MetzNet
/
metznet-channel
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Moved kdc service/package to separate files, and moved system configs completely to separate repo

master
noah metz 2023-12-04 00:52:32 -07:00
parent ab77e23be4
commit 425b1738c9
5 changed files with 329 additions and 422 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
gnu/packages/kdc.scm
Unescape Escape View File

@ -0,0 +1,85 @@
(define-module (gnu packages kdc)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (gnu packages tls)
#:use-module (gnu packages bison)
#:use-module (gnu packages readline)
#:use-module (gnu packages perl)
#:use-module (gnu packages tcl)
#:use-module (gnu packages slapd)
#:use-module (gnu packages)
#:use-module (guix packages)
#:use-module (guix download)
#:use-module (guix utils)
#:use-module (guix build-system gnu)
#:use-module (guix gexp)
#:export (mit-krb5-ldap))
(define-public mit-krb5-ldap
(package
(name "mit-krb5-ldap")
(version "1.20")
(source (origin
(method url-fetch)
(uri (list (string-append
"https://web.mit.edu/kerberos/dist/krb5/"
(version-major+minor version) "/krb5-" version
".tar.gz")
(string-append "https://kerberos.org/dist/krb5/"
(version-major+minor version) "/krb5-"
version ".tar.gz")))
(patches (search-patches "mit-krb5-hurd.patch"))
(sha256
(base32
"0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
(build-system gnu-build-system)
(native-inputs (list bison perl tcl openldap-slapd)) ;required for some tests, openldap is required to compile kldap.so
(inputs (list openssl readline))
(arguments
`( ;XXX: On 32-bit systems, 'kdb5_util' hangs on an fcntl/F_SETLKW call
;; while running the tests in 'src/tests'. Also disable tests when
;; cross-compiling.
#:tests? ,(and (not (%current-target-system))
(string=? (%current-system) "x86_64-linux"))
,@(if (%current-target-system)
'(#:configure-flags (list "--localstatedir=/var"
"--with-readline"
"--with-ldap"
"krb5_cv_attr_constructor_destructor=yes"
"ac_cv_func_regcomp=yes"
"ac_cv_printf_positional=yes"
"ac_cv_file__etc_environment=yes"
"ac_cv_file__etc_TIMEZONE=no")
#:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1"))
'(#:configure-flags (list "--with-tls-impl=openssl"
"--with-readline" "--with-ldap"
"--localstatedir=/var")))
#:phases (modify-phases %standard-phases
(add-after 'unpack 'enter-source-directory
(lambda _
(chdir "src")))
(add-before 'check 'pre-check
(lambda* (#:key inputs native-inputs #:allow-other-keys)
(let ((perl (search-input-file (or native-inputs inputs)
"bin/perl")))
(substitute* "plugins/kdb/db2/libdb2/test/run.test"
(("/bin/cat")
perl)
(("D/bin/sh")
(string-append "D"
(which "sh")))
(("bindir=/bin/.")
(string-append "bindir="
(dirname perl))))))))))
(synopsis "MIT Kerberos 5")
(description
"Massachusetts Institute of Technology implementation of Kerberos.
Kerberos is a network authentication protocol designed to provide strong
authentication for client/server applications by using secret-key
cryptography.")
(license (license:non-copyleft "file://NOTICE"
"See NOTICE in the distribution."))
(home-page "https://web.mit.edu/kerberos/")
(properties '((cpe-name . "kerberos")))))

244
gnu/services/kdc.scm
Unescape Escape View File

@ -0,0 +1,244 @@
(define-module (gnu services kdc)
#:use-module (srfi srfi-26)
#:use-module (gnu services configuration)
#:use-module (guix gexp)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu system shadow)
#:use-module (gnu packages admin)
#:use-module (gnu packages kdc)
#:export (kdc-service-type kdc-realm-configuration
kdc-realm-configuration?
kldap-configuration
kldap-configuration?
kdc-configuration
kdc-configuration?))
(define (serialize-field conv pad)
(lambda (field-name value)
#~(string-append #$pad
#$(symbol->string field-name) " = "
#$(conv value) "\n")))
(define serialize-string
(serialize-field (lambda (val)
val) " "))
(define-maybe string)
(define list-of-ports?
(list-of integer?))
