diff --git a/system/base-system.scm b/system/base-system.scm index 3ac65ff..aac5aa9 100644 --- a/system/base-system.scm +++ b/system/base-system.scm @@ -13,8 +13,12 @@ #:use-module (gnu system setuid) #:use-module (gnu system nss) #:use-module (gnu system pam) + #:use-module (gnu services) + #:use-module (gnu services dbus) #:use-module (gnu services pm) + #:use-module (gnu services shepherd) #:use-module (gnu services authentication) + #:use-module (gnu services configuration) #:use-module (gnu services vpn) #:use-module (gnu services networking) #:use-module (gnu services ssh) @@ -24,6 +28,7 @@ #:use-module (gnu services base) #:use-module (gnu packages linux) #:use-module (gnu packages ssh) + #:use-module (gnu packages sssd) #:use-module (gnu packages compression) #:use-module (gnu packages libedit) #:use-module (gnu packages hurd) @@ -142,7 +147,7 @@ "RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\"")) (define %metznet-name-service-switch - (let ((services (list (name-service (name "ldap")) + (let ((services (list (name-service (name "sss")) (name-service (name "files"))))) (name-service-switch (password services) @@ -172,6 +177,23 @@ (define (metznet-pam-services config) (list (metznet-pam-service config))) +(define default-sssd-conf-file (plain-file "sssd.conf" (string-join (list + "[sssd]" + "domains = metznet.ca" + "services = nss, sudo, pam, ssh, ifp" + "" + "[domain/metznet.ca]" + "id_provider = ldap" + "auth_provider = ldap" + "cache_credentials = True" + "ldap_uri = ldaps://ldap.metznet.ca" + "ldap_tls_reqcert = never" + "ldap_tls_cacertdir = /etc/ssl/certs" + "ldap_search_base = ou=users,ou=accounts,dc=metznet,dc=ca" + (string-append "ldap_default_bind_dn = " (getenv "LDAP_BINDDN")) + "ldap_default_authtok_type = password" + (string-append "ldap_default_authtok = " (getenv "LDAP_BINDPW"))) "\n"))) + (define metznet-service-type (service-type (name 'metznet-service) @@ -180,16 +202,73 @@ (list (service-extension pam-root-service-type metznet-pam-services))) (default-value '()))) -(define pam-service-list (list "su" "gdm-password" "login" "sshd" "passwd")) +(define-configuration sssd-configuration + (sssd (file-like sssd) "SSSD Package to use") + (config (file-like default-sssd-conf-file) "sssd.conf file")) + +(define (sssd-pam-service config) + (define sssd-pam-module + (file-append (sssd-configuration-sssd config) "/lib/security/pam_sss.so")) + (lambda (pam) + (if (member (pam-service-name pam) pam-service-list) + (let ((sufficient + (pam-entry + (control "sufficient") + (module sssd-pam-module)))) + (pam-service + (inherit pam) + (auth (cons sufficient (pam-service-auth pam))) + (account (cons sufficient (pam-service-account pam))) + (password (cons sufficient (pam-service-password pam))) + (session (cons sufficient (pam-service-session pam))))) + pam))) -(define %metznet-nslcd-config (nslcd-configuration - (base "dc=metznet,dc=ca") - (log '("/var/log/nslcd" debug)) - (pam-services pam-service-list) - (filters (list '(group "(objectClass=posixGroupAux)"))) - (binddn (or (getenv "LDAP_BINDDN") "")) - (bindpw (or (getenv "LDAP_BINDPW") "")) - (uri (list "ldap://ldap.metznet.ca")))) + +(define (sssd-pam-services config) + (list (sssd-pam-service config))) + +(define (sssd-shepherd-service config) + (list (shepherd-service + (documentation "") + (provision '(sssd)) + (requirement '(networking user-processes)) + (start #~(make-forkexec-constructor + (list (string-append #$(sssd-configuration-sssd config) "/sbin/sssd") "-i" "-d" "0x77f0") + #:user "root" + #:group "root" + #:environment-variables + (list (string-append "LD_LIBRARY_PATH=" #$(sssd-configuration-sssd config) "/lib")))) + (stop #~(make-kill-destructor))))) + +(define %sssd-activation + #~(begin + (let ((dbdir "/var/lib/sss/db") + (dbusdir "/var/lib/sss/pipes/private") + (user (getpw "root"))) + (mkdir-p/perms dbusdir user #o755) + (mkdir-p/perms dbdir user #o755) + (chmod "/etc/sssd/sssd.conf" #o600)))) + +(define (sssd-etc-service config) + `(("sssd/sssd.conf" ,(sssd-configuration-config config)))) + +(define sssd-service-type + (service-type + (name 'sssd) + (description "MetzNet SSSD Service") + (extensions + (list (service-extension pam-root-service-type sssd-pam-services) + (service-extension dbus-root-service-type + (compose + list + sssd-configuration-sssd)) + (service-extension etc-service-type sssd-etc-service) + (service-extension activation-service-type (const %sssd-activation)) + (service-extension nscd-service-type (const (list sssd))) + (service-extension shepherd-root-service-type sssd-shepherd-service))) + (default-value (sssd-configuration)))) + +(define pam-service-list (list "su" "gdm-password" "login" "sshd" "passwd")) (define %metznet-services (list @@ -198,7 +277,7 @@ (extra-content "KerberosAuthentication yes"))) (service krb5-service-type %metznet-krb5-config) (service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000))) - (service nslcd-service-type %metznet-nslcd-config) + (service sssd-service-type) (service metznet-service-type pam-service-list))) (define %metznet-nscd-configuration (nscd-configuration @@ -212,8 +291,7 @@ (database 'group) (positive-time-to-live (* 3600 12)) (negative-time-to-live 20) - (persistent? #t)) -) + (persistent? #t))) %nscd-default-caches)))) (define %metznet-desktop-services @@ -248,6 +326,7 @@ (define %metznet-server-services (append %metznet-services (list + (dbus-service) (service dhcp-client-service-type) (openvpn-client-service #:config (openvpn-client-configuration