guix.texi

         (lambda ()
           (execl (string-append #$findutils "/bin/updatedb")
                  "updatedb"
                  "--prunepaths=/tmp /var/tmp /gnu/store"))))

(define garbage-collector-job
  ;; Collect garbage 5 minutes after midnight every day.
  ;; The job's action is a shell command.
  #~(job "5 0 * * *"            ;Vixie cron syntax
         "guix gc -F 1G"))

(define idutils-job
  ;; Update the index database as user "charlie" at 12:15PM
  ;; and 19:15PM.  This runs from the user's home directory.
  #~(job '(next-minute-from (next-hour '(12 19)) '(15))
         (string-append #$idutils "/bin/mkid src")
         #:user "charlie"))

(operating-system
  ;; @dots{}
  (services (cons (service mcron-service-type
                           (mcron-configuration
                            (jobs (list garbage-collector-job
                                        updatedb-job
                                        idutils-job))))
                  %base-services)))
@end lisp

@xref{Guile Syntax, mcron job specifications,, mcron, GNU@tie{}mcron},
for more information on mcron job specifications.  Below is the
reference of the mcron service.

On a running system, you can use the @code{schedule} action of the service to
visualize the mcron jobs that will be executed next:

@example
# herd schedule mcron
@end example

@noindent
The example above lists the next five tasks that will be executed, but you can
also specify the number of tasks to display:

@example
# herd schedule mcron 10
@end example

@defvr {Scheme Variable} mcron-service-type
This is the type of the @code{mcron} service, whose value is an
@code{mcron-configuration} object.

This service type can be the target of a service extension that provides
it additional job specifications (@pxref{Service Composition}).  In
other words, it is possible to define services that provide additional
mcron jobs to run.
@end defvr

@deftp {Data Type} mcron-configuration
Data type representing the configuration of mcron.

@table @asis
@item @code{mcron} (default: @var{mcron})
The mcron package to use.

@item @code{jobs}
This is a list of gexps (@pxref{G-Expressions}), where each gexp
corresponds to an mcron job specification (@pxref{Syntax, mcron job
specifications,, mcron, GNU@tie{}mcron}).
@end table
@end deftp


@node Log Rotation
@subsection Log Rotation

@cindex rottlog
@cindex log rotation
@cindex logging
Log files such as those found in @file{/var/log} tend to grow endlessly,
so it's a good idea to @dfn{rotate} them once in a while---i.e., archive
their contents in separate files, possibly compressed.  The @code{(gnu
services admin)} module provides an interface to GNU@tie{}Rot[t]log, a
log rotation tool (@pxref{Top,,, rottlog, GNU Rot[t]log Manual}).

The example below defines an operating system that provides log rotation
with the default settings, for commonly encountered log files.

@lisp
(use-modules (guix) (gnu))
(use-service-modules admin mcron)
(use-package-modules base idutils)

(operating-system
  ;; @dots{}
  (services (cons (service rottlog-service-type)
                  %base-services)))
@end lisp

@defvr {Scheme Variable} rottlog-service-type
This is the type of the Rottlog service, whose value is a
@code{rottlog-configuration} object.

Other services can extend this one with new @code{log-rotation} objects
(see below), thereby augmenting the set of files to be rotated.

This service type can define mcron jobs (@pxref{Scheduled Job
Execution}) to run the rottlog service.
@end defvr

@deftp {Data Type} rottlog-configuration
Data type representing the configuration of rottlog.

@table @asis
@item @code{rottlog} (default: @code{rottlog})
The Rottlog package to use.

@item @code{rc-file} (default: @code{(file-append rottlog "/etc/rc")})
The Rottlog configuration file to use (@pxref{Mandatory RC Variables,,,
rottlog, GNU Rot[t]log Manual}).

@item @code{rotations} (default: @code{%default-rotations})
A list of @code{log-rotation} objects as defined below.

@item @code{jobs}
This is a list of gexps where each gexp corresponds to an mcron job
specification (@pxref{Scheduled Job Execution}).
@end table
@end deftp

@deftp {Data Type} log-rotation
Data type representing the rotation of a group of log files.

