@ -1,15 +1,100 @@
|
|
|
|
|
(define-module (machines kerberos.metznet.ca)
|
|
|
|
|
#:use-module (srfi srfi-9)
|
|
|
|
|
#:use-module (srfi srfi-1)
|
|
|
|
|
#:use-module (gnu system)
|
|
|
|
|
#:use-module (guix gexp)
|
|
|
|
|
#:use-module (system base-system)
|
|
|
|
|
#:use-module (gnu packages kerberos)
|
|
|
|
|
#:use-module (gnu packages base)
|
|
|
|
|
#:use-module (gnu services)
|
|
|
|
|
#:use-module (gnu services configuration)
|
|
|
|
|
#:use-module (gnu services certbot))
|
|
|
|
|
|
|
|
|
|
(define (realm-name? val)
|
|
|
|
|
(string? val))
|
|
|
|
|
|
|
|
|
|
(define (serialize-string field-name val)
|
|
|
|
|
(string-append " " (symbol->string field-name) " = " val "\n"))
|
|
|
|
|
(define-maybe string)
|
|
|
|
|
|
|
|
|
|
(define list-of-ports?
|
|
|
|
|
(list-of integer?))
|
|
|
|
|
|
|
|
|
|
(define (serialize-list-of-ports field-name value)
|
|
|
|
|
(string-append " " (symbol->string field-name) " = " (string-join (map number->string value) ", ") "\n"))
|
|
|
|
|
|
|
|
|
|
(define (realm-serialize-list-of-ports field-name value)
|
|
|
|
|
(string-append " " (symbol->string field-name) " = " (string-join (map number->string value) ", ") "\n"))
|
|
|
|
|
|
|
|
|
|
(define-maybe list-of-ports)
|
|
|
|
|
(define-maybe file-like)
|
|
|
|
|
|
|
|
|
|
(define (serialize-file-like field-name value)
|
|
|
|
|
#~(string-append " " #$(symbol->string field-name) " = " #$value "\n"))
|
|
|
|
|
|
|
|
|
|
(define (serialize-none field-name value) "")
|
|
|
|
|
|
|
|
|
|
(define-configuration kdc-realm-configuration
|
|
|
|
|
(name (string "EXAMPLE.COM") "realm name" serialize-none)
|
|
|
|
|
(database_module maybe-string "database module")
|
|
|
|
|
(acl_file maybe-file-like "acl file")
|
|
|
|
|
(key_stash_file maybe-file-like "key stash file")
|
|
|
|
|
(kdc_ports (list-of-ports '(750 88)) "list of ports to listen on" realm-serialize-list-of-ports)
|
|
|
|
|
(kadmind_ports (list-of-ports '(749)) "list of ports to listen on for kadmin connections" realm-serialize-list-of-ports)
|
|
|
|
|
(max_life (string "10h 0m 0s") "maximum life of granted tickets")
|
|
|
|
|
(max_renewable_type (string "7d 0h 0m 0s") "maximum time to renew ticket")
|
|
|
|
|
(master_key_type (string "des3-hmac-sha1") "master key type")
|
|
|
|
|
(default_principal_flags (string "+preauth") "default flag for new principals"))
|
|
|
|
|
|
|
|
|
|
(define list-of-kdc-realm-configuration?
|
|
|
|
|
(list-of kdc-realm-configuration?))
|
|
|
|
|
|
|
|
|
|
(define (serialize-kdc-realm-configuration realm)
|
|
|
|
|
#~(string-append " " #$(kdc-realm-configuration-name realm) " = {\n"
|
|
|
|
|
#$(serialize-configuration realm kdc-realm-configuration-fields)
|
|
|
|
|
" }\n"))
|
|
|
|
|
|
|
|
|
|
(define (serialize-list-of-strings field-name value)
|
|
|
|
|
(string-join (append (list (string-append "[" (symbol->string field-name) "]" )) value) "\n"))
|
|
|
|
|
|
|
|
|
|
(define (serialize-list-of-kdc-realm-configuration field-name value)
|
|
|
|
|
#~(string-join (list "[realms]"
|
|
|
|
|
#$@(map (lambda (realm) (serialize-kdc-realm-configuration realm)) value))
|
|
|
|
|
"\n"))
|
|
|
|
|
|
|
|
|
|
(define-configuration kdc-configuration
|
|
|
|
|
(krb5 (file-like mit-krb5) "krb5 package to use" serialize-none)
|
|
|
|
|
(kdc_ports (list-of-ports '(750 88)) "list of ports to listen on")
|
|
|
|
|
(realms (list-of-kdc-realm-configuration '()) "Realms to configure the KDC with")
|
|
|
|
|
(extra (list-of-strings '()) "extra lines"))
|
|
|
|
|
|
|
|
|
|
(define (serialize-kdc-configuration configuration)
|
|
|
|
|
(mixed-text-file
|
|
|
|
|
"kdc.conf"
|
|
|
|
|
#~(string-append "[kdcdefaults]\n"
|
|
|
|
|
#$(serialize-configuration configuration kdc-configuration-fields))))
|
|
|
|
|
|
|
|
|
|
(define (kdc-activation configuration)
|
|
|
|
|
#~(symlink #$(serialize-kdc-configuration configuration) "/etc/kdc.conf"))
|
|
|
|
|
|
|
|
|
|
(define kdc-service-type
|
|
|
|
|
(service-type (name 'kdc-service)
|
|
|
|
|
(description "KDC service")
|
|
|
|
|
(extensions (list (service-extension activation-service-type kdc-activation)))
|
|
|
|
|
(default-value (kdc-configuration))))
|
|
|
|
|
|
|
|
|
|
(operating-system
|
|
|
|
|
(inherit %metznet-base-server-system)
|
|
|
|
|
(host-name "kerberos-guix.metznet.ca")
|
|
|
|
|
(services
|
|
|
|
|
(append (list (service certbot-service-type
|
|
|
|
|
(append (list (service kdc-service-type
|
|
|
|
|
(kdc-configuration
|
|
|
|
|
(realms (list
|
|
|
|
|
(kdc-realm-configuration
|
|
|
|
|
(name "METZNET.CA")
|
|
|
|
|
(database_module "openldap_ldapconf")
|
|
|
|
|
(acl_file (plain-file "kadm5.acl" "*/admin@METZNET.CA *\n")))))))
|
|
|
|
|
(service certbot-service-type
|
|
|
|
|
(certbot-configuration (email "admin@metznet.ca")
|
|
|
|
|
(certificates (list (certificate-configuration
|
|
|
|
|
(domains '
|
|
|
|
|