battering/services/opensnitch.scm


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72

(define-module (battering services opensnitch)
  #:use-module (guix gexp)
  #:use-module (guix records)
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu services configuration)
  #:use-module (battering packages opensnitch)

  #:export (opensnitchd-configuration
            opensnitchd-service-type))

(define list-of-file-likes?
  (list-of file-like?))

(define-configuration/no-serialization opensnitchd-configuration
  (opensnitchd
   (file-like opensnitchd)
   "Opensnitchd package to use.")
  (config-file
   (string "/etc/opensnitchd/default-config.json")
   "Daemon configuration file.")
  (process-monitor-method
   (symbol 'proc)
   "Process monitor method to use."))

(define (opensnitchd-activation config)
  "Create the opensnitchd rules and configuration according to CONFIG."
  (match-record config <opensnitchd-configuration>
                (opensnitchd config-file)
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (when (not (file-exists? "/etc/opensnitchd"))
            (mkdir-p "/etc/opensnitchd/rules/")
            (copy-file #$(file-append opensnitchd "/etc/default-config.json")
                       #$config-file)
            (copy-file #$(file-append opensnitchd "/etc/system-fw.json")
                       "/etc/opensnitchd/system-fw.json"))))))

(define (opensnitchd-shepherd-service config)
  "Return a <shepherd-service> for opensnitchd with CONFIG."
  (let ((config-file (opensnitchd-configuration-config-file config))
        (process-monitor-method
         (symbol->string
          (opensnitchd-configuration-process-monitor-method config))))
    (list (shepherd-service
           (documentation "Opensnitchd daemon.")
           (requirement '(syslogd loopback))
           (provision '(opensnitchd))

           (start
            #~(make-forkexec-constructor
               (list #$(file-append opensnitchd "/bin/opensnitchd")
                     "-process-monitor-method" #$process-monitor-method
                     "-config-file" #$config-file)))
           (stop #~(make-kill-destructor))))))

(define opensnitchd-service-type
  (service-type
   (name 'opensnitchd)
   (description "Run the Opensnitch application firewall daemon.")
   (extensions
    (list
     (service-extension shepherd-root-service-type
                        opensnitchd-shepherd-service)
     (service-extension activation-service-type
                        opensnitchd-activation)
     (service-extension profile-service-type
                        (lambda (config)
                          `(,(opensnitchd-configuration-opensnitchd config))))))
   (compose identity)
   (default-value (opensnitchd-configuration))))