Taking an example from the Rottlog manual (@pxref{Period Related File
Examples,,, rottlog, GNU Rot[t]log Manual}), a log rotation might be
defined like this:

@example
(log-rotation
  (frequency 'daily)
  (files '("/var/log/apache/*"))
  (options '("storedir apache-archives"
             "rotate 6"
             "notifempty"
             "nocompress")))
@end example

The list of fields is as follows:

@table @asis
@item @code{frequency} (default: @code{'weekly})
The log rotation frequency, a symbol.

@item @code{files}
The list of files or file glob patterns to rotate.

@item @code{options} (default: @code{'()})
The list of rottlog options for this rotation (@pxref{Configuration
parameters,,, rottlog, GNU Rot[t]lg Manual}).

@item @code{post-rotate} (default: @code{#f})
Either @code{#f} or a gexp to execute once the rotation has completed.
@end table
@end deftp

@defvr {Scheme Variable} %default-rotations
Specifies weekly rotation of @var{%rotated-files} and
a couple of other files.
@end defvr

@defvr {Scheme Variable} %rotated-files
The list of syslog-controlled files to be rotated.  By default it is:
@code{'("/var/log/messages" "/var/log/secure")}.
@end defvr

@node Networking Services
@subsection Networking Services

The @code{(gnu services networking)} module provides services to configure
the network interface.

@cindex DHCP, networking service
@defvr {Scheme Variable} dhcp-client-service-type
This is the type of services that run @var{dhcp}, a Dynamic Host Configuration
Protocol (DHCP) client, on all the non-loopback network interfaces.  Its value
is the DHCP client package to use, @code{isc-dhcp} by default.
@end defvr

@deffn {Scheme Procedure} dhcpd-service-type
This type defines a service that runs a DHCP daemon.  To create a
service of this type, you must supply a @code{<dhcpd-configuration>}.
For example:

@example
(service dhcpd-service-type
         (dhcpd-configuration
          (config-file (local-file "my-dhcpd.conf"))
          (interfaces '("enp0s25"))))
@end example
@end deffn

@deftp {Data Type} dhcpd-configuration
@table @asis
@item @code{package} (default: @code{isc-dhcp})
The package that provides the DHCP daemon.  This package is expected to
provide the daemon at @file{sbin/dhcpd} relative to its output
directory.  The default package is the
@uref{http://www.isc.org/products/DHCP, ISC's DHCP server}.
@item @code{config-file} (default: @code{#f})
The configuration file to use.  This is required.  It will be passed to
@code{dhcpd} via its @code{-cf} option.  This may be any ``file-like''
object (@pxref{G-Expressions, file-like objects}).  See @code{man
dhcpd.conf} for details on the configuration file syntax.
@item @code{version} (default: @code{"4"})
The DHCP version to use.  The ISC DHCP server supports the values ``4'',
``6'', and ``4o6''.  These correspond to the @code{dhcpd} program
options @code{-4}, @code{-6}, and @code{-4o6}.  See @code{man dhcpd} for
details.
@item @code{run-directory} (default: @code{"/run/dhcpd"})
The run directory to use.  At service activation time, this directory
will be created if it does not exist.
@item @code{pid-file} (default: @code{"/run/dhcpd/dhcpd.pid"})
The PID file to use.  This corresponds to the @code{-pf} option of
@code{dhcpd}.  See @code{man dhcpd} for details.
@item @code{interfaces} (default: @code{'()})
The names of the network interfaces on which dhcpd should listen for
broadcasts.  If this list is not empty, then its elements (which must be
strings) will be appended to the @code{dhcpd} invocation when starting
the daemon.  It may not be necessary to explicitly specify any
interfaces here; see @code{man dhcpd} for details.
@end table
@end deftp

@defvr {Scheme Variable} static-networking-service-type
This is the type for statically-configured network interfaces.
@c TODO Document <static-networking> data structures.
@end defvr

@deffn {Scheme Procedure} static-networking-service @var{interface} @var{ip} @
       [#:netmask #f] [#:gateway #f] [#:name-servers @code{'()}] @
       [#:requirement @code{'(udev)}]
Return a service that starts @var{interface} with address @var{ip}.  If
@var{netmask} is true, use it as the network mask.  If @var{gateway} is true,
it must be a string specifying the default network gateway.  @var{requirement}
can be used to declare a dependency on another service before configuring the
interface.