(define serialize-list-of-ports
(serialize-field (lambda (val)
(string-join (map number->string val) ",")) " "))
(define realm-serialize-list-of-ports
(serialize-field (lambda (val)
(string-join (map number->string val) ",")) " "))
(define-maybe list-of-ports)
(define-maybe file-like)
(define serialize-file-like
(serialize-field (lambda (val)
val) " "))
(define (serialize-none field-name value)
"")
(define-configuration kdc-realm-configuration
(name (string "EXAMPLE.COM") "realm name" serialize-none)
(database_module maybe-string "database module")
(acl_file maybe-file-like "acl file")
(key_stash_file (string "/var/lib/kerberos/stash")
"key stash file")
(kdc_ports (list-of-ports '(750 88))
"list of ports to listen on"
realm-serialize-list-of-ports)
(kadmind_ports (list-of-ports '(749))
"list of ports to listen on for kadmin connections"
realm-serialize-list-of-ports)
(max_life (string "10h 0m 0s")
"maximum life of granted tickets")
(max_renewable_type (string "7d 0h 0m 0s")
"maximum time to renew ticket")
(master_key_type (string "des3-hmac-sha1")
"master key type")
(supported_enctypes maybe-string
"supported encryption types")
(default_principal_flags maybe-string
"default flag for new principals"))
(define list-of-kdc-realm-configuration?
(list-of kdc-realm-configuration?))
(define (serialize-kdc-realm-configuration realm)
#~(string-append " "
#$(kdc-realm-configuration-name realm) " = {\n"
#$(serialize-configuration realm
kdc-realm-configuration-fields)
" }\n"))
(define serialize-boolean
(serialize-field (lambda (val)
(if val "true" "false")) " "))
(define serialize-number
(serialize-field number->string " "))
(define-configuration kldap-configuration
(db_library (string "kldap") "db library to use")
(disable_last_success (boolean #f)
"disable last success field")
(disable_lockout (boolean #f) "disable lockout field")
(ldap_kdc_dn (string "uid=kdc,dc=example,dc=com")
"dn to bind for kdc operations")
(ldap_kadmind_dn (string "uid=kadmind,dc=example,dc=com")
"dn to bind for kadmin operations")
(ldap_service_password_file maybe-string
"file that stores the passwords for the ldap bind dns")
(ldap_servers (string "ldap://example.com")
"ldap server url")
(ldap_conns_per_server (number 5)
"number of connections per ldap server"))
(define (serialize-list-of-kdc-realm-configuration field-name value)
#~(string-join (list "[realms]"
#$@(map (lambda (realm)
(serialize-kdc-realm-configuration realm))
value)) "\n"))
(define (dbmodule? val)
(if (list? val)
(let ((name (car val))
(config (cdr val)))
(if (string? name)
(or (kldap-configuration? config)) #f))))
(define list-of-dbmodules?
(list-of dbmodule?))
(define (serialize-dbmodule dbmodule)
(let ((name (car dbmodule))
(config (cdr dbmodule)))
#~(string-append " "
#$name " = {\n"
#$(or (if (kldap-configuration? config)
(serialize-configuration config
kldap-configuration-fields) #f) "") " }\n")))
(define (serialize-list-of-dbmodules field-name value)
#~(string-join (list "[dbmodules]"
#$@(map (lambda (dbmodule)
(serialize-dbmodule dbmodule)) value)) "\n"))
(define list-of-strings?
(list-of string?))
