diff --git a/machines/kerberos.metznet.ca.scm b/machines/kerberos.metznet.ca.scm
index 5f8f623..d36d3cf 100644
--- a/machines/kerberos.metznet.ca.scm
+++ b/machines/kerberos.metznet.ca.scm
@@ -21,7 +21,7 @@
 #:use-module (gnu packages perl)
 #:use-module (gnu packages tcl)
 #:use-module (gnu packages readline)
- #:use-module (gnu packages openldap)
+ #:use-module (gnu packages slapd)
 #:use-module (gnu services)
 #:use-module (gnu services shepherd)
 #:use-module (gnu services configuration)
@@ -45,7 +45,7 @@
 (base32 "0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
 (build-system gnu-build-system)
- (native-inputs (list bison perl tcl openldap)) ;required for some tests
+ (native-inputs (list bison perl tcl openldap-slapd)) ;required for some tests
 (inputs (list openssl readline))
 (arguments
 `( ;XXX: On 32-bit systems, 'kdb5_util' hangs on an fcntl/F_SETLKW call
@@ -63,8 +63,8 @@
 "ac_cv_printf_positional=yes"
 "ac_cv_file__etc_environment=yes"
 "ac_cv_file__etc_TIMEZONE=no")
- #:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1"))
- '(#:configure-flags (list "--with-readline" "--with-ldap" "--localstatedir=/var")))
+ #:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1" ))
+ '(#:configure-flags (list "--with-tls-impl=openssl" "--with-readline" "--with-ldap" "--localstatedir=/var")))
 #:phases (modify-phases %standard-phases
 (add-after 'unpack 'enter-source-directory
 (lambda _
@@ -129,7 +129,7 @@ cryptography.")
 (name (string "EXAMPLE.COM") "realm name" serialize-none)
 (database_module maybe-string "database module")
 (acl_file maybe-file-like "acl file")
- (key_stash_file maybe-string "key stash file")
+ (key_stash_file (string "/var/lib/kerberos/stash") "key stash file")
 (kdc_ports (list-of-ports '(750 88)) "list of ports to listen on" realm-serialize-list-of-ports)
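Review bot: The rewritten `#:make-flags` line leaves a stray space before the closing parens, `"CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1" ))`; nothing else on that line changed, so it reads as accidental and should be `#:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1"))`. The new `--with-tls-impl=openssl` configure flag on the next line carries no explanation of which feature of this build needs it; a one-line comment beside it stating the reason (openssl is already an input per the earlier hunk) would save the next reader a lookup. The enclosing `(arguments` form begins in the previous hunk and closes outside this one.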
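Review bot: `key_stash_file` now defaults to `(string "/var/lib/kerberos/stash")` but its docstring is still the bare `"key stash file"`, which does not tell an operator that this file holds the KDC master key and is not created by the service; the TODO beside `kdc-shepherd` later in this diff says it has to be produced with `kdb5_util stash` on first boot. Suggest `"path of the master-key stash file; create it with kdb5_util stash before starting the KDC"`. Because the default is now a plain string rather than `maybe-string`, every realm serialises a `key_stash_file`, so two realms on one KDC would share the same stash unless each overrides the field; if that is intended, say so in the docstring. The `define-configuration` form this field belongs to starts before the hunk.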
@@ -223,6 +223,10 @@ cryptography.")
 (define-configuration kdc-configuration
 (krb5 (file-like mit-krb5-ldap) "krb5 package to use" serialize-none)
+ (pkinit_anchors
+ (string "DIR:/run/current-system/profile/etc/ssl/certs/")
+ "CA certificate directory/file"
+ (serialize-field (lambda (x) x) " "))
 (kdc_ports (list-of-ports '(750 88)) "list of ports to listen on")
 (realms (list-of-kdc-realm-configuration '())
@@ -249,14 +253,14 @@ cryptography.")
 (group "kerberos")
 (system? #t)
 (comment "kdc service account")
- (home-directory "/var/lib/krb5kdc/")
+ (home-directory "/var/lib/kerberos/")
 (shell #~(string-append #$shadow "/sbin/nologin")))))
 (define (kdc-activation configuration)
 #~(begin
 (let ((user (getpw "kerberos")) (group (getgr "kerberos")))
- (mkdir-p/perms "/var/lib/krb5kdc" user 488))))
+ (mkdir-p/perms "/var/lib/kerberos" user 488))))
 (define (kdc-etc configuration)
 `(("kdc.conf" ,(serialize-kdc-configuration configuration))))
@@ -265,7 +269,7 @@ cryptography.")
 ; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot
 (define (kdc-shepherd configuration)
 (list (shepherd-service (documentation "")
- (provision '(krb5kdc))
+ (provision '(kdc))
 (requirement '(networking user-processes))
 (start #~(make-forkexec-constructor (list #$(file-append (kdc-configuration-krb5
@@ -279,6 +283,7 @@ cryptography.")
 #$(kdc-configuration-krb5 configuration) "/lib/krb5/plugins/kdb")
+ "SSL_CERT_DIR=/etc/ssl/certs"
 "KRB5_KDC_PROFILE=/etc/kdc.conf")
 #:user "root" #:group "root"))
@@ -311,7 +316,7 @@ cryptography.")
 (kldap-configuration (ldap_kdc_dn %kerberos-dn)
 (ldap_kadmind_dn %kerberos-dn)
- (ldap_servers "ldap://ldap.metznet.ca")
+ (ldap_servers "ldaps://ldap.metznet.ca")
 (ldap_service_password_file (plain-file "service.keyfile"
@@ -320,8 +325,6 @@ cryptography.")
 (name "METZNET.CA")
 (database_module "openldap_ldapconf")
- (key_stash_file
- "/var/lib/krb5kdc/stash")
 (default_principal_flags "+preauth")
 (acl_file (plain-file
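Review bot: `pkinit_anchors` is set to the whole system CA directory, `DIR:/run/current-system/profile/etc/ssl/certs/`, which makes the KDC accept PKINIT client certificates chaining to any CA in the system trust store rather than only the CA that issues this realm's client certificates; if that wider trust is not intended, point it at that one CA, e.g. `FILE:/path/to/pkinit-ca.pem` (placeholder path), and keep the general bundle out of the anchor set. Either way the docstring `"CA certificate directory/file"` should say what the anchors are used for, e.g. `"trust anchors the KDC uses to validate PKINIT client certificates"`. `serialize-field` is a helper I cannot see from here; `(lambda (x) x)` looks like a pass-through serializer and `" "` presumably a separator or indent, so confirm the emitted line lands in the section of kdc.conf where the KDC reads `pkinit_anchors`.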
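Review bot: `(mkdir-p/perms "/var/lib/kerberos" user 488)` encodes the mode as decimal 488, which is octal 0750; writing it as `#o750` says what the permissions are without the reader converting. The directory is now both the `kerberos` account's home (the `home-directory` change in the same hunk) and, through the new `key_stash_file` default earlier in this diff, the place the master-key stash lives, so a comment such as `;; #o750, owned by kerberos; also holds the master-key stash file` would make the shared use explicit. I cannot see from here what mode `kdb5_util stash` gives the stash file, so confirm it stays unreadable to the `kerberos` user if that account ever runs anything. `mkdir-p/perms` is defined outside this hunk.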
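Review bot: `"SSL_CERT_DIR=/etc/ssl/certs"` is added to the KDC's environment without a comment, while the `pkinit_anchors` field earlier in this diff refers to the same store as `/run/current-system/profile/etc/ssl/certs/`; one spelling, or a comment saying why the variable is needed, would help. It appears to be there so the `ldaps://ldap.metznet.ca` change in the later `kldap-configuration` hunk can verify the LDAP server's certificate; to my knowledge libldap built against OpenSSL only falls back to the default verify paths (and so to `SSL_CERT_DIR`) when no `TLS_CACERT`/`TLS_CACERTDIR` is configured, so confirm that holds on this host and otherwise set `TLS_CACERTDIR` for the KDC explicitly. Suggested comment: `;; lets the LDAP backend verify ldaps:// server certificates against the system CA store`. The `make-forkexec-constructor` argument list starts before this hunk.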
diff --git a/system/base-system.scm b/system/base-system.scm
index a763d40..3a1e826 100644
--- a/system/base-system.scm
+++ b/system/base-system.scm
@@ -9,6 +9,7 @@
 #:use-module (gnu system accounts)
 #:use-module (gnu system shadow)
 #:use-module (gnu system setuid)
+ #:use-module (gnu services configuration)
 #:use-module (gnu system file-systems)
 #:use-module (gnu system)
 #:use-module (gnu system nss)
@@ -24,6 +25,10 @@
 #:use-module (gnu services dbus)
 #:use-module (gnu system keyboard)
 #:use-module (gnu packages admin)
+
+ #:use-module (gnu packages slapd)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages shells)
 #:use-module (gnu packages gnome)
 #:use-module (gnu packages ssh)
@@ -71,7 +76,7 @@
 (name "root")
 (group "root")
 (uid 0)
- (password (crypt "root" "$6$salt"))
+ (password (crypt (or (getenv "GUIX_ROOT_PW")"root") "$6$salt"))
 (shell (file-append zsh "/bin/zsh"))))
 %base-user-accounts))
 (define %metznet-base-groups
@@ -84,6 +89,10 @@
 (define %metznet-base-packages
 (append (list openssh
+
+ openldap-slapd
+ strace
+ git
 neovim
 zsh
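Review bot: `(crypt (or (getenv "GUIX_ROOT_PW")"root") "$6$salt")` still falls back to the literal password `root` whenever `GUIX_ROOT_PW` is unset in the environment that evaluates this file, so a forgotten export silently yields a root account with a well-known password; failing loudly is safer, e.g. `(or (getenv "GUIX_ROOT_PW") (error "GUIX_ROOT_PW is not set"))`. The salt `"$6$salt"` is a fixed, human-chosen string, so the stored hash is identical on every rebuild and every machine using this file; passing an already-hashed value through the environment instead of the plaintext, e.g. `(password (getenv "GUIX_ROOT_PW_HASH"))` (constructed variable name) with the hash made once from a random salt, keeps both the plaintext and the salt out of the configuration. There is also a missing space in `"GUIX_ROOT_PW")"root"`. The `user-account` form this field belongs to starts before the hunk.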
@@ -136,35 +145,47 @@
 (shadow services)
 (group services))))
-(define (pam-mkhomedir-service config)
+(define list-of-strings? (list-of string?))
+
+(define-configuration/no-serialization
+ metznet-system-configuration
+ (certs (file-like le-certs) "certificate package")
+ (pam-services (list-of-strings (list "su" "gdm-password" "login" "sshd" "passwd")) "list of pam services to configure"))
+
+(define (pam-mkhomedir-service configuration)
 (lambda (pam)
- (if (member (pam-service-name pam) config)
+ (if (member (pam-service-name pam) (metznet-system-configuration-pam-services configuration))
 (let ((required (pam-entry (control "required") (module "pam_mkhomedir.so"))))
 (pam-service (inherit pam) (session (cons required (pam-service-account pam)))))
 pam)))
-(define (pam-mkhomedir-services config)
- (list (pam-mkhomedir-service config)))
+(define (pam-mkhomedir-services configuration)
+ (list (pam-mkhomedir-service configuration)))
-(define (metznet-activation config)
+(define (metznet-activation configuration)
 #~(if (access? "/bin/zsh" F_OK)
 (display "zsh already linked")
 (begin (display "linking zsh")
 (symlink (string-append #$zsh "/bin/zsh") "/bin/zsh"))))
+
+(define (metznet-etc-service configuration)
+ '())
+
 (define metznet-service-type
 (service-type (name 'metznet-service)
 (description "MetzNet Services")
 (extensions (list (service-extension activation-service-type metznet-activation)
+ (service-extension profile-service-type
+ (compose list metznet-system-configuration-certs))
+ (service-extension etc-service-type
+ metznet-etc-service)
 (service-extension pam-root-service-type pam-mkhomedir-services)))
- (default-value '())))
-
-(define pam-service-list
- (list "su" "gdm-password" "login" "sshd" "passwd"))
+ (default-value (metznet-system-configuration))))
 (define %metznet-services
 (list (service openssh-service-type
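Review bot: The context line `(session (cons required (pam-service-account pam)))` that the reworked `pam-mkhomedir-service` keeps replaces the service's session stack with its account stack plus `pam_mkhomedir.so`, so the session modules the service already had are dropped and its account modules run again as session modules; this predates the commit, but since the function is being rewritten it should read `(session (cons required (pam-service-session pam)))`. Separately, the list `"su" "gdm-password" "login" "sshd" "passwd"` now appears twice, as the `pam-services` default here and inline in the `sssd-configuration` in the last hunk of this file, where the removed `pam-service-list` used to keep the two in step; a single binding (for example a `%metznet-pam-services` constant used both as the field default and in the sssd call) avoids the two diverging. `metznet-etc-service` returning `'()` also deserves a comment saying it is deliberate, e.g. `;; placeholder: contributes no /etc entries yet`.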
@@ -175,8 +196,8 @@
 (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000)))
 (service sssd-service-type
- (sssd-configuration (pam-services pam-service-list)))
- (service metznet-service-type pam-service-list)))
+ (sssd-configuration (pam-services (list "su" "gdm-password" "login" "sshd" "passwd"))))
+ (service metznet-service-type)))
 (define %metznet-nscd-configuration
 (nscd-configuration (caches (append (list (nscd-cache (database 'passwd)