diff --git a/system/base-system.scm b/system/base-system.scm
index 2dd6d2c..f540945 100644
--- a/system/base-system.scm
+++ b/system/base-system.scm
@@ -4,6 +4,7 @@
   #:use-module (nongnu system linux-initrd)
   #:use-module (nongnu packages linux)
   #:use-module (guix gexp)
+  #:use-module (guix utils)
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
@@ -22,6 +23,7 @@
   #:use-module (gnu services xorg)
   #:use-module (gnu services base)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages ssh)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages libedit)
   #:use-module (gnu packages hurd)
@@ -29,6 +31,8 @@
   #:use-module (gnu packages xorg)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages groff)
+  #:use-module (gnu packages gcc)
+  #:use-module (gnu packages commencement)
   #:use-module (gnu packages security-token)
   #:use-module (gnu packages vim)
   #:use-module (gnu packages certs)
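Review bot: `(gnu packages gcc)` and `(gnu packages commencement)` are imported in the third hunk, but nothing in the visible hunks uses a binding from them — `binutils` is defined in `(gnu packages base)` and `strace` in `(gnu packages linux)`, which is already imported. If the rest of the file does not reference `gcc` or `gcc-toolchain`, those two `#:use-module` lines can be dropped. Likewise `(guix utils)` is added in the first hunk while the only visible user of `%current-target-system` is the `openssh-ldap` package this commit deletes; confirm a remaining use before keeping the import.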
@@ -66,130 +70,6 @@ #:export (%metznet-base-server-system) #:export (%metznet-base-desktop-system)) -(define openssh-ldap - (package - (name "openssh") - (version "9.3p1") - (source (origin - (method url-fetch) - (uri (string-append "mirror://openbsd/OpenSSH/portable/" - "openssh-" version ".tar.gz")) - (patches (search-patches "openssh-hurd.patch" - "openssh-trust-guix-store-directory.patch")) - (sha256 - (base32 - "1a7qia3c255igny5kf00m5zxkp69lf1w6qjsv3rm2sm705vvmfp9")))) - (build-system gnu-build-system) - (native-inputs (list groff pkg-config)) - (propagated-inputs (list nss-pam-ldapd)) - (inputs `(("libedit" ,libedit) - ("openssl" ,openssl) - ,@(if (hurd-target?) - '() - `(("pam" ,linux-pam) - ("libfido2" ,libfido2))) ;fails to build on GNU/Hurd - ("mit-krb5" ,mit-krb5) - ("zlib" ,zlib) - ("xauth" ,xauth))) ; for 'ssh -X' and 'ssh -Y' - (arguments - `(#:test-target "tests" - ;; Otherwise, the test scripts try to use a nonexistent directory and - ;; fail. - #:make-flags '("REGRESSTMP=\"$${BUILDDIR}/regress\"") - #:configure-flags `("--sysconfdir=/etc/ssh" - - ;; Default value of 'PATH' used by sshd. - "--with-default-path=/run/current-system/profile/bin" - - ;; configure needs to find krb5-config. - ,(string-append "--with-kerberos5=" - (assoc-ref %build-inputs "mit-krb5") - "/bin") - - ;; libedit is needed for sftp completion. - "--with-libedit" - - ;; Enable PAM support in sshd. - ,,@(if (hurd-target?) - '() - '("--with-pam" - - ;; Support creation and use of ecdsa-sk, - ;; ed25519-sk keys. - "--with-security-key-builtin")) - - - - ;; "make install" runs "install -s" by default, - ;; which doesn't work for cross-compiled binaries - ;; because it invokes 'strip' instead of - ;; 'TRIPLET-strip'. Work around this. 
- ,,@(if (%current-target-system) - '("--disable-strip") - '())) - - #:phases - (modify-phases %standard-phases - (add-after 'configure 'reset-/var/empty - (lambda* (#:key outputs #:allow-other-keys) - (let ((out (assoc-ref outputs "out"))) - (substitute* "Makefile" - (("PRIVSEP_PATH=/var/empty") - (string-append "PRIVSEP_PATH=" out "/var/empty")))))) - (add-after 'configure 'set-store-location - (lambda* _ - (substitute* "misc.c" - (("@STORE_DIRECTORY@") - (string-append "\"" (%store-directory) "\""))))) - (add-before 'check 'patch-tests - (lambda _ - (substitute* "regress/test-exec.sh" - (("/bin/sh") (which "sh"))) - - ;; Remove 't-exec' regress target which requires user 'sshd'. - (substitute* (list "Makefile" - "regress/Makefile") - (("^(tests:.*) t-exec(.*)" all pre post) - (string-append pre post))))) - (replace 'install - (lambda* (#:key outputs (make-flags '()) #:allow-other-keys) - (let ((out (assoc-ref outputs "out"))) - ;; Install without host keys and system configuration files. - ;; This will install /var/empty to the store, which is needed - ;; by the system openssh-service-type. - (apply invoke "make" "install-nosysconf" make-flags) - (with-directory-excursion "contrib" - (chmod "ssh-copy-id" #o555) - (install-file "ssh-copy-id" - (string-append out "/bin/")) - (install-file "ssh-copy-id.1" - (string-append out "/share/man/man1/"))))))))) - (synopsis "Client and server for the secure shell (ssh) protocol") - (description - "The SSH2 protocol implemented in OpenSSH is standardised by the -IETF secsh working group and is specified in several RFCs and drafts. -It is composed of three layered components: - -The transport layer provides algorithm negotiation and a key exchange. -The key exchange includes server authentication and results in a -cryptographically secured connection: it provides integrity, confidentiality -and optional compression. 
- -The user authentication layer uses the established connection and relies on -the services provided by the transport layer. It provides several mechanisms -for user authentication. These include traditional password authentication -as well as public-key or host-based authentication mechanisms. - -The connection layer multiplexes many different concurrent channels over the -authenticated connection and allows tunneling of login sessions and -TCP-forwarding. It provides a flow control service for these channels. -Additionally, various channel-specific options can be negotiated.") - (license (license:non-copyleft "file://LICENSE" - "See LICENSE in the distribution.")) - (properties - '((release-monitoring-url . "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/"))) - (home-page "https://www.openssh.com/"))) - (define %domain-realm "METZNET.CA") (define %domain-name "metznet.ca") @@ -216,7 +96,7 @@ Additionally, various channel-specific options can be negotiated.") (name "usb"))) %base-groups)) -(define %metznet-base-packages (append (list openssh-ldap nss-pam-ldapd glibc openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages)) +(define %metznet-base-packages (append (list binutils openssh nss-pam-ldapd strace openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages)) (define %metznet-desktop-packages (append (list i3-wm i3status dmenu kitty icecat) %metznet-base-packages)) @@ -269,8 +149,6 @@ Additionally, various channel-specific options can be negotiated.") (shadow services) (group services)))) -; 1) need to create user directory on login -; 2) need to have /bin/zsh available to use as shell (define pam-ldap-module (file-append nss-pam-ldapd "/lib/security/pam_ldap.so")) 
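Review bot: The rewritten `%metznet-base-packages` line adds `strace` and `binutils` to the profile that both the desktop list (`%metznet-desktop-packages`, next line) and, presumably, the server system inherit. Tools that attach to running processes and disassemble binaries are better kept out of a server's base profile and placed in the desktop list or a dedicated debug profile, so their presence on a production host is a deliberate choice rather than the default. The same line silently drops `glibc`; if it was only there for `getent`/`ldd` while debugging nss-pam-ldapd, say so in the commit message or with a short comment such as `;; glibc dropped: no longer needed once nslcd is in place`.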
@@ -280,9 +158,14 @@ Additionally, various channel-specific options can be negotiated.") (let ((sufficient (pam-entry (control "sufficient") - (module pam-ldap-module)))) + (module pam-ldap-module))) + (required + (pam-entry + (control "required") + (module "pam_mkhomedir.so")))) (pam-service (inherit pam) + (session (cons required (pam-service-account pam))) (password (cons sufficient (pam-service-account pam))))) pam))) @@ -310,17 +193,31 @@ Additionally, various channel-specific options can be negotiated.") (list (simple-service 'metznet-ln-service activation-service-type #~(symlink "/run/current-system/profile/bin/zsh" "/bin/zsh")) (service openssh-service-type (openssh-configuration - (openssh openssh-ldap) - (log-level 'debug3) (extra-content "KerberosAuthentication yes"))) (service krb5-service-type %metznet-krb5-config) (service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000))) - (service metznet-service-type (list "su" "login" "sshd" "passwd")) - (service nslcd-service-type %metznet-nslcd-config))) + (service nslcd-service-type %metznet-nslcd-config) + (service metznet-service-type (list "su" "login" "sshd" "passwd")))) + +(define %metznet-nscd-configuration (nscd-configuration + (caches (append (list + (nscd-cache + (database 'passwd) + (positive-time-to-live (* 3600 12)) + (negative-time-to-live 20) + (persistent? #t)) + (nscd-cache + (database 'group) + (positive-time-to-live (* 3600 12)) + (negative-time-to-live 20) + (persistent? #t)) +) + %nscd-default-caches)))) (define %metznet-desktop-services (append %metznet-services (modify-services %desktop-services + (nscd-service-type config => %metznet-nscd-configuration) (guix-service-type config => (guix-configuration (inherit config) (substitute-urls 
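Review bot: The new `session` stack is seeded from `(pam-service-account pam)` instead of `(pam-service-session pam)`, so whatever session modules the base service defined are replaced by its account entries with `pam_mkhomedir.so` prepended; the line should read `(session (cons required (pam-service-session pam)))`. The existing `password` line uses the same account-based pattern, which may be intentional there, but for `session` it discards the base service's session entries. Separately, `pam_mkhomedir.so` falls back to a default umask of 0022, so new home directories come out world-readable; pass one explicitly, `(module "pam_mkhomedir.so") (arguments '("umask=0077"))`. For consistency with `pam-ldap-module` consider a `file-append` on the providing package rather than a bare module name. The enclosing form that binds `pam` starts before this hunk.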
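Review bot: The two new `nscd-cache` entries keep `passwd` and `group` answers for 12 hours with `(persistent? #t)`, so an account disabled in LDAP or a group membership revoked there can keep resolving on the host, across reboots, until the positive TTL runs out or the cache is invalidated with `nscd -i passwd` / `nscd -i group`. That trade-off against nslcd round-trips deserves a comment next to `%metznet-nscd-configuration`, e.g. `;; 12h positive TTL: LDAP account/group removals only take effect after expiry or nscd -i`. Since authentication itself still goes through pam_ldap/pam-krb5 per the pam hunk above, the exposure is stale authorization data; a shorter TTL for `group` is worth considering if group membership gates sudo or ssh access. The lone `)` on its own line before `%nscd-default-caches` is a style nit; the file's other forms keep closing parens on the preceding line.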
@@ -345,7 +242,7 @@ Additionally, various channel-specific options can be negotiated.") (network-manager-configuration (inherit config) (vpn-plugins (list network-manager-openvpn))))))) -(define %metznet-server-services (append (append %metznet-services +(define %metznet-server-services (append (append %metznet-services (list (service dhcp-client-service-type) (openvpn-client-service @@ -354,7 +251,8 @@ Additionally, various channel-specific options can be negotiated.") (pid-file "/var/run/openvpn/client.pid") (persist-key? #f) (tls-auth "/etc/openvpn/ta.key")))) - %base-services))) + (modify-services %base-services + (nscd-service-type config => %metznet-nscd-configuration))))) (define %metznet-base-operating-system (operating-system