guix.texi

Whether to check for updates of the files corresponding to
@var{database}.

For instance, when @var{database} is @code{hosts}, setting this flag
instructs nscd to check for updates in @file{/etc/hosts} and to take
them into account.

@item @code{persistent?} (default: @code{#t})
Whether the cache should be stored persistently on disk.

@item @code{shared?} (default: @code{#t})
Whether the cache should be shared among users.

@item @code{max-database-size} (default: 32@tie{}MiB)
Maximum size in bytes of the database cache.

@c XXX: 'suggested-size' and 'auto-propagate?' seem to be expert
@c settings, so leave them out.

@end table
@end deftp

@defvr {Scheme Variable} %nscd-default-caches
List of @code{<nscd-cache>} objects used by default by
@code{nscd-configuration} (see above).

It enables persistent and aggressive caching of service and host name
lookups.  The latter provides better host name lookup performance,
resilience in the face of unreliable name servers, and also better
privacy---often the result of host name lookups is in local cache, so
external name servers do not even need to be queried.
@end defvr

@anchor{syslog-configuration-type}
@cindex syslog
@cindex logging
@deftp {Data Type} syslog-configuration
This data type represents the configuration of the syslog daemon.

@table @asis
@item @code{syslogd} (default: @code{#~(string-append #$inetutils "/libexec/syslogd")})
The syslog daemon to use.

@item @code{config-file} (default: @code{%default-syslog.conf})
The syslog configuration file to use.

@end table
@end deftp

@anchor{syslog-service}
@cindex syslog
@deffn {Scheme Procedure} syslog-service @var{config}
Return a service that runs a syslog daemon according to @var{config}.

@xref{syslogd invocation,,, inetutils, GNU Inetutils}, for more
information on the configuration file syntax.
@end deffn

@defvr {Scheme Variable} guix-service-type
This is the type of the service that runs the build daemon,
@command{guix-daemon} (@pxref{Invoking guix-daemon}).  Its value must be a
@code{guix-configuration} record as described below.
@end defvr

@anchor{guix-configuration-type}
@deftp {Data Type} guix-configuration
This data type represents the configuration of the Guix build daemon.
@xref{Invoking guix-daemon}, for more information.

@table @asis
@item @code{guix} (default: @var{guix})
The Guix package to use.

@item @code{build-group} (default: @code{"guixbuild"})
Name of the group for build user accounts.

@item @code{build-accounts} (default: @code{10})
Number of build user accounts to create.

@item @code{authorize-key?} (default: @code{#t})
@cindex substitutes, authorization thereof
Whether to authorize the substitute keys listed in
@code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
(@pxref{Substitutes}).

@vindex %default-authorized-guix-keys
@item @code{authorized-keys} (default: @code{%default-authorized-guix-keys})
The list of authorized key files for archive imports, as a list of
string-valued gexps (@pxref{Invoking guix archive}).  By default, it
contains that of @code{@value{SUBSTITUTE-SERVER}} (@pxref{Substitutes}).

@item @code{use-substitutes?} (default: @code{#t})
Whether to use substitutes.

@item @code{substitute-urls} (default: @code{%default-substitute-urls})
The list of URLs where to look for substitutes by default.

@item @code{max-silent-time} (default: @code{0})
@itemx @code{timeout} (default: @code{0})
The number of seconds of silence and the number of seconds of activity,
respectively, after which a build process times out.  A value of zero
disables the timeout.

@item @code{log-compression} (default: @code{'bzip2})
The type of compression used for build logs---one of @code{gzip},
@code{bzip2}, or @code{none}.

@item @code{extra-options} (default: @code{'()})
List of extra command-line options for @command{guix-daemon}.

@item @code{log-file} (default: @code{"/var/log/guix-daemon.log"})
File where @command{guix-daemon}'s standard output and standard error
are written.

@item @code{http-proxy} (default: @code{#f})
The HTTP proxy used for downloading fixed-output derivations and
substitutes.

@item @code{tmpdir} (default: @code{#f})
A directory path where the @command{guix-daemon} will perform builds.

