|
|
@ -4,6 +4,7 @@
|
|
|
|
#:use-module (nongnu system linux-initrd)
|
|
|
|
#:use-module (nongnu system linux-initrd)
|
|
|
|
#:use-module (nongnu packages linux)
|
|
|
|
#:use-module (nongnu packages linux)
|
|
|
|
#:use-module (guix gexp)
|
|
|
|
#:use-module (guix gexp)
|
|
|
|
|
|
|
|
#:use-module (guix utils)
|
|
|
|
#:use-module (guix packages)
|
|
|
|
#:use-module (guix packages)
|
|
|
|
#:use-module (guix download)
|
|
|
|
#:use-module (guix download)
|
|
|
|
#:use-module (guix build-system gnu)
|
|
|
|
#:use-module (guix build-system gnu)
|
|
|
@ -22,6 +23,7 @@
|
|
|
|
#:use-module (gnu services xorg)
|
|
|
|
#:use-module (gnu services xorg)
|
|
|
|
#:use-module (gnu services base)
|
|
|
|
#:use-module (gnu services base)
|
|
|
|
#:use-module (gnu packages linux)
|
|
|
|
#:use-module (gnu packages linux)
|
|
|
|
|
|
|
|
#:use-module (gnu packages ssh)
|
|
|
|
#:use-module (gnu packages compression)
|
|
|
|
#:use-module (gnu packages compression)
|
|
|
|
#:use-module (gnu packages libedit)
|
|
|
|
#:use-module (gnu packages libedit)
|
|
|
|
#:use-module (gnu packages hurd)
|
|
|
|
#:use-module (gnu packages hurd)
|
|
|
@ -29,6 +31,8 @@
|
|
|
|
#:use-module (gnu packages xorg)
|
|
|
|
#:use-module (gnu packages xorg)
|
|
|
|
#:use-module (gnu packages pkg-config)
|
|
|
|
#:use-module (gnu packages pkg-config)
|
|
|
|
#:use-module (gnu packages groff)
|
|
|
|
#:use-module (gnu packages groff)
|
|
|
|
|
|
|
|
#:use-module (gnu packages gcc)
|
|
|
|
|
|
|
|
#:use-module (gnu packages commencement)
|
|
|
|
#:use-module (gnu packages security-token)
|
|
|
|
#:use-module (gnu packages security-token)
|
|
|
|
#:use-module (gnu packages vim)
|
|
|
|
#:use-module (gnu packages vim)
|
|
|
|
#:use-module (gnu packages certs)
|
|
|
|
#:use-module (gnu packages certs)
|
|
|
@ -66,130 +70,6 @@
|
|
|
|
#:export (%metznet-base-server-system)
|
|
|
|
#:export (%metznet-base-server-system)
|
|
|
|
#:export (%metznet-base-desktop-system))
|
|
|
|
#:export (%metznet-base-desktop-system))
|
|
|
|
|
|
|
|
|
|
|
|
(define openssh-ldap
|
|
|
|
|
|
|
|
(package
|
|
|
|
|
|
|
|
(name "openssh")
|
|
|
|
|
|
|
|
(version "9.3p1")
|
|
|
|
|
|
|
|
(source (origin
|
|
|
|
|
|
|
|
(method url-fetch)
|
|
|
|
|
|
|
|
(uri (string-append "mirror://openbsd/OpenSSH/portable/"
|
|
|
|
|
|
|
|
"openssh-" version ".tar.gz"))
|
|
|
|
|
|
|
|
(patches (search-patches "openssh-hurd.patch"
|
|
|
|
|
|
|
|
"openssh-trust-guix-store-directory.patch"))
|
|
|
|
|
|
|
|
(sha256
|
|
|
|
|
|
|
|
(base32
|
|
|
|
|
|
|
|
"1a7qia3c255igny5kf00m5zxkp69lf1w6qjsv3rm2sm705vvmfp9"))))
|
|
|
|
|
|
|
|
(build-system gnu-build-system)
|
|
|
|
|
|
|
|
(native-inputs (list groff pkg-config))
|
|
|
|
|
|
|
|
(propagated-inputs (list nss-pam-ldapd))
|
|
|
|
|
|
|
|
(inputs `(("libedit" ,libedit)
|
|
|
|
|
|
|
|
("openssl" ,openssl)
|
|
|
|
|
|
|
|
,@(if (hurd-target?)
