Fixed the makefile and moved the sssd configuration from a string variable to a Guix configuration

master
noah metz 2023-12-03 01:00:53 -07:00
parent 5c5704e988
commit 5d42b8e470
3 changed files with 127 additions and 135 deletions

@ -1,103 +1,21 @@
GUIX_SUBSTITUTE_FLAG GUIX_SUBSTITUTE_FLAG = --substitute-urls='https://ci.guix.gnu.org https://substitutes.nonguix.org'
= GUIX_LIB_FLAGS ?= -L ./
--substitute-urls='https://ci.guix.gnu.org LIBVIRT_GROUP ?= libvirt
https://substitutes.nonguix.org' LIBVIRT_USER ?= $(USER)
GUIX_LIB_FLAGS GUIX_IMAGE_CMD ?= guix system image $(GUIX_SUBSTITUTE_FLAG) --image-type=qcow2 $(GUIX_LIB_FLAGS)
?=
-L
./
LIBVIRT_GROUP
?=
libvirt
LIBVIRT_USER
?=
$
(USER)
GUIX_IMAGE_CMD
?=
guix
system
image
$
(GUIX_SUBSTITUTE_FLAG)
--image-type=qcow2
$
(GUIX_LIB_FLAGS)
VM_RAM VM_RAM ?= 4000
?= VM_CPU ?= 4
4000
VM_CPU
?=
4
%.qcow2: %.qcow2: %.scm
%.scm $(eval RO := $(shell $(GUIX_IMAGE_CMD) $<))
$ install -C -m 666 -o $(LIBVIRT_USER) -g $(LIBVIRT_GROUP) $(RO) $@
(eval RO := $
(shell $
(GUIX_IMAGE_CMD) $<))
install
-C
-m
666
-o
$
(LIBVIRT_USER)
-g
$
(LIBVIRT_GROUP)
$
(RO)
$@
%: %: %.qcow2
%.qcow2 $(eval OVMF := $(shell guix build $(GUIX_SUBSTITUTE_FLAG) ovmf))
$ qemu-system-x86_64 -nic user,model=virtio-net-pci -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin
(eval OVMF := $
(shell guix build $
(GUIX_SUBSTITUTE_FLAG) ovmf))
qemu-system-x86_64
-nic
user,model=virtio-net-pci
-enable-kvm
-hda
$<
-m
$
(VM_RAM)
-smp
$
(VM_CPU)
-bios
$
(OVMF)
/share/firmware/ovmf_x64.bin
.PHONY: .PHONY: %
% %-ro: %.scm
%-ro: $(eval VM_SCRIPT := $(shell guix system $(GUIX_LIB_FLAGS) $(GUIX_SUBSTITUTE_FLAG) vm $< --expose=$(PWD)/pki=/var/lib/openvpn))
%.scm $(VM_SCRIPT) -m $(VM_RAM) -smp $(VM_CPU) -nic user,model=virtio-net-pci
$
(eval VM_SCRIPT := $
(shell guix
system
$
(GUIX_LIB_FLAGS)
$
(GUIX_SUBSTITUTE_FLAG)
vm
$<
--expose=$
(PWD)
/pki=/var/lib/openvpn))
$
(VM_SCRIPT)
-m
$
(VM_RAM)
-smp
$
(VM_CPU)
-nic
user,model=virtio-net-pci
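Review bot: `install -C -m 666 -o $(LIBVIRT_USER) -g $(LIBVIRT_GROUP) $(RO) $@` in the `%.qcow2` recipe publishes the VM disk image world-writable, so any local account can alter the image libvirt boots, not only the owner and the libvirt group; `install -C -m 660 -o $(LIBVIRT_USER) -g $(LIBVIRT_GROUP) $(RO) $@` gives the intended parties the same access without that exposure. The same recipe captures the image path with `$(eval RO := $(shell $(GUIX_IMAGE_CMD) $<))`, which drops the command's exit status: a failed `guix system image` leaves `RO` empty and the failure only shows up as `install` rejecting its arguments, so add `$(if $(strip $(RO)),,$(error guix system image failed for $<))` before the install line (the `%` and `%-ro` recipes have the same pattern with `OVMF` and `VM_SCRIPT`). `.PHONY: %` is a no-op, because `.PHONY` takes literal target names rather than patterns, so an existing file named like a `%` or `%-ro` goal still short-circuits the rule; list the concrete goals instead, or give the phony goals a name no file will use.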

@ -7,40 +7,80 @@
#:use-module (gnu packages sssd) #:use-module (gnu packages sssd)
#:use-module (gnu services) #:use-module (gnu services)
#:use-module (gnu services configuration) #:use-module (gnu services configuration)
#:export (sssd-configuration sssd-service-type)) #:export (sssd-domain-configuration sssd-configuration sssd-service-type))
(define default-sssd-conf-file (define-maybe string)
(plain-file "sssd.conf"
(string-join (list "[sssd]" (define (serialize-field conv)
"domains = metznet.ca" (lambda (name value)
"services = nss, sudo, pam, ssh, ifp" (string-append (symbol->string name) " = "
"" (conv value) "\n")))
"[domain/metznet.ca]"
"id_provider = ldap" (define serialize-string
"auth_provider = ldap" (serialize-field (lambda (val)
"cache_credentials = True" val)))
"ldap_uri = ldaps://ldap.metznet.ca"
"ldap_tls_reqcert = never" (define-maybe boolean)
"ldap_tls_cacertdir = /etc/ssl/certs" (define serialize-boolean
"ldap_search_base = ou=users,ou=accounts,dc=metznet,dc=ca" (serialize-field (lambda (val)
(string-append "ldap_default_bind_dn = " (if val "True" "False"))))
(or (getenv "LDAP_BINDDN") ""))
"ldap_default_authtok_type = password" (define-configuration sssd-domain-configuration
(string-append "ldap_default_authtok = " (id_provider maybe-string "id provider")
(or (getenv "LDAP_BINDPW") "")) (auth_provider maybe-string "auth provider")
"") "\n"))) (cache_credentials maybe-boolean "cache credentials")
(ldap_uri maybe-string "ldap server uri")
(define-configuration/no-serialization sssd-configuration (ldap_tls_reqcert maybe-string "tls_reqcert")
(sssd (file-like sssd) (ldap_tls_cacertdir maybe-string
"SSSD Package to use") "ca certificate directory")
(ldap_search_base maybe-string "base dn for search")
(ldap_default_bind_dn maybe-string
"dn to bind for search")
(ldap_default_authtok_type maybe-string
"ldap auth token type")
(ldap_default_authtok maybe-string
"token to use for ldap bind"))
(define (sssd-domain-configuration-with-name? val)
(if (pair? val)
(if (string? (car val))
(if (sssd-domain-configuration? (cdr val)) #t) #t) #f))
(define list-of-sssd-domain-configurations?
(list-of sssd-domain-configuration-with-name?))
(define (serialize-sssd-domain-and-name value)
(let ((name (car value))
(config (cdr value)))
#~(string-append "[domain/"
#$name "]\n"
#$(serialize-configuration config
sssd-domain-configuration-fields))))
(define (serialize-list-of-sssd-domain-configurations name value)
#~(string-append "domains = "
(string-join (list #$@(map (lambda (x)
(car x)) value)) ", ") "\n\n"
(string-join (list #$@(map serialize-sssd-domain-and-name
value)) "\n")))
(define serialize-list-of-strings
(serialize-field (lambda (value)
(string-join value ", "))))
(define-configuration sssd-configuration
(sssd (file-like sssd) "sssd package to use")
(pam-services (list-of-strings (list "su" "gdm-password" (pam-services (list-of-strings (list "su" "gdm-password"
"login" "sshd" "login" "sshd"
"passwd")) "passwd"))
"List of pam services to use sssd for") "list of pam services to configure login for"
(config (file-like (lambda (a b)
default-sssd-conf-file) ""))
"sssd.conf file")) (services (list-of-strings (list "nss" "sudo" "pam"
"ssh" "ifp"))
"list of services")
(domains (list-of-sssd-domain-configurations '())
"sssd domains to configure"))
(define (sssd-pam-service config) (define (sssd-pam-service config)
(define sssd-pam-module (define sssd-pam-module
@ -83,6 +123,12 @@
"/lib")))) "/lib"))))
(stop #~(make-kill-destructor))))) (stop #~(make-kill-destructor)))))
(define (sssd-configuration-file config)
(mixed-text-file "sssd.conf"
#~(string-append "[sssd]\n"
#$(serialize-configuration config
sssd-configuration-fields))))
(define (sssd-activation config) (define (sssd-activation config)
#~(begin #~(begin
(let ((dbdir "/var/lib/sss/db") (let ((dbdir "/var/lib/sss/db")
@ -90,8 +136,7 @@
(user (getpw "root"))) (user (getpw "root")))
(mkdir-p/perms dbusdir user 493) (mkdir-p/perms dbusdir user 493)
(mkdir-p/perms dbdir user 493) (mkdir-p/perms dbdir user 493)
(copy-file #$(sssd-configuration-config config) (copy-file #$(sssd-configuration-file config) "/var/lib/sss/sssd.conf")
"/var/lib/sss/sssd.conf")
(chmod "/var/lib/sss/sssd.conf" #o600)))) (chmod "/var/lib/sss/sssd.conf" #o600))))
(define-public sssd-service-type (define-public sssd-service-type
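Review bot: `sssd-domain-configuration-with-name?` in the first hunk has its branches inverted: the inner `(if (sssd-domain-configuration? (cdr val)) #t)` has no else arm and so yields an unspecified, truthy value when the cdr is not a domain configuration, and the middle `if` returns `#t` when `(car val)` is not a string, so `list-of-sssd-domain-configurations?` rejects only non-pairs. The predicate should read `(define (sssd-domain-configuration-with-name? val) (and (pair? val) (string? (car val)) (sssd-domain-configuration? (cdr val))))`, which catches a bad entry at configuration time instead of inside `serialize-list-of-sssd-domain-configurations`, where `string-join` will fail on a non-string name. `sssd-configuration-file` (second hunk) builds sssd.conf with `mixed-text-file`, i.e. as a store item, so the serialized `ldap_default_authtok` is readable by every local user regardless of the `chmod "/var/lib/sss/sssd.conf" #o600` in `sssd-activation`; a comment such as `;; NOTE: the generated sssd.conf, including any bind authtok, is a world-readable store item; the chmod in sssd-activation only protects the runtime copy.` belongs on that define. The field names with underscores (`id_provider`, `ldap_uri`, …) are dictated by `serialize-field` using `symbol->string` directly; a one-line comment on `serialize-field` saying so would stop a later reader from "fixing" them to kebab-case and breaking the emitted keys.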

@ -220,6 +220,35 @@
pam-mkhomedir-services))) pam-mkhomedir-services)))
(default-value (metznet-system-configuration)))) (default-value (metznet-system-configuration))))
(define %metznet-sssd-configuration
(sssd-configuration (domains (list (cons "metznet.ca"
(sssd-domain-configuration (id_provider
"ldap")
(auth_provider
"ldap")
(cache_credentials
#t)
(ldap_uri
"ldaps://ldap.metznet.ca")
(ldap_tls_reqcert
"never")
(ldap_tls_cacertdir
"/etc/ssl/certs")
(ldap_search_base
"dc=metznet,dc=ca")
(ldap_default_bind_dn
(or (getenv
"LDAP_BIND_DN")
"uid=guix,ou=system,ou=accounts,dc=metznet,dc=ca"))
(ldap_default_authtok_type
(or (getenv
"LDAP_AUTHTOK_TYPE")
"password"))
(ldap_default_authtok
(or (getenv
"LDAP_AUTHTOK")
%unset-value))))))))
(define %metznet-services (define %metznet-services
(list (service openssh-service-type (list (service openssh-service-type
(openssh-configuration (extra-content (openssh-configuration (extra-content
@ -228,7 +257,7 @@
(service pam-krb5-service-type (service pam-krb5-service-type
(pam-krb5-configuration (pam-krb5 pam-krb5) (pam-krb5-configuration (pam-krb5 pam-krb5)
(minimum-uid 1000))) (minimum-uid 1000)))
(service sssd-service-type) (service sssd-service-type %metznet-sssd-configuration)
(service metznet-service-type))) (service metznet-service-type)))
(define %metznet-nscd-configuration (define %metznet-nscd-configuration
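Review bot: `%metznet-sssd-configuration` reads `LDAP_BIND_DN`, `LDAP_AUTHTOK_TYPE` and `LDAP_AUTHTOK` from the environment of the build invocation, whereas the removed string config read `LDAP_BINDDN` and `LDAP_BINDPW`; an operator still exporting the old names silently gets the hard-coded bind DN and an unset authtok, so the define deserves a comment, e.g. `;; Bind credentials are taken from LDAP_BIND_DN / LDAP_AUTHTOK_TYPE / LDAP_AUTHTOK at build time (renamed from LDAP_BINDDN / LDAP_BINDPW).` Whatever `LDAP_AUTHTOK` holds is serialized into sssd.conf, which the commit's `sssd-configuration-file` builds as a store item, so it should be treated as readable by every local user of the machine that builds or runs the image. `ldap_tls_reqcert "never"` is carried over from the old config and disables server certificate verification on the `ldaps://ldap.metznet.ca` connection that carries that authtok; with `ldap_tls_cacertdir "/etc/ssl/certs"` already set, `"demand"` is the conservative value. `ldap_search_base` also changed from `ou=users,ou=accounts,dc=metznet,dc=ca` to `dc=metznet,dc=ca`, which widens the account search scope; fine if intended, but the commit message does not mention it.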