@end table
@end deftp

@deffn {Scheme Procedure} udev-service [#:udev @var{eudev} #:rules @code{'()}]
Run @var{udev}, which populates the @file{/dev} directory dynamically.
udev rules can be provided as a list of files through the @var{rules}
variable.  The procedures @code{udev-rule} and @code{file->udev-rule} from
@code{(gnu services base)} simplify the creation of such rule files.
@end deffn

@deffn {Scheme Procedure} udev-rule [@var{file-name} @var{contents}]
Return a udev-rule file named @var{file-name} containing the rules
defined by the @var{contents} literal.

In the following example, a rule for a USB device is defined to be
stored in the file @file{90-usb-thing.rules}.  The rule runs a script
upon detecting a USB device with a given product identifier.

@example
(define %example-udev-rule
  (udev-rule
    "90-usb-thing.rules"
    (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", "
                   "ATTR@{product@}==\"Example\", "
                   "RUN+=\"/path/to/script\"")))
@end example

The @command{herd rules udev} command, as root, returns the name of the
directory containing all the active udev rules.
@end deffn

Here we show how the default @var{udev-service} can be extended with it.

@example
(operating-system
 ;; @dots{}
 (services
 (modify-services %desktop-services
   (udev-service-type config =>
     (udev-configuration (inherit config)
      (rules (append (udev-configuration-rules config)
                     (list %example-udev-rule))))))))
@end example

@deffn {Scheme Procedure} file->udev-rule [@var{file-name} @var{file}]
Return a udev file named @var{file-name} containing the rules defined
within @var{file}, a file-like object.

The following example showcases how we can use an existing rule file.

@example
(use-modules (guix download)     ;for url-fetch
             (guix packages)     ;for origin
             ;; @dots{})

(define %android-udev-rules
  (file->udev-rule
    "51-android-udev.rules"
    (let ((version "20170910"))
      (origin
       (method url-fetch)
       (uri (string-append "https://raw.githubusercontent.com/M0Rf30/"
                           "android-udev-rules/" version "/51-android.rules"))
       (sha256
        (base32 "0lmmagpyb6xsq6zcr2w1cyx9qmjqmajkvrdbhjx32gqf1d9is003"))))))
@end example
@end deffn

Additionally, Guix package definitions can be included in @var{rules} in
order to extend the udev rules with the definitions found under their
@file{lib/udev/rules.d} sub-directory.  In lieu of the previous
@var{file->udev-rule} example, we could have used the
@var{android-udev-rules} package which exists in Guix in the @code{(gnu
packages android)} module.

The following example shows how to use the @var{android-udev-rules}
package so that the Android tool @command{adb} can detect devices
without root privileges.  It also details how to create the
@code{adbusers} group, which is required for the proper functioning of
the rules defined within the @var{android-udev-rules} package.  To
create such a group, we must define it both as part of the
@var{supplementary-groups} of our @var{user-account} declaration, as
well as in the @var{groups} field of the @var{operating-system} record.

@example
(use-modules (gnu packages android)  ;for android-udev-rules
             (gnu system shadow)     ;for user-group
             ;; @dots{})

(operating-system
  ;; @dots{}
  (users (cons (user-acount
                ;; @dots{}
                (supplementary-groups
                 '("adbusers"   ;for adb
                   "wheel" "netdev" "audio" "video"))
                ;; @dots{})))

  (groups (cons (user-group (system? #t) (name "adbusers"))
                %base-groups))

  ;; @dots{}

  (services
   (modify-services %desktop-services
     (udev-service-type
      config =>
      (udev-configuration (inherit config)
                          (rules (cons android-udev-rules
                                       (udev-configuration-rules config))))))))
@end example

@defvr {Scheme Variable} urandom-seed-service-type
Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
when rebooting.  It also tries to seed @file{/dev/urandom} from
@file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is
readable.
@end defvr

@defvr {Scheme Variable} %random-seed-file
This is the name of the file where some random bytes are saved by
@var{urandom-seed-service} to seed @file{/dev/urandom} when rebooting.
It defaults to @file{/var/lib/random-seed}.
@end defvr

@cindex mouse
@cindex gpm
@defvr {Scheme Variable} gpm-service-type
This is the type of the service that runs GPM, the @dfn{general-purpose
mouse daemon}, which provides mouse support to the Linux console.  GPM
allows users to use the mouse in the console, notably to select, copy,
and paste text.