(define (serialize-list-of-strings field-name value)
#~(string-append "["
#$(symbol->string field-name) "]\n"
#$(string-join (map (cut string-append " " <>) value) "\n")
"\n"))
(define-maybe list-of-strings)
(define-configuration kdc-configuration
(krb5 (file-like mit-krb5-ldap) "krb5 package to use"
serialize-none)
(pkinit_anchors (string
"DIR:/run/current-system/profile/etc/ssl/certs/")
"CA certificate directory/file"
(serialize-field (lambda (x)
x) " "))
(kdc_ports (list-of-ports '(750 88))
"list of ports to listen on")
(realms (list-of-kdc-realm-configuration '())
"Realms to configure the KDC with")
(logging maybe-list-of-strings "extra logging lines")
(dbdefaults maybe-list-of-strings
"extra dbdefault lines")
(dbmodules (list-of-dbmodules '())
"dbmodules to configure"))
(define (serialize-kdc-configuration configuration)
(mixed-text-file "kdc.conf"
#~(string-append "[kdcdefaults]\n"
#$(serialize-configuration configuration
kdc-configuration-fields))))
(define (kdc-accounts configuration)
(list (user-group
(name "kerberos")
(system? #t))
(user-account
(name "kerberos")
(group "kerberos")
(system? #t)
(comment "kdc service account")
(home-directory "/var/lib/kerberos/")
(shell #~(string-append #$shadow "/sbin/nologin")))))
(define (kdc-activation configuration)
#~(begin
(let ((user (getpw "kerberos"))
(group (getgr "kerberos")))
(mkdir-p/perms "/var/lib/kerberos" user 488))))
(define (kdc-etc configuration)
`(("kdc.conf" ,(serialize-kdc-configuration configuration))))
; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot
(define (kdc-shepherd configuration)
(list (shepherd-service (documentation "")
(provision '(kdc))
(requirement '(networking user-processes))
(start #~(make-forkexec-constructor (list #$(file-append
(kdc-configuration-krb5
configuration)
"/sbin/krb5kdc")
"-n" "-P"
"/run/krb5kdc.pid")
#:environment-variables
(list (string-append
"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:"
#$(kdc-configuration-krb5
configuration)
"/lib/krb5/plugins/kdb")
"SSL_CERT_DIR=/etc/ssl/certs"
"KRB5_KDC_PROFILE=/etc/kdc.conf")
#:user "root"
#:group "root"))
(stop #~(make-kill-destructor)))
(shepherd-service (documentation "")
(provision '(kadmind))
(requirement '(networking user-processes))
(start #~(make-forkexec-constructor (list #$(file-append
(kdc-configuration-krb5
configuration)
"/sbin/kadmind")
"-nofork" "-P"
"/run/kadmind.pid")
#:environment-variables
(list (string-append
"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:"
#$(kdc-configuration-krb5
configuration)
"/lib/krb5/plugins/kdb")
"SSL_CERT_DIR=/etc/ssl/certs"
"KRB5_KDC_PROFILE=/etc/kdc.conf")
#:user "root"
#:group "root"))
(stop #~(make-kill-destructor)))))
(define kdc-service-type
(service-type (name 'kdc-service)
(description "KDC service")
(extensions (list (service-extension activation-service-type
kdc-activation)
(service-extension
shepherd-root-service-type kdc-shepherd)
(service-extension account-service-type
kdc-accounts)
(service-extension etc-service-type kdc-etc)))
(default-value (kdc-configuration))))

351
metznet/machines/kerberos.scm
Unescape Escape View File

@ -1,351 +0,0 @@
(define-module (metznet machines kerberos)
#:use-module (srfi srfi-26)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-1)
#:use-module (gnu system)
#:use-module (guix gexp)
#:use-module (guix packages)
#:use-module (guix download)
#:use-module (guix utils)
#:use-module (guix build-system gnu)
#:use-module ((guix licenses)
#:prefix license:)
#:use-module (metznet system base-system)
#:use-module (gnu system shadow)
#:use-module (gnu packages)
#:use-module (gnu packages kerberos)
#:use-module (gnu packages base)
#:use-module (gnu packages admin)
#:use-module (gnu packages tls)
#:use-module (gnu packages bison)
#:use-module (gnu packages perl)
#:use-module (gnu packages tcl)
#:use-module (gnu packages readline)
#:use-module (gnu packages slapd)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu services configuration)
#:use-module (gnu services certbot)
#:export (kerberos.metznet.ca kerberos-services))
(define-public mit-krb5-ldap
(package
(name "mit-krb5-ldap")
(version "1.20")
(source
(origin
(method url-fetch)
(uri (list (string-append "https://web.mit.edu/kerberos/dist/krb5/"
(version-major+minor version) "/krb5-"
version ".tar.gz")
(string-append "https://kerberos.org/dist/krb5/"
(version-major+minor version) "/krb5-"
version ".tar.gz")))
(patches (search-patches "mit-krb5-hurd.patch"))
(sha256
(base32 "0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
(build-system gnu-build-system)
(native-inputs (list bison perl tcl openldap-slapd)) ;required for some tests
(inputs (list openssl readline))
(arguments
`( ;XXX: On 32-bit systems, 'kdb5_util' hangs on an fcntl/F_SETLKW call
;; while running the tests in 'src/tests'. Also disable tests when
;; cross-compiling.