This procedure can be called several times, one for each network
interface of interest.  Behind the scenes what it does is extend
@code{static-networking-service-type} with additional network interfaces
to handle.

For example:

@example
(static-networking-service "eno1" "192.168.1.82"
                           #:gateway "192.168.1.2"
                           #:name-servers '("192.168.1.2"))
@end example
@end deffn

@cindex wicd
@cindex wireless
@cindex WiFi
@cindex network management
@deffn {Scheme Procedure} wicd-service [#:wicd @var{wicd}]
Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
management daemon that aims to simplify wired and wireless networking.

This service adds the @var{wicd} package to the global profile, providing
several commands to interact with the daemon and configure networking:
@command{wicd-client}, a graphical user interface, and the @command{wicd-cli}
and @command{wicd-curses} user interfaces.
@end deffn

@cindex ModemManager

@defvr {Scheme Variable} modem-manager-service-type
This is the service type for the
@uref{https://wiki.gnome.org/Projects/ModemManager, ModemManager}
service. The value for this service type is a
@code{modem-manager-configuration} record.

This service is part of @code{%desktop-services} (@pxref{Desktop
Services}).
@end defvr

@deftp {Data Type} modem-manager-configuration
Data type representing the configuration of ModemManager.

@table @asis
@item @code{modem-manager} (default: @code{modem-manager})
The ModemManager package to use.

@end table
@end deftp

@cindex NetworkManager

@defvr {Scheme Variable} network-manager-service-type
This is the service type for the
@uref{https://wiki.gnome.org/Projects/NetworkManager, NetworkManager}
service. The value for this service type is a
@code{network-manager-configuration} record.

This service is part of @code{%desktop-services} (@pxref{Desktop
Services}).
@end defvr

@deftp {Data Type} network-manager-configuration
Data type representing the configuration of NetworkManager.

@table @asis
@item @code{network-manager} (default: @code{network-manager})
The NetworkManager package to use.

@item @code{dns} (default: @code{"default"})
Processing mode for DNS, which affects how NetworkManager uses the
@code{resolv.conf} configuration file.

@table @samp
@item default
NetworkManager will update @code{resolv.conf} to reflect the nameservers
provided by currently active connections.

@item dnsmasq
NetworkManager will run @code{dnsmasq} as a local caching nameserver,
using a "split DNS" configuration if you are connected to a VPN, and
then update @code{resolv.conf} to point to the local nameserver.

@item none
NetworkManager will not modify @code{resolv.conf}.
@end table

@item @code{vpn-plugins} (default: @code{'()})
This is the list of available plugins for virtual private networks
(VPNs).  An example of this is the @code{network-manager-openvpn}
package, which allows NetworkManager to manage VPNs @i{via} OpenVPN.

@end table
@end deftp

@cindex Connman
@deffn {Scheme Variable} connman-service-type
This is the service type to run @url{https://01.org/connman,Connman},
a network connection manager.

Its value must be an
@code{connman-configuration} record as in this example:

@example
(service connman-service-type
         (connman-configuration
           (disable-vpn? #t)))
@end example

See below for details about @code{connman-configuration}.
@end deffn

@deftp {Data Type} connman-configuration
Data Type representing the configuration of connman.

@table @asis
@item @code{connman} (default: @var{connman})
The connman package to use.

@item @code{disable-vpn?} (default: @code{#f})
When true, disable connman's vpn plugin.
@end table
@end deftp

@cindex WPA Supplicant
@defvr {Scheme Variable} wpa-supplicant-service-type
This is the service type to run @url{https://w1.fi/wpa_supplicant/,WPA
supplicant}, an authentication daemon required to authenticate against
encrypted WiFi or ethernet networks.
@end defvr

@deftp {Data Type} wpa-supplicant-configuration
Data type representing the configuration of WPA Supplicant.

It takes the following parameters:

@table @asis
@item @code{wpa-supplicant} (default: @code{wpa-supplicant})
The WPA Supplicant package to use.

@item @code{dbus?} (default: @code{#t})
Whether to listen for requests on D-Bus.

@item @code{pid-file} (default: @code{"/var/run/wpa_supplicant.pid"})
Where to store the PID file.