The value for services of this type must be a @code{gpm-configuration}
(see below).  This service is not part of @code{%base-services}.
@end defvr

@deftp {Data Type} gpm-configuration
Data type representing the configuration of GPM.

@table @asis
@item @code{options} (default: @code{%default-gpm-options})
Command-line options passed to @command{gpm}.  The default set of
options instruct @command{gpm} to listen to mouse events on
@file{/dev/input/mice}.  @xref{Command Line,,, gpm, gpm manual}, for
more information.

@item @code{gpm} (default: @code{gpm})
The GPM package to use.

@end table
@end deftp

@anchor{guix-publish-service-type}
@deffn {Scheme Variable} guix-publish-service-type
This is the service type for @command{guix publish} (@pxref{Invoking
guix publish}).  Its value must be a @code{guix-publish-configuration}
object, as described below.

This assumes that @file{/etc/guix} already contains a signing key pair as
created by @command{guix archive --generate-key} (@pxref{Invoking guix
archive}).  If that is not the case, the service will fail to start.
@end deffn

@deftp {Data Type} guix-publish-configuration
Data type representing the configuration of the @code{guix publish}
service.

@table @asis
@item @code{guix} (default: @code{guix})
The Guix package to use.

@item @code{port} (default: @code{80})
The TCP port to listen for connections.

@item @code{host} (default: @code{"localhost"})
The host (and thus, network interface) to listen to.  Use
@code{"0.0.0.0"} to listen on all the network interfaces.

@item @code{compression} (default: @code{'(("gzip" 3))})
This is a list of compression method/level tuple used when compressing
substitutes.  For example, to compress all substitutes with @emph{both} lzip
at level 7 and gzip at level 9, write:

@example
'(("lzip" 7) ("gzip" 9))
@end example

Level 9 achieves the best compression ratio at the expense of increased CPU
usage, whereas level 1 achieves fast compression.

An empty list disables compression altogether.

@item @code{nar-path} (default: @code{"nar"})
The URL path at which ``nars'' can be fetched.  @xref{Invoking guix
publish, @code{--nar-path}}, for details.

@item @code{cache} (default: @code{#f})
When it is @code{#f}, disable caching and instead generate archives on
demand.  Otherwise, this should be the name of a directory---e.g.,
@code{"/var/cache/guix/publish"}---where @command{guix publish} caches
archives and meta-data ready to be sent.  @xref{Invoking guix publish,
@option{--cache}}, for more information on the tradeoffs involved.

@item @code{workers} (default: @code{#f})
When it is an integer, this is the number of worker threads used for
caching; when @code{#f}, the number of processors is used.
@xref{Invoking guix publish, @option{--workers}}, for more information.

@item @code{ttl} (default: @code{#f})
When it is an integer, this denotes the @dfn{time-to-live} in seconds
of the published archives.  @xref{Invoking guix publish, @option{--ttl}},
for more information.
@end table
@end deftp

@anchor{rngd-service}
@deffn {Scheme Procedure} rngd-service [#:rng-tools @var{rng-tools}] @
            [#:device "/dev/hwrng"]
Return a service that runs the @command{rngd} program from @var{rng-tools}
to add @var{device} to the kernel's entropy pool.  The service will fail if
@var{device} does not exist.
@end deffn

@anchor{pam-limits-service}
@cindex session limits
@cindex ulimit
@cindex priority
@cindex realtime
@cindex jackd
@deffn {Scheme Procedure} pam-limits-service [#:limits @code{'()}]

Return a service that installs a configuration file for the
@uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html,
@code{pam_limits} module}.  The procedure optionally takes a list of
@code{pam-limits-entry} values, which can be used to specify
@code{ulimit} limits and nice priority limits to user sessions.

The following limits definition sets two hard and soft limits for all
login sessions of users in the @code{realtime} group:

@example
(pam-limits-service
 (list
  (pam-limits-entry "@@realtime" 'both 'rtprio 99)
  (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))
@end example

The first entry increases the maximum realtime priority for
non-privileged processes; the second entry lifts any restriction of the
maximum address space that can be locked in memory.  These settings are
commonly used for real-time audio systems.
@end deffn

@node Scheduled Job Execution
@subsection Scheduled Job Execution

@cindex cron
@cindex mcron
@cindex scheduling jobs
The @code{(gnu services mcron)} module provides an interface to
GNU@tie{}mcron, a daemon to run jobs at scheduled times (@pxref{Top,,,
mcron, GNU@tie{}mcron}).  GNU@tie{}mcron is similar to the traditional
Unix @command{cron} daemon; the main difference is that it is
implemented in Guile Scheme, which provides a lot of flexibility when
specifying the scheduling of jobs and their actions.