|
|
|
|
|
|
|
|
'()
|
|
|
|
|
|
|
|
`(("pam" ,linux-pam)
|
|
|
|
|
|
|
|
("libfido2" ,libfido2))) ;fails to build on GNU/Hurd
|
|
|
|
|
|
|
|
("mit-krb5" ,mit-krb5)
|
|
|
|
|
|
|
|
("zlib" ,zlib)
|
|
|
|
|
|
|
|
("xauth" ,xauth))) ; for 'ssh -X' and 'ssh -Y'
|
|
|
|
|
|
|
|
(arguments
|
|
|
|
|
|
|
|
`(#:test-target "tests"
|
|
|
|
|
|
|
|
;; Otherwise, the test scripts try to use a nonexistent directory and
|
|
|
|
|
|
|
|
;; fail.
|
|
|
|
|
|
|
|
#:make-flags '("REGRESSTMP=\"$${BUILDDIR}/regress\"")
|
|
|
|
|
|
|
|
#:configure-flags `("--sysconfdir=/etc/ssh"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
;; Default value of 'PATH' used by sshd.
|
|
|
|
|
|
|
|
"--with-default-path=/run/current-system/profile/bin"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
;; configure needs to find krb5-config.
|
|
|
|
|
|
|
|
,(string-append "--with-kerberos5="
|
|
|
|
|
|
|
|
(assoc-ref %build-inputs "mit-krb5")
|
|
|
|
|
|
|
|
"/bin")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
;; libedit is needed for sftp completion.
|
|
|
|
|
|
|
|
"--with-libedit"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
;; Enable PAM support in sshd.
|
|
|
|
|
|
|
|
,,@(if (hurd-target?)
|
|
|
|
|
|
|
|
'()
|
|
|
|
|
|
|
|
'("--with-pam"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
;; Support creation and use of ecdsa-sk,
|
|
|
|
|
|
|
|
;; ed25519-sk keys.
|
|
|
|
|
|
|
|
"--with-security-key-builtin"))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
;; "make install" runs "install -s" by default,
|
|
|
|
|
|
|
|
;; which doesn't work for cross-compiled binaries
|
|
|
|
|
|
|
|
;; because it invokes 'strip' instead of
|
|
|
|
|
|
|
|
;; 'TRIPLET-strip'. Work around this.
|
|
|
|
|
|
|
|
,,@(if (%current-target-system)
|
|
|
|
|
|
|
|
'("--disable-strip")
|
|
|
|
|
|
|
|
'()))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#:phases
|
|
|
|
|
|
|
|
(modify-phases %standard-phases
|
|
|
|
|
|
|
|
(add-after 'configure 'reset-/var/empty
|
|
|
|
|
|
|
|
(lambda* (#:key outputs #:allow-other-keys)
|
|
|
|
|
|
|
|
(let ((out (assoc-ref outputs "out")))
|
|
|
|
|
|
|
|
(substitute* "Makefile"
|
|
|
|
|
|
|
|
(("PRIVSEP_PATH=/var/empty")
|
|
|
|
|
|
|
|
(string-append "PRIVSEP_PATH=" out "/var/empty"))))))
|
|
|
|
|
|
|
|
(add-after 'configure 'set-store-location
|
|
|
|
|
|
|
|
(lambda* _
|
|
|
|
|
|
|
|
(substitute* "misc.c"
|
|
|
|
|
|
|
|
(("@STORE_DIRECTORY@")
|
|
|
|
|
|
|
|
(string-append "\"" (%store-directory) "\"")))))
|
|
|
|
|
|
|
|
(add-before 'check 'patch-tests
|
|
|
|
|
|
|
|
(lambda _
|
|
|
|
|
|
|
|
(substitute* "regress/test-exec.sh"
|
|
|
|
|
|
|
|
(("/bin/sh") (which "sh")))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
;; Remove 't-exec' regress target which requires user 'sshd'.
|
|
|
|
|
|
|
|
(substitute* (list "Makefile"
|
|
|
|
|
|
|
|
"regress/Makefile")
|
|
|
|
|
|
|
|
(("^(tests:.*) t-exec(.*)" all pre post)
|
|
|
|
|
|
|
|
(string-append pre post)))))
|
|
|
|
|
|
|
|
(replace 'install
|
|
|
|
|
|
|
|
(lambda* (#:key outputs (make-flags '()) #:allow-other-keys)
|
|
|
|
|
|
|
|
(let ((out (assoc-ref outputs "out")))
|
|
|
|
|
|
|
|
;; Install without host keys and system configuration files.
|
|
|
|
|
|
|
|
;; This will install /var/empty to the store, which is needed
|
|
|
|
|
|
|
|
;; by the system openssh-service-type.