@item @code{interface} (default: @code{#f})
If this is set, it must specify the name of a network interface that
WPA supplicant will control.

@item @code{config-file} (default: @code{#f})
Optional configuration file to use.

@item @code{extra-options} (default: @code{'()})
List of additional command-line arguments to pass to the daemon.
@end table
@end deftp

@cindex iptables
@defvr {Scheme Variable} iptables-service-type
This is the service type to set up an iptables configuration.  iptables is a
packet filtering framework supported by the Linux kernel.  This service
supports configuring iptables for both IPv4 and IPv6.  A simple example
configuration rejecting all incoming connections except those to the ssh port
22 is shown below.

@lisp
(service iptables-service-type
         (iptables-configuration
          (ipv4-rules (plain-file "iptables.rules" "*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"))
          (ipv6-rules (plain-file "ip6tables.rules" "*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"))))
@end lisp
@end defvr

@deftp {Data Type} iptables-configuration
The data type representing the configuration of iptables.

@table @asis
@item @code{iptables} (default: @code{iptables})
The iptables package that provides @code{iptables-restore} and
@code{ip6tables-restore}.
@item @code{ipv4-rules} (default: @code{%iptables-accept-all-rules})
The iptables rules to use.  It will be passed to @code{iptables-restore}.
This may be any ``file-like'' object (@pxref{G-Expressions, file-like
objects}).
@item @code{ipv6-rules} (default: @code{%iptables-accept-all-rules})
The ip6tables rules to use.  It will be passed to @code{ip6tables-restore}.
This may be any ``file-like'' object (@pxref{G-Expressions, file-like
objects}).
@end table
@end deftp

@cindex NTP (Network Time Protocol), service
@cindex real time clock
@defvr {Scheme Variable} ntp-service-type
This is the type of the service running the @uref{http://www.ntp.org,
Network Time Protocol (NTP)} daemon, @command{ntpd}.  The daemon will keep the
system clock synchronized with that of the specified NTP servers.

The value of this service is an @code{ntpd-configuration} object, as described
below.
@end defvr

@deftp {Data Type} ntp-configuration
This is the data type for the NTP service configuration.

@table @asis
@item @code{servers} (default: @code{%ntp-servers})
This is the list of servers (host names) with which @command{ntpd} will be
synchronized.

@item @code{allow-large-adjustment?} (default: @code{#f})
This determines whether @command{ntpd} is allowed to make an initial
adjustment of more than 1,000 seconds.

@item @code{ntp} (default: @code{ntp})
The NTP package to use.
@end table
@end deftp

@defvr {Scheme Variable} %ntp-servers
List of host names used as the default NTP servers.  These are servers of the
@uref{https://www.ntppool.org/en/, NTP Pool Project}.
@end defvr

@cindex OpenNTPD
@deffn {Scheme Procedure} openntpd-service-type
Run the @command{ntpd}, the Network Time Protocol (NTP) daemon, as implemented
by @uref{http://www.openntpd.org, OpenNTPD}.  The daemon will keep the system
clock synchronized with that of the given servers.

@example
(service
 openntpd-service-type
 (openntpd-configuration
  (listen-on '("127.0.0.1" "::1"))
  (sensor '("udcf0 correction 70000"))
  (constraint-from '("www.gnu.org"))
  (constraints-from '("https://www.google.com/"))
  (allow-large-adjustment? #t)))

