From 54d6223d2c240c0214c123e0b0aa977a01a3c209 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 9 May 2015 16:41:38 +0200 Subject: doc: Rename OS config example. * gnu/system/os-config.tmpl: Rename to... * gnu/system/examples/bare-bones.tmpl: ... this. * Makefile.am (EXAMPLES): Adjust accordingly. * doc.am (doc/os-config.texi): Likewise. * gnu/system/install.scm (configuration-template-service)[template]: Likewise.
--- gnu/system/examples/bare-bones.tmpl | 47 +++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 gnu/system/examples/bare-bones.tmpl (limited to 'gnu/system/examples')
diff --git a/gnu/system/examples/bare-bones.tmpl b/gnu/system/examples/bare-bones.tmpl new file mode 100644
index 0000000000..e14c95733a
--- /dev/null
+++ b/gnu/system/examples/bare-bones.tmpl
@@ -0,0 +1,47 @@
+;; This is an operating system configuration template.
+
+(use-modules (gnu))
+(use-service-modules xorg networking dbus avahi)
+(use-package-modules xorg avahi)
+
+(operating-system
+ (host-name "antelope")
+ (timezone "Europe/Paris")
+ (locale "en_US.UTF-8")
+
+ ;; Assuming /dev/sdX is the target hard disk, and "root" is
+ ;; the label of the target root file system.
+ (bootloader (grub-configuration (device "/dev/sdX")))
+ (file-systems (cons (file-system
+ (device "root")
+ (title 'label)
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+
+ ;; This is where user accounts are specified. The "root"
+ ;; account is implicit, and is initially created with the
+ ;; empty password.
+ (users (list (user-account
+ (name "alice")
+ (comment "Bob's sister")
+ (group "users")
+
+ ;; Adding the account to the "wheel" group
+ ;; makes it a sudoer. Adding it to "audio"
+ ;; and "video" allows the user to play sound
+ ;; and access the webcam.
+ (supplementary-groups '("wheel"
+ "audio" "video"))
+ (home-directory "/home/alice"))))
+
+ ;; Globally-installed packages.
+ (packages (cons xterm %base-packages))
+
+ ;; Add services to the baseline: the SLiM log-in manager
+ ;; for Xorg sessions, a DHCP client, Avahi, and D-Bus.
+ (services (cons* (slim-service)
+ (dhcp-client-service)
+ (avahi-service)
+ (dbus-service (list avahi))
+ %base-services)))
-- cgit v1.2.3 From 36ffaca2469e6a98e23f59c4a7e82ed985710310 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès Date: Sat, 9 May 2015 23:16:11 +0200 Subject: doc: Add desktop configuration example. * gnu/system/examples/bare-bones.tmpl: Change 'packages' and 'host-name'. Remove D-Bus, Avahi, and SLiM services, and add lsh instead. * gnu/system/examples/desktop.tmpl: New file. * Makefile.am (EXAMPLES): Add it. --- Makefile.am | 3 ++- gnu/system/examples/bare-bones.tmpl | 23 ++++++++++---------- gnu/system/examples/desktop.tmpl | 42 +++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 13 deletions(-) create mode 100644 gnu/system/examples/desktop.tmpl (limited to 'gnu/system/examples') diff --git a/Makefile.am b/Makefile.am index b20421a753..6478aeb8e0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -135,7 +135,8 @@ KCONFIGS = \ # Templates, examples. EXAMPLES = \ - gnu/system/examples/bare-bones.tmpl + gnu/system/examples/bare-bones.tmpl \ + gnu/system/examples/desktop.tmpl GOBJECTS = $(MODULES:%.scm=%.go) guix/config.go guix/tests.go diff --git a/gnu/system/examples/bare-bones.tmpl b/gnu/system/examples/bare-bones.tmpl index e14c95733a..8f4faca2d3 100644 --- a/gnu/system/examples/bare-bones.tmpl +++ b/gnu/system/examples/bare-bones.tmpl @@ -1,12 +1,13 @@ -;; This is an operating system configuration template. +;; This is an operating system configuration template +;; for a "bare bones" setup, with no X11 display server. (use-modules (gnu)) -(use-service-modules xorg networking dbus avahi) -(use-package-modules xorg avahi) +(use-service-modules networking ssh) +(use-package-modules admin) (operating-system - (host-name "antelope") - (timezone "Europe/Paris") + (host-name "komputilo") + (timezone "Europe/Berlin") (locale "en_US.UTF-8") ;; Assuming /dev/sdX is the target hard disk, and "root" is 
@@ -36,12 +37,10 @@ (home-directory "/home/alice")))) ;; Globally-installed packages. - (packages (cons xterm %base-packages)) + (packages (cons tcpdump %base-packages)) - ;; Add services to the baseline: the SLiM log-in manager - ;; for Xorg sessions, a DHCP client, Avahi, and D-Bus. - (services (cons* (slim-service) - (dhcp-client-service) - (avahi-service) - (dbus-service (list avahi)) + ;; Add services to the baseline: a DHCP client and + ;; an SSH server. + (services (cons* (dhcp-client-service) + (lsh-service #:port-number 2222) %base-services))) diff --git a/gnu/system/examples/desktop.tmpl b/gnu/system/examples/desktop.tmpl new file mode 100644 index 0000000000..07e3f0b1d6 --- /dev/null +++ b/gnu/system/examples/desktop.tmpl 
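Review bot: The new comment above the `services` field says only "an SSH server" and does not explain why `(lsh-service #:port-number 2222)` moves it off the default port 22, so anyone copying this template inherits a non-default port without knowing it is deliberate; `;; an SSH server, listening on port 2222 instead of the default 22.` would make the choice visible. The `users` comment earlier in this same file (added in the previous commit) states that the implicit "root" account is initially created with the empty password, so the services comment is also the natural place to remind readers to set passwords before the first boot exposes the SSH service to the network. Whether lsh-service accepts password logins for root is not visible in this hunk, so that reminder should be phrased as advice rather than as a statement about lsh's defaults. The enclosing `operating-system` form begins outside this hunk.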
@@ -0,0 +1,42 @@
+;; This is an operating system configuration template
+;; for a "desktop" setup with X11.
+
+(use-modules (gnu) (gnu system nss))
+(use-service-modules desktop)
+(use-package-modules xfce ratpoison wicd avahi xorg)
+
+(operating-system
+ (host-name "antelope")
+ (timezone "Europe/Paris")
+ (locale "en_US.UTF-8")
+
+ ;; Assuming /dev/sdX is the target hard disk, and "root" is
+ ;; the label of the target root file system.
+ (bootloader (grub-configuration (device "/dev/sdX")))
+ (file-systems (cons (file-system
+ (device "root")
+ (title 'label)
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+
+ (users (list (user-account
+ (name "bob")
+ (comment "Alice's brother")
+ (group "users")
+ (supplementary-groups '("wheel"
+ "audio" "video"))
+ (home-directory "/home/bob"))))
+
+ ;; Add Xfce and Ratpoison; that allows us to choose
+ ;; sessions using either of these at the log-in screen.
+ (packages (cons* xfce ratpoison ;desktop environments
+ xterm wicd avahi ;useful tools
+ %base-packages))
+
+ ;; Use the "desktop" services, which include the X11
+ ;; log-in service, networking with Wicd, and more.
+ (services %desktop-services)
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss))
-- cgit v1.2.3 From efb5e833ba0450c5136e7a282c83789bd623afd1 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Mon, 11 May 2015 22:59:29 +0200 Subject: doc: Document X.509 certificates. * doc/guix.texi (Using the Configuration System): Add xref to "X.509 Certificates". (X.509 Certificates): New section. * gnu/system/examples/desktop.tmpl: Use NSS-CERTS.
--- doc/guix.texi | 46 +++++++++++++++++++++++++++++++++++++++- gnu/system/examples/desktop.tmpl | 3 ++- 2 files changed, 47 insertions(+), 2 deletions(-) (limited to 'gnu/system/examples')
diff --git a/doc/guix.texi b/doc/guix.texi
index 698b63fac5..137b39bed2 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
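Review bot: The `users` field of desktop.tmpl puts "bob" into "wheel" with no comment at all, while bare-bones.tmpl documents on the equivalent lines that "wheel" membership makes the account a sudoer and that the implicit "root" account is initially created with the empty password; a reader who starts from the desktop template gets neither piece of information. I would carry both comments over, placing `;; The "root" account is implicit, and is initially created with the empty password.` above `(users (list (user-account` and `;; "wheel" makes the account a sudoer; "audio" and "video" allow sound playback and webcam access.` above `(supplementary-groups '("wheel"`. The two templates would then describe the same privilege model in the same words, which matters because this one is what most users will copy.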
@@ -3998,6 +3998,7 @@ instance to support new system services. * Locales:: Language and cultural convention settings. * Services:: Specifying system services. * Setuid Programs:: Programs running with root privileges. +* X.509 Certificates:: Authenticating HTTPS servers. * Name Service Switch:: Configuring libc's name service switch. * Initial RAM Disk:: Linux-Libre bootstrapping. * GRUB Configuration:: Configuring the boot loader. @@ -4058,7 +4059,8 @@ more, would look like this: @end lisp @xref{Desktop Services}, for the exact list of services provided by -@var{%desktop-services}. +@var{%desktop-services}. @xref{X.509 Certificates}, for background +information about the @code{nss-certs} package that is used here. Assuming the above snippet is stored in the @file{my-system-config.scm} file, the @command{guix system reconfigure my-system-config.scm} command 
@@ -5172,6 +5174,48 @@ Under the hood, the actual setuid programs are created in the files in this directory refer to the ``real'' binaries, which are in the store. +@node X.509 Certificates +@subsection X.509 Certificates + +@cindex HTTPS, certificates +@cindex X.509 certificates +@cindex TLS +Web servers available over HTTPS (that is, HTTP over the transport-layer +security mechanism, TLS) send client programs an @dfn{X.509 certificate} +that the client can then use to @emph{authenticate} the server. To do +that, clients verify that the server's certificate is signed by a +so-called @dfn{certificate authority} (CA). But to verify the CA's +signature, clients must have first acquired the CA's certificate. + +Web browsers such as GNU@tie{}IceCat include their own set of CA +certificates, such that they are able to verify CA signatures +out-of-the-box. + +However, most other programs that can talk HTTPS---@command{wget}, +@command{git}, @command{w3m}, etc.---need to be told where CA +certificates can be found. + +@cindex @code{nss-certs} +In GuixSD, this is done by adding a package that provides certificates +to the @code{packages} field of the @code{operating-system} declaration +(@pxref{operating-system Reference}). GuixSD includes one such package, +@code{nss-certs}, which is a set of CA certificates provided as part of +Mozilla's Network Security Services. + +Note that it is @emph{not} part of @var{%base-packages}, so you need to +explicitly add it. The @file{/etc/ssl/certs} directory, which is where +most applications and libraries look for certificates by default, points +to the certificates installed globally. + +Unprivileged users can also install their own certificate package in +their profile. A number of environment variables need to be defined so +that applications and libraries know where to find them. Namely, the +OpenSSL library honors the @code{SSL_CERT_DIR} and @code{SSL_CERT_FILE} +variables. 
Some applications add their own environment variables; for +instance, the Git version control system honors the certificate bundle +pointed to by the @code{GIT_SSL_CAINFO} environment variable. + + @node Name Service Switch @subsection Name Service Switch diff --git a/gnu/system/examples/desktop.tmpl b/gnu/system/examples/desktop.tmpl index 07e3f0b1d6..b2919f7221 100644 --- a/gnu/system/examples/desktop.tmpl +++ b/gnu/system/examples/desktop.tmpl @@ -3,7 +3,7 @@ (use-modules (gnu) (gnu system nss)) (use-service-modules desktop) -(use-package-modules xfce ratpoison wicd avahi xorg) +(use-package-modules xfce ratpoison wicd avahi xorg certs) (operating-system (host-name "antelope") @@ -32,6 +32,7 @@ ;; sessions using either of these at the log-in screen. (packages (cons* xfce ratpoison ;desktop environments xterm wicd avahi ;useful tools + nss-certs ;for HTTPS access %base-packages)) ;; Use the "desktop" services, which include the X11 -- cgit v1.2.3 From b599e9ebf5e05c0acc76081a2feb4d4c17cfbe0f Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Mon, 11 May 2015 22:39:26 -0400 Subject: install: desktop.tmpl: Add "netdev" to the user's supplementary groups. * gnu/system/examples/desktop.tmpl: Add "netdev" to the user's supplementary groups. --- gnu/system/examples/desktop.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu/system/examples') diff --git a/gnu/system/examples/desktop.tmpl b/gnu/system/examples/desktop.tmpl index b2919f7221..c78188eb61 100644 --- a/gnu/system/examples/desktop.tmpl +++ b/gnu/system/examples/desktop.tmpl @@ -24,7 +24,7 @@ (name "bob") (comment "Alice's brother") (group "users") - (supplementary-groups '("wheel" + (supplementary-groups '("wheel" "netdev" "audio" "video")) (home-directory "/home/bob")))) -- cgit v1.2.3 From bf87f38ace7f0cbad5558c1ef027b9f02988e393 Mon Sep 17 00:00:00 2001 
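Review bot: The inline comment on the added `nss-certs` line, `;for HTTPS access`, understates what the package provides; the texinfo section added in the same commit explains that it supplies the CA certificates programs use to authenticate HTTPS servers and that it is not part of `%base-packages`, but none of that reaches someone reading only the template. I would write `nss-certs ;CA certificates for authenticating HTTPS servers` so the template itself says why the package is needed and what is missing without it. The enclosing `packages` form and the `operating-system` declaration extend beyond this hunk.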
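Review bot: The added "netdev" entry in `supplementary-groups` has no comment and the commit message only restates the diff, so the template does not say what membership in "netdev" grants or which component needs it. The services comment in this file mentions networking with Wicd, so that is presumably the reason, but it is an inference from this hunk rather than something it shows. A line such as `;; "netdev" lets the user manage network connections (needed by Wicd).` above the `(supplementary-groups` form would document it, once someone confirms that is what the group is used for here. The enclosing `users` and `operating-system` forms begin and end outside this hunk.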
From: Ludovic Courtès Date: Mon, 25 May 2015 16:54:05 +0200 Subject: system: Define '%base-user-accounts'. * gnu/system/shadow.scm (%base-user-accounts): New variable. * gnu/system.scm ()[users]: Use it as the default value. * gnu/system/examples/bare-bones.tmpl (users): Use it. * gnu/system/examples/desktop.tmpl (users): Likewise. * doc/guix.texi (operating-system Reference, User Accounts): Adjust accordingly. --- doc/guix.texi | 10 +++++++++- gnu/system.scm | 2 +- gnu/system/examples/bare-bones.tmpl | 5 +++-- gnu/system/examples/desktop.tmpl | 5 +++-- gnu/system/shadow.scm | 11 +++++++++++ 5 files changed, 27 insertions(+), 6 deletions(-) (limited to 'gnu/system/examples') diff --git a/doc/guix.texi b/doc/guix.texi index cfb626c705..6507b9c436 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -4453,7 +4453,7 @@ A list of strings identifying devices to be used for ``swap space'' (@pxref{Memory Concepts,,, libc, The GNU C Library Reference Manual}). For example, @code{'("/dev/sda3")}. -@item @code{users} (default: @code{'()}) +@item @code{users} (default: @code{%base-user-accounts}) @itemx @code{groups} (default: @var{%base-groups}) List of user accounts and groups. @xref{User Accounts}. @@ -4832,6 +4832,14 @@ to be present on the system. This includes groups such as ``root'', specific devices such as ``audio'', ``disk'', and ``cdrom''. @end defvr +@defvr {Scheme Variable} %base-user-accounts +This is the list of basic system accounts that programs may expect to +find on a GNU/Linux system, such as the ``nobody'' account. + +Note that the ``root'' account is not included here. It is a +special-case and is automatically added whether or not it is specified. +@end defvr + @node Locales @subsection Locales diff --git a/gnu/system.scm b/gnu/system.scm index 79de80a3eb..c4a3bee0eb 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -119,7 +119,7 @@ (default '())) (users operating-system-users ; list of user accounts - (default '())) + (default %base-user-accounts)) (groups operating-system-groups ; list of user groups (default %base-groups)) diff --git a/gnu/system/examples/bare-bones.tmpl b/gnu/system/examples/bare-bones.tmpl index 8f4faca2d3..dc5cfc81a4 100644 --- a/gnu/system/examples/bare-bones.tmpl +++ b/gnu/system/examples/bare-bones.tmpl @@ -23,7 +23,7 @@ ;; This is where user accounts are specified. The "root" ;; account is implicit, and is initially created with the ;; empty password. - (users (list (user-account + (users (cons (user-account (name "alice") (comment "Bob's sister") (group "users") @@ -34,7 +34,8 @@ ;; and access the webcam. (supplementary-groups '("wheel" "audio" "video")) - (home-directory "/home/alice")))) + (home-directory "/home/alice")) + %base-user-accounts)) ;; Globally-installed packages. (packages (cons tcpdump %base-packages)) diff --git a/gnu/system/examples/desktop.tmpl b/gnu/system/examples/desktop.tmpl index c78188eb61..988b8f937f 100644 --- a/gnu/system/examples/desktop.tmpl +++ b/gnu/system/examples/desktop.tmpl @@ -20,13 +20,14 @@ (type "ext4")) %base-file-systems)) - (users (list (user-account + (users (cons (user-account (name "bob") (comment "Alice's brother") (group "users") (supplementary-groups '("wheel" "netdev" "audio" "video")) - (home-directory "/home/bob")))) + (home-directory "/home/bob")) + %base-user-accounts)) ;; Add Xfce and Ratpoison; that allows us to choose ;; sessions using either of these at the log-in screen. diff --git a/gnu/system/shadow.scm b/gnu/system/shadow.scm index a778b87306..aa97652678 100644 --- a/gnu/system/shadow.scm +++ b/gnu/system/shadow.scm @@ -54,6 +54,7 @@ default-skeletons skeleton-directory %base-groups + %base-user-accounts assert-valid-users/groups)) ;;; Commentary: 
@@ -113,6 +114,16 @@ (system-group (name "tape")) (system-group (name "kvm"))))) ; for /dev/kvm +(define %base-user-accounts + ;; List of standard user accounts. Note that "root" is a special case, so + ;; it's not listed here. + (list (user-account + (name "nobody") + (uid 65534) + (group "nogroup") + (home-directory "/var/empty") + (system? #t)))) + (define (default-skeletons) "Return the default skeleton files for /etc/skel. These files are copied by 'useradd' in the home directory of newly created user accounts." -- cgit v1.2.3
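Review bot: The new `%base-user-accounts` definition pins "nobody" to uid 65534, group "nogroup", home "/var/empty" and `system? #t`, but its comment explains only why "root" is absent, so a reader cannot tell which of these values are conventional and which are load-bearing. I would extend the comment with `;; "nobody" uses the conventional uid 65534 and a home under /var/empty; system? #t marks it as a system account.` — what `system? #t` changes for the account is not visible in this hunk, so that last clause should be checked against user-account before it is stated as fact. No `shell` field is given either, so the account takes user-account's default; saying so in the comment, or setting it explicitly, would remove the ambiguity for the next maintainer.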