|
|
|
|
|
|
|
|
(apply invoke "make" "install-nosysconf" make-flags)
|
|
|
|
|
|
|
|
(with-directory-excursion "contrib"
|
|
|
|
|
|
|
|
(chmod "ssh-copy-id" #o555)
|
|
|
|
|
|
|
|
(install-file "ssh-copy-id"
|
|
|
|
|
|
|
|
(string-append out "/bin/"))
|
|
|
|
|
|
|
|
(install-file "ssh-copy-id.1"
|
|
|
|
|
|
|
|
(string-append out "/share/man/man1/")))))))))
|
|
|
|
|
|
|
|
(synopsis "Client and server for the secure shell (ssh) protocol")
|
|
|
|
|
|
|
|
(description
|
|
|
|
|
|
|
|
"The SSH2 protocol implemented in OpenSSH is standardised by the
|
|
|
|
|
|
|
|
IETF secsh working group and is specified in several RFCs and drafts.
|
|
|
|
|
|
|
|
It is composed of three layered components:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The transport layer provides algorithm negotiation and a key exchange.
|
|
|
|
|
|
|
|
The key exchange includes server authentication and results in a
|
|
|
|
|
|
|
|
cryptographically secured connection: it provides integrity, confidentiality
|
|
|
|
|
|
|
|
and optional compression.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The user authentication layer uses the established connection and relies on
|
|
|
|
|
|
|
|
the services provided by the transport layer. It provides several mechanisms
|
|
|
|
|
|
|
|
for user authentication. These include traditional password authentication
|
|
|
|
|
|
|
|
as well as public-key or host-based authentication mechanisms.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The connection layer multiplexes many different concurrent channels over the
|
|
|
|
|
|
|
|
authenticated connection and allows tunneling of login sessions and
|
|
|
|
|
|
|
|
TCP-forwarding. It provides a flow control service for these channels.
|
|
|
|
|
|
|
|
Additionally, various channel-specific options can be negotiated.")
|
|
|
|
|
|
|
|
(license (license:non-copyleft "file://LICENSE"
|
|
|
|
|
|
|
|
"See LICENSE in the distribution."))
|
|
|
|
|
|
|
|
(properties
|
|
|
|
|
|
|
|
'((release-monitoring-url . "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/")))
|
|
|
|
|
|
|
|
(home-page "https://www.openssh.com/")))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(define %domain-realm "METZNET.CA")
|
|
|
|
(define %domain-realm "METZNET.CA")
|
|
|
|
|
|
|
|
|
|
|
|
(define %domain-name "metznet.ca")
|
|
|
|
(define %domain-name "metznet.ca")
|
|
|
@ -216,7 +96,7 @@ Additionally, various channel-specific options can be negotiated.")
|
|
|
|
(name "usb")))
|
|
|
|
(name "usb")))
|
|
|
|
%base-groups))
|
|
|
|
%base-groups))
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-base-packages (append (list openssh-ldap nss-pam-ldapd glibc openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages))
|
|
|
|
(define %metznet-base-packages (append (list binutils openssh nss-pam-ldapd strace openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages))
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-desktop-packages (append (list i3-wm i3status dmenu kitty icecat) %metznet-base-packages))
|
|
|
|
(define %metznet-desktop-packages (append (list i3-wm i3status dmenu kitty icecat) %metznet-base-packages))
|
|
|
|
|
|
|
|
|
|
|
@ -269,8 +149,6 @@ Additionally, various channel-specific options can be negotiated.")
|
|
|
|
(shadow services)
|
|
|
|
(shadow services)
|
|
|
|
(group services))))
|
|
|
|
(group services))))
|
|
|
|
|
|
|
|
|
|
|
|
; 1) need to create user directory on login
|
|
|
|
|
|
|
|
; 2) need to have /bin/zsh available to use as shell
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(define pam-ldap-module (file-append nss-pam-ldapd "/lib/security/pam_ldap.so"))
|
|
|
|
(define pam-ldap-module (file-append nss-pam-ldapd "/lib/security/pam_ldap.so"))
|
|
|
|
|
|
|
|
|
|
|
@ -280,9 +158,14 @@ Additionally, various channel-specific options can be negotiated.")
|
|
|
|
(let ((sufficient
|
|
|
|
(let ((sufficient
|
|
|
|
(pam-entry
|
|
|
|
(pam-entry
|
|
|
|
(control "sufficient")
|
|
|
|
(control "sufficient")
|
|
|
|
(module pam-ldap-module))))
|
|
|
|
(module pam-ldap-module)))
|
|
|
|
|
|
|
|
(required
|
|
|
|
|
|
|
|
(pam-entry
|
|
|
|
|
|
|
|
(control "required")
|
|
|
|
|
|
|
|
(module "pam_mkhomedir.so"))))
|
|
|
|
(pam-service
|
|
|
|
(pam-service
|
|
|
|
(inherit pam)
|
|
|
|
(inherit pam)
|
|
|
|
|
|
|
|
(session (cons required (pam-service-account pam)))
|
|
|
|
(password (cons sufficient (pam-service-account pam)))))
|
|
|
|
(password (cons sufficient (pam-service-account pam)))))
|
|
|
|
pam)))
|
|
|
|
pam)))
|
|
|
|
|
|
|
|
|
|
|
@ -310,17 +193,31 @@ Additionally, various channel-specific options can be negotiated.")