@end example
@end deffn

@deftp {Data Type} openntpd-configuration
@table @asis
@item @code{openntpd} (default: @code{(file-append openntpd "/sbin/ntpd")})
The openntpd executable to use.
@item @code{listen-on} (default: @code{'("127.0.0.1" "::1")})
A list of local IP addresses or hostnames the ntpd daemon should listen on.
@item @code{query-from} (default: @code{'()})
A list of local IP address the ntpd daemon should use for outgoing queries.
@item @code{sensor} (default: @code{'()})
Specify a list of timedelta sensor devices ntpd should use.  @code{ntpd}
will listen to each sensor that acutally exists and ignore non-existant ones.
See @uref{https://man.openbsd.org/ntpd.conf, upstream documentation} for more
information.
@item @code{server} (default: @var{%ntp-servers})
Specify a list of IP addresses or hostnames of NTP servers to synchronize to.
@item @code{servers} (default: @code{'()})
Specify a list of IP addresses or hostnames of NTP pools to synchronize to.
@item @code{constraint-from} (default: @code{'()})
@code{ntpd} can be configured to query the ‘Date’ from trusted HTTPS servers via TLS.
This time information is not used for precision but acts as an authenticated
constraint, thereby reducing the impact of unauthenticated NTP
man-in-the-middle attacks.
Specify a list of URLs, IP addresses or hostnames of HTTPS servers to provide
a constraint.
@item @code{constraints-from} (default: @code{'()})
As with constraint from, specify a list of URLs, IP addresses or hostnames of
HTTPS servers to provide a constraint.  Should the hostname resolve to multiple
IP addresses, @code{ntpd} will calculate a median constraint from all of them.
@item @code{allow-large-adjustment?} (default: @code{#f})
Determines if @code{ntpd} is allowed to make an initial adjustment of more
than 180 seconds.
@end table
@end deftp

@cindex inetd
@deffn {Scheme variable} inetd-service-type
This service runs the @command{inetd} (@pxref{inetd invocation,,,
inetutils, GNU Inetutils}) daemon.  @command{inetd} listens for
connections on internet sockets, and lazily starts the specified server
program when a connection is made on one of these sockets.

The value of this service is an @code{inetd-configuration} object.  The
following example configures the @command{inetd} daemon to provide the
built-in @command{echo} service, as well as an smtp service which
forwards smtp traffic over ssh to a server @code{smtp-server} behind a
gateway @code{hostname}:

@example
(service
 inetd-service-type
 (inetd-configuration
  (entries (list
            (inetd-entry
             (name "echo")
             (socket-type 'stream)
             (protocol "tcp")
             (wait? #f)
             (user "root"))
            (inetd-entry
             (node "127.0.0.1")
             (name "smtp")
             (socket-type 'stream)
             (protocol "tcp")
             (wait? #f)
             (user "root")
             (program (file-append openssh "/bin/ssh"))
             (arguments
              '("ssh" "-qT" "-i" "/path/to/ssh_key"
                "-W" "smtp-server:25" "user@@hostname")))))
@end example

See below for more details about @code{inetd-configuration}.
@end deffn

@deftp {Data Type} inetd-configuration
Data type representing the configuration of @command{inetd}.

@table @asis
@item @code{program} (default: @code{(file-append inetutils "/libexec/inetd")})
The @command{inetd} executable to use.

@item @code{entries} (default: @code{'()})
A list of @command{inetd} service entries.  Each entry should be created
by the @code{inetd-entry} constructor.
@end table
@end deftp

@deftp {Data Type} inetd-entry
Data type representing an entry in the @command{inetd} configuration.
Each entry corresponds to a socket where @command{inetd} will listen for
requests.

@table @asis
@item @code{node} (default: @code{#f})
Optional string, a comma-separated list of local addresses
@command{inetd} should use when listening for this service.
@xref{Configuration file,,, inetutils, GNU Inetutils} for a complete
description of all options.
@item @code{name}
A string, the name must correspond to an entry in @code{/etc/services}.
@item @code{socket-type}
One of @code{'stream}, @code{'dgram}, @code{'raw}, @code{'rdm} or
@code{'seqpacket}.
@item @code{protocol}
A string, must correspond to an entry in @code{/etc/protocols}.
@item @code{wait?} (default: @code{#t})
Whether @command{inetd} should wait for the server to exit before
listening to new service requests.
@item @code{user}
A string containing the user (and, optionally, group) name of the user
as whom the server should run.  The group name can be specified in a
suffix, separated by a colon or period, i.e.@: @code{"user"},
@code{"user:group"} or @code{"user.group"}.
@item @code{program} (default: @code{"internal"})
The server program which will serve the requests, or @code{"internal"}
if @command{inetd} should use a built-in service.
@item @code{arguments} (default: @code{'()})
A list strings or file-like objects, which are the server program's
arguments, starting with the zeroth argument, i.e.@: the name of the
program itself.  For @command{inetd}'s internal services, this entry
must be @code{'()} or @code{'("internal")}.
@end table

@xref{Configuration file,,, inetutils, GNU Inetutils} for a more
detailed discussion of each configuration field.
@end deftp

@cindex Tor
@defvr {Scheme Variable} tor-service-type
This is the type for a service that runs the @uref{https://torproject.org,
Tor} anonymous networking daemon.  The service is configured using a
@code{<tor-configuration>} record.  By default, the Tor daemon runs as the
@code{tor} unprivileged user, which is a member of the @code{tor} group.

