|
|
@ -13,8 +13,12 @@
|
|
|
|
#:use-module (gnu system setuid)
|
|
|
|
#:use-module (gnu system setuid)
|
|
|
|
#:use-module (gnu system nss)
|
|
|
|
#:use-module (gnu system nss)
|
|
|
|
#:use-module (gnu system pam)
|
|
|
|
#:use-module (gnu system pam)
|
|
|
|
|
|
|
|
#:use-module (gnu services)
|
|
|
|
|
|
|
|
#:use-module (gnu services dbus)
|
|
|
|
#:use-module (gnu services pm)
|
|
|
|
#:use-module (gnu services pm)
|
|
|
|
|
|
|
|
#:use-module (gnu services shepherd)
|
|
|
|
#:use-module (gnu services authentication)
|
|
|
|
#:use-module (gnu services authentication)
|
|
|
|
|
|
|
|
#:use-module (gnu services configuration)
|
|
|
|
#:use-module (gnu services vpn)
|
|
|
|
#:use-module (gnu services vpn)
|
|
|
|
#:use-module (gnu services networking)
|
|
|
|
#:use-module (gnu services networking)
|
|
|
|
#:use-module (gnu services ssh)
|
|
|
|
#:use-module (gnu services ssh)
|
|
|
@ -24,6 +28,7 @@
|
|
|
|
#:use-module (gnu services base)
|
|
|
|
#:use-module (gnu services base)
|
|
|
|
#:use-module (gnu packages linux)
|
|
|
|
#:use-module (gnu packages linux)
|
|
|
|
#:use-module (gnu packages ssh)
|
|
|
|
#:use-module (gnu packages ssh)
|
|
|
|
|
|
|
|
#:use-module (gnu packages sssd)
|
|
|
|
#:use-module (gnu packages compression)
|
|
|
|
#:use-module (gnu packages compression)
|
|
|
|
#:use-module (gnu packages libedit)
|
|
|
|
#:use-module (gnu packages libedit)
|
|
|
|
#:use-module (gnu packages hurd)
|
|
|
|
#:use-module (gnu packages hurd)
|
|
|
@ -142,7 +147,7 @@
|
|
|
|
"RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\""))
|
|
|
|
"RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\""))
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-name-service-switch
|
|
|
|
(define %metznet-name-service-switch
|
|
|
|
(let ((services (list (name-service (name "ldap"))
|
|
|
|
(let ((services (list (name-service (name "sss"))
|
|
|
|
(name-service (name "files")))))
|
|
|
|
(name-service (name "files")))))
|
|
|
|
(name-service-switch
|
|
|
|
(name-service-switch
|
|
|
|
(password services)
|
|
|
|
(password services)
|
|
|
@ -172,6 +177,23 @@
|
|
|
|
(define (metznet-pam-services config)
|
|
|
|
(define (metznet-pam-services config)
|
|
|
|
(list (metznet-pam-service config)))
|
|
|
|
(list (metznet-pam-service config)))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(define default-sssd-conf-file (plain-file "sssd.conf" (string-join (list
|
|
|
|
|
|
|
|
"[sssd]"
|
|
|
|
|
|
|
|
"domains = metznet.ca"
|
|
|
|
|
|
|
|
"services = nss, sudo, pam, ssh, ifp"
|
|
|
|
|
|
|
|
""
|
|
|
|
|
|
|
|
"[domain/metznet.ca]"
|
|
|
|
|
|
|
|
"id_provider = ldap"
|
|
|
|
|
|
|
|
"auth_provider = ldap"
|
|
|
|
|
|
|
|
"cache_credentials = True"
|
|
|
|
|
|
|
|
"ldap_uri = ldaps://ldap.metznet.ca"
|
|
|
|
|
|
|
|
"ldap_tls_reqcert = never"
|
|
|
|
|
|
|
|
"ldap_tls_cacertdir = /etc/ssl/certs"
|
|
|
|
|
|
|
|
"ldap_search_base = ou=users,ou=accounts,dc=metznet,dc=ca"
|
|
|
|
|
|
|
|
(string-append "ldap_default_bind_dn = " (getenv "LDAP_BINDDN"))
|
|
|
|
|
|
|
|
"ldap_default_authtok_type = password"
|