The example below defines an operating system that runs the
@command{updatedb} (@pxref{Invoking updatedb,,, find, Finding Files})
and the @command{guix gc} commands (@pxref{Invoking guix gc}) daily, as
well as the @command{mkid} command on behalf of an unprivileged user
(@pxref{mkid invocation,,, idutils, ID Database Utilities}).  It uses
gexps to introduce job definitions that are passed to mcron
(@pxref{G-Expressions}).

@lisp
(use-modules (guix) (gnu) (gnu services mcron))
(use-package-modules base idutils)

(define updatedb-job
  ;; Run 'updatedb' at 3AM every day.  Here we write the
  ;; job's action as a Scheme procedure.
  #~(job '(next-hour '(3))
         (lambda ()
           (execl (string-append #$findutils "/bin/updatedb")
                  "updatedb"
                  "--prunepaths=/tmp /var/tmp /gnu/store"))))

(define garbage-collector-job
  ;; Collect garbage 5 minutes after midnight every day.
  ;; The job's action is a shell command.
  #~(job "5 0 * * *"            ;Vixie cron syntax
         "guix gc -F 1G"))

(define idutils-job
  ;; Update the index database as user "charlie" at 12:15PM
  ;; and 19:15PM.  This runs from the user's home directory.
  #~(job '(next-minute-from (next-hour '(12 19)) '(15))
         (string-append #$idutils "/bin/mkid src")
         #:user "charlie"))

(operating-system
  ;; @dots{}
  (services (cons (service mcron-service-type
                           (mcron-configuration
                            (jobs (list garbage-collector-job
                                        updatedb-job
                                        idutils-job))))
                  %base-services)))
@end lisp

@xref{Guile Syntax, mcron job specifications,, mcron, GNU@tie{}mcron},
for more information on mcron job specifications.  Below is the
reference of the mcron service.

On a running system, you can use the @code{schedule} action of the service to
visualize the mcron jobs that will be executed next:

@example
# herd schedule mcron
@end example

@noindent
The example above lists the next five tasks that will be executed, but you can
also specify the number of tasks to display:

@example
# herd schedule mcron 10
@end example

@defvr {Scheme Variable} mcron-service-type
This is the type of the @code{mcron} service, whose value is an
@code{mcron-configuration} object.

This service type can be the target of a service extension that provides
it additional job specifications (@pxref{Service Composition}).  In
other words, it is possible to define services that provide additional
mcron jobs to run.
@end defvr

@deftp {Data Type} mcron-configuration
Data type representing the configuration of mcron.

@table @asis
@item @code{mcron} (default: @var{mcron})
The mcron package to use.

@item @code{jobs}
This is a list of gexps (@pxref{G-Expressions}), where each gexp
corresponds to an mcron job specification (@pxref{Syntax, mcron job
specifications,, mcron, GNU@tie{}mcron}).
@end table
@end deftp


@node Log Rotation
@subsection Log Rotation

@cindex rottlog
@cindex log rotation
@cindex logging
Log files such as those found in @file{/var/log} tend to grow endlessly,
so it's a good idea to @dfn{rotate} them once in a while---i.e., archive
their contents in separate files, possibly compressed.  The @code{(gnu
services admin)} module provides an interface to GNU@tie{}Rot[t]log, a
log rotation tool (@pxref{Top,,, rottlog, GNU Rot[t]log Manual}).

The example below defines an operating system that provides log rotation
with the default settings, for commonly encountered log files.

@lisp
(use-modules (guix) (gnu))
(use-service-modules admin mcron)
(use-package-modules base idutils)

(operating-system
  ;; @dots{}
  (services (cons (service rottlog-service-type)
                  %base-services)))
@end lisp

@defvr {Scheme Variable} rottlog-service-type
This is the type of the Rottlog service, whose value is a
@code{rottlog-configuration} object.

Other services can extend this one with new @code{log-rotation} objects
(see below), thereby augmenting the set of files to be rotated.

