Next: Scheduled Job Execution, Up: Services [Contents][Index]
The (gnu services base)
module provides definitions for the basic
services that one expects from the system. The services exported by
this module are listed below.
This variable contains a list of basic services (see Service Types and Services, for more information on service objects) one would expect from the system: a login service (mingetty) on each tty, syslogd, the libc name service cache daemon (nscd), the udev device manager, and more.
This is the default value of the services
field of
operating-system
declarations. Usually, when customizing a
system, you will want to append services to %base-services
, like
this:
(append (list (service avahi-service-type) (service openssh-service-type)) %base-services)
This is the service that sets up “special files” such as
/bin/sh; an instance of it is part of %base-services
.
The value associated with special-files-service-type
services
must be a list of tuples where the first element is the “special file”
and the second element is its target. By default it is:
`(("/bin/sh" ,(file-append bash "/bin/sh")))
If you want to add, say, /usr/bin/env
to your system, you can
change it to:
`(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env")))
Since this is part of %base-services
, you can use
modify-services
to customize the set of special files
(see modify-services
). But the simple way
to add a special file is via the extra-special-file
procedure
(see below).
Use target as the “special file” file.
For example, adding the following lines to the services
field of
your operating system declaration leads to a /usr/bin/env
symlink:
(extra-special-file "/usr/bin/env" (file-append coreutils "/bin/env"))
Return a service that sets the host name to name.
Install the given fonts on the specified ttys (fonts are per
virtual console on the kernel Linux). The value of this service is a list of
tty/font pairs. The font can be the name of a font provided by the kbd
package or any valid argument to setfont
, as in this example:
`(("tty1" . "LatGrkCyr-8x16") ("tty2" . ,(file-append font-tamzen "/share/kbd/consolefonts/TamzenForPowerline10x20.psf")) ("tty3" . ,(file-append font-terminus "/share/consolefonts/ter-132n"))) ; for HDPI
Return a service to run login according to config, a
<login-configuration>
object, which specifies the message of the day,
among other things.
This is the data type representing the configuration of login.
motd
A file-like object containing the “message of the day”.
allow-empty-passwords?
(default: #t
)Allow empty passwords by default so that first-time users can log in when the ’root’ account has just been created.
Return a service to run mingetty according to config, a
<mingetty-configuration>
object, which specifies the tty to run, among
other things.
This is the data type representing the configuration of Mingetty, which provides the default implementation of virtual console log-in.
tty
The name of the console this Mingetty runs on—e.g., "tty1"
.
auto-login
(default: #f
)When true, this field must be a string denoting the user name under
which the system automatically logs in. When it is #f
, a
user name and password must be entered to log in.
login-program
(default: #f
)This must be either #f
, in which case the default log-in program
is used (login
from the Shadow tool suite), or a gexp denoting
the name of the log-in program.
login-pause?
(default: #f
)When set to #t
in conjunction with auto-login, the user
will have to press a key before the log-in shell is launched.
clear-on-logout?
(default: #t
)When set to #t
, the screen will be cleared after logout.
mingetty
(default: mingetty)The Mingetty package to use.
Return a service to run agetty according to config, an
<agetty-configuration>
object, which specifies the tty to run,
among other things.
This is the data type representing the configuration of agetty, which
implements virtual and serial console log-in. See the agetty(8)
man page for more information.
tty
The name of the console this agetty runs on, as a string—e.g.,
"ttyS0"
. This argument is optional, it will default to
a reasonable default serial port used by the kernel Linux.
For this, if there is a value for an option agetty.tty
in the kernel
command line, agetty will extract the device name of the serial port
from it and use that.
If not and if there is a value for an option console
with a tty in
the Linux command line, agetty will extract the device name of the
serial port from it and use that.
In both cases, agetty will leave the other serial device settings (baud rate etc.) alone—in the hope that Linux pinned them to the correct values.
baud-rate
(default: #f
)A string containing a comma-separated list of one or more baud rates, in descending order.
term
(default: #f
)A string containing the value used for the TERM
environment
variable.
eight-bits?
(default: #f
)When #t
, the tty is assumed to be 8-bit clean, and parity detection is
disabled.
auto-login
(default: #f
)When passed a login name, as a string, the specified user will be logged in automatically without prompting for their login name or password.
no-reset?
(default: #f
)When #t
, don’t reset terminal cflags (control modes).
host
(default: #f
)This accepts a string containing the “login_host”, which will be written into the /var/run/utmpx file.
remote?
(default: #f
)When set to #t
in conjunction with host, this will add an
-r
fakehost option to the command line of the login program
specified in login-program.
flow-control?