|
|
|
|
|
|
|
(string-append "ldap_default_authtok = " (getenv "LDAP_BINDPW"))) "\n")))
|
|
|
|
|
|
|
|
|
|
|
|
(define metznet-service-type
|
|
|
|
(define metznet-service-type
|
|
|
|
(service-type
|
|
|
|
(service-type
|
|
|
|
(name 'metznet-service)
|
|
|
|
(name 'metznet-service)
|
|
|
@ -180,16 +202,73 @@
|
|
|
|
(list (service-extension pam-root-service-type metznet-pam-services)))
|
|
|
|
(list (service-extension pam-root-service-type metznet-pam-services)))
|
|
|
|
(default-value '())))
|
|
|
|
(default-value '())))
|
|
|
|
|
|
|
|
|
|
|
|
(define pam-service-list (list "su" "gdm-password" "login" "sshd" "passwd"))
|
|
|
|
(define-configuration sssd-configuration
|
|
|
|
|
|
|
|
(sssd (file-like sssd) "SSSD Package to use")
|
|
|
|
|
|
|
|
(config (file-like default-sssd-conf-file) "sssd.conf file"))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(define (sssd-pam-service config)
|
|
|
|
|
|
|
|
(define sssd-pam-module
|
|
|
|
|
|
|
|
(file-append (sssd-configuration-sssd config) "/lib/security/pam_sss.so"))
|
|
|
|
|
|
|
|
(lambda (pam)
|
|
|
|
|
|
|
|
(if (member (pam-service-name pam) pam-service-list)
|
|
|
|
|
|
|
|
(let ((sufficient
|
|
|
|
|
|
|
|
(pam-entry
|
|
|
|
|
|
|
|
(control "sufficient")
|
|
|
|
|
|
|
|
(module sssd-pam-module))))
|
|
|
|
|
|
|
|
(pam-service
|
|
|
|
|
|
|
|
(inherit pam)
|
|
|
|
|
|
|
|
(auth (cons sufficient (pam-service-auth pam)))
|
|
|
|
|
|
|
|
(account (cons sufficient (pam-service-account pam)))
|
|
|
|
|
|
|
|
(password (cons sufficient (pam-service-password pam)))
|
|
|
|
|
|
|
|
(session (cons sufficient (pam-service-session pam)))))
|
|
|
|
|
|
|
|
pam)))
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-nslcd-config (nslcd-configuration
|
|
|
|
|
|
|
|
(base "dc=metznet,dc=ca")
|
|
|
|
(define (sssd-pam-services config)
|
|
|
|
(log '("/var/log/nslcd" debug))
|
|
|
|
(list (sssd-pam-service config)))
|
|
|
|
(pam-services pam-service-list)
|
|
|
|
|
|
|
|
(filters (list '(group "(objectClass=posixGroupAux)")))
|
|
|
|
(define (sssd-shepherd-service config)
|
|
|
|
(binddn (or (getenv "LDAP_BINDDN") ""))
|
|
|
|
(list (shepherd-service
|
|
|
|
(bindpw (or (getenv "LDAP_BINDPW") ""))
|
|
|
|
(documentation "")
|
|
|
|
(uri (list "ldap://ldap.metznet.ca"))))
|
|
|
|
(provision '(sssd))
|
|
|
|
|
|
|
|
(requirement '(networking user-processes))
|
|
|
|
|
|
|
|
(start #~(make-forkexec-constructor
|
|
|
|
|
|
|
|
(list (string-append #$(sssd-configuration-sssd config) "/sbin/sssd") "-i" "-d" "0x77f0")
|
|
|
|
|
|
|
|
#:user "root"
|
|
|
|
|
|
|
|
#:group "root"
|
|
|
|
|
|
|
|
#:environment-variables
|
|
|
|
|
|
|
|
(list (string-append "LD_LIBRARY_PATH=" #$(sssd-configuration-sssd config) "/lib"))))
|
|
|
|
|
|
|
|
(stop #~(make-kill-destructor)))))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(define %sssd-activation
|
|
|
|
|
|
|
|
#~(begin
|
|
|
|
|
|
|
|
(let ((dbdir "/var/lib/sss/db")
|
|
|
|
|
|
|
|
(dbusdir "/var/lib/sss/pipes/private")
|
|
|
|
|
|
|
|
(user (getpw "root")))
|
|
|
|
|
|
|
|
(mkdir-p/perms dbusdir user #o755)
|
|
|
|
|
|
