diff --git a/Makefile b/Makefile index 907ae1a..d5c32d6 100644 --- a/Makefile +++ b/Makefile @@ -1,21 +1,103 @@ -GUIX_SUBSTITUTE_FLAG = --substitute-urls='https://ci.guix.gnu.org https://substitutes.nonguix.org' -GUIX_LIB_FLAGS ?= -L ./ -LIBVIRT_GROUP ?= libvirt -LIBVIRT_USER ?= $(USER) -GUIX_IMAGE_CMD ?= guix system image $(GUIX_SUBSTITUTE_FLAG) --image-type=qcow2 $(GUIX_LIB_FLAGS) +GUIX_SUBSTITUTE_FLAG += +--substitute-urls='https://ci.guix.gnu.org +https://substitutes.nonguix.org' +GUIX_LIB_FLAGS +?= +-L +./ +LIBVIRT_GROUP +?= +libvirt +LIBVIRT_USER +?= +$ +(USER) +GUIX_IMAGE_CMD +?= +guix +system +image +$ +(GUIX_SUBSTITUTE_FLAG) +--image-type=qcow2 +$ +(GUIX_LIB_FLAGS) -VM_RAM ?= 4000 -VM_CPU ?= 4 +VM_RAM +?= +4000 +VM_CPU +?= +4 -%.qcow2: %.scm - $(eval RO := $(shell $(GUIX_IMAGE_CMD) $<)) - install -C -m 666 -o $(LIBVIRT_USER) -g $(LIBVIRT_GROUP) $(RO) $@ +%.qcow2: +%.scm +$ +(eval RO := $ + (shell $ + (GUIX_IMAGE_CMD) $<)) +install +-C +-m +666 +-o +$ +(LIBVIRT_USER) +-g +$ +(LIBVIRT_GROUP) +$ +(RO) +$@ -%: %.qcow2 - $(eval OVMF := $(shell guix build $(GUIX_SUBSTITUTE_FLAG) ovmf)) - qemu-system-x86_64 -nic user,model=virtio-net-pci -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin +%: +%.qcow2 +$ +(eval OVMF := $ + (shell guix build $ + (GUIX_SUBSTITUTE_FLAG) ovmf)) +qemu-system-x86_64 +-nic +user,model=virtio-net-pci +-enable-kvm +-hda +$< +-m +$ +(VM_RAM) +-smp +$ +(VM_CPU) +-bios +$ +(OVMF) +/share/firmware/ovmf_x64.bin -.PHONY: % -%-ro: %.scm - $(eval VM_SCRIPT := $(shell guix system $(GUIX_LIB_FLAGS) $(GUIX_SUBSTITUTE_FLAG) vm $<)) - $(VM_SCRIPT) -m $(VM_RAM) -smp $(VM_CPU) -nic user,model=virtio-net-pci +.PHONY: +% +%-ro: +%.scm +$ +(eval VM_SCRIPT := $ + (shell guix + system + $ + (GUIX_LIB_FLAGS) + $ + (GUIX_SUBSTITUTE_FLAG) + vm + $< + --expose=$ + (PWD) + /pki=/var/lib/openvpn)) +$ +(VM_SCRIPT) +-m +$ +(VM_RAM) +-smp +$ +(VM_CPU) +-nic +user,model=virtio-net-pci 
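Review bot: The new side of this hunk is line-shattered — it grows from 21 to 103 lines and every assignment and recipe is split across lines (`$` alone on one line with `(eval RO := $` on the next, `%.qcow2:` with its prerequisite `%.scm` on a separate line), so the Makefile as committed would not parse; the only intended change appears to be adding `--expose=$(PWD)/pki=/var/lib/openvpn` to the `%-ro` rule, and that should be re-applied on top of the original layout. When re-applying it, prefer `--expose=$(CURDIR)/pki=/var/lib/openvpn`, since `PWD` is an inherited shell variable that can be unset or stale when make is driven from a script, whereas `CURDIR` is set by make itself. Note that `--expose` mounts the host `pki` directory read-only inside the VM, which is appropriate for CA, certificate, key and `ta.key` material but means a server in that VM cannot write its `ipp.txt` there. The pre-existing `install -C -m 666` leaves the qcow2 image world-writable on the host; `-m 660` with the libvirt group already passed via `-g` would be sufficient for libvirt access.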
diff --git a/metznet/machines/vpn.scm b/metznet/machines/vpn.scm index 1f2e5e0..32e0488 100644 --- a/metznet/machines/vpn.scm +++ b/metznet/machines/vpn.scm @@ -10,27 +10,22 @@ #:export (vpn.metznet.ca vpn-services metznet-vpn-service-type)) -(define (metznet-vpn-etc dh-pem) - `(("openvpn/dh2048.pem" ,dh-pem))) - -(define new-dh-pem - (computed-file "dh2048.pem" (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (invoke #$(file-append openssl "/bin/openssl") "dhparam" "-out" #$output "2048"))))) - -(define-public metznet-vpn-service-type - (service-type (name 'metznet-vpn) - (description "") - (extensions (list (service-extension etc-service-type - metznet-vpn-etc))) - (default-value new-dh-pem))) - (define-public vpn-services (append (list (service openvpn-server-service-type - (openvpn-server-configuration (tls-auth - "/etc/openvpn/ta.key") + (openvpn-server-configuration (ca + "/var/lib/openvpn/ca.crt") + (cert + "/var/lib/openvpn/client.crt") + (key + "/var/lib/openvpn/client.key") + (tls-auth + "/var/lib/openvpn/ta.key") + (dh + "/var/lib/openvpn/dh2048.pem") + (ifconfig-pool-persist + "/var/lib/openvpn/ipp.txt") (server "10.0.80.0 255.255.255.0"))) - - (service metznet-vpn-service-type) (service certbot-service-type (certbot-configuration (email "admin@metznet.ca") (certificates (list (certificate-configuration diff --git a/metznet/system/base-system.scm b/metznet/system/base-system.scm index ea34604..f2bb13d 100644 --- a/metznet/system/base-system.scm +++ b/metznet/system/base-system.scm 
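Review bot: The server's `cert` and `key` fields point at `/var/lib/openvpn/client.crt` and `/var/lib/openvpn/client.key`, the same paths the client configuration in the base-system.scm hunk uses for its own identity; if the same `pki` directory is provisioned to both, the server would present a client certificate, which a client that verifies the server's key-usage extension (I believe Guix's `openvpn-client-configuration` does so by default) would reject, so either name the server files distinctly (e.g. `server.crt`/`server.key`) or confirm that this certificate carries the server extended key usage. Removing `new-dh-pem` removes the only thing that generated `dh2048.pem`, and nothing in this diff creates it or any other file under `/var/lib/openvpn`, so `vpn-services` should carry a comment such as `;; /var/lib/openvpn (ca.crt, server cert/key, ta.key, dh2048.pem) is provisioned out of band; the Makefile's --expose only covers the dev VM`. `ifconfig-pool-persist` requires a writable `ipp.txt`; when that directory is the read-only `--expose` mount from the Makefile the server will log write failures, so the pool file probably belongs in a separate writable state path rather than next to the key material.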
@@ -165,20 +165,6 @@ (define-configuration/no-serialization metznet-system-configuration (certs (file-like le-certs) "certificate package") - (vpn-ta-key (file-like (local-file (or (getenv "VPN_TA") "pki/ta.key"))) - "ta.key for openvpn") - (vpn-ca (file-like (local-file (or (getenv - "VPN_CA") - "pki/ca.crt"))) - "ca.crt for openvpn") - (vpn-cert (file-like (local-file (or (getenv - "VPN_CERT") - "pki/vpn.crt"))) - "certificate for openvpn") - (vpn-key (file-like (local-file (or (getenv - "VPN_KEY") - "pki/vpn.key"))) - "key for openvpn") (user-shells (alist-of-file-like (list (cons "/bin/zsh" zsh))) @@ -213,23 +199,14 @@ (metznet-system-configuration-user-shells configuration))) (define (metznet-activation configuration) - #~(for-each (lambda (path package) - (begin - (display path) - (display "\n") - (display package) - (display "\n") + #~(begin + (let ((root (getpw "root"))) + (mkdir-p/perms "/var/lib/openvpn" root 448)) + (for-each (lambda (path package) (unless (access? path F_OK) - (symlink (string-append package path) path)))) - (list #$@(shell-paths configuration)) - (list #$@(shell-packages configuration)))) - -(define (metznet-etc-service configuration) - `(("openvpn/ta.key" ,(metznet-system-configuration-vpn-ta-key configuration)) - ("openvpn/ca.crt" ,(metznet-system-configuration-vpn-ca configuration)) - ("openvpn/client.key" ,(metznet-system-configuration-vpn-key - configuration)) - ("openvpn/client.crt" ,(metznet-system-configuration-vpn-cert configuration)))) + (symlink (string-append package path) path))) + (list #$@(shell-paths configuration)) + (list #$@(shell-packages configuration))))) (define-public metznet-service-type (service-type (name 'metznet-service) @@ -239,8 +216,6 @@ (service-extension profile-service-type (compose list metznet-system-configuration-certs)) - (service-extension etc-service-type - metznet-etc-service) (service-extension pam-root-service-type pam-mkhomedir-services))) (default-value (metznet-system-configuration)))) 
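Review bot: In the `metznet-activation` hunk, `(mkdir-p/perms "/var/lib/openvpn" root 448)` creates the directory as 0700 root-owned, but nothing here sets or checks the mode of the key files placed inside it, and it is not evident from the call whether the mode is re-applied when the directory already exists — the intent deserves a comment, e.g. `;; 0700: holds the OpenVPN private key material that previously went into the world-readable store via local-file`. Because activation re-runs on every reconfigure and this call precedes the shell symlink loop, a failure on a pre-mounted read-only `/var/lib/openvpn` (the dev VM's `--expose`) may abort the whole activation, so consider running the symlink loop first or guarding the `mkdir-p/perms` call. The removal of the `local-file` fields in the `@@ -165` hunk is the right direction: `local-file` copies the referenced secrets into `/gnu/store`, which is world-readable, and `etc-service-type` then exposed them again under `/etc/openvpn`. `mkdir-p/perms` and `getpw` are resolved by imports outside this view, so confirm the module imports `(gnu build activation)` or whichever module provides them.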
@@ -298,15 +273,18 @@ (list (service dbus-root-service-type) (service dhcp-client-service-type) (service openvpn-client-service-type - (openvpn-client-configuration (openvpn openvpn) - (pid-file - "/var/run/openvpn/client.pid") + (openvpn-client-configuration (ca + "/var/lib/openvpn/ca.crt") + (cert + "/var/lib/openvpn/client.crt") + (key + "/var/lib/openvpn/client.key") + (tls-auth + "/var/lib/openvpn/ta.key") (persist-key? #f) (remote (list (openvpn-remote-configuration (name - "vpn.metznet.ca")))) - (tls-auth - "/etc/openvpn/ta.key")))))) + "vpn.metznet.ca"))))))))) (define %metznet-server-services (append %server-services %base-services-nscd))
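Review bot: The `/var/lib/openvpn` prefix is now repeated as a string literal in four fields of this `openvpn-client-configuration`, in the activation's `mkdir-p/perms` call, and in six fields of the server configuration in vpn.scm, which invites drift between the directory that is created and the files that are read. A single exported constant, `(define-public %openvpn-dir "/var/lib/openvpn")`, with fields written as `(ca (string-append %openvpn-dir "/ca.crt"))`, would keep the activation and both configurations in step. The `(list ...)` this service sits in begins before the hunk, so whether every machine built from base-system — including the VPN server itself — gets this client cannot be judged from here; a comment on that list stating which hosts are meant to run the client would help.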