(default: #f
)When set to #t
, enable hardware (RTS/CTS) flow control.
no-issue?
(default: #f
)When set to #t
, the contents of the /etc/issue file will
not be displayed before presenting the login prompt.
init-string
(default: #f
)This accepts a string that will be sent to the tty or modem before sending anything else. It can be used to initialize a modem.
no-clear?
(default: #f
)When set to #t
, agetty will not clear the screen before showing
the login prompt.
login-program
(default: (file-append shadow "/bin/login"))This must be either a gexp denoting the name of a log-in program, or
unset, in which case the default value is the login
from the
Shadow tool suite.
local-line
(default: #f
)Control the CLOCAL line flag. This accepts one of three symbols as
arguments, 'auto
, 'always
, or 'never
. If #f
,
the default value chosen by agetty is 'auto
.
extract-baud?
(default: #f
)When set to #t
, instruct agetty to try to extract the baud rate
from the status messages produced by certain types of modems.
skip-login?
(default: #f
)When set to #t
, do not prompt the user for a login name. This
can be used with login-program field to use non-standard login
systems.
no-newline?
(default: #f
)When set to #t
, do not print a newline before printing the
/etc/issue file.
login-options
(default: #f
)This option accepts a string containing options that are passed to the login program. When used with the login-program, be aware that a malicious user could try to enter a login name containing embedded options that could be parsed by the login program.
login-pause
(default: #f
)When set to #t
, wait for any key before showing the login prompt.
This can be used in conjunction with auto-login to save memory by
lazily spawning shells.
chroot
(default: #f
)Change root to the specified directory. This option accepts a directory path as a string.
hangup?
(default: #f
)Use the Linux system call vhangup
to do a virtual hangup of the
specified terminal.
keep-baud?
(default: #f
)When set to #t
, try to keep the existing baud rate. The baud
rates from baud-rate are used when agetty receives a BREAK
character.
timeout
(default: #f
)When set to an integer value, terminate if no user name could be read within timeout seconds.
detect-case?
(default: #f
)When set to #t
, turn on support for detecting an uppercase-only
terminal. This setting will detect a login name containing only
uppercase letters as indicating an uppercase-only terminal and turn on
some upper-to-lower case conversions. Note that this will not support
Unicode characters.
wait-cr?
(default: #f
)When set to #t
, wait for the user or modem to send a
carriage-return or linefeed character before displaying
/etc/issue or login prompt. This is typically used with the
init-string option.
no-hints?
(default: #f
)When set to #t
, do not print hints about Num, Caps, and Scroll
locks.
no-hostname?
(default: #f
)By default, the hostname is printed. When this option is set to
#t
, no hostname will be shown at all.
long-hostname?
(default: #f
)By default, the hostname is only printed until the first dot. When this
option is set to #t
, the fully qualified hostname by
gethostname
or getaddrinfo
is shown.
erase-characters
(default: #f
)This option accepts a string of additional characters that should be interpreted as backspace when the user types their login name.
kill-characters
(default: #f
)This option accepts a string that should be interpreted to mean “ignore all previous characters” (also called a “kill” character) when the user types their login name.
chdir
(default: #f
)This option accepts, as a string, a directory path that will be changed to before login.
delay
(default: #f
)This options accepts, as an integer, the number of seconds to sleep before opening the tty and displaying the login prompt.
nice
(default: #f
)This option accepts, as an integer, the nice value with which to run the
login
program.
extra-options
(default: '()
)This option provides an “escape hatch” for the user to provide arbitrary
command-line arguments to agetty
as a list of strings.
shepherd-requirement
(default: '()
)The option can be used to provides extra shepherd requirements (for example
'syslogd
) to the respective 'term-
* shepherd service.
Return a service to run kmscon
according to config, a <kmscon-configuration>
object, which
specifies the tty to run, among other things.
This is the data type representing the configuration of Kmscon, which implements virtual console log-in.
virtual-terminal
The name of the console this Kmscon runs on—e.g., "tty1"
.
login-program
(default: #~(string-append #$shadow "/bin/login")
)A gexp denoting the name of the log-in program. The default log-in program is
login
from the Shadow tool suite.
login-arguments
(default: '("-p")
)A list of arguments to pass to login
.
auto-login
(default: #f
)When passed a login name, as a string, the specified user will be logged in automatically without prompting for their login name or password.
hardware-acceleration?
(default: #f)Whether to use hardware acceleration.
font-engine
(default: "pango"
)Font engine used in Kmscon.
font-size
(default: 12
)Font size used in Kmscon.
keyboard-layout
(default: #f
)If this is #f
, Kmscon uses the default keyboard layout—usually US
English (“qwerty”) for a 105-key PC keyboard.