This service type can define mcron jobs (@pxref{Scheduled Job
Execution}) to run the rottlog service.
@end defvr

@deftp {Data Type} rottlog-configuration
Data type representing the configuration of rottlog.

@table @asis
@item @code{rottlog} (default: @code{rottlog})
The Rottlog package to use.

@item @code{rc-file} (default: @code{(file-append rottlog "/etc/rc")})
The Rottlog configuration file to use (@pxref{Mandatory RC Variables,,,
rottlog, GNU Rot[t]log Manual}).

@item @code{rotations} (default: @code{%default-rotations})
A list of @code{log-rotation} objects as defined below.

@item @code{jobs}
This is a list of gexps where each gexp corresponds to an mcron job
specification (@pxref{Scheduled Job Execution}).
@end table
@end deftp

@deftp {Data Type} log-rotation
Data type representing the rotation of a group of log files.

Taking an example from the Rottlog manual (@pxref{Period Related File
Examples,,, rottlog, GNU Rot[t]log Manual}), a log rotation might be
defined like this:

@example
(log-rotation
  (frequency 'daily)
  (files '("/var/log/apache/*"))
  (options '("storedir apache-archives"
             "rotate 6"
             "notifempty"
             "nocompress")))
@end example

The list of fields is as follows:

@table @asis
@item @code{frequency} (default: @code{'weekly})
The log rotation frequency, a symbol.

@item @code{files}
The list of files or file glob patterns to rotate.

@item @code{options} (default: @code{'()})
The list of rottlog options for this rotation (@pxref{Configuration
parameters,,, rottlog, GNU Rot[t]lg Manual}).

@item @code{post-rotate} (default: @code{#f})
Either @code{#f} or a gexp to execute once the rotation has completed.
@end table
@end deftp

@defvr {Scheme Variable} %default-rotations
Specifies weekly rotation of @var{%rotated-files} and
a couple of other files.
@end defvr

@defvr {Scheme Variable} %rotated-files
The list of syslog-controlled files to be rotated.  By default it is:
@code{'("/var/log/messages" "/var/log/secure")}.
@end defvr

@node Networking Services
@subsection Networking Services

The @code{(gnu services networking)} module provides services to configure
the network interface.

@cindex DHCP, networking service
@defvr {Scheme Variable} dhcp-client-service-type
This is the type of services that run @var{dhcp}, a Dynamic Host Configuration
Protocol (DHCP) client, on all the non-loopback network interfaces.  Its value
is the DHCP client package to use, @code{isc-dhcp} by default.
@end defvr

@deffn {Scheme Procedure} dhcpd-service-type
This type defines a service that runs a DHCP daemon.  To create a
service of this type, you must supply a @code{<dhcpd-configuration>}.
For example:

@example
(service dhcpd-service-type
         (dhcpd-configuration
          (config-file (local-file "my-dhcpd.conf"))
          (interfaces '("enp0s25"))))
@end example
@end deffn

@deftp {Data Type} dhcpd-configuration
@table @asis
@item @code{package} (default: @code{isc-dhcp})
The package that provides the DHCP daemon.  This package is expected to
provide the daemon at @file{sbin/dhcpd} relative to its output
directory.  The default package is the
@uref{https://www.isc.org/products/DHCP, ISC's DHCP server}.
@item @code{config-file} (default: @code{#f})
The configuration file to use.  This is required.  It will be passed to
@code{dhcpd} via its @code{-cf} option.  This may be any ``file-like''
object (@pxref{G-Expressions, file-like objects}).  See @code{man
dhcpd.conf} for details on the configuration file syntax.
@item @code{version} (default: @code{"4"})
The DHCP version to use.  The ISC DHCP server supports the values ``4'',
``6'', and ``4o6''.  These correspond to the @code{dhcpd} program
options @code{-4}, @code{-6}, and @code{-4o6}.  See @code{man dhcpd} for
details.
@item @code{run-directory} (default: @code{"/run/dhcpd"})
The run directory to use.  At service activation time, this directory
will be created if it does not exist.
@item @code{pid-file} (default: @code{"/run/dhcpd/dhcpd.pid"})
The PID file to use.  This corresponds to the @code{-pf} option of
@code{dhcpd}.  See @code{man dhcpd} for details.
@item @code{interfaces} (default: @code{'()})
The names of the network interfaces on which dhcpd should listen for
broadcasts.  If this list is not empty, then its elements (which must be
strings) will be appended to the @code{dhcpd} invocation when starting
the daemon.  It may not be necessary to explicitly specify any
interfaces here; see @code{man dhcpd} for details.
@end table
@end deftp