#:tests? ,(and (not (%current-target-system))
(string=? (%current-system) "x86_64-linux"))
,@(if (%current-target-system)
'(#:configure-flags (list "--localstatedir=/var"
"--with-readline"
"--with-ldap"
"krb5_cv_attr_constructor_destructor=yes"
"ac_cv_func_regcomp=yes"
"ac_cv_printf_positional=yes"
"ac_cv_file__etc_environment=yes"
"ac_cv_file__etc_TIMEZONE=no")
#:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1"))
'(#:configure-flags (list "--with-tls-impl=openssl"
"--with-readline" "--with-ldap"
"--localstatedir=/var")))
#:phases (modify-phases %standard-phases
(add-after 'unpack 'enter-source-directory
(lambda _
(chdir "src")))
(add-before 'check 'pre-check
(lambda* (#:key inputs native-inputs #:allow-other-keys)
(let ((perl (search-input-file (or native-inputs inputs)
"bin/perl")))
(substitute* "plugins/kdb/db2/libdb2/test/run.test"
(("/bin/cat")
perl)
(("D/bin/sh")
(string-append "D"
(which "sh")))
(("bindir=/bin/.")
(string-append "bindir="
(dirname perl))))))))))
(synopsis "MIT Kerberos 5")
(description
"Massachusetts Institute of Technology implementation of Kerberos.
Kerberos is a network authentication protocol designed to provide strong
authentication for client/server applications by using secret-key
cryptography.")
(license (license:non-copyleft "file://NOTICE"
"See NOTICE in the distribution."))
(home-page "https://web.mit.edu/kerberos/")
(properties '((cpe-name . "kerberos")))))
(define (serialize-field conv pad)
(lambda (field-name value)
#~(string-append #$pad
#$(symbol->string field-name) " = "
#$(conv value) "\n")))
(define serialize-string
(serialize-field (lambda (val)
val) " "))
(define-maybe string)
(define list-of-ports?
(list-of integer?))
(define serialize-list-of-ports
(serialize-field (lambda (val)
(string-join (map number->string val) ",")) " "))
(define realm-serialize-list-of-ports
(serialize-field (lambda (val)
(string-join (map number->string val) ",")) " "))
(define-maybe list-of-ports)
(define-maybe file-like)
(define serialize-file-like
(serialize-field (lambda (val)
val) " "))
(define (serialize-none field-name value)
"")
(define-configuration kdc-realm-configuration
(name (string "EXAMPLE.COM") "realm name" serialize-none)
(database_module maybe-string "database module")
(acl_file maybe-file-like "acl file")
(key_stash_file (string "/var/lib/kerberos/stash") "key stash file")
(kdc_ports (list-of-ports '(750 88)) "list of ports to listen on"
realm-serialize-list-of-ports)
(kadmind_ports (list-of-ports '(749))
"list of ports to listen on for kadmin connections"
realm-serialize-list-of-ports)
(max_life (string "10h 0m 0s") "maximum life of granted tickets")
(max_renewable_type (string "7d 0h 0m 0s") "maximum time to renew ticket")
(master_key_type (string "des3-hmac-sha1") "master key type")
(supported_enctypes maybe-string "supported encryption types")
(default_principal_flags maybe-string "default flag for new principals"))
(define list-of-kdc-realm-configuration?
(list-of kdc-realm-configuration?))