@end defvr

@deftp {Data Type} tor-configuration
@table @asis
@item @code{tor} (default: @code{tor})
The package that provides the Tor daemon.  This package is expected to provide
the daemon at @file{bin/tor} relative to its output directory.  The default
package is the @uref{https://www.torproject.org, Tor Project's}
implementation.

@item @code{config-file} (default: @code{(plain-file "empty" "")})
The configuration file to use.  It will be appended to a default configuration
file, and the final configuration file will be passed to @code{tor} via its
@code{-f} option.  This may be any ``file-like'' object (@pxref{G-Expressions,
file-like objects}).  See @code{man tor} for details on the configuration file
syntax.

@item @code{hidden-services} (default: @code{'()})
The list of @code{<hidden-service>} records to use.  For any hidden service
you include in this list, appropriate configuration to enable the hidden
service will be automatically added to the default configuration file.  You
may conveniently create @code{<hidden-service>} records using the
@code{tor-hidden-service} procedure described below.

@item @code{socks-socket-type} (default: @code{'tcp})
The default socket type that Tor should use for its SOCKS socket.  This must
be either @code{'tcp} or @code{'unix}.  If it is @code{'tcp}, then by default
Tor will listen on TCP port 9050 on the loopback interface (i.e., localhost).
If it is @code{'unix}, then Tor will listen on the UNIX domain socket
@file{/var/run/tor/socks-sock}, which will be made writable by members of the
@code{tor} group.

If you want to customize the SOCKS socket in more detail, leave
@code{socks-socket-type} at its default value of @code{'tcp} and use
@code{config-file} to override the default by providing your own
@code{SocksPort} option.
@end table
@end deftp

@cindex hidden service
@deffn {Scheme Procedure} tor-hidden-service @var{name} @var{mapping}
Define a new Tor @dfn{hidden service} called @var{name} and implementing
@var{mapping}.  @var{mapping} is a list of port/host tuples, such as:

@example
 '((22 "127.0.0.1:22")
   (80 "127.0.0.1:8080"))
@end example

In this example, port 22 of the hidden service is mapped to local port 22, and
port 80 is mapped to local port 8080.

This creates a @file{/var/lib/tor/hidden-services/@var{name}} directory, where
the @file{hostname} file contains the @code{.onion} host name for the hidden
service.

See @uref{https://www.torproject.org/docs/tor-hidden-service.html.en, the Tor
project's documentation} for more information.
@end deffn

The @code{(gnu services rsync)} module provides the following services:

You might want an rsync daemon if you have files that you want available
so anyone (or just yourself) can download existing files or upload new
files.

@deffn {Scheme Variable} rsync-service-type
This is the type for the @uref{https://rsync.samba.org, rsync} rsync daemon,
@command{rsync-configuration} record as in this example:

@example
(service rsync-service-type)
@end example

See below for details about @code{rsync-configuration}.
@end deffn

@deftp {Data Type} rsync-configuration
Data type representing the configuration for @code{rsync-service}.

@table @asis
@item @code{package} (default: @var{rsync})
@code{rsync} package to use.

@item @code{port-number} (default: @code{873})
TCP port on which @command{rsync} listens for incoming connections.  If port
is less than @code{1024} @command{rsync} needs to be started as the
@code{root} user and group.

@item @code{pid-file} (default: @code{"/var/run/rsyncd/rsyncd.pid"})
Name of the file where @command{rsync} writes its PID.

@item @code{lock-file} (default: @code{"/var/run/rsyncd/rsyncd.lock"})
Name of the file where @command{rsync} writes its lock file.

@item @code{log-file} (default: @code{"/var/log/rsyncd.log"})
Name of the file where @command{rsync} writes its log file.

@item @code{use-chroot?} (default: @var{#t})
Whether to use chroot for @command{rsync} shared directory.