|
|
(mkdir-p/perms dbdir user #o755)
|
|
|
|
|
|
|
|
(chmod "/etc/sssd/sssd.conf" #o600))))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(define (sssd-etc-service config)
|
|
|
|
|
|
|
|
`(("sssd/sssd.conf" ,(sssd-configuration-config config))))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(define sssd-service-type
|
|
|
|
|
|
|
|
(service-type
|
|
|
|
|
|
|
|
(name 'sssd)
|
|
|
|
|
|
|
|
(description "MetzNet SSSD Service")
|
|
|
|
|
|
|
|
(extensions
|
|
|
|
|
|
|
|
(list (service-extension pam-root-service-type sssd-pam-services)
|
|
|
|
|
|
|
|
(service-extension dbus-root-service-type
|
|
|
|
|
|
|
|
(compose
|
|
|
|
|
|
|
|
list
|
|
|
|
|
|
|
|
sssd-configuration-sssd))
|
|
|
|
|
|
|
|
(service-extension etc-service-type sssd-etc-service)
|
|
|
|
|
|
|
|
(service-extension activation-service-type (const %sssd-activation))
|
|
|
|
|
|
|
|
(service-extension nscd-service-type (const (list sssd)))
|
|
|
|
|
|
|
|
(service-extension shepherd-root-service-type sssd-shepherd-service)))
|
|
|
|
|
|
|
|
(default-value (sssd-configuration))))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(define pam-service-list (list "su" "gdm-password" "login" "sshd" "passwd"))
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-services
|
|
|
|
(define %metznet-services
|
|
|
|
(list
|
|
|
|
(list
|
|
|
@ -198,7 +277,7 @@
|
|
|
|
(extra-content "KerberosAuthentication yes")))
|
|
|
|
(extra-content "KerberosAuthentication yes")))
|
|
|
|
(service krb5-service-type %metznet-krb5-config)
|
|
|
|
(service krb5-service-type %metznet-krb5-config)
|
|
|
|
(service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000)))
|
|
|
|
(service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000)))
|
|
|
|
(service nslcd-service-type %metznet-nslcd-config)
|
|
|
|
(service sssd-service-type)
|
|
|
|
(service metznet-service-type pam-service-list)))
|
|
|
|
(service metznet-service-type pam-service-list)))
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-nscd-configuration (nscd-configuration
|
|
|
|
(define %metznet-nscd-configuration (nscd-configuration
|
|
|
@ -212,8 +291,7 @@
|
|
|
|
(database 'group)
|
|
|
|
(database 'group)
|
|
|
|
(positive-time-to-live (* 3600 12))
|
|
|
|
(positive-time-to-live (* 3600 12))
|
|
|
|
(negative-time-to-live 20)
|
|
|
|
(negative-time-to-live 20)
|
|
|
|
(persistent? #t))
|
|
|
|
(persistent? #t)))
|
|
|
|
)
|
|
|
|
|
|
|
|
%nscd-default-caches))))
|
|
|
|
%nscd-default-caches))))
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-desktop-services
|
|
|
|
(define %metznet-desktop-services
|
|
|
@ -248,6 +326,7 @@
|
|
|
|
(define %metznet-server-services
|
|
|
|
(define %metznet-server-services
|
|
|
|
(append %metznet-services
|
|
|
|
(append %metznet-services
|
|
|
|
(list
|
|
|
|
(list
|
|
|
|
|
|
|
|
(dbus-service)
|
|
|
|
(service dhcp-client-service-type)
|
|
|
|
(service dhcp-client-service-type)
|
|
|
|
(openvpn-client-service
|
|
|
|
(openvpn-client-service
|
|
|
|
#:config (openvpn-client-configuration
|
|
|
|
#:config (openvpn-client-configuration
|
|
|
|