@defvr {Scheme Variable} static-networking-service-type
This is the type for statically-configured network interfaces.
@c TODO Document <static-networking> data structures.
@end defvr

@deffn {Scheme Procedure} static-networking-service @var{interface} @var{ip} @
       [#:netmask #f] [#:gateway #f] [#:name-servers @code{'()}] @
       [#:requirement @code{'(udev)}]
Return a service that starts @var{interface} with address @var{ip}.  If
@var{netmask} is true, use it as the network mask.  If @var{gateway} is true,
it must be a string specifying the default network gateway.  @var{requirement}
can be used to declare a dependency on another service before configuring the
interface.

This procedure can be called several times, one for each network
interface of interest.  Behind the scenes what it does is extend
@code{static-networking-service-type} with additional network interfaces
to handle.

For example:

@example
(static-networking-service "eno1" "192.168.1.82"
                           #:gateway "192.168.1.2"
                           #:name-servers '("192.168.1.2"))
@end example
@end deffn

@cindex wicd
@cindex wireless
@cindex WiFi
@cindex network management
@deffn {Scheme Procedure} wicd-service [#:wicd @var{wicd}]
Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
management daemon that aims to simplify wired and wireless networking.

This service adds the @var{wicd} package to the global profile, providing
several commands to interact with the daemon and configure networking:
@command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
and @command{wicd-curses} user interfaces.
@end deffn

@cindex ModemManager

@defvr {Scheme Variable} modem-manager-service-type
This is the service type for the
@uref{https://wiki.gnome.org/Projects/ModemManager, ModemManager}
service. The value for this service type is a
@code{modem-manager-configuration} record.

This service is part of @code{%desktop-services} (@pxref{Desktop
Services}).
@end defvr

@deftp {Data Type} modem-manager-configuration
Data type representing the configuration of ModemManager.

@table @asis
@item @code{modem-manager} (default: @code{modem-manager})
The ModemManager package to use.

@end table
@end deftp

@cindex USB_ModeSwitch
@cindex Modeswitching

@defvr {Scheme Variable} usb-modeswitch-service-type
This is the service type for the
@uref{http://www.draisberghof.de/usb_modeswitch/, USB_ModeSwitch} service. The
value for this service type is a @code{usb-modeswitch-configuration} record.

When plugged in, some USB modems (and other USB devices) initially present
themselves as a read-only storage medium and not as a modem.  They need to be
@dfn{modeswitched} before they are usable.  The USB_ModeSwitch service type
installs udev rules to automatically modeswitch these devices when they are
plugged in.

This service is part of @code{%desktop-services} (@pxref{Desktop
Services}).
@end defvr

@deftp {Data Type} usb-modeswitch-configuration
Data type representing the configuration of USB_ModeSwitch.

@table @asis
@item @code{usb-modeswitch} (default: @code{usb-modeswitch})
The USB_ModeSwitch package providing the binaries for modeswitching.

@item @code{usb-modeswitch-data} (default: @code{usb-modeswitch-data})
The package providing the device data and udev rules file used by
USB_ModeSwitch.

@item @code{config-file} (default: @code{#~(string-append #$usb-modeswitch:dispatcher "/etc/usb_modeswitch.conf")})
Which config file to use for the USB_ModeSwitch dispatcher.  By default the
config file shipped with USB_ModeSwitch is used which disables logging to
@file{/var/log} among other default settings.  If set to @code{#f}, no config
file is used.

@end table
@end deftp

@cindex NetworkManager

@defvr {Scheme Variable} network-manager-service-type
This is the service type for the
@uref{https://wiki.gnome.org/Projects/NetworkManager, NetworkManager}
service. The value for this service type is a
@code{network-manager-configuration} record.

This service is part of @code{%desktop-services} (@pxref{Desktop
Services}).
@end defvr

@deftp {Data Type} network-manager-configuration
Data type representing the configuration of NetworkManager.