Otherwise this must be a keyboard-layout
object specifying the
keyboard layout. See Keyboard Layout, for more information on how to
specify the keyboard layout.
kmscon
(default: kmscon)The Kmscon package to use.
Return a service that runs the libc name service cache daemon (nscd) with the
given config—an <nscd-configuration>
object. See Name Service Switch, for an example.
For convenience, the Shepherd service for nscd provides the following actions:
invalidate
This invalidate the given cache. For instance, running:
herd invalidate nscd hosts
invalidates the host name lookup cache of nscd.
statistics
Running herd statistics nscd
displays information about nscd usage
and caches.
This is the default <nscd-configuration>
value (see below) used
by nscd-service
. It uses the caches defined by
%nscd-default-caches
; see below.
This is the data type representing the name service cache daemon (nscd) configuration.
name-services
(default: '()
)List of packages denoting name services that must be visible to
the nscd—e.g., (list nss-mdns)
.
glibc
(default: glibc)Package object denoting the GNU C Library providing the nscd
command.
log-file
(default: "/var/log/nscd.log"
)Name of the nscd log file. This is where debugging output goes when
debug-level
is strictly positive.
debug-level
(default: 0
)Integer denoting the debugging levels. Higher numbers mean that more debugging output is logged.
caches
(default: %nscd-default-caches
)List of <nscd-cache>
objects denoting things to be cached; see
below.
Data type representing a cache database of nscd and its parameters.
database
This is a symbol representing the name of the database to be cached.
Valid values are passwd
, group
, hosts
, and
services
, which designate the corresponding NSS database
(see NSS Basics in The GNU C Library Reference Manual).
positive-time-to-live
negative-time-to-live
(default: 20
)A number representing the number of seconds during which a positive or negative lookup result remains in cache.
check-files?
(default: #t
)Whether to check for updates of the files corresponding to database.
For instance, when database is hosts
, setting this flag
instructs nscd to check for updates in /etc/hosts and to take
them into account.
persistent?
(default: #t
)Whether the cache should be stored persistently on disk.
shared?
(default: #t
)Whether the cache should be shared among users.
max-database-size
(default: 32 MiB)Maximum size in bytes of the database cache.
List of <nscd-cache>
objects used by default by
nscd-configuration
(see above).
It enables persistent and aggressive caching of service and host name lookups. The latter provides better host name lookup performance, resilience in the face of unreliable name servers, and also better privacy—often the result of host name lookups is in local cache, so external name servers do not even need to be queried.
This data type represents the configuration of the syslog daemon.
syslogd
(default: #~(string-append #$inetutils "/libexec/syslogd")
)The syslog daemon to use.
config-file
(default: %default-syslog.conf
)The syslog configuration file to use.
Return a service that runs a syslog daemon according to config.
See syslogd invocation in GNU Inetutils, for more information on the configuration file syntax.
This is the type of the service that runs the build daemon,
guix-daemon
(see Invoking guix-daemon). Its value must be a
guix-configuration
record as described below.
This data type represents the configuration of the Guix build daemon. See Invoking guix-daemon, for more information.
guix
(default: guix)The Guix package to use.
build-group
(default: "guixbuild"
)Name of the group for build user accounts.
build-accounts
(default: 10
)Number of build user accounts to create.
authorize-key?
(default: #t
)Whether to authorize the substitute keys listed in
authorized-keys
—by default that of
ci.guix.gnu.org
and
bordeaux.guix.gnu.org
(see Substitutes).
When authorize-key?
is true, /etc/guix/acl cannot be
changed by invoking guix archive --authorize
. You must
instead adjust guix-configuration
as you wish and reconfigure the
system. This ensures that your operating system configuration file is
self-contained.
Note: When booting or reconfiguring to a system where
authorize-key?
is true, the existing /etc/guix/acl file is backed up as /etc/guix/acl.bak if it was determined to be a manually modified file. This is to facilitate migration from earlier versions, which allowed for in-place modifications to /etc/guix/acl.
authorized-keys
(default: %default-authorized-guix-keys
)The list of authorized key files for archive imports, as a list of
string-valued gexps (see Invoking guix archive). By default, it
contains that of ci.guix.gnu.org
and
bordeaux.guix.gnu.org
(see Substitutes). See
substitute-urls
below for an example on how to change it.
use-substitutes?
(default: #t
)Whether to use substitutes.
substitute-urls
(default: %default-substitute-urls
)The list of URLs where to look for substitutes by default.
