Removed copy of openvpn files to store, now expected to be at '/var/lib/openvpn'

noah metz 2023-12-02 21:02:28 -07:00
parent da404b26a6
commit 5c5704e988
3 changed files with 127 additions and 72 deletions

@ -1,21 +1,103 @@
GUIX_SUBSTITUTE_FLAG = --substitute-urls='https://ci.guix.gnu.org https://substitutes.nonguix.org' GUIX_SUBSTITUTE_FLAG
GUIX_LIB_FLAGS ?= -L ./ =
LIBVIRT_GROUP ?= libvirt --substitute-urls='https://ci.guix.gnu.org
LIBVIRT_USER ?= $(USER) https://substitutes.nonguix.org'
GUIX_IMAGE_CMD ?= guix system image $(GUIX_SUBSTITUTE_FLAG) --image-type=qcow2 $(GUIX_LIB_FLAGS) GUIX_LIB_FLAGS
?=
-L
./
LIBVIRT_GROUP
?=
libvirt
LIBVIRT_USER
?=
$
(USER)
GUIX_IMAGE_CMD
?=
guix
system
image
$
(GUIX_SUBSTITUTE_FLAG)
--image-type=qcow2
$
(GUIX_LIB_FLAGS)
VM_RAM ?= 4000 VM_RAM
VM_CPU ?= 4 ?=
4000
VM_CPU
?=
4
%.qcow2: %.scm %.qcow2:
$(eval RO := $(shell $(GUIX_IMAGE_CMD) $<)) %.scm
install -C -m 666 -o $(LIBVIRT_USER) -g $(LIBVIRT_GROUP) $(RO) $@ $
(eval RO := $
(shell $
(GUIX_IMAGE_CMD) $<))
install
-C
-m
666
-o
$
(LIBVIRT_USER)
-g
$
(LIBVIRT_GROUP)
$
(RO)
$@
%: %.qcow2 %:
$(eval OVMF := $(shell guix build $(GUIX_SUBSTITUTE_FLAG) ovmf)) %.qcow2
qemu-system-x86_64 -nic user,model=virtio-net-pci -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin $
(eval OVMF := $
(shell guix build $
(GUIX_SUBSTITUTE_FLAG) ovmf))
qemu-system-x86_64
-nic
user,model=virtio-net-pci
-enable-kvm
-hda
$<
-m
$
(VM_RAM)
-smp
$
(VM_CPU)
-bios
$
(OVMF)
/share/firmware/ovmf_x64.bin
.PHONY: % .PHONY:
%-ro: %.scm %
$(eval VM_SCRIPT := $(shell guix system $(GUIX_LIB_FLAGS) $(GUIX_SUBSTITUTE_FLAG) vm $<)) %-ro:
$(VM_SCRIPT) -m $(VM_RAM) -smp $(VM_CPU) -nic user,model=virtio-net-pci %.scm
$
(eval VM_SCRIPT := $
(shell guix
system
$
(GUIX_LIB_FLAGS)
$
(GUIX_SUBSTITUTE_FLAG)
vm
$<
--expose=$
(PWD)
/pki=/var/lib/openvpn))
$
(VM_SCRIPT)
-m
$
(VM_RAM)
-smp
$
(VM_CPU)
-nic
user,model=virtio-net-pci
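Review bot: The new `--expose=$(PWD)/pki=/var/lib/openvpn` argument in the `%-ro` recipe depends on the inherited `PWD` environment variable rather than Make's own working directory; `PWD` can be unset or stale (it is whatever the invoking shell exported, and is not updated by `make -C`), so the share would silently point at the wrong directory. Replace it with `--expose=$(CURDIR)/pki=/var/lib/openvpn`. Guix's `--expose` mounts the host directory read-only in the guest, which is the right choice for a directory holding private keys, but it also means anything the booted system expects to write under /var/lib/openvpn (the server configuration's `ifconfig-pool-persist` file in the other changed file) will fail inside this VM; if the server profile is what is booted here, that file needs a writable path. The `%` target that boots the qcow2 image gets no such share, so a VM started that way will find /var/lib/openvpn empty unless the files are provisioned some other way — a comment above `%-ro` stating that ./pki must contain the key material and is mounted read-only would make the contract explicit.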

@ -10,27 +10,22 @@
#:export (vpn.metznet.ca vpn-services metznet-vpn-service-type)) #:export (vpn.metznet.ca vpn-services metznet-vpn-service-type))
(define (metznet-vpn-etc dh-pem)
`(("openvpn/dh2048.pem" ,dh-pem)))
(define new-dh-pem
(computed-file "dh2048.pem" (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (invoke #$(file-append openssl "/bin/openssl") "dhparam" "-out" #$output "2048")))))
(define-public metznet-vpn-service-type
(service-type (name 'metznet-vpn)
(description "")
(extensions (list (service-extension etc-service-type
metznet-vpn-etc)))
(default-value new-dh-pem)))
(define-public vpn-services (define-public vpn-services
(append (list (service openvpn-server-service-type (append (list (service openvpn-server-service-type
(openvpn-server-configuration (tls-auth (openvpn-server-configuration (ca
"/etc/openvpn/ta.key") "/var/lib/openvpn/ca.crt")
(cert
"/var/lib/openvpn/client.crt")
(key
"/var/lib/openvpn/client.key")
(tls-auth
"/var/lib/openvpn/ta.key")
(dh
"/var/lib/openvpn/dh2048.pem")
(ifconfig-pool-persist
"/var/lib/openvpn/ipp.txt")
(server (server
"10.0.80.0 255.255.255.0"))) "10.0.80.0 255.255.255.0")))
(service metznet-vpn-service-type)
(service certbot-service-type (service certbot-service-type
(certbot-configuration (email "admin@metznet.ca") (certbot-configuration (email "admin@metznet.ca")
(certificates (list (certificate-configuration (certificates (list (certificate-configuration
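Review bot: The new `openvpn-server-configuration` points `cert` and `key` at `/var/lib/openvpn/client.crt` and `/var/lib/openvpn/client.key`, the same files the client configuration in the other changed file uses; a server normally presents its own server certificate, so this looks like a copy-paste from the client side and is worth confirming, e.g. `(cert "/var/lib/openvpn/server.crt") (key "/var/lib/openvpn/server.key")`. Removing `metznet-vpn-service-type` also drops the build-time `openssl dhparam` generation, so `/var/lib/openvpn/dh2048.pem` and the other files must now be provisioned out of band before the service can start; a comment above `vpn-services` listing the expected files and their required ownership and mode would save the next deploy. `ifconfig-pool-persist "/var/lib/openvpn/ipp.txt"` is written by OpenVPN at runtime, and the activation in the other changed file creates /var/lib/openvpn as mode 0700 root, so if the daemon runs as or drops to an unprivileged user (the Guix service's default, as far as I recall) that write will fail — a separate writable state directory for the pool file would avoid that. The enclosing `vpn-services` definition continues outside the hunk.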

@ -165,20 +165,6 @@
(define-configuration/no-serialization metznet-system-configuration (define-configuration/no-serialization metznet-system-configuration
(certs (file-like le-certs) (certs (file-like le-certs)
"certificate package") "certificate package")
(vpn-ta-key (file-like (local-file (or (getenv "VPN_TA") "pki/ta.key")))
"ta.key for openvpn")
(vpn-ca (file-like (local-file (or (getenv
"VPN_CA")
"pki/ca.crt")))
"ca.crt for openvpn")
(vpn-cert (file-like (local-file (or (getenv
"VPN_CERT")
"pki/vpn.crt")))
"certificate for openvpn")
(vpn-key (file-like (local-file (or (getenv
"VPN_KEY")
"pki/vpn.key")))
"key for openvpn")
(user-shells (alist-of-file-like (list (cons (user-shells (alist-of-file-like (list (cons
"/bin/zsh" "/bin/zsh"
zsh))) zsh)))
@ -213,23 +199,14 @@
(metznet-system-configuration-user-shells configuration))) (metznet-system-configuration-user-shells configuration)))
(define (metznet-activation configuration) (define (metznet-activation configuration)
#~(for-each (lambda (path package) #~(begin
(begin (let ((root (getpw "root")))
(display path) (mkdir-p/perms "/var/lib/openvpn" root 448))
(display "\n") (for-each (lambda (path package)
(display package)
(display "\n")
(unless (access? path F_OK) (unless (access? path F_OK)
(symlink (string-append package path) path)))) (symlink (string-append package path) path)))
(list #$@(shell-paths configuration)) (list #$@(shell-paths configuration))
(list #$@(shell-packages configuration)))) (list #$@(shell-packages configuration)))))
(define (metznet-etc-service configuration)
`(("openvpn/ta.key" ,(metznet-system-configuration-vpn-ta-key configuration))
("openvpn/ca.crt" ,(metznet-system-configuration-vpn-ca configuration))
("openvpn/client.key" ,(metznet-system-configuration-vpn-key
configuration))
("openvpn/client.crt" ,(metznet-system-configuration-vpn-cert configuration))))
(define-public metznet-service-type (define-public metznet-service-type
(service-type (name 'metznet-service) (service-type (name 'metznet-service)
@ -239,8 +216,6 @@
(service-extension profile-service-type (service-extension profile-service-type
(compose list (compose list
metznet-system-configuration-certs)) metznet-system-configuration-certs))
(service-extension etc-service-type
metznet-etc-service)
(service-extension pam-root-service-type (service-extension pam-root-service-type
pam-mkhomedir-services))) pam-mkhomedir-services)))
(default-value (metznet-system-configuration)))) (default-value (metznet-system-configuration))))
@ -298,15 +273,18 @@
(list (service dbus-root-service-type) (list (service dbus-root-service-type)
(service dhcp-client-service-type) (service dhcp-client-service-type)
(service openvpn-client-service-type (service openvpn-client-service-type
(openvpn-client-configuration (openvpn openvpn) (openvpn-client-configuration (ca
(pid-file "/var/lib/openvpn/ca.crt")
"/var/run/openvpn/client.pid") (cert
"/var/lib/openvpn/client.crt")
(key
"/var/lib/openvpn/client.key")
(tls-auth
"/var/lib/openvpn/ta.key")
(persist-key? #f) (persist-key? #f)
(remote (list (openvpn-remote-configuration (remote (list (openvpn-remote-configuration
(name (name
"vpn.metznet.ca")))) "vpn.metznet.ca")))))))))
(tls-auth
"/etc/openvpn/ta.key"))))))
(define %metznet-server-services (define %metznet-server-services
(append %server-services %base-services-nscd)) (append %server-services %base-services-nscd))
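Review bot: In the new `metznet-activation` (hunk at -213,23 +199,14), `(mkdir-p/perms "/var/lib/openvpn" root 448)` encodes the mode as decimal 448; the intent is far clearer as the octal literal `(mkdir-p/perms "/var/lib/openvpn" root #o700)`, and a short comment saying the directory holds private key material and is therefore root-only would explain the choice. Since the activation no longer installs the files themselves, a one-line comment there noting that ca.crt, client.crt, client.key and ta.key (plus dh2048.pem and ipp.txt for the server profile) are expected to be placed under /var/lib/openvpn out of band would document the new contract — the Makefile's `%-ro` target exposes ./pki at that path, but nothing creates them for a qcow2 boot or a real deployment. With the directory at 0700 and the client configuration in the last hunk keeping `persist-key? #f`, a re-read of the keys after OpenVPN has dropped privileges would fail; worth confirming against the service's `user`/`group` settings. `metznet-activation` is shown in full, but the `%metznet-client-services` expression in the last hunk starts and ends outside it.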