@item @code{share-path} (default: @file{/srv/rsync})
Location of the @command{rsync} shared directory.

@item @code{share-comment} (default: @code{"Rsync share"})
Comment of the @command{rsync} shared directory.

@item @code{read-only?} (default: @var{#f})
Read-write permissions to shared directory.

@item @code{timeout} (default: @code{300})
I/O timeout in seconds.

@item @code{user} (default: @var{"root"})
Owner of the @code{rsync} process.

@item @code{group} (default: @var{"root"})
Group of the @code{rsync} process.

@item @code{uid} (default: @var{"rsyncd"})
User name or user ID that file transfers to and from that module should take
place as when the daemon was run as @code{root}.

@item @code{gid} (default: @var{"rsyncd"})
Group name or group ID that will be used when accessing the module.

@end table
@end deftp

Furthermore, @code{(gnu services ssh)} provides the following services.
@cindex SSH
@cindex SSH server

@deffn {Scheme Procedure} lsh-service [#:host-key "/etc/lsh/host-key"] @
       [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] @
       [#:allow-empty-passwords? #f] [#:root-login? #f] @
       [#:syslog-output? #t] [#:x11-forwarding? #t] @
       [#:tcp/ip-forwarding? #t] [#:password-authentication? #t] @
       [#:public-key-authentication? #t] [#:initialize? #t]
Run the @command{lshd} program from @var{lsh} to listen on port @var{port-number}.
@var{host-key} must designate a file containing the host key, and readable
only by root.

When @var{daemonic?} is true, @command{lshd} will detach from the
controlling terminal and log its output to syslogd, unless one sets
@var{syslog-output?} to false.  Obviously, it also makes lsh-service
depend on existence of syslogd service.  When @var{pid-file?} is true,
@command{lshd} writes its PID to the file called @var{pid-file}.

When @var{initialize?} is true, automatically create the seed and host key
upon service activation if they do not exist yet.  This may take long and
require interaction.

When @var{initialize?} is false, it is up to the user to initialize the
randomness generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create
a key pair with the private key stored in file @var{host-key} (@pxref{lshd
basics,,, lsh, LSH Manual}).

When @var{interfaces} is empty, lshd listens for connections on all the
network interfaces; otherwise, @var{interfaces} must be a list of host names
or addresses.

@var{allow-empty-passwords?} specifies whether to accept log-ins with empty
passwords, and @var{root-login?} specifies whether to accept log-ins as
root.

The other options should be self-descriptive.
@end deffn

@cindex SSH
@cindex SSH server
@deffn {Scheme Variable} openssh-service-type
This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
shell daemon, @command{sshd}.  Its value must be an
@code{openssh-configuration} record as in this example:

@example
(service openssh-service-type
         (openssh-configuration
           (x11-forwarding? #t)
           (permit-root-login 'without-password)
           (authorized-keys
             `(("alice" ,(local-file "alice.pub"))
               ("bob" ,(local-file "bob.pub"))))))
@end example

See below for details about @code{openssh-configuration}.

This service can be extended with extra authorized keys, as in this
example:

@example
(service-extension openssh-service-type
                   (const `(("charlie"
                             ,(local-file "charlie.pub")))))
@end example
@end deffn

@deftp {Data Type} openssh-configuration
This is the configuration record for OpenSSH's @command{sshd}.

@table @asis
@item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
Name of the file where @command{sshd} writes its PID.

@item @code{port-number} (default: @code{22})
TCP port on which @command{sshd} listens for incoming connections.

@item @code{permit-root-login} (default: @code{#f})
This field determines whether and when to allow logins as root.  If
@code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
If it's the symbol @code{'without-password}, then root logins are
permitted but not with password-based authentication.

@item @code{allow-empty-passwords?} (default: @code{#f})
When true, users with empty passwords may log in.  When false, they may
not.

@item @code{password-authentication?} (default: @code{#t})
When true, users may log in with their password.  When false, they have
other authentication methods.

@item @code{public-key-authentication?} (default: @code{#t})
When true, users may log in using public key authentication.  When
false, users have to use other authentication method.

Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
This is used only by protocol version 2.

@item @code{x11-forwarding?} (default: @code{#f})
When true, forwarding of X11 graphical client connections is
enabled---in other words, @command{ssh} options @option{-X} and
@option{-Y} will work.