(define (serialize-kdc-realm-configuration realm)
#~(string-append " "
#$(kdc-realm-configuration-name realm) " = {\n"
#$(serialize-configuration realm
kdc-realm-configuration-fields)
" }\n"))
(define serialize-boolean
(serialize-field (lambda (val)
(if val "true" "false")) " "))
(define serialize-number
(serialize-field number->string " "))
(define-configuration kldap-configuration
(db_library (string "kldap") "db library to use")
(disable_last_success (boolean #f) "disable last success field")
(disable_lockout (boolean #f) "disable lockout field")
(ldap_kdc_dn (string "uid=kdc,dc=example,dc=com")
"dn to bind for kdc operations")
(ldap_kadmind_dn (string "uid=kadmind,dc=example,dc=com")
"dn to bind for kadmin operations")
(ldap_service_password_file maybe-string
"file that stores the passwords for the ldap bind dns")
(ldap_servers (string "ldap://example.com") "ldap server url")
(ldap_conns_per_server (number 5) "number of connections per ldap server"))
(define (serialize-list-of-kdc-realm-configuration field-name value)
#~(string-join (list "[realms]"
#$@(map (lambda (realm)
(serialize-kdc-realm-configuration realm))
value)) "\n"))
(define (dbmodule? val)
(if (list? val)
(let ((name (car val))
(config (cdr val)))
(if (string? name)
(or (kldap-configuration? config)) #f))))
(define list-of-dbmodules?
(list-of dbmodule?))
(define (serialize-dbmodule dbmodule)
(let ((name (car dbmodule))
(config (cdr dbmodule)))
#~(string-append " "
#$name " = {\n"
#$(or (if (kldap-configuration? config)
(serialize-configuration config
kldap-configuration-fields) #f) "") " }\n")))
(define (serialize-list-of-dbmodules field-name value)
#~(string-join (list "[dbmodules]"
#$@(map (lambda (dbmodule)
(serialize-dbmodule dbmodule)) value)) "\n"))
(define list-of-strings?
(list-of string?))
(define (serialize-list-of-strings field-name value)
#~(string-append "["
#$(symbol->string field-name) "]\n"
#$(string-join (map (cut string-append " " <>) value) "\n")
"\n"))
(define-maybe list-of-strings)
(define-configuration kdc-configuration
(krb5 (file-like mit-krb5-ldap) "krb5 package to use" serialize-none)
(pkinit_anchors (string "DIR:/run/current-system/profile/etc/ssl/certs/")
"CA certificate directory/file"
(serialize-field (lambda (x)
x) " "))
(kdc_ports (list-of-ports '(750 88)) "list of ports to listen on")
(realms (list-of-kdc-realm-configuration '())
"Realms to configure the KDC with")
(logging maybe-list-of-strings "extra logging lines")
(dbdefaults maybe-list-of-strings "extra dbdefault lines")
(dbmodules (list-of-dbmodules '()) "dbmodules to configure"))
(define (serialize-kdc-configuration configuration)
(mixed-text-file "kdc.conf"
#~(string-append "[kdcdefaults]\n"
#$(serialize-configuration configuration
kdc-configuration-fields))))
(define (kdc-accounts configuration)
(list (user-group
(name "kerberos")
(system? #t))
(user-account
(name "kerberos")
(group "kerberos")
(system? #t)
(comment "kdc service account")
(home-directory "/var/lib/kerberos/")
(shell #~(string-append #$shadow "/sbin/nologin")))))
(define (kdc-activation configuration)
#~(begin
(let ((user (getpw "kerberos"))
(group (getgr "kerberos")))
(mkdir-p/perms "/var/lib/kerberos" user 488))))
(define (kdc-etc configuration)
`(("kdc.conf" ,(serialize-kdc-configuration configuration))))
; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot
(define (kdc-shepherd configuration)
(list (shepherd-service (documentation "")
(provision '(kdc))
(requirement '(networking user-processes))
(start #~(make-forkexec-constructor (list #$(file-append
(kdc-configuration-krb5
configuration)
"/sbin/krb5kdc")
"-n" "-P"
"/run/krb5kdc.pid")
#:environment-variables
(list (string-append
"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:"
#$(kdc-configuration-krb5
configuration)
"/lib/krb5/plugins/kdb")
"SSL_CERT_DIR=/etc/ssl/certs"
"KRB5_KDC_PROFILE=/etc/kdc.conf")
#:user "root"
#:group "root"))
(stop #~(make-kill-destructor)))
(shepherd-service (documentation "")