@table @asis
@item @code{network-manager} (default: @code{network-manager})
The NetworkManager package to use.

@item @code{dns} (default: @code{"default"})
Processing mode for DNS, which affects how NetworkManager uses the
@code{resolv.conf} configuration file.

@table @samp
@item default
NetworkManager will update @code{resolv.conf} to reflect the nameservers
provided by currently active connections.

@item dnsmasq
NetworkManager will run @code{dnsmasq} as a local caching nameserver, using a
@dfn{conditional forwarding} configuration if you are connected to a VPN, and
then update @code{resolv.conf} to point to the local nameserver.

With this setting, you can share your network connection.  For example when
you want to share your network connection to another laptop @i{via} an
Ethernet cable, you can open @command{nm-connection-editor} and configure the
Wired connection's method for IPv4 and IPv6 to be ``Shared to other computers''
and reestablish the connection (or reboot).

You can also set up a @dfn{host-to-guest connection} to QEMU VMs
(@pxref{Installing Guix in a VM}).  With a host-to-guest connection, you can
e.g.@: access a Web server running on the VM (@pxref{Web Services}) from a Web
browser on your host system, or connect to the VM @i{via} SSH
(@pxref{Networking Services, @code{openssh-service-type}}).  To set up a
host-to-guest connection, run this command once:

@example
nmcli connection add type tun \
 connection.interface-name tap0 \
 tun.mode tap tun.owner $(id -u) \
 ipv4.method shared \
 ipv4.addresses 172.28.112.1/24
@end example

Then each time you launch your QEMU VM (@pxref{Running Guix in a VM}), pass
@option{-nic tap,ifname=tap0,script=no,downscript=no} to
@command{qemu-system-...}.

@item none
NetworkManager will not modify @code{resolv.conf}.
@end table

@item @code{vpn-plugins} (default: @code{'()})
This is the list of available plugins for virtual private networks
(VPNs).  An example of this is the @code{network-manager-openvpn}
package, which allows NetworkManager to manage VPNs @i{via} OpenVPN.

@end table
@end deftp

@cindex Connman
@deffn {Scheme Variable} connman-service-type
This is the service type to run @url{https://01.org/connman,Connman},
a network connection manager.

Its value must be an
@code{connman-configuration} record as in this example:

@example
(service connman-service-type
         (connman-configuration
           (disable-vpn? #t)))
@end example

See below for details about @code{connman-configuration}.
@end deffn

@deftp {Data Type} connman-configuration
Data Type representing the configuration of connman.

@table @asis
@item @code{connman} (default: @var{connman})
The connman package to use.

@item @code{disable-vpn?} (default: @code{#f})
When true, disable connman's vpn plugin.
@end table
@end deftp

@cindex WPA Supplicant
@defvr {Scheme Variable} wpa-supplicant-service-type
This is the service type to run @url{https://w1.fi/wpa_supplicant/,WPA
supplicant}, an authentication daemon required to authenticate against
encrypted WiFi or ethernet networks.
@end defvr

@deftp {Data Type} wpa-supplicant-configuration
Data type representing the configuration of WPA Supplicant.

It takes the following parameters:

@table @asis
@item @code{wpa-supplicant} (default: @code{wpa-supplicant})
The WPA Supplicant package to use.

@item @code{dbus?} (default: @code{#t})
Whether to listen for requests on D-Bus.

@item @code{pid-file} (default: @code{"/var/run/wpa_supplicant.pid"})
Where to store the PID file.

@item @code{interface} (default: @code{#f})
If this is set, it must specify the name of a network interface that
WPA supplicant will control.

@item @code{config-file} (default: @code{#f})
Optional configuration file to use.

@item @code{extra-options} (default: @code{'()})
List of additional command-line arguments to pass to the daemon.
@end table
@end deftp

@cindex iptables
@defvr {Scheme Variable} iptables-service-type
This is the service type to set up an iptables configuration.  iptables is a
packet filtering framework supported by the Linux kernel.  This service
supports configuring iptables for both IPv4 and IPv6.  A simple example
configuration rejecting all incoming connections except those to the ssh port
22 is shown below.

@lisp
(service iptables-service-type
         (iptables-configuration
          (ipv4-rules (plain-file "iptables.rules" "*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"))
          (ipv6-rules (plain-file "ip6tables.rules" "*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"))))
@end lisp
@end defvr

@deftp {Data Type} iptables-configuration
The data type representing the configuration of iptables.

