determine the cache
location.
* doc/guix.texi (Build Environment Setup): Reorganize a bit. Add
section headings “Daemon Running as Root” and “The Isolated Build
Environment”. Add “Daemon Running Without Privileges” subsection.
Remove paragraph about ‘--disable-chroot’.
(Invoking guix-daemon): Warn against ‘--disable-chroot’ and explain why.
* tests/derivations.scm ("builder is outside the store"): New test.
Reviewed-by: Reepca Russelstein <reepca@russelstein.xyz>

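The clone-flag logic described in the commit message above (request CLONE_NEWUSER when there is no build user or the daemon is not root, and retry without it on EPERM), as an added stand-alone illustration in C. This is not the code from nix/libstore/build.cc; the names build_clone_flags and spawn_build_child are hypothetical, the child only reports whether it landed in a new user namespace (by comparing the inode of /proc/self/ns/user with the parent's), and it is Linux-only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag selection as the commit message describes it: ask for a user
   namespace whenever no dedicated build user is available or the daemon
   is not running as root.  The build-user state and the effective uid are
   parameters so the decision can be exercised without root. */
int build_clone_flags(int build_user_enabled, uid_t euid, int base_flags)
{
    if (!build_user_enabled || euid != 0)
        return base_flags | CLONE_NEWUSER;
    return base_flags;
}

/* Inode of the calling process's user namespace (0 if /proc is absent). */
static ino_t user_ns_inode(void)
{
    struct stat st;
    if (stat("/proc/self/ns/user", &st) != 0)
        return 0;
    return st.st_ino;
}

/* Child body: exit 0 if we are in a user namespace different from the
   parent's, 1 otherwise. */
static int child_main(void *arg)
{
    ino_t parent_ns = *(ino_t *)arg;
    return user_ns_inode() != parent_ns ? 0 : 1;
}

/* Spawn a child with FLAGS.  Returns 1 if the child ran in a new user
   namespace, 0 if it ran in the parent's namespace (no CLONE_NEWUSER
   requested, or the EPERM fallback was taken), -1 on any other error. */
int spawn_build_child(int flags)
{
    enum { STACK_SIZE = 64 * 1024 };
    char *stack = malloc(STACK_SIZE);
    if (!stack)
        return -1;
    ino_t parent_ns = user_ns_inode();
    pid_t pid = clone(child_main, stack + STACK_SIZE, flags | SIGCHLD, &parent_ns);
    if (pid < 0 && errno == EPERM && (flags & CLONE_NEWUSER)) {
        /* Same recovery as the commit describes: the kernel (or a seccomp
           policy) refused a user namespace, so retry with the rest of the
           flags and lose the isolation a user namespace would have given. */
        pid = clone(child_main, stack + STACK_SIZE,
                    (flags & ~CLONE_NEWUSER) | SIGCHLD, &parent_ns);
    }
    int result = -1;
    if (pid >= 0) {
        int status;
        if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
            result = (WEXITSTATUS(status) == 0) ? 1 : 0;
    }
    free(stack);
    return result;
}

int main(void)
{
    /* Unprivileged scenario: no build users, run as whoever invoked us. */
    int flags = build_clone_flags(0, geteuid(), 0);
    int r = spawn_build_child(flags);
    printf("requested CLONE_NEWUSER: %s; child in new user namespace: %s\n",
           (flags & CLONE_NEWUSER) ? "yes" : "no",
           r == 1 ? "yes" : r == 0 ? "no (fallback)" : "error");
    return r < 0;
}
```

The practitioner's point is the fallback branch: when unprivileged user namespaces are disabled (sysctl or seccomp) the build still runs, but without the uid/gid separation a user namespace provides, so a deployment that relies on the unprivileged daemon should check that `spawn_build_child` style probes actually report a new namespace rather than silently degrading.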
* doc/guix-cookbook.texi (Virtual Machines): [Routed network for
libvirt] {Creating a virtual network switch}: Remove unnecessarily
noncommittal language ("a few components/configurations, such as...").
Correct 'TUN interface', as bridges are currently used. Add a link to
the libvirt Wiki for more information.
Change-Id: I6ffdeca8e4d32155c8cce547d4930bf1b0cb471b
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>

* doc/guix-cookbook.texi (Virtual Machines) [Routed network for
libvirt]: Replace the term 'virtual bridge' with 'virtual network
switch'. This is the term used by the libvirt Wiki to refer to the
combined setup of a 'virtual bridge' network interface, dnsmasq instance
bound to it, and firewall rules associated with it; 'bridge' is
ambiguous because it is sometimes used with this meaning, and sometimes
to refer specifically to the virtual network device called a 'bridge'.
Change-Id: Ibd10fe76321eb61e9ca23d8124634d1108d4faad
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>

* gnu/home/services/messaging.scm (home-snuik-service-type): New variable.
* doc/guix.texi (Messaging Home Services): Document it.
Change-Id: I1e278e7d8ed04efcb1a2ce9e12e69cb6a31a9fa4