Suppose you would like to fetch substitutes from guix.example.org
in addition to ci.guix.gnu.org
. You will need to do
two things: (1) add guix.example.org
to substitute-urls
,
and (2) authorize its signing key, having done appropriate checks
(see Substitute Server Authorization). The configuration below does
exactly that:
(guix-configuration (substitute-urls (append (list "https://guix.example.org") %default-substitute-urls)) (authorized-keys (append (list (local-file "./guix.example.org-key.pub")) %default-authorized-guix-keys)))
This example assumes that the file ./guix.example.org-key.pub
contains the public key that guix.example.org
uses to sign
substitutes.
generate-substitute-key?
(default: #t
)Whether to generate a substitute key pair under /etc/guix/signing-key.pub and /etc/guix/signing-key.sec if there is not already one.
This key pair is used when exporting store items, for instance with
guix publish
(see Invoking guix publish) or guix
archive
(see Invoking guix archive). Generating a key pair takes a
few seconds when enough entropy is available and is only done once; you
might want to turn it off for instance in a virtual machine that does
not need it and where the extra boot time is a problem.
max-silent-time
(default: 0
)timeout
(default: 0
)The number of seconds of silence and the number of seconds of activity, respectively, after which a build process times out. A value of zero disables the timeout.
log-compression
(default: 'gzip
)The type of compression used for build logs—one of gzip
,
bzip2
, or none
.
discover?
(default: #f
)Whether to discover substitute servers on the local network using mDNS and DNS-SD.
extra-options
(default: '()
)List of extra command-line options for guix-daemon
.
log-file
(default: "/var/log/guix-daemon.log"
)File where guix-daemon
’s standard output and standard error
are written.
http-proxy
(default: #f
)The URL of the HTTP and HTTPS proxy used for downloading fixed-output derivations and substitutes.
It is also possible to change the daemon’s proxy at run time through the
set-http-proxy
action, which restarts it:
herd set-http-proxy guix-daemon http://localhost:8118
To clear the proxy settings, run:
herd set-http-proxy guix-daemon
tmpdir
(default: #f
)A directory path where the guix-daemon
will perform builds.
'()
]Run udev, which populates the /dev directory dynamically.
udev rules can be provided as a list of files through the rules
variable. The procedures udev-rule
, udev-rules-service
and file->udev-rule
from (gnu services base)
simplify the
creation of such rule files.
The herd rules udev
command, as root, returns the name of the
directory containing all the active udev rules.
Return a udev-rule file named file-name containing the rules defined by the contents literal.
In the following example, a rule for a USB device is defined to be stored in the file 90-usb-thing.rules. The rule runs a script upon detecting a USB device with a given product identifier.
(define %example-udev-rule (udev-rule "90-usb-thing.rules" (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", " "ATTR{product}==\"Example\", " "RUN+=\"/path/to/script\"")))
Return a service that extends udev-service-type
with rules
and account-service-type
with groups as system groups.
This works by creating a singleton service type
name-udev-rules
, of which the returned service is an
instance.
Here we show how it can be used to extend udev-service-type
with the
previously defined rule %example-udev-rule
.
(operating-system ;; … (services (cons (udev-rules-service 'usb-thing %example-udev-rule) %desktop-services)))
Return a udev file named file-name containing the rules defined within file, a file-like object.
The following example showcases how we can use an existing rule file.
(use-modules (guix download) ;for url-fetch (guix packages) ;for origin …) (define %android-udev-rules (file->udev-rule "51-android-udev.rules" (let ((version "20170910")) (origin (method url-fetch) (uri (string-append "https://raw.githubusercontent.com/M0Rf30/" "android-udev-rules/" version "/51-android.rules")) (sha256 (base32 "0lmmagpyb6xsq6zcr2w1cyx9qmjqmajkvrdbhjx32gqf1d9is003"))))))
Additionally, Guix package definitions can be included in rules in
order to extend the udev rules with the definitions found under their
lib/udev/rules.d sub-directory. In lieu of the previous
file->udev-rule example, we could have used the
android-udev-rules package which exists in Guix in the (gnu
packages android)
module.
The following example shows how to use the android-udev-rules
package so that the Android tool adb
can detect devices
without root privileges. It also details how to create the
adbusers
group, which is required for the proper functioning of
the rules defined within the android-udev-rules
package. To
create such a group, we must define it both as part of the
supplementary-groups
of our user-account
declaration, as
well as in the groups of the udev-rules-service
procedure.
