diff --git a/Makefile b/Makefile
index a7f582c..610857a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 NONGUIX_DIR ?= ~/Code/nonguix
-GUIX_SUBSTITUTE_FLAG = --substitute-urls='https://bordeaux.guix.gnu.org https://substitutes.nonguix.org'
+GUIX_SUBSTITUTE_FLAG = --substitute-urls='https://ci.guix.gnu.org https://substitutes.nonguix.org'
 GUIX_LIB_FLAGS = -L ./ -L $(NONGUIX_DIR)
 GUIX_IMAGE_CMD ?= guix system image $(GUIX_SUBSTITUTE_FLAG) --image-type=qcow2 $(GUIX_LIB_FLAGS)
 LIBVIRT_GROUP ?= libvirt
diff --git a/machines/ldap.metznet.ca.scm b/machines/ldap.metznet.ca.scm
index 613ac96..08d699c 100644
--- a/machines/ldap.metznet.ca.scm
+++ b/machines/ldap.metznet.ca.scm
@@ -1,19 +1,105 @@ (define-module (machines base-desktop) #:use-module (system base-system) #:use-module (guix gexp) + #:use-module (guix build utils) + #:use-module (guix packages) + #:use-module (guix download) + #:use-module (guix build-system gnu) + #:use-module (guix build-system copy) + #:use-module ((guix licenses) #:prefix license:) #:use-module (gnu) #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu services certbot) #:use-module (gnu packages openldap) + #:use-module (gnu packages dbm) + #:use-module (gnu packages groff) + #:use-module (gnu packages autotools) + #:use-module (gnu packages cyrus-sasl) + #:use-module (gnu packages tls) + #:use-module (gnu packages perl) + #:use-module (gnu packages python) + #:use-module (gnu packages gnupg) + #:use-module (gnu packages base) + #:use-module (gnu packages compression) #:use-module (gnu packages admin)) +(define-public openldap-slapd + (package + (name "openldap-slapd") + (version "2.6.4") + (source (origin + (method url-fetch) + ;; See for a list of + ;; mirrors. + (uri (list (string-append + "http://repository.linagora.org/OpenLDAP" + "/openldap-release/openldap-" version ".tgz") + (string-append + "https://www.openldap.org/software/download/OpenLDAP/" + "openldap-release/openldap-" version ".tgz") + (string-append + "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/" + "openldap-release/openldap-" version ".tgz"))) + (sha256 + (base32 + "1489li52sjxm1f97v927jxaxzfk6v9sa32ixrw30qhvq07jh85ym")))) + (build-system gnu-build-system) + (inputs (list bdb-5.3 cyrus-sasl openssl gnutls libgcrypt zlib)) + (native-inputs (list libltdl libtool groff bdb-5.3)) + (arguments + (list + #:tests? 
#f + #:configure-flags + #~(list "--disable-static" + "--with-tls=openssl" + "--enable-slapd" + "--enable-crypt" + "--enable-modules" + "--enable-ldap" + "--enable-slapi" + "--enable-mdb" + "--enable-meta" + "--enable-passwd" + "--enable-overlays" + "--enable-shared" + "--with-cyrus-sasl" + #$@(if (%current-target-system) + '("--with-yielding_select=yes" + "ac_cv_func_memcmp_working=yes") + '())) + ;; Disable install stripping as it breaks cross-compiling. + #:make-flags + #~(list "STRIP=") + #:phases + #~(modify-phases %standard-phases (add-after 'install 'build-slapd-totp-module + (lambda* (#:key source #:allow-other-keys) + (begin + (chdir "./contrib/slapd-modules/passwd/totp") + (mkdir-p (string-append #$output "/libexec/openldap")) + (invoke "make" "slapd-totp.lo") + (invoke "../../../../libtool" "--mode=link" "gcc" "-rpath" "/libexec/openldap" "-version-info" "0:0:0" "-module" "-o" "pw-totp.la" "slapd-totp.lo" "../../../../libraries/libldap/libldap.la" "../../../../libraries/liblber/liblber.la") + (invoke "../../../../libtool" "--mode=install" "cp" "pw-totp.la" (string-append #$output "/libexec/openldap")) + (chdir "../../../../"))))))) + (synopsis "Implementation of the Lightweight Directory Access Protocol") + (description + "OpenLDAP is a free implementation of the Lightweight Directory Access Protocol.") + (license license:openldap2.8) + (home-page "https://www.openldap.org/"))) + + +(define list-of-file-like? + (list-of file-like?)) + (define-configuration/no-serialization slapd-configuration - (openldap (file-like openldap) + (openldap (file-like openldap-slapd) "openldap package to use") - (slapd-uris (list-of-strings (list - "ldap://" - "ldapi://")) + (home (string "/var/lib/slapd") "slapd home directory") + (backups (list-of-file-like '()) "alist of databases and their backup ldif files") + (uris (string "ldap:// ldapi://") "slapd uris to accept connections to")) + (define (slapd-accounts config) (list (user-group (name "slapd") 
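Review bot: The libtool link step in `build-slapd-totp-module` passes `-rpath "/libexec/openldap"`, an absolute path that exists nowhere in the store, while the module is then installed under `#$output "/libexec/openldap"`; the rpath should be `(string-append #$output "/libexec/openldap")` so the loader does not depend on whatever LD_LIBRARY_PATH the service happens to set. The same step hard-codes `"gcc"` even though the configure flags go out of their way to handle `%current-target-system`, so a cross build would link with the build-host compiler; `#$(cc-for-target)` (from `(guix utils)`, not yet imported here) is the usual replacement. `#:tests? #f` drops the upstream test suite for a security-sensitive daemon with no comment saying why. The origin comment `;; See for a list of mirrors.` has lost its URL, and the `backups` field doc says "alist" while its type is a flat `list-of-file-like`. The hunk ends inside `slapd-accounts`, whose body continues outside it.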
@@ -26,16 +112,59 @@ (home-directory "/var/lib/slapd") (shell #~(string-append #$shadow "/sbin/nologin"))))) +(define (slapd-activation config) + (let + ((homedir (slapd-configuration-home config)) + (backups (slapd-configuration-backups config)) + (ldapdir (slapd-configuration-openldap config))) + #~(begin + (define (range n m) + (if (>= n m) '() (cons n (range (+ n 1) m)))) + (let ((user (getpw "slapd"))) + (mkdir-p/perms "/var/run/slapd" user #o755) + (mkdir-p/perms #$homedir user #o755) + (mkdir-p/perms (string-append #$homedir "/slapd.d") user #o750) + (install-file (string-append #$ldapdir "/libexec/openldap/pw-totp.so") (string-append #$homedir "/modules")) + (mkdir-p/perms (string-append #$homedir "/modules") user #o750) + (mkdir-p/perms (string-append #$homedir "/data") user #o750)) + ; TODO: read the time of the last written backups to check if slapadd needs to happen, and after slapadd write the "time" from the config of the backups so that they don't get applied again to the same directory + (for-each (lambda (ldif dbno) (invoke (string-append #$sudo "/bin/sudo") "-u" "slapd" "-g" "slapd" (string-append #$ldapdir "/sbin/slapadd") "-F" (string-append #$homedir "/slapd.d") "-n" (number->string dbno) "-l" ldif)) '#+backups (range 0 (length `#+backups)))))) + +(define (slapd-shepherd-service config) + (list (shepherd-service + (documentation "") + (provision '(slapd)) + (requirement '(networking user-processes)) + (start #~(make-forkexec-constructor + (list (string-append #$(slapd-configuration-openldap config) "/libexec/slapd") "-d" "-1" "-F" "/var/lib/slapd/slapd.d" "-u" "slapd" "-g" "slapd") + #:environment-variables (list (string-append "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:" #$(slapd-configuration-openldap config) "/libexec/openldap")) + #:pidfile "/var/run/slapd/slapd.pid" + #:user "root" + #:group "root")) + (stop #~(make-kill-destructor))))) + (define slapd-service-type (service-type (name 'slapd) (description "openldap slapd service") - (extensions 
(list (service-extension account-service-type - slapd-accounts))) + (extensions (list + (service-extension account-service-type slapd-accounts) + (service-extension activation-service-type slapd-activation) + (service-extension shepherd-root-service-type slapd-shepherd-service))) (default-value (slapd-configuration)))) (operating-system (inherit %metznet-base-server-system) - (host-name "ldap.metznet.ca") + (host-name "ldap-guix.metznet.ca") (packages %metznet-server-packages) (services - (append (list (service slapd-service-type)) %metznet-server-services))) + (append (list + (service certbot-service-type + (certbot-configuration + (email "noah@metznet.ca") + (certificates + (list + (certificate-configuration + (domains '("ldap-guix.metznet.ca"))))))) + (service slapd-service-type + (slapd-configuration + (backups (list (local-file "0.ldif") (local-file "1.ldif")))))) %metznet-server-services))) diff --git a/system/base-system.scm b/system/base-system.scm index 73d942c..e198e82 100644 --- a/system/base-system.scm +++ b/system/base-system.scm @@ -54,7 +54,6 @@ #:use-module (gnu packages suckless) #:use-module (gnu packages gnuzilla) #:use-module (gnu packages terminals) - #:use-module (gnu packages virtualization) #:use-module (gnu packages version-control) #:export (%domain-realm) #:export (%domain-name) @@ -185,7 +184,8 @@ "ldap_search_base = ou=users,ou=accounts,dc=metznet,dc=ca" (string-append "ldap_default_bind_dn = " (or (getenv "LDAP_BINDDN") "")) "ldap_default_authtok_type = password" - (string-append "ldap_default_authtok = " (or (getenv "LDAP_BINDPW") ""))) "\n"))) + (string-append "ldap_default_authtok = " (or (getenv "LDAP_BINDPW") "")) + "") "\n"))) (define metznet-service-type (service-type 
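Review bot: The shepherd start command in `slapd-shepherd-service` runs slapd with `-d -1`, which turns on every debug category including packet/BER dumps, so simple-bind credentials arriving on the plaintext `ldap://` listener will be written to the service log of a production directory server; `"-d" "0"` keeps slapd in the foreground for `make-forkexec-constructor` without that exposure (or pick a stats-only level). The same command hard-codes `/var/lib/slapd/slapd.d` and never passes `-h`, so the new `home` and `uris` configuration fields are accepted but ignored. In `slapd-activation`, `pw-totp.so` is copied into `#$homedir "/modules"`, which is then chowned to the slapd user with mode 0750; since slapd reads its config (and thus loads modules) before dropping to `-u slapd`, a compromise of the slapd account becomes a root-level module swap — pointing `olcModulePath` at the read-only store path `#$ldapdir "/libexec/openldap"` avoids that. Note also that `(local-file "0.ldif")` and `"1.ldif"` land in the world-readable `/gnu/store`, so any `olcRootPW` or `userPassword` hashes inside them are readable by every local user, and `"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:…"` is not shell-expanded by the constructor, leaving a literal `${LD_LIBRARY_PATH}` directory entry on the loader search path.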
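Review bot: The re-added `ldap_default_authtok` line still falls back to `(or (getenv "LDAP_BINDPW") "")`, so a build run without the variable silently emits an empty bind password instead of failing; `(or (getenv "LDAP_BINDPW") (error "LDAP_BINDPW is not set"))` (and likewise for `LDAP_BINDDN`) would surface the misconfiguration at build time. The secret is also interpolated straight into the generated sssd.conf text; if that string ends up in a store-resident file object, the bind password becomes world-readable under `/gnu/store` — the sink is outside this hunk, so worth confirming. The appended `""` only adds a trailing newline to what is presumably a `string-join` and deserves a one-word comment, e.g. `"" ; trailing newline`.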
@@ -226,7 +226,7 @@ (provision '(sssd)) (requirement '(networking user-processes)) (start #~(make-forkexec-constructor - (list (string-append #$(sssd-configuration-sssd config) "/sbin/sssd") "-i" "-d" "0x77f0") + (list (string-append #$(sssd-configuration-sssd config) "/sbin/sssd") "-i") #:user "root" #:group "root" #:environment-variables