Moved system files to channel and added libutp
parent
266367f809
commit
3714d26837
@ -0,0 +1,219 @@
|
||||
(define-module (base-system)
|
||||
#:use-module (homelab)
|
||||
#:use-module (gnu)
|
||||
#:use-module (guix gexp)
|
||||
#:use-module (nongnu packages linux)
|
||||
#:use-module (gnu packages vim)
|
||||
#:use-module (gnu system nss)
|
||||
#:use-module (gnu packages certs)
|
||||
#:use-module (gnu services pm)
|
||||
#:use-module (gnu services vpn)
|
||||
#:use-module (gnu packages vpn)
|
||||
#:use-module (gnu services networking)
|
||||
#:use-module (gnu packages networking)
|
||||
#:use-module (gnu services ssh)
|
||||
#:use-module (gnu packages dns)
|
||||
#:use-module (gnu packages openldap)
|
||||
#:use-module (gnu services kerberos)
|
||||
#:use-module (gnu packages kerberos)
|
||||
#:use-module (gnu packages admin)
|
||||
#:use-module (gnu packages shells)
|
||||
#:use-module (gnu services desktop)
|
||||
#:use-module (gnu packages gnome)
|
||||
#:use-module (gnu packages wm)
|
||||
#:use-module (gnu services xorg)
|
||||
#:use-module (gnu packages suckless)
|
||||
#:use-module (gnu packages gnuzilla)
|
||||
#:use-module (gnu packages terminals)
|
||||
#:use-module (gnu packages virtualization)
|
||||
#:use-module (gnu packages version-control)
|
||||
#:use-module (nongnu system linux-initrd)
|
||||
#:use-module (gnu system setuid)
|
||||
#:use-module (ice-9 exceptions))
|
||||
|
||||
(define-public get-env-default
|
||||
(lambda (env default)
|
||||
(or
|
||||
(getenv env)
|
||||
default)))
|
||||
|
||||
(define kadmin-prefix
|
||||
(get-env-default "KADMIN_PREFIX" "kadmin."))
|
||||
|
||||
(define kdc-prefix
|
||||
(get-env-default "KDC_PREFIX" "kadmin."))
|
||||
|
||||
(define-public %domain-caps
|
||||
(get-env-default "DOMAIN_CAPS" "METZNET.CA"))
|
||||
|
||||
(define-public %domain-name
|
||||
(get-env-default "DOMAIN_NAME" "metznet.ca"))
|
||||
|
||||
(define-public %domain-kadmin (string-append kadmin-prefix %domain-name))
|
||||
(define-public %domain-kdc (string-append kdc-prefix %domain-name))
|
||||
|
||||
(define-public %my-base-user-accounts (append (list
|
||||
(user-account
|
||||
(name "root")
|
||||
(group "root")
|
||||
(uid 0)
|
||||
(password (crypt "root" "$6$salt"))
|
||||
(shell (file-append zsh "/bin/zsh"))))
|
||||
%base-user-accounts))
|
||||
|
||||
(define-public %my-base-groups (append (list
|
||||
(user-group
|
||||
(system? #t)
|
||||
(name "realtime"))
|
||||
(user-group
|
||||
(system? #t)
|
||||
(name "usb")))
|
||||
%base-groups))
|
||||
|
||||
(define-public %my-base-packages (append (list metznet-system openldap git neovim zsh nss-certs mit-krb5 openvpn openresolv) %base-packages))
|
||||
|
||||
(define-public %my-desktop-packages (append (list i3-wm i3status dmenu alacritty icecat) %my-base-packages))
|
||||
|
||||
(define-public %my-server-packages (append (list isc-dhcp) %my-base-packages))
|
||||
|
||||
(define-public %desktop-setuid-programs (append
|
||||
(list (setuid-program
|
||||
(program #~(string-append #$openvpn "/sbin/openvpn")))
|
||||
(setuid-program
|
||||
(program #~(string-append #$openresolv "/sbin/resolvconf"))))
|
||||
%setuid-programs))
|
||||
|
||||
(define (krb5-config kdc-server kadmin) (krb5-configuration
|
||||
(default-realm %domain-caps)
|
||||
(allow-weak-crypto? #t)
|
||||
(rdns? #f)
|
||||
(realms (list (krb5-realm
|
||||
(name %domain-caps)
|
||||
(admin-server kadmin)
|
||||
(kdc kdc-server))))))
|
||||
|
||||
(define pam-krb5-config (pam-krb5-configuration
|
||||
(pam-krb5 pam-krb5)
|
||||
(minimum-uid 1000)))
|
||||
|
||||
(define-public %default-keyboard-layout (keyboard-layout "us"))
|
||||
|
||||
(define-public %kvm-udev-rule
|
||||
(udev-rule
|
||||
"65-kvm.rules"
|
||||
"KERNEL==\"KVM\", GROUP=\"libvirt\", MODE=\"0660\""))
|
||||
|
||||
(define-public %usb-udev-rule
|
||||
(udev-rule
|
||||
"51-usb.rules"
|
||||
(string-append "SUBSYSTEM==\"usb\", GROUP=\"usb\"\n"
|
||||
"SUBSYSTEM==\"usbmisc\", GROUP=\"usb\"")))
|
||||
|
||||
(define %tun-udev-rule
|
||||
(udev-rule
|
||||
"90-tun.rules"
|
||||
"KERNEL==\"tun\", GROUP=\"netdev\", MODE=\"0660\", OPTIONS+=\"static_node=net/tun\""))
|
||||
|
||||
(define %backlight-udev-rule
|
||||
(udev-rule
|
||||
"55-backlight.rules"
|
||||
"RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\""))
|
||||
|
||||
(define-public %my-desktop-services
|
||||
(append (list (service openssh-service-type)
|
||||
(service krb5-service-type (krb5-config %domain-kdc %domain-kadmin))
|
||||
(service pam-krb5-service-type pam-krb5-config)
|
||||
;(set-xorg-configuration
|
||||
; (xorg-configuration
|
||||
; (keyboard-layout %default-keyboard-layout)))
|
||||
)
|
||||
(modify-services %desktop-services
|
||||
(guix-service-type config => (guix-configuration
|
||||
(inherit config)
|
||||
(substitute-urls
|
||||
(append (list "https://substitutes.nonguix.org")
|
||||
%default-substitute-urls))
|
||||
(authorized-keys
|
||||
(append (list (plain-file "nonguix.pub"
|
||||
"(public-key
|
||||
(ecc
|
||||
(curve Ed25519)
|
||||
(q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))
|
||||
%default-authorized-guix-keys))))
|
||||
(elogind-service-type config =>
|
||||
(elogind-configuration (inherit config)
|
||||
(handle-lid-switch-external-power 'suspend)))
|
||||
(udev-service-type config =>
|
||||
(udev-configuration (inherit config)
|
||||
(rules (append (list %tun-udev-rule
|
||||
%backlight-udev-rule)
|
||||
(udev-configuration-rules config)))))
|
||||
(network-manager-service-type config =>
|
||||
(network-manager-configuration (inherit config)
|
||||
(vpn-plugins (list network-manager-openvpn)))))))
|
||||
|
||||
(define-public %my-base-services (append (list
|
||||
(service openssh-service-type)
|
||||
(service krb5-service-type (krb5-config %domain-kdc %domain-kadmin))
|
||||
(service pam-krb5-service-type pam-krb5-config))
|
||||
%base-services))
|
||||
|
||||
(define-public %my-server-services (append (list
|
||||
(service dhcp-client-service-type)
|
||||
(openvpn-client-service
|
||||
#:config (openvpn-client-configuration
|
||||
(openvpn openvpn)
|
||||
(pid-file "/var/run/openvpn/client.pid")
|
||||
(persist-key? #f)
|
||||
(tls-auth "/etc/openvpn/ta.key"))))
|
||||
%my-base-services))
|
||||
|
||||
(define-public base-operating-system
|
||||
(operating-system
|
||||
;; Hostname and localization information
|
||||
(host-name "base")
|
||||
(timezone "America/Edmonton")
|
||||
(locale "en_CA.utf8")
|
||||
(keyboard-layout %default-keyboard-layout)
|
||||
;; Kernel and firmware definitions
|
||||
(kernel linux)
|
||||
(kernel-arguments (append '("console=ttyS0") %default-kernel-arguments))
|
||||
(firmware (list linux-firmware))
|
||||
(initrd microcode-initrd)
|
||||
;; Grub UEFI Bootloader installed to /boot/efi
|
||||
(bootloader
|
||||
(bootloader-configuration
|
||||
(bootloader grub-efi-bootloader)
|
||||
(targets '("/boot/efi"))
|
||||
(keyboard-layout keyboard-layout)))
|
||||
(file-systems (cons*
|
||||
(file-system
|
||||
(mount-point "/boot/efi")
|
||||
(device "/dev/vda1")
|
||||
(type "vfat")
|
||||
(check? #f))
|
||||
(file-system
|
||||
(mount-point "/")
|
||||
(device "/dev/vda3")
|
||||
(type "xfs")
|
||||
(check? #f))
|
||||
%base-file-systems))
|
||||
(users %my-base-user-accounts)
|
||||
(groups %my-base-groups)
|
||||
(packages %my-base-packages)
|
||||
(services %my-base-services)))
|
||||
|
||||
(define-public base-server-system
|
||||
(operating-system
|
||||
(inherit base-operating-system)
|
||||
(host-name "base-server")
|
||||
(packages %my-server-packages)
|
||||
(services %my-server-services)))
|
||||
|
||||
(define-public base-desktop-system
|
||||
(operating-system
|
||||
(inherit base-operating-system)
|
||||
(host-name "base-desktop")
|
||||
(setuid-programs %desktop-setuid-programs)
|
||||
(packages %my-desktop-packages)
|
||||
(services %my-desktop-services)))
|
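Review bot: krb5-config sets `(allow-weak-crypto? #t)`, which makes every host built from this base accept the deprecated weak Kerberos enctypes; unless a specific legacy principal needs it this should stay at the default `(allow-weak-crypto? #f)` and be enabled per host. The root account in %my-base-user-accounts is given `(password (crypt "root" "$6$salt"))`, a fixed, guessable password and salt that end up in /etc/shadow of every derived system and in the public repository; read it from the environment the way the domain values already are, e.g. `(password (getenv "ROOT_PASSWORD_HASH"))` (unset means no password, the Guix default), or set it out of band after install. Separately, %kvm-udev-rule matches `KERNEL==\"KVM\"` in upper case while the device node is kvm, so the rule most likely never applies and `KERNEL==\"kvm\"` looks intended; kadmin-prefix and kdc-prefix both default to "kadmin.", which may be a copy-paste slip.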
@ -0,0 +1,106 @@
|
||||
(use-modules
|
||||
(gnu)
|
||||
(base-system)
|
||||
(gnu packages tex)
|
||||
(nongnu packages mozilla)
|
||||
(nongnu packages nvidia)
|
||||
(gnu packages networking)
|
||||
(gnu packages shells)
|
||||
(gnu packages pulseaudio)
|
||||
(gnu packages virtualization)
|
||||
(gnu packages spice)
|
||||
(gnu packages vulkan)
|
||||
(gnu packages pdf)
|
||||
(gnu packages commencement)
|
||||
(gnu packages base)
|
||||
(gnu packages embedded)
|
||||
(gnu packages linux)
|
||||
(gnu packages docker)
|
||||
(gnu services docker)
|
||||
(gnu packages audio)
|
||||
(gnu services cups)
|
||||
(gnu services virtualization)
|
||||
(gnu services networking)
|
||||
(gnu services xorg)
|
||||
(gnu services desktop)
|
||||
(gnu services dbus)
|
||||
(gnu services linux)
|
||||
(gnu packages cups)
|
||||
(gnu packages python)
|
||||
(gnu packages xorg)
|
||||
(gnu packages scanner)
|
||||
(gnu packages dns)
|
||||
(gnu services shepherd)
|
||||
(gnu services base))
|
||||
|
||||
; (define (nvidia-insmod-shepherd-service config)
|
||||
; (list (shepherd-service
|
||||
; (provision '(nvidia-insmod))
|
||||
; (requirement '())
|
||||
; (start #~(lambda _ (and
|
||||
; (zero? (system* (string-append #$nvidia-driver "/bin/nvidia-insmod"))))))
|
||||
; (one-shot? #t)
|
||||
; (auto-start? #t)
|
||||
; (respawn? #f))))
|
||||
;
|
||||
;(define nvidia-insmod-service-type
|
||||
; (service-type
|
||||
; (name 'nvidia-insmod-name)
|
||||
; (extensions
|
||||
; (list (service-extension shepherd-root-service-type nvidia-insmod-shepherd-service)))
|
||||
; (default-value '())))
|
||||
|
||||
(operating-system
|
||||
(inherit base-desktop-system)
|
||||
(host-name "otto")
|
||||
(hosts-file
|
||||
(plain-file "hosts"
|
||||
(string-append (local-host-aliases host-name)
|
||||
"# LAN geofff.homelab ip
|
||||
192.168.86.2 geofff.homelab\n")))
|
||||
(kernel-arguments '("modprobe.blacklist=nouveau"))
|
||||
(packages (append (list blueman bluez bluez-alsa pulseaudio docker python openvswitch
|
||||
qemu texlive firefox pavucontrol mupdf gcc-toolchain gnu-make
|
||||
gcc-arm-none-eabi-7-2018-q2-update sane-backends-minimal xsane
|
||||
cups xf86-video-nv xf86-input-libinput vulkan-loader vulkan-tools
|
||||
(list isc-bind "utils")) %my-desktop-packages))
|
||||
(services (append (list
|
||||
(simple-service 'blueman dbus-root-service-type (list blueman))
|
||||
(bluetooth-service #:auto-enable? #t)
|
||||
(service docker-service-type)
|
||||
(service openvswitch-service-type)
|
||||
(set-xorg-configuration
|
||||
(xorg-configuration
|
||||
(keyboard-layout %default-keyboard-layout)))
|
||||
(service sane-service-type)
|
||||
(service cups-service-type
|
||||
(cups-configuration
|
||||
(web-interface? #t))))
|
||||
(modify-services %my-desktop-services
|
||||
(udev-service-type config =>
|
||||
(udev-configuration (inherit config)
|
||||
(rules (append (list
|
||||
%usb-udev-rule)
|
||||
(udev-configuration-rules config))))))))
|
||||
(users (cons* (user-account
|
||||
(name "nmetz")
|
||||
(comment "Noah Metz")
|
||||
(group "users")
|
||||
(home-directory "/home/nmetz")
|
||||
(shell (file-append zsh "/bin/zsh"))
|
||||
(supplementary-groups
|
||||
`("wheel" "netdev" "audio" "video" "usb" "kvm" "lp" "docker")))
|
||||
%my-base-user-accounts))
|
||||
(file-systems
|
||||
(cons* (file-system
|
||||
(mount-point "/boot/efi")
|
||||
(device (uuid "6E88-FE62" 'fat32))
|
||||
(type "vfat"))
|
||||
(file-system
|
||||
(mount-point "/")
|
||||
(device
|
||||
(uuid "ba93a043-9e58-466f-b90f-bf2a6bbf91fe"
|
||||
'ext4))
|
||||
(type "ext4"))
|
||||
%base-file-systems)))
|
||||
|
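Review bot: `(kernel-arguments '("modprobe.blacklist=nouveau"))` replaces, rather than extends, the list base-operating-system builds from `%default-kernel-arguments`, so otto silently drops those defaults and the serial console set there; `(kernel-arguments (append '("modprobe.blacklist=nouveau") '("console=ttyS0") %default-kernel-arguments))` or a shared list in base-system keeps the hosts consistent. The nmetz account is also added to `docker` (and `kvm`), which on a host running docker-service-type is equivalent to root; that is a defensible single-user-workstation choice but deserves a comment, e.g. `;; docker group membership is root-equivalent; intentional for this workstation`. The service list, udev modify-services block and user-account here are duplicated verbatim in the patrache configuration in this commit.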
@ -0,0 +1,67 @@
|
||||
(use-modules
|
||||
(gnu)
|
||||
(base-system)
|
||||
(gnu packages tex)
|
||||
(nongnu packages mozilla)
|
||||
(gnu packages networking)
|
||||
(gnu packages shells)
|
||||
(gnu packages pulseaudio)
|
||||
(gnu packages virtualization)
|
||||
(gnu packages spice)
|
||||
(gnu packages vulkan)
|
||||
(gnu packages pdf)
|
||||
(gnu packages commencement)
|
||||
(gnu packages base)
|
||||
(gnu packages embedded)
|
||||
(gnu services cups)
|
||||
(gnu services virtualization)
|
||||
(gnu services xorg)
|
||||
(gnu services desktop)
|
||||
(gnu services linux)
|
||||
(gnu packages cups)
|
||||
(gnu packages xorg)
|
||||
(gnu packages scanner)
|
||||
(gnu packages dns)
|
||||
(gnu services shepherd)
|
||||
(gnu services base))
|
||||
|
||||
(operating-system
|
||||
(inherit base-desktop-system)
|
||||
(host-name "patrache")
|
||||
(packages (append (list autoconf automake qemu texlive firefox pavucontrol mupdf gcc-toolchain gnu-make gcc-arm-none-eabi-7-2018-q2-update sane-backends-minimal xsane cups (list isc-bind "utils")) %my-desktop-packages))
|
||||
(services (append (list
|
||||
(set-xorg-configuration
|
||||
(xorg-configuration
|
||||
(keyboard-layout %default-keyboard-layout)))
|
||||
(service sane-service-type)
|
||||
(service cups-service-type
|
||||
(cups-configuration
|
||||
(web-interface? #t))))
|
||||
(modify-services %my-desktop-services
|
||||
(udev-service-type config =>
|
||||
(udev-configuration (inherit config)
|
||||
(rules (append (list
|
||||
%usb-udev-rule)
|
||||
(udev-configuration-rules config))))))))
|
||||
(users (cons* (user-account
|
||||
(name "nmetz")
|
||||
(comment "Noah Metz")
|
||||
(group "users")
|
||||
(home-directory "/home/nmetz")
|
||||
(shell (file-append zsh "/bin/zsh"))
|
||||
(supplementary-groups
|
||||
`("wheel" "netdev" "audio" "video" "usb" "kvm")))
|
||||
%my-base-user-accounts))
|
||||
(file-systems
|
||||
(cons* (file-system
|
||||
(mount-point "/boot/efi")
|
||||
(device (uuid "50C2-89C6" 'fat32))
|
||||
(type "vfat"))
|
||||
(file-system
|
||||
(mount-point "/")
|
||||
(device
|
||||
(uuid "817a54a1-a8a9-49b5-883d-33fdfd06404d"
|
||||
'ext4))
|
||||
(type "ext4"))
|
||||
%base-file-systems)))
|
||||
|
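Review bot: the nmetz user-account, the xorg/sane/cups service list and the udev modify-services block are repeated verbatim from the otto configuration in the same commit; factoring them into base-system as e.g. `%my-user-accounts` and `%my-workstation-services` would leave only host-name, packages and file-systems per host and keep the two supplementary-groups lists from drifting (they already differ: otto adds lp and docker). Unlike otto, this host also inherits the base kernel-arguments unchanged, which is presumably intended but worth stating in a comment.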
@ -0,0 +1,23 @@
|
||||
dn: cn=nmetz,ou=user,dc=metznet,dc=ca
|
||||
objectClass: top
|
||||
objectClass: person
|
||||
objectClass: organizationalPerson
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: posixAccount
|
||||
objectClass: shadowAccount
|
||||
uid: nmetz
|
||||
cn: Noah Metz
|
||||
sn: Metz
|
||||
givenName: Noah
|
||||
userPassword: {SSHA}yUiQKwuRpADPzuT8W9M6gCbnw914VIOD
|
||||
loginShell: /bin/bash
|
||||
uidNumber: 1001
|
||||
gidNumber: 1001
|
||||
homeDirectory: /home/nmetz/
|
||||
|
||||
|
||||
dn: cn=nmetz,ou=group,dc=metznet,dc=ca
|
||||
objectClass: top
|
||||
objectClass: posixGroup
|
||||
cn: nmetz
|
||||
gidNumber: 1001
|
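Review bot: the `userPassword: {SSHA}...` line commits a password hash to the repository; SSHA is salted SHA-1 with no work factor, so the committed value is cheaply crackable offline and the password should be treated as disclosed and rotated. Import the entry without userPassword and set it afterwards with `ldappasswd`, letting slapd hash it with a slow scheme configured through `olcPasswordHash`. `loginShell: /bin/bash` does not exist on a Guix System (only /bin/sh, and the Guix accounts in this commit use zsh from the store), so logins for this LDAP user will fail; `homeDirectory: /home/nmetz/` also carries a trailing slash that the matching Guix account does not.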
@ -0,0 +1,5 @@
|
||||
(use-modules (gnu) (base-system))
|
||||
|
||||
(operating-system
|
||||
(inherit base-server-system)
|
||||
(host-name "server"))
|
@ -0,0 +1,12 @@
|
||||
(use-modules (base-system)
|
||||
(guix gexp)
|
||||
(guix records)
|
||||
(gnu packages virtualization)
|
||||
(gnu services shepherd)
|
||||
(ice-9 match))
|
||||
|
||||
(operating-system
|
||||
(inherit base-server-system)
|
||||
(host-name (string-append "qemu." %domain-name))
|
||||
(packages (append (list qemu) %my-server-packages))
|
||||
(services (append (list (service )) %my-server-services)))
|
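Review bot: `(service )` in the services field names no service type, so evaluating this configuration fails with a wrong-number-of-arguments error before any system is built; either drop the empty element, `(services %my-server-services)`, or put the intended service type in. The `(guix records)`, `(gnu services shepherd)` and `(ice-9 match)` modules are imported but not used here, which suggests the service definition this was meant to hold is still pending.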
@ -0,0 +1,126 @@
|
||||
(use-modules (base-system)
|
||||
(guix records)
|
||||
(guix gexp)
|
||||
(gnu packages admin)
|
||||
(gnu packages kerberos)
|
||||
(gnu packages linux)
|
||||
(gnu services kerberos)
|
||||
(gnu services configuration)
|
||||
(gnu services shepherd)
|
||||
(ice-9 match))
|
||||
|
||||
(define-record-type* <kadmin-configuration>
|
||||
kadmin-configuration make-kadmin-configuration
|
||||
kadmin-configuration?
|
||||
(pidfile kadmin-configuration-pidfile
|
||||
(default "/var/run/krb5kdc"))
|
||||
(package kadmin-configuration-package
|
||||
(default mit-krb5))
|
||||
(directory kadmin-configuration-directory
|
||||
(default "/var/krb5kdc"))
|
||||
(kdb-password kadmin-configuration-kdb-password
|
||||
(default "password"))
|
||||
(realm kadmin-configuration-realm
|
||||
(default %domain-caps))
|
||||
(root-princ kadmin-configuration-root-princ
|
||||
(default "root/admin"))
|
||||
(root-princ-pw kadmin-configuration-root-princ-pw
|
||||
(default "password")))
|
||||
|
||||
(define-gexp-compiler (kadmin-configuration-compiler
|
||||
(file <kadmin-configuration>) system target)
|
||||
|
||||
(match file
|
||||
(($ <kadmin-configuration> pidfile package directory kdb-password realm root-princ root-princ-pw)
|
||||
(gexp->derivation
|
||||
"kdc.conf"
|
||||
#~(call-with-output-file (ungexp output "out")
|
||||
(lambda (port)
|
||||
(display (string-append
|
||||
(ungexp-splicing `(
|
||||
,@`("[kdcdefaults]\n")
|
||||
,@`(" kdc_ports = 750,88\n")
|
||||
,@`("[realms]\n")
|
||||
,@`(" " ,realm " = {\n")
|
||||
,@`(" database_name = " ,directory "/principal\n")
|
||||
,@`(" acl_file = " ,directory "/kadm5.acl\n")
|
||||
,@`(" key_stash_file = " ,directory "/.k5." ,realm "\n")
|
||||
,@`(" kdc_ports = 750,88\n")
|
||||
,@`(" max_life = 10h 0m 0s\n")
|
||||
,@`(" max_renewable_life = 7d 0h 0m 0s\n")
|
||||
,@`("}\n"))))
|
||||
port)))
|
||||
#:local-build? #t))))
|
||||
|
||||
(define %kadmin-accounts
|
||||
(list (user-group (name "krb5") (system? #t))
|
||||
(user-account (name "krb5")
|
||||
(group "krb5")
|
||||
(system? #t)
|
||||
(comment "kadmin/kdc user account")
|
||||
(home-directory "/var/krb5kdc")
|
||||
(shell (file-append shadow "/sbin/nologin")))))
|
||||
|
||||
(define kadmin-activation-service
|
||||
(lambda (arg) (match arg
|
||||
(($ <kadmin-configuration> pidfile package directory kdb-password realm root-princ root-princ-pw)
|
||||
#~(begin
|
||||
(use-modules (guix build utils))
|
||||
(let* ((user (getpw "krb5")))
|
||||
(mkdir-p/perms #$directory user #o700)
|
||||
(symlink #$arg #$(string-append directory "/kdc.conf"))))))))
|
||||
|
||||
(define kadmin-shepherd-services
|
||||
(match-lambda
|
||||
(($ <kadmin-configuration> pidfile package directory kdb-password realm root-princ root-princ-pw)
|
||||
(list (shepherd-service
|
||||
(documentation "Runs the kdc service")
|
||||
(provision '(kdc))
|
||||
(requirement '(user-processes syslogd))
|
||||
(start #~(lambda ()
|
||||
(if (system (string-append #$package "/sbin/kdb5_util -r " #$realm " list_mkeys &> /dev/null"))
|
||||
(begin
|
||||
(system (string-join (list
|
||||
#$(file-append package "/sbin/kdb5_util")
|
||||
"-r" #$realm
|
||||
"create" "-s"
|
||||
"-P" #$kdb-password)))
|
||||
(system (string-join (list
|
||||
#$(file-append package "/sbin/kadmin.local")
|
||||
"-r" #$realm
|
||||
"add_principal"
|
||||
"-pw" #$root-princ-pw
|
||||
#$(string-append root-princ "@" %domain-caps))))
|
||||
(system (string-join (list
|
||||
"echo" (string-append "\"" #$root-princ "@" #$realm " *\n\"")
|
||||
">" (string-append #$directory "/kadm5.acl"))))
|
||||
(display "Kdc already initialized, skipping...")))
|
||||
(fork+exec-command (list
|
||||
#$(file-append package "/sbin/krb5kdc")
|
||||
"-n"
|
||||
"-P" #$pidfile))))
|
||||
(stop #~(make-kill-destructor)))
|
||||
(shepherd-service
|
||||
(documentation "Runs the kadmin service")
|
||||
(provision '(kadmin))
|
||||
(requirement '(kdc user-processes syslogd))
|
||||
(start #~(make-forkexec-constructor (list
|
||||
#$(file-append package "/sbin/kadmind")
|
||||
"-nofork")))
|
||||
(stop #~(make-kill-destructor)))))))
|
||||
|
||||
(define kadmin-service-type
|
||||
(service-type (name 'kadmin)
|
||||
(description
|
||||
"Runs the @command{kadmin} server")
|
||||
(extensions
|
||||
(list (service-extension shepherd-root-service-type kadmin-shepherd-services)
|
||||
(service-extension activation-service-type kadmin-activation-service)
|
||||
(service-extension account-service-type (const %kadmin-accounts))))
|
||||
(default-value (kadmin-configuration))))
|
||||
|
||||
(operating-system
|
||||
(inherit base-server-system)
|
||||
(host-name (string-append "kadmin." %domain-name))
|
||||
(packages (append (list strace) %my-server-packages))
|
||||
(services (append (list (service kadmin-service-type)) %my-server-services)))
|
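Review bot: the `if` in the kdc start gexp tests the raw return value of `system`, which in Guile is a wait-status integer and never `#f`, so the create/add_principal/acl branch runs on every service start regardless of whether `list_mkeys` succeeded; `&>` is also bash-only while `system` runs /bin/sh. Test the exit status instead: `(if (zero? (status:exit-val (system (string-append #$package "/sbin/kdb5_util -r " #$realm " list_mkeys >/dev/null 2>&1")))) (display "Kdc already initialized, skipping...") (begin ...))`. The master-key password and the root principal password are passed as `-P`/`-pw` arguments with `"password"` defaults baked into the record, so they sit in the world-readable store and in the process list while the commands run; both tools prompt for the password when the flag is omitted, so feeding it on stdin from a root-only file keeps it out of both. The principal added at the end is built with `%domain-caps` where the surrounding calls use the configured `realm`; the two should agree.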
@ -0,0 +1,290 @@
|
||||
(use-modules (base-system)
|
||||
(gnu build activation)
|
||||
(gnu services authentication)
|
||||
(gnu packages openldap)
|
||||
(gnu system shadow)
|
||||
(gnu system pam)
|
||||
(gnu services)
|
||||
(gnu services shepherd)
|
||||
(gnu packages admin)
|
||||
(gnu packages autotools)
|
||||
(gnu packages databases)
|
||||
(gnu packages linux)
|
||||
(gnu packages pkg-config)
|
||||
(gnu packages compression)
|
||||
(gnu packages perl)
|
||||
(guix packages)
|
||||
(guix gexp)
|
||||
(guix utils)
|
||||
(guix records)
|
||||
(ice-9 match)
|
||||
(ice-9 format)
|
||||
(ice-9 popen)
|
||||
(ice-9 textual-ports)
|
||||
(srfi srfi-1))
|
||||
|
||||
(define domain-to-dc
|
||||
(lambda (domain)
|
||||
(string-drop-right (apply string-append (map (lambda (component) (string-append "dc=" component ",")) (string-split domain #\.))) 1)))
|
||||
|
||||
(define %domain-dc (domain-to-dc %domain-name))
|
||||
|
||||
(define slapd-rootpw
|
||||
(get-env-default "SLAPD_ROOTPW" "root"))
|
||||
|
||||
(define %slapd-accounts
|
||||
(list (user-group (name "slapd") (system? #t))
|
||||
(user-account (name "slapd")
|
||||
(group "slapd")
|
||||
(system? #t)
|
||||
(comment "OpenLDAP server user")
|
||||
(home-directory "/var/lib/slapd")
|
||||
(shell (file-append shadow "/sbin/nologin")))))
|
||||
|
||||
(define openldap-2.6-slapd
|
||||
(package
|
||||
(inherit openldap-2.6)
|
||||
(name "openldap-2.6-slapd")
|
||||
(native-inputs (modify-inputs (package-native-inputs openldap-2.6)
|
||||
(append libltdl unixodbc pkg-config wiredtiger perl lz4 snappy)))
|
||||
(arguments
|
||||
(substitute-keyword-arguments (package-arguments openldap-2.6)
|
||||
((#:configure-flags flags)
|
||||
`(append '("--enable-modules" "--enable-backends" "--sharedstatedir=/var/lib/slapd" "--localstatedir=/var/lib/slapd" "--runstatedir=/var/run/slapd") ,flags ))))))
|
||||
|
||||
(define %slapd-package openldap-2.6-slapd)
|
||||
(define %ldap-prefix #~(file-append #$%slapd-package "/etc/openldap/schema/"))
|
||||
|
||||
(define-record-type* <slapd-config-ldif>
|
||||
slapd-config-ldif make-slapd-config-ldif
|
||||
slapd-config-ldif?
|
||||
(package slapd-config-ldif-package
|
||||
(default %slapd-package))
|
||||
(argsfile slapd-config-ldif-argsfile
|
||||
(default "/var/run/slapd/args"))
|
||||
(pidfile slapd-config-ldif-pidfile
|
||||
(default "/var/run/slapd/pid"))
|
||||
(schema-prefix slapd-config-ldif-schema-prefix
|
||||
(default "/var/lib/slapd/schema"))
|
||||
(schemas slapd-config-ldif-schemas
|
||||
(default '("core.ldif")))
|
||||
(basedn slapd-config-ldif-basedn
|
||||
(default %domain-dc))
|
||||
(rootdn slapd-config-ldif-rootdn
|
||||
(default "admin"))
|
||||
(rootpw slapd-config-ldif-rootpw
|
||||
(default "password"))
|
||||
(rootpwhash slapd-config-ldif-rootpwhash
|
||||
(default "secret"))
|
||||
(data-directory slapd-config-ldif-data-directory
|
||||
(default "/var/lib/slapd/data"))
|
||||
(conf-directory slapd-config-ldif-conf-directory
|
||||
(default "/var/lib/slapd/config"))
|
||||
(indices slapd-config-ldif-indices
|
||||
(default '("objectClass eq")))
|
||||
(extra-config slapd-config-ldif-extra-config
|
||||
(default '())))
|
||||
|
||||
(define-gexp-compiler (slapd-config-ldif-compiler
|
||||
(file <slapd-config-ldif>) system target)
|
||||
|
||||
(match file
|
||||
(($ <slapd-config-ldif> package argsfile pidfile schema-prefix schemas basedn rootdn rootpw rootpwhash data-directory conf-directory indices extra-config)
|
||||
(gexp->derivation
|
||||
"cn=config.ldif"
|
||||
#~(call-with-output-file (ungexp output "out")
|
||||
(lambda (port)
|
||||
(display (string-append
|
||||
(ungexp-splicing `(
|
||||
,@`("dn: cn=config\n")
|
||||
,@`("objectClass: olcGlobal\n")
|
||||
,@`("cn: config\n")
|
||||
,@`("olcArgsFile: " ,argsfile "\n")
|
||||
,@`("olcPidFile: " ,pidfile "\n\n")
|
||||
,@`("dn: cn=schema,cn=config\n")
|
||||
,@`("objectClass: olcSchemaConfig\n")
|
||||
,@`("cn: schema\n\n")
|
||||
,@(append-map
|
||||
(lambda (schema)
|
||||
`("include: file://" ,schema-prefix ,schema "\n"))
|
||||
schemas)
|
||||
,@`("\ndn: olcDatabase=config,cn=config\n")
|
||||
,@`("objectClass: olcDatabaseConfig\n")
|
||||
,@`("olcDatabase: config\n")
|
||||
,@`("olcRootDN: cn=" ,rootdn "," ,basedn "\n\n")
|
||||
,@`("dn: olcDatabase=mdb,cn=config\n")
|
||||
,@`("objectClass: olcDatabaseConfig\n")
|
||||
,@`("objectClass: olcMdbConfig\n")
|
||||
,@`("olcDatabase: mdb\n")
|
||||
,@`("olcSuffix: " ,basedn "\n")
|
||||
,@`("olcRootDN: cn=" ,rootdn "," ,basedn "\n")
|
||||
,@`("olcRootPW: " ,rootpwhash "\n")
|
||||
,@`("olcDbDirectory: " ,data-directory "\n")
|
||||
,@(append-map
|
||||
(lambda (index)
|
||||
`("olcDbIndex: " ,index "\n"))
|
||||
indices)
|
||||
,@`("\n")
|
||||
,@extra-config)))
|
||||
|
||||
port)))
|
||||
#:local-build? #t))))
|
||||
|
||||
(define-record-type* <slapd-configuration>
|
||||
slapd-configuration make-slapd-configuration
|
||||
slapd-configuration?
|
||||
(pidfile slapd-configuration-pidfile
|
||||
(default "/var/run/slapd.pid"))
|
||||
(urls slapd-configuration-urls
|
||||
(default "ldap:/// ldapi:///"))
|
||||
(config slapd-configuration-config
|
||||
(default (slapd-config-ldif)))
|
||||
(extra-slapadd slapd-configuration-extra-slapadd
|
||||
(default ""))
|
||||
(extra-ldapadd slapd-configuration-extra-ldapadd
|
||||
(default "")))
|
||||
|
||||
(define slapd-shepherd-service
|
||||
(match-lambda
|
||||
(($ <slapd-configuration> pidfile urls config extra-slapadd extra-ldapadd)
|
||||
(match-record
|
||||
config
|
||||
<slapd-config-ldif>
|
||||
(package conf-directory rootdn rootpw basedn)
|
||||
(list (shepherd-service
|
||||
(documentation "Run the slapd daemon")
|
||||
(provision '(slapd))
|
||||
(requirement '(networking user-processes syslogd))
|
||||
(start #~(lambda ()
|
||||
(if (directory-exists? (string-append #$conf-directory "/cn=config"))
|
||||
(display "slapd already configured, skipping...")
|
||||
(begin
|
||||
(system (string-join (list
|
||||
#$(file-append sudo "/bin/sudo")
|
||||
"--user=slapd"
|
||||
#$(file-append package "/sbin/slapadd")
|
||||
"-n" "0"
|
||||
"-F" #$conf-directory
|
||||
"-l" #$config)))
|
||||
(system (string-join (list
|
||||
#$(file-append sudo "/bin/sudo")
|
||||
"--user=slapd"
|
||||
#$(file-append package "/sbin/slapadd")
|
||||
"-n" "1"
|
||||
"-F" #$conf-directory
|
||||
"-l" #$(plain-file "base-slap.ldif" extra-slapadd))))))
|
||||
(fork+exec-command (list #$(file-append package "/libexec/slapd")
|
||||
"-d" "-1"
|
||||
"-F" #$conf-directory
|
||||
"-u" "slapd"
|
||||
"-g" "slapd"))
|
||||
; TODO figure out how to make it wait for slapd to be ready
|
||||
(if (file-exists? (string-append #$conf-directory "/.initialized"))
|
||||
(display "slapd already initialzed, skipping...")
|
||||
(begin
|
||||
(system (string-join (list
|
||||
#$(file-append sudo "/bin/sudo")
|
||||
"--user=slapd"
|
||||
#$(file-append package "/bin/ldapadd")
|
||||
"-D" (string-append "cn=" #$rootdn "," #$basedn)
|
||||
"-w" #$rootpw
|
||||
"-f" #$(plain-file "base-ldap.ldif" extra-ldapadd))))
|
||||
(mknod (string-append #$conf-directory "/.initialized") 'regular #o400 0)))))
|
||||
(stop #~(make-kill-destructor))))))))
|
||||
|
||||
(define slapd-activation
|
||||
(match-lambda
|
||||
(($ <slapd-configuration> pidfile urls config extra-slapadd)
|
||||
(match-record
|
||||
config
|
||||
<slapd-config-ldif>
|
||||
(package conf-directory data-directory)
|
||||
#~(begin
|
||||
(use-modules (guix build utils))
|
||||
(let* ((user (getpw "slapd")))
|
||||
(mkdir-p/perms "/var/run/slapd" user #o700)
|
||||
(mkdir-p/perms #$data-directory user #o700)
|
||||
(mkdir-p/perms #$conf-directory user #o700)))))))
|
||||
|
||||
|
||||
(define slapd-service-type
|
||||
(service-type
|
||||
(name 'slapd)
|
||||
(description "OpenLDAP server daemon")
|
||||
(extensions
|
||||
(list (service-extension shepherd-root-service-type slapd-shepherd-service)
|
||||
(service-extension activation-service-type slapd-activation)
|
||||
(service-extension account-service-type (const %slapd-accounts))))
|
||||
(default-value
|
||||
(slapd-configuration))))
|
||||
|
||||
(define (shell% proc fmt . args)
|
||||
(let* ((port (open-input-pipe (format #f "~?" fmt args)))
|
||||
(output (proc port)))
|
||||
(close-pipe port)
|
||||
output))
|
||||
|
||||
(define-public (shell . args)
|
||||
(apply shell% (cons get-string-all args)))
|
||||
|
||||
(define-public (shell$ . args)
|
||||
(apply shell% (cons get-line args)))
|
||||
|
||||
(define %slapd-conf
|
||||
(slapd-configuration
|
||||
(extra-ldapadd
|
||||
(string-join (list
|
||||
"dn: olcDatabase={1}mdb,cn=config"
|
||||
"changetype: modify"
|
||||
"replace: olcAccess"
|
||||
(string-append "olcAccess: {0}to attrs=cn,givenName,sn,userPassword,shadowLastChange,mail,loginShell,photo"
|
||||
"by self write by anonymous auth by dn.base=\"cn=admin,"
|
||||
%domain-dc
|
||||
"\" write by * none")
|
||||
(string-append "olcAccess: {1}to * by self read by dn.base=\"cn=admin,"
|
||||
%domain-dc
|
||||
"\" write by * read")
|
||||
"")))
|
||||
(extra-slapadd
|
||||
(string-join (list
|
||||
"dn: dc=metznet,dc=ca"
|
||||
"dc: metznet"
|
||||
"o: Organization"
|
||||
"objectClass: dcObject"
|
||||
"objectClass: organization"
|
||||
""
|
||||
"dn: cn=admin,dc=metznet,dc=ca"
|
||||
"cn: admin"
|
||||
"description: LDAP Administrator"
|
||||
"objectClass: organizationalRole"
|
||||
"objectClass: top"
|
||||
"roleOccupant: dc=metznet,dc=ca"
|
||||
""
|
||||
"dn: ou=user,dc=metznet,dc=ca"
|
||||
"ou: user"
|
||||
"description: LDAP User"
|
||||
"objectClass: top"
|
||||
"objectClass: organizationalUnit"
|
||||
""
|
||||
"dn: ou=group,dc=metznet,dc=ca"
|
||||
"ou: group"
|
||||
"description: LDAP Group"
|
||||
"objectClass: top"
|
||||
"objectClass: organizationalUnit"
|
||||
"") "\n"))
|
||||
(config
|
||||
(slapd-config-ldif
|
||||
(rootpw "password")
|
||||
(rootpwhash "{SSHA}620erGNXKg4D67G1xS0hNhr7h75VaIJl")
|
||||
(indices '("objectClass eq" "uid pres,eq" "mail pres,sub,eq" "cn,sn pres,sub,eq" "dc eq"))
|
||||
(schemas '("core.ldif" "cosine.ldif" "inetorgperson.ldif" "nis.ldif"))
|
||||
(schema-prefix #~(string-append #$%slapd-package "/etc/openldap/schema/"))))))
|
||||
|
||||
|
||||
(operating-system
|
||||
(inherit base-server-system)
|
||||
(host-name (string-append "ldap." %domain-name))
|
||||
(packages (append (list strace %slapd-package) %my-server-packages))
|
||||
(services (append (list
|
||||
(service slapd-service-type %slapd-conf))
|
||||
%my-server-services)))
|
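Review bot: in slapd-shepherd-service the `.initialized` marker is created with `mknod` whether or not the preceding `ldapadd` succeeded, and the TODO above it admits the command races slapd's startup; if that first ldapadd fails, the olcAccess rules in %slapd-conf that limit `userPassword` to `by self write by anonymous auth … by * none` are never applied and never retried, leaving the directory on slapd's defaults. Check the exit status before writing the marker, as below, so a failed bootstrap is retried on the next start. `slapd -d -1` turns on every debug category, whose packet dumps can include simple-bind credentials in the service log; `"-d" "0"` keeps slapd in the foreground for fork+exec-command without that. The root password reaches ldapadd as `-w #$rootpw`, visible in the process list and in the store-built shepherd file, while the `slapd-rootpw` environment lookup and the `urls` field are defined but never used.
```scheme
;; … unchanged: config bootstrap and fork+exec-command of slapd …
(if (file-exists? (string-append #$conf-directory "/.initialized"))
    (display "slapd already initialzed, skipping...")
    (let ((status (system (string-join (list
                           #$(file-append sudo "/bin/sudo")
                           "--user=slapd"
                           #$(file-append package "/bin/ldapadd")
                           "-D" (string-append "cn=" #$rootdn "," #$basedn)
                           "-w" #$rootpw
                           "-f" #$(plain-file "base-ldap.ldif" extra-ldapadd))))))
      ;; Only record success; a failed (e.g. too-early) ldapadd is retried next start.
      (if (zero? (status:exit-val status))
          (mknod (string-append #$conf-directory "/.initialized") 'regular #o400 0)
          (display "ldapadd failed, leaving slapd uninitialized for retry"))))
```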