|
|
|
|
(list
|
|
|
|
(list
|
|
|
|
(simple-service 'metznet-ln-service activation-service-type #~(symlink "/run/current-system/profile/bin/zsh" "/bin/zsh"))
|
|
|
|
(simple-service 'metznet-ln-service activation-service-type #~(symlink "/run/current-system/profile/bin/zsh" "/bin/zsh"))
|
|
|
|
(service openssh-service-type (openssh-configuration
|
|
|
|
(service openssh-service-type (openssh-configuration
|
|
|
|
(openssh openssh-ldap)
|
|
|
|
|
|
|
|
(log-level 'debug3)
|
|
|
|
|
|
|
|
(extra-content "KerberosAuthentication yes")))
|
|
|
|
(extra-content "KerberosAuthentication yes")))
|
|
|
|
(service krb5-service-type %metznet-krb5-config)
|
|
|
|
(service krb5-service-type %metznet-krb5-config)
|
|
|
|
(service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000)))
|
|
|
|
(service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000)))
|
|
|
|
(service metznet-service-type (list "su" "login" "sshd" "passwd"))
|
|
|
|
(service nslcd-service-type %metznet-nslcd-config)
|
|
|
|
(service nslcd-service-type %metznet-nslcd-config)))
|
|
|
|
(service metznet-service-type (list "su" "login" "sshd" "passwd"))))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-nscd-configuration (nscd-configuration
|
|
|
|
|
|
|
|
(caches (append (list
|
|
|
|
|
|
|
|
(nscd-cache
|
|
|
|
|
|
|
|
(database 'passwd)
|
|
|
|
|
|
|
|
(positive-time-to-live (* 3600 12))
|
|
|
|
|
|
|
|
(negative-time-to-live 20)
|
|
|
|
|
|
|
|
(persistent? #t))
|
|
|
|
|
|
|
|
(nscd-cache
|
|
|
|
|
|
|
|
(database 'group)
|
|
|
|
|
|
|
|
(positive-time-to-live (* 3600 12))
|
|
|
|
|
|
|
|
(negative-time-to-live 20)
|
|
|
|
|
|
|
|
(persistent? #t))
|
|
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
%nscd-default-caches))))
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-desktop-services
|
|
|
|
(define %metznet-desktop-services
|
|
|
|
(append %metznet-services
|
|
|
|
(append %metznet-services
|
|
|
|
(modify-services %desktop-services
|
|
|
|
(modify-services %desktop-services
|
|
|
|
|
|
|
|
(nscd-service-type config => %metznet-nscd-configuration)
|
|
|
|
(guix-service-type config => (guix-configuration
|
|
|
|
(guix-service-type config => (guix-configuration
|
|
|
|
(inherit config)
|
|
|
|
(inherit config)
|
|
|
|
(substitute-urls
|
|
|
|
(substitute-urls
|
|
|
@ -345,7 +242,7 @@ Additionally, various channel-specific options can be negotiated.")
|
|
|
|
(network-manager-configuration (inherit config)
|
|
|
|
(network-manager-configuration (inherit config)
|
|
|
|
(vpn-plugins (list network-manager-openvpn)))))))
|
|
|
|
(vpn-plugins (list network-manager-openvpn)))))))
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-server-services (append (append %metznet-services
|
|
|
|
(define %metznet-server-services (append (append %metznet-services
|
|
|
|
(list
|
|
|
|
(list
|
|
|
|
(service dhcp-client-service-type)
|
|
|
|
(service dhcp-client-service-type)
|
|
|
|
(openvpn-client-service
|
|
|
|
(openvpn-client-service
|
|
|
@ -354,7 +251,8 @@ Additionally, various channel-specific options can be negotiated.")
|
|
|
|
(pid-file "/var/run/openvpn/client.pid")
|
|
|
|
(pid-file "/var/run/openvpn/client.pid")
|
|
|
|
(persist-key? #f)
|
|
|
|
(persist-key? #f)
|
|
|
|
(tls-auth "/etc/openvpn/ta.key"))))
|
|
|
|
(tls-auth "/etc/openvpn/ta.key"))))
|
|
|
|
%base-services)))
|
|
|
|
(modify-services %base-services
|
|
|
|
|
|
|
|
(nscd-service-type config => %metznet-nscd-configuration)))))
|
|
|
|
|
|
|
|
|
|
|
|
(define %metznet-base-operating-system
|
|
|
|
(define %metznet-base-operating-system
|
|
|
|
(operating-system
|
|
|
|
(operating-system
|
|
|
|