From 5d42b8e47028e2ba59641d8dccf3596f6d997fb1 Mon Sep 17 00:00:00 2001
From: Noah Metz
Date: Sun, 3 Dec 2023 01:00:53 -0700
Subject: [PATCH] Fixed makefile, and moved sssd configuration from a string variable to a guix configuration
---
Makefile | 116 +++++---------------------------
gnu/services/sssd.scm | 115 ++++++++++++++++++++++----------
metznet/system/base-system.scm | 31 ++++++++-
3 files changed, 127 insertions(+), 135 deletions(-)
diff --git a/Makefile b/Makefile
index d5c32d6..6f8ff90 100644
--- a/Makefile
+++ b/Makefile
@@ -1,103 +1,21 @@ -GUIX_SUBSTITUTE_FLAG -= ---substitute-urls='https://ci.guix.gnu.org -https://substitutes.nonguix.org' -GUIX_LIB_FLAGS -?= --L -./ -LIBVIRT_GROUP -?= -libvirt -LIBVIRT_USER -?= -$ -(USER) -GUIX_IMAGE_CMD -?= -guix -system -image -$ -(GUIX_SUBSTITUTE_FLAG) ---image-type=qcow2 -$ -(GUIX_LIB_FLAGS) +GUIX_SUBSTITUTE_FLAG = --substitute-urls='https://ci.guix.gnu.org https://substitutes.nonguix.org' +GUIX_LIB_FLAGS ?= -L ./ +LIBVIRT_GROUP ?= libvirt +LIBVIRT_USER ?= $(USER) +GUIX_IMAGE_CMD ?= guix system image $(GUIX_SUBSTITUTE_FLAG) --image-type=qcow2 $(GUIX_LIB_FLAGS) -VM_RAM -?= -4000 -VM_CPU -?= -4 +VM_RAM ?= 4000 +VM_CPU ?= 4 -%.qcow2: -%.scm -$ -(eval RO := $ - (shell $ - (GUIX_IMAGE_CMD) $<)) -install --C --m -666 --o -$ -(LIBVIRT_USER) --g -$ -(LIBVIRT_GROUP) -$ -(RO) -$@ +%.qcow2: %.scm + $(eval RO := $(shell $(GUIX_IMAGE_CMD) $<)) + install -C -m 666 -o $(LIBVIRT_USER) -g $(LIBVIRT_GROUP) $(RO) $@ -%: -%.qcow2 -$ -(eval OVMF := $ - (shell guix build $ - (GUIX_SUBSTITUTE_FLAG) ovmf)) -qemu-system-x86_64 --nic -user,model=virtio-net-pci --enable-kvm --hda -$< --m -$ -(VM_RAM) --smp -$ -(VM_CPU) --bios -$ -(OVMF) -/share/firmware/ovmf_x64.bin +%: %.qcow2 + $(eval OVMF := $(shell guix build $(GUIX_SUBSTITUTE_FLAG) ovmf)) + qemu-system-x86_64 -nic user,model=virtio-net-pci -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin -.PHONY: -% -%-ro: -%.scm -$ -(eval VM_SCRIPT := $ - (shell guix - system - $ - (GUIX_LIB_FLAGS) - $ - (GUIX_SUBSTITUTE_FLAG) - vm - $< - --expose=$ - (PWD) - /pki=/var/lib/openvpn)) -$ -(VM_SCRIPT) --m -$ -(VM_RAM) --smp -$ -(VM_CPU) --nic -user,model=virtio-net-pci +.PHONY: % +%-ro: %.scm + $(eval VM_SCRIPT := $(shell guix system $(GUIX_LIB_FLAGS) $(GUIX_SUBSTITUTE_FLAG) vm $< --expose=$(PWD)/pki=/var/lib/openvpn)) + $(VM_SCRIPT) -m $(VM_RAM) -smp $(VM_CPU) -nic user,model=virtio-net-pci diff --git a/gnu/services/sssd.scm b/gnu/services/sssd.scm index 56d422d..1c3d079 100644 
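Review bot: `install -C -m 666 ... $(RO) $@` in the `%.qcow2` rule leaves the VM disk image world-writable, so any local user can alter the guest's root filesystem before it is booted; the file is already chowned to `$(LIBVIRT_USER):$(LIBVIRT_GROUP)`, so `-m 660` gives libvirt what it needs. `.PHONY: %` most likely has no effect, since as far as I know GNU make does not honour pattern targets in `.PHONY`; an existing file with a system's name would then make the `%: %.qcow2` run target look up to date, so list the concrete names or drop the line. `$(PWD)` in the `%-ro` recipe is inherited from the environment and can be unset or stale under `sudo`; `$(CURDIR)` is the value make maintains itself.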
--- a/gnu/services/sssd.scm
+++ b/gnu/services/sssd.scm
@@ -7,40 +7,80 @@ #:use-module (gnu packages sssd) #:use-module (gnu services) #:use-module (gnu services configuration) - #:export (sssd-configuration sssd-service-type)) - -(define default-sssd-conf-file - (plain-file "sssd.conf" - (string-join (list "[sssd]" - "domains = metznet.ca" - "services = nss, sudo, pam, ssh, ifp" - "" - "[domain/metznet.ca]" - "id_provider = ldap" - "auth_provider = ldap" - "cache_credentials = True" - "ldap_uri = ldaps://ldap.metznet.ca" - "ldap_tls_reqcert = never" - "ldap_tls_cacertdir = /etc/ssl/certs" - "ldap_search_base = ou=users,ou=accounts,dc=metznet,dc=ca" - (string-append "ldap_default_bind_dn = " - (or (getenv "LDAP_BINDDN") "")) - "ldap_default_authtok_type = password" - (string-append "ldap_default_authtok = " - (or (getenv "LDAP_BINDPW") "")) - "") "\n"))) - -(define-configuration/no-serialization sssd-configuration - (sssd (file-like sssd) - "SSSD Package to use") - (pam-services (list-of-strings (list "su" "gdm-password" - "login" "sshd" - "passwd")) - "List of pam services to use sssd for") - (config (file-like - default-sssd-conf-file) - "sssd.conf file")) + #:export (sssd-domain-configuration sssd-configuration sssd-service-type)) +(define-maybe string) + +(define (serialize-field conv) + (lambda (name value) + (string-append (symbol->string name) " = " + (conv value) "\n"))) + +(define serialize-string + (serialize-field (lambda (val) + val))) + +(define-maybe boolean) +(define serialize-boolean + (serialize-field (lambda (val) + (if val "True" "False")))) + +(define-configuration sssd-domain-configuration + (id_provider maybe-string "id provider") + (auth_provider maybe-string "auth provider") + (cache_credentials maybe-boolean "cache credentials") + (ldap_uri maybe-string "ldap server uri") + (ldap_tls_reqcert maybe-string "tls_reqcert") + (ldap_tls_cacertdir maybe-string + "ca certificate directory") + (ldap_search_base maybe-string "base dn for search") + (ldap_default_bind_dn maybe-string + "dn to bind for 
search") + (ldap_default_authtok_type maybe-string + "ldap auth token type") + (ldap_default_authtok maybe-string + "token to use for ldap bind")) + +(define (sssd-domain-configuration-with-name? val) + (if (pair? val) + (if (string? (car val)) + (if (sssd-domain-configuration? (cdr val)) #t) #t) #f)) + +(define list-of-sssd-domain-configurations? + (list-of sssd-domain-configuration-with-name?)) + +(define (serialize-sssd-domain-and-name value) + (let ((name (car value)) + (config (cdr value))) + #~(string-append "[domain/" + #$name "]\n" + #$(serialize-configuration config + sssd-domain-configuration-fields)))) + +(define (serialize-list-of-sssd-domain-configurations name value) + #~(string-append "domains = " + (string-join (list #$@(map (lambda (x) + (car x)) value)) ", ") "\n\n" + (string-join (list #$@(map serialize-sssd-domain-and-name + value)) "\n"))) + +(define serialize-list-of-strings + (serialize-field (lambda (value) + (string-join value ", ")))) + +(define-configuration sssd-configuration + (sssd (file-like sssd) "sssd package to use") + (pam-services (list-of-strings (list "su" "gdm-password" + "login" "sshd" + "passwd")) + "list of pam services to configure login for" + (lambda (a b) + "")) + (services (list-of-strings (list "nss" "sudo" "pam" + "ssh" "ifp")) + "list of services") + (domains (list-of-sssd-domain-configurations '()) + "sssd domains to configure")) (define (sssd-pam-service config) (define sssd-pam-module @@ -83,6 +123,12 @@ "/lib")))) (stop #~(make-kill-destructor))))) +(define (sssd-configuration-file config) + (mixed-text-file "sssd.conf" + #~(string-append "[sssd]\n" + #$(serialize-configuration config + sssd-configuration-fields)))) + (define (sssd-activation config) #~(begin (let ((dbdir "/var/lib/sss/db") 
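Review bot: `sssd-domain-configuration-with-name?` accepts almost any pair: when `(car val)` is not a string the middle `if` takes its `#t` else branch, and when `(cdr val)` is not a domain configuration the innermost `if` has no else branch and returns Guile's unspecified value, which is truthy, so `list-of-sssd-domain-configurations?` never rejects a malformed entry and the failure surfaces later in `serialize-sssd-domain-and-name`. Collapse it to `(define (sssd-domain-configuration-with-name? val) (and (pair? val) (string? (car val)) (sssd-domain-configuration? (cdr val))))`. The `sssd` field of `sssd-configuration` has no custom serializer, so unless `(gnu services configuration)` supplies a no-op one for `file-like`, a `sssd = …` line would be emitted into the `[sssd]` section; giving it the same `(lambda (a b) "")` used for `pam-services` avoids that. The `sssd-pam-service` definition that follows runs past the end of the hunk.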
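Review bot: `sssd-configuration-file` builds `sssd.conf` with `mixed-text-file`, which produces a `/gnu/store` item readable by every user on the host, and the serialized configuration includes `ldap_default_authtok`, so the LDAP bind credential becomes world-readable; the `(chmod "/var/lib/sss/sssd.conf" #o600)` in `sssd-activation` protects only the copy, not the store original. Keep the secret out of the store: serialize every field except `ldap_default_authtok` here, and have the activation read the token from a root-only file outside the store and append it when it writes `/var/lib/sss/sssd.conf`. The body of `sssd-activation` continues beyond the end of the hunk.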
@@ -90,8 +136,7 @@ (user (getpw "root"))) (mkdir-p/perms dbusdir user 493) (mkdir-p/perms dbdir user 493) - (copy-file #$(sssd-configuration-config config) - "/var/lib/sss/sssd.conf") + (copy-file #$(sssd-configuration-file config) "/var/lib/sss/sssd.conf") (chmod "/var/lib/sss/sssd.conf" #o600)))) (define-public sssd-service-type diff --git a/metznet/system/base-system.scm b/metznet/system/base-system.scm index f2bb13d..84d5ff6 100644 --- a/metznet/system/base-system.scm +++ b/metznet/system/base-system.scm @@ -220,6 +220,35 @@ pam-mkhomedir-services))) (default-value (metznet-system-configuration)))) +(define %metznet-sssd-configuration + (sssd-configuration (domains (list (cons "metznet.ca" + (sssd-domain-configuration (id_provider + "ldap") + (auth_provider + "ldap") + (cache_credentials + #t) + (ldap_uri + "ldaps://ldap.metznet.ca") + (ldap_tls_reqcert + "never") + (ldap_tls_cacertdir + "/etc/ssl/certs") + (ldap_search_base + "dc=metznet,dc=ca") + (ldap_default_bind_dn + (or (getenv + "LDAP_BIND_DN") + "uid=guix,ou=system,ou=accounts,dc=metznet,dc=ca")) + (ldap_default_authtok_type + (or (getenv + "LDAP_AUTHTOK_TYPE") + "password")) + (ldap_default_authtok + (or (getenv + "LDAP_AUTHTOK") + %unset-value)))))))) + (define %metznet-services (list (service openssh-service-type (openssh-configuration (extra-content @@ -228,7 +257,7 @@ (service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000))) - (service sssd-service-type) + (service sssd-service-type %metznet-sssd-configuration) (service metznet-service-type))) (define %metznet-nscd-configuration
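Review bot: `(ldap_tls_reqcert "never")` in `%metznet-sssd-configuration` disables server-certificate verification for `ldaps://ldap.metznet.ca`, so the bind DN and `ldap_default_authtok` are sent to whichever host answers on that name; with `(ldap_tls_cacertdir "/etc/ssl/certs")` already set, `(ldap_tls_reqcert "demand")` makes the connection actually verified. The environment variables moved from `LDAP_BINDDN`/`LDAP_BINDPW` to `LDAP_BIND_DN`/`LDAP_AUTHTOK`, and the search base from `ou=users,ou=accounts,dc=metznet,dc=ca` to `dc=metznet,dc=ca`; neither change is mentioned in the commit message, and a build still exporting the old names silently falls back to the new default bind DN with the authtok left unset. Add a comment above `%metznet-sssd-configuration`, e.g. `;; Read from the build environment at `guix system` time: LDAP_BIND_DN, LDAP_AUTHTOK_TYPE, LDAP_AUTHTOK.`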