(use-modules (gnu packages android) ;for android-udev-rules (gnu system shadow) ;for user-group …) (operating-system ;; … (users (cons (user-account ;; … (supplementary-groups '("adbusers" ;for adb "wheel" "netdev" "audio" "video"))))) ;; … (services (cons (udev-rules-service 'android android-udev-rules #:groups '("adbusers")) %desktop-services)))
Save some entropy in %random-seed-file
to seed /dev/urandom
when rebooting. It also tries to seed /dev/urandom from
/dev/hwrng while booting, if /dev/hwrng exists and is
readable.
This is the name of the file where some random bytes are saved by urandom-seed-service to seed /dev/urandom when rebooting. It defaults to /var/lib/random-seed.
This is the type of the service that runs GPM, the general-purpose mouse daemon, which provides mouse support to the Linux console. GPM allows users to use the mouse in the console, notably to select, copy, and paste text.
The value for services of this type must be a gpm-configuration
(see below). This service is not part of %base-services
.
Data type representing the configuration of GPM.
options
(default: %default-gpm-options
)Command-line options passed to gpm
. The default set of
options instruct gpm
to listen to mouse events on
/dev/input/mice. See Command Line in gpm manual, for
more information.
gpm
(default: gpm
)The GPM package to use.
This is the service type for guix publish
(see Invoking guix publish). Its value must be a guix-publish-configuration
object, as described below.
This assumes that /etc/guix already contains a signing key pair as
created by guix archive --generate-key
(see Invoking guix archive). If that is not the case, the service will fail to start.
Data type representing the configuration of the guix publish
service.
guix
(default: guix
)The Guix package to use.
port
(default: 80
)The TCP port to listen for connections.
host
(default: "localhost"
)The host (and thus, network interface) to listen to. Use
"0.0.0.0"
to listen on all the network interfaces.
advertise?
(default: #f
)When true, advertise the service on the local network via the DNS-SD protocol, using Avahi.
This allows neighboring Guix devices with discovery on (see
guix-configuration
above) to discover this guix publish
instance and to automatically download substitutes from it.
compression
(default: '(("gzip" 3) ("zstd" 3))
)This is a list of compression method/level tuple used when compressing substitutes. For example, to compress all substitutes with both lzip at level 7 and gzip at level 9, write:
'(("lzip" 7) ("gzip" 9))
Level 9 achieves the best compression ratio at the expense of increased CPU usage, whereas level 1 achieves fast compression. See Invoking guix publish, for more information on the available compression methods and the tradeoffs involved.
An empty list disables compression altogether.
nar-path
(default: "nar"
)The URL path at which “nars” can be fetched. See --nar-path, for details.
cache
(default: #f
)When it is #f
, disable caching and instead generate archives on
demand. Otherwise, this should be the name of a directory—e.g.,
"/var/cache/guix/publish"
—where guix publish
caches
archives and meta-data ready to be sent. See --cache, for more information on the tradeoffs involved.
workers
(default: #f
)When it is an integer, this is the number of worker threads used for
caching; when #f
, the number of processors is used.
See --workers, for more information.
cache-bypass-threshold
(default: 10 MiB)When cache
is true, this is the maximum size in bytes of a store
item for which guix publish
may bypass its cache in case of a
cache miss. See --cache-bypass-threshold, for more information.
ttl
(default: #f
)When it is an integer, this denotes the time-to-live in seconds of the published archives. See --ttl, for more information.
negative-ttl
(default: #f
)When it is an integer, this denotes the time-to-live in seconds for the negative lookups. See --negative-ttl, for more information.
Return a service that runs the rngd
program from rng-tools
to add device to the kernel’s entropy pool. The service will fail if
device does not exist.
'()
]Return a service that installs a configuration file for the
pam_limits
module. The procedure optionally takes a list of
pam-limits-entry
values, which can be used to specify
ulimit
limits and nice
priority limits to user sessions.
The following limits definition sets two hard and soft limits for all
login sessions of users in the realtime
group:
(pam-limits-service (list (pam-limits-entry "@realtime" 'both 'rtprio 99) (pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))
The first entry increases the maximum realtime priority for non-privileged processes; the second entry lifts any restriction of the maximum address space that can be locked in memory. These settings are commonly used for real-time audio systems.
Another useful example is raising the maximum number of open file descriptors that can be used:
(pam-limits-service (list (pam-limits-entry "*" 'both 'nofile 100000)))
In the above example, the asterisk means the limit should apply to any
user. It is important to ensure the chosen value doesn’t exceed the
maximum system value visible in the /proc/sys/fs/file-max file,
else the users would be prevented from login in. For more information
about the Pluggable Authentication Module (PAM) limits, refer to the
‘pam_limits’ man page from the linux-pam
package.
Next: Scheduled Job Execution, Up: Services [Contents][Index]