@item @code{allow-agent-forwarding?} (default: @code{#t})
Whether to allow agent forwarding.

@item @code{allow-tcp-forwarding?} (default: @code{#t})
Whether to allow TCP forwarding.

@item @code{gateway-ports?} (default: @code{#f})
Whether to allow gateway ports.

@item @code{challenge-response-authentication?} (default: @code{#f})
Specifies whether challenge response authentication is allowed (e.g.@: via
PAM).

@item @code{use-pam?} (default: @code{#t})
Enables the Pluggable Authentication Module interface.  If set to
@code{#t}, this will enable PAM authentication using
@code{challenge-response-authentication?} and
@code{password-authentication?}, in addition to PAM account and session
module processing for all authentication types.

Because PAM challenge response authentication usually serves an
equivalent role to password authentication, you should disable either
@code{challenge-response-authentication?} or
@code{password-authentication?}.

@item @code{print-last-log?} (default: @code{#t})
Specifies whether @command{sshd} should print the date and time of the
last user login when a user logs in interactively.

@item @code{subsystems} (default: @code{'(("sftp" "internal-sftp"))})
Configures external subsystems (e.g.@: file transfer daemon).

This is a list of two-element lists, each of which containing the
subsystem name and a command (with optional arguments) to execute upon
subsystem request.

The command @command{internal-sftp} implements an in-process SFTP
server.  Alternately, one can specify the @command{sftp-server} command:
@example
(service openssh-service-type
         (openssh-configuration
          (subsystems
           `(("sftp" ,(file-append openssh "/libexec/sftp-server"))))))
@end example

@item @code{accepted-environment} (default: @code{'()})
List of strings describing which environment variables may be exported.

Each string gets on its own line.  See the @code{AcceptEnv} option in
@code{man sshd_config}.

This example allows ssh-clients to export the @code{COLORTERM} variable.
It is set by terminal emulators, which support colors.  You can use it in
your shell's ressource file to enable colors for the prompt and commands
if this variable is set.

@example
(service openssh-service-type
         (openssh-configuration
           (accepted-environment '("COLORTERM"))))
@end example

@item @code{authorized-keys} (default: @code{'()})
@cindex authorized keys, SSH
@cindex SSH authorized keys
This is the list of authorized keys.  Each element of the list is a user
name followed by one or more file-like objects that represent SSH public
keys.  For example:

@example
(openssh-configuration
  (authorized-keys
    `(("rekado" ,(local-file "rekado.pub"))
      ("chris" ,(local-file "chris.pub"))
      ("root" ,(local-file "rekado.pub") ,(local-file "chris.pub")))))
@end example

@noindent
registers the specified public keys for user accounts @code{rekado},
@code{chris}, and @code{root}.

Additional authorized keys can be specified @i{via}
@code{service-extension}.

Note that this does @emph{not} interfere with the use of
@file{~/.ssh/authorized_keys}.

@item @code{log-level} (default: @code{'info})
This is a symbol specifying the logging level: @code{quiet}, @code{fatal},
@code{error}, @code{info}, @code{verbose}, @code{debug}, etc.  See the man
page for @file{sshd_config} for the full list of level names.

@item @code{extra-content} (default: @code{""})
This field can be used to append arbitrary text to the configuration file.  It
is especially useful for elaborate configurations that cannot be expressed
otherwise.  This configuration, for example, would generally disable root
logins, but permit them from one specific IP address:

@example
(openssh-configuration
  (extra-content "\
Match Address 192.168.0.1
  PermitRootLogin yes"))
@end example

@end table
@end deftp

@deffn {Scheme Procedure} dropbear-service [@var{config}]
Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
daemon} with the given @var{config}, a @code{<dropbear-configuration>}
object.

For example, to specify a Dropbear service listening on port 1234, add
this call to the operating system's @code{services} field:

@example
(dropbear-service (dropbear-configuration
                    (port-number 1234)))
@end example
@end deffn

@deftp {Data Type} dropbear-configuration
This data type represents the configuration of a Dropbear SSH daemon.

@table @asis
@item @code{dropbear} (default: @var{dropbear})
The Dropbear package to use.