@table @asis
@item @code{iptables} (default: @code{iptables})
The iptables package that provides @code{iptables-restore} and
@code{ip6tables-restore}.
@item @code{ipv4-rules} (default: @code{%iptables-accept-all-rules})
The iptables rules to use.  It will be passed to @code{iptables-restore}.
This may be any ``file-like'' object (@pxref{G-Expressions, file-like
objects}).
@item @code{ipv6-rules} (default: @code{%iptables-accept-all-rules})
The ip6tables rules to use.  It will be passed to @code{ip6tables-restore}.
This may be any ``file-like'' object (@pxref{G-Expressions, file-like
objects}).
@end table
@end deftp

@cindex NTP (Network Time Protocol), service
@cindex real time clock
@defvr {Scheme Variable} ntp-service-type
This is the type of the service running the @uref{http://www.ntp.org,
Network Time Protocol (NTP)} daemon, @command{ntpd}.  The daemon will keep the
system clock synchronized with that of the specified NTP servers.

The value of this service is an @code{ntpd-configuration} object, as described
below.
@end defvr

@deftp {Data Type} ntp-configuration
This is the data type for the NTP service configuration.

@table @asis
@item @code{servers} (default: @code{%ntp-servers})
This is the list of servers (host names) with which @command{ntpd} will be
synchronized.

@item @code{allow-large-adjustment?} (default: @code{#f})
This determines whether @command{ntpd} is allowed to make an initial
adjustment of more than 1,000 seconds.

@item @code{ntp} (default: @code{ntp})
The NTP package to use.
@end table
@end deftp

@defvr {Scheme Variable} %ntp-servers
List of host names used as the default NTP servers.  These are servers of the
@uref{https://www.ntppool.org/en/, NTP Pool Project}.
@end defvr

@cindex OpenNTPD
@deffn {Scheme Procedure} openntpd-service-type
Run the @command{ntpd}, the Network Time Protocol (NTP) daemon, as implemented
by @uref{http://www.openntpd.org, OpenNTPD}.  The daemon will keep the system
clock synchronized with that of the given servers.

@example
(service
 openntpd-service-type
 (openntpd-configuration
  (listen-on '("127.0.0.1" "::1"))
  (sensor '("udcf0 correction 70000"))
  (constraint-from '("www.gnu.org"))
  (constraints-from '("https://www.google.com/"))
  (allow-large-adjustment? #t)))

@end example
@end deffn

@deftp {Data Type} openntpd-configuration
@table @asis
@item @code{openntpd} (default: @code{(file-append openntpd "/sbin/ntpd")})
The openntpd executable to use.
@item @code{listen-on} (default: @code{'("127.0.0.1" "::1")})
A list of local IP addresses or hostnames the ntpd daemon should listen on.
@item @code{query-from} (default: @code{'()})
A list of local IP address the ntpd daemon should use for outgoing queries.
@item @code{sensor} (default: @code{'()})
Specify a list of timedelta sensor devices ntpd should use.  @code{ntpd}
will listen to each sensor that actually exists and ignore non-existent ones.
See @uref{https://man.openbsd.org/ntpd.conf, upstream documentation} for more
information.
@item @code{server} (default: @var{%ntp-servers})
Specify a list of IP addresses or hostnames of NTP servers to synchronize to.
@item @code{servers} (default: @code{'()})
Specify a list of IP addresses or hostnames of NTP pools to synchronize to.
@item @code{constraint-from} (default: @code{'()})
@code{ntpd} can be configured to query the ‘Date’ from trusted HTTPS servers via TLS.
This time information is not used for precision but acts as an authenticated
constraint, thereby reducing the impact of unauthenticated NTP
man-in-the-middle attacks.
Specify a list of URLs, IP addresses or hostnames of HTTPS servers to provide
a constraint.
@item @code{constraints-from} (default: @code{'()})
As with constraint from, specify a list of URLs, IP addresses or hostnames of
HTTPS servers to provide a constraint.  Should the hostname resolve to multiple
IP addresses, @code{ntpd} will calculate a median constraint from all of them.
@item @code{allow-large-adjustment?} (default: @code{#f})