diff --git a/machines/kerberos.metznet.ca.scm b/machines/kerberos.metznet.ca.scm
index 5b70637..f0294b9 100644
--- a/machines/kerberos.metznet.ca.scm
+++ b/machines/kerberos.metznet.ca.scm
@@ -1,15 +1,100 @@
 (define-module (machines kerberos.metznet.ca)
+ #:use-module (srfi srfi-9)
+ #:use-module (srfi srfi-1)
 #:use-module (gnu system)
 #:use-module (guix gexp)
 #:use-module (system base-system)
+ #:use-module (gnu packages kerberos)
+ #:use-module (gnu packages base)
 #:use-module (gnu services)
+ #:use-module (gnu services configuration)
 #:use-module (gnu services certbot))
+(define (realm-name? val)
+ (string? val))
+
+(define (serialize-string field-name val)
+ (string-append " " (symbol->string field-name) " = " val "\n"))
+(define-maybe string)
+
+(define list-of-ports?
+ (list-of integer?))
+
+(define (serialize-list-of-ports field-name value)
+ (string-append " " (symbol->string field-name) " = " (string-join (map number->string value) ", ") "\n"))
+
+(define (realm-serialize-list-of-ports field-name value)
+ (string-append " " (symbol->string field-name) " = " (string-join (map number->string value) ", ") "\n"))
+
+(define-maybe list-of-ports)
+(define-maybe file-like)
+
+(define (serialize-file-like field-name value)
+ #~(string-append " " #$(symbol->string field-name) " = " #$value "\n"))
+
+(define (serialize-none field-name value) "")
+
+(define-configuration kdc-realm-configuration
+ (name (string "EXAMPLE.COM") "realm name" serialize-none)
+ (database_module maybe-string "database module")
+ (acl_file maybe-file-like "acl file")
+ (key_stash_file maybe-file-like "key stash file")
+ (kdc_ports (list-of-ports '(750 88)) "list of ports to listen on" realm-serialize-list-of-ports)
+ (kadmind_ports (list-of-ports '(749)) "list of ports to listen on for kadmin connections" realm-serialize-list-of-ports)
+ (max_life (string "10h 0m 0s") "maximum life of granted tickets")
+ (max_renewable_type (string "7d 0h 0m 0s") "maximum time to renew ticket")
+ (master_key_type (string "des3-hmac-sha1") "master key type")
+ (default_principal_flags (string "+preauth") "default flag for new principals"))
+
+(define list-of-kdc-realm-configuration?
+ (list-of kdc-realm-configuration?))
+
+(define (serialize-kdc-realm-configuration realm)
+ #~(string-append " " #$(kdc-realm-configuration-name realm) " = {\n"
+ #$(serialize-configuration realm kdc-realm-configuration-fields)
+ " }\n"))
+
+(define (serialize-list-of-strings field-name value)
+ (string-join (append (list (string-append "[" (symbol->string field-name) "]" )) value) "\n"))
+
+(define (serialize-list-of-kdc-realm-configuration field-name value)
+ #~(string-join (list "[realms]"
+ #$@(map (lambda (realm) (serialize-kdc-realm-configuration realm)) value))
+ "\n"))
+
+(define-configuration kdc-configuration
+ (krb5 (file-like mit-krb5) "krb5 package to use" serialize-none)
+ (kdc_ports (list-of-ports '(750 88)) "list of ports to listen on")
+ (realms (list-of-kdc-realm-configuration '()) "Realms to configure the KDC with")
+ (extra (list-of-strings '()) "extra lines"))
+
+(define (serialize-kdc-configuration configuration)
+ (mixed-text-file
+ "kdc.conf"
+ #~(string-append "[kdcdefaults]\n"
+ #$(serialize-configuration configuration kdc-configuration-fields))))
+
+(define (kdc-activation configuration)
+ #~(symlink #$(serialize-kdc-configuration configuration) "/etc/kdc.conf"))
+
+(define kdc-service-type
+ (service-type (name 'kdc-service)
+ (description "KDC service")
+ (extensions (list (service-extension activation-service-type kdc-activation)))
+ (default-value (kdc-configuration))))
+
 (operating-system
 (inherit %metznet-base-server-system)
 (host-name "kerberos-guix.metznet.ca")
 (services
- (append (list (service certbot-service-type
+ (append (list (service kdc-service-type
+ (kdc-configuration
+ (realms (list
+ (kdc-realm-configuration
+ (name "METZNET.CA")
+ (database_module "openldap_ldapconf")
+ (acl_file (plain-file "kadm5.acl" "*/admin@METZNET.CA *\n")))))))
+ (service certbot-service-type
 (certbot-configuration
 (email "admin@metznet.ca")
 (certificates (list (certificate-configuration
 (domains '
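Review bot: `kdc-activation` calls `symlink` unconditionally, so once /etc/kdc.conf exists the next reconfigure or boot will fail with EEXIST and abort activation; declaring the file through `etc-service-type` instead, `(service-extension etc-service-type (lambda (config) (list (list "kdc.conf" (serialize-kdc-configuration config)))))`, lets Guix replace it on each reconfigure (also confirm that Guix's mit-krb5 build actually reads /etc/kdc.conf rather than the stock krb5kdc directory). In `kdc-realm-configuration` the field name is emitted verbatim as the kdc.conf key, and `max_renewable_type` is not a key MIT krb5 reads (the realm option is `max_renewable_life`), so the intended 7-day renewal cap is silently dropped and the built-in default applies; rename the field to `max_renewable_life`. The `master_key_type` default `des3-hmac-sha1` selects a triple-DES enctype that MIT krb5 has deprecated, so MIT's own default `aes256-cts-hmac-sha1-96` would be the better starting point for new realms. Typing `key_stash_file` as `maybe-file-like` invites supplying the stash via `plain-file`/`local-file`, which would copy the realm master key into the world-readable store; since it holds the master key, this field should accept only a filesystem path string (the `acl_file` case is fine because kadm5.acl is not secret). The `operating-system` form runs past the end of the hunk, and the hunk's last line (`(domains '…`) is truncated in this view.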