(provision '(kadmind))
(requirement '(networking user-processes))
(start #~(make-forkexec-constructor (list #$(file-append
(kdc-configuration-krb5
configuration)
"/sbin/kadmind")
"-nofork" "-P"
"/run/kadmind.pid")
#:environment-variables
(list (string-append
"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:"
#$(kdc-configuration-krb5
configuration)
"/lib/krb5/plugins/kdb")
"SSL_CERT_DIR=/etc/ssl/certs"
"KRB5_KDC_PROFILE=/etc/kdc.conf")
#:user "root"
#:group "root"))
(stop #~(make-kill-destructor)))))
(define kdc-service-type
(service-type (name 'kdc-service)
(description "KDC service")
(extensions (list (service-extension activation-service-type
kdc-activation)
(service-extension
shepherd-root-service-type kdc-shepherd)
(service-extension account-service-type
kdc-accounts)
(service-extension etc-service-type kdc-etc)))
(default-value (kdc-configuration))))
(define %kerberos-dn
"uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca")
(define-public kerberos-services
(append (list (service kdc-service-type
(kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca"))
(logging '("kdc = SYSLOG:DEBUG:DAEMON"))
(dbmodules (list (cons
"openldap_ldapconf"
(kldap-configuration
(ldap_kdc_dn
%kerberos-dn)
(ldap_kadmind_dn
%kerberos-dn)
(ldap_servers
"ldaps://ldap.metznet.ca")
(ldap_service_password_file
"/var/lib/kerberos/service.keyfile")))))
(realms (list (kdc-realm-configuration
(name "METZNET.CA")
(database_module
"openldap_ldapconf")
(default_principal_flags
"+preauth")
(acl_file (plain-file
"kadm5.acl"
"*/admin@METZNET.CA *\n")))))))
(service certbot-service-type
(certbot-configuration (email "admin@metznet.ca")
(certificates (list (certificate-configuration
(domains '
("kerberos.metznet.ca"))))))))
%metznet-server-services))
(define-public kerberos.metznet.ca
(operating-system
(inherit %metznet-base-server-system)
(host-name "kerberos.metznet.ca")
(services
kerberos-services)))

28
metznet/machines/ldap.scm
Unescape Escape View File

@ -1,28 +0,0 @@
(define-module (metznet machines ldap)
#:use-module (gnu system)
#:use-module (guix gexp)
#:use-module (metznet system base-system)
#:use-module (gnu packages slapd)
#:use-module (gnu services)
#:use-module (gnu services certbot)
#:use-module (gnu services slapd)
#:export (ldap.metznet.ca ldap-services))
(define-public ldap-services
(append (list (service certbot-service-type
(certbot-configuration (email "admin@metznet.ca")
(certificates (list (certificate-configuration
(domains '
("ldap.metznet.ca")))))))
(service slapd-service-type
(slapd-configuration (uris
"ldap:// ldaps://"))))
%metznet-server-services))
(define-public ldap.metznet.ca
(operating-system
(inherit %metznet-base-server-system)
(host-name "ldap.metznet.ca")
(services
ldap-services)))

43
metznet/machines/vpn.scm
Unescape Escape View File

@ -1,43 +0,0 @@
(define-module (metznet machines vpn)
#:use-module (guix gexp)
#:use-module (guix modules)
#:use-module (gnu packages tls)
#:use-module (gnu system)
#:use-module (gnu services)
#:use-module (gnu services certbot)
#:use-module (gnu services vpn)
#:use-module (metznet system base-system)
#:export (vpn.metznet.ca vpn-services metznet-vpn-service-type))
(define-public vpn-services
(append (list (service openvpn-server-service-type
(openvpn-server-configuration (ca
"/var/lib/openvpn/ca.crt")
(cert
"/var/lib/openvpn/client.crt")
(key
"/var/lib/openvpn/client.key")
(tls-auth
"/var/lib/openvpn/ta.key")
(dh
"/var/lib/openvpn/dh2048.pem")
(ifconfig-pool-persist
"/var/lib/openvpn/ipp.txt")
(server
"10.0.80.0 255.255.255.0")))
(service certbot-service-type
(certbot-configuration (email "admin@metznet.ca")
(certificates (list (certificate-configuration
(domains '
("vpn.metznet.ca"))))))))
(modify-services %metznet-server-services
(delete openvpn-client-service-type))))
(define-public vpn.metznet.ca
(operating-system
(inherit %metznet-base-server-system)
(host-name "vpn.metznet.ca")
(services
vpn-services)))