Added slapd activation to write db backup, need to make conditional and set condition when written(date-of-backup-based)

2023-11-29 01:39:08 -07:00 · 2023-11-29 01:39:08 -07:00 · 5fcef6d78a
parent 27b48e2c45
commit 5fcef6d78a
3 changed files with 141 additions and 12 deletions
--- a/2
+++ b/2
@ -1,5 +1,5 @@
 NONGUIX_DIR ?= ~/Code/nonguix
-GUIX_SUBSTITUTE_FLAG = --substitute-urls='https://bordeaux.guix.gnu.org https://substitutes.nonguix.org'
+GUIX_SUBSTITUTE_FLAG = --substitute-urls='https://ci.guix.gnu.org https://substitutes.nonguix.org'
 GUIX_LIB_FLAGS = -L ./ -L $(NONGUIX_DIR)
 GUIX_IMAGE_CMD ?= guix system image $(GUIX_SUBSTITUTE_FLAG) --image-type=qcow2 $(GUIX_LIB_FLAGS)
 LIBVIRT_GROUP ?= libvirt
--- a/machines/ldap.metznet.ca.scm
+++ b/machines/ldap.metznet.ca.scm
@ -1,19 +1,105 @@
 (define-module (machines base-desktop)
  #:use-module (system base-system)
  #:use-module (guix gexp)
+  #:use-module (guix build utils)
+  #:use-module (guix packages)
+  #:use-module (guix download)
+  #:use-module (guix build-system gnu)
+  #:use-module (guix build-system copy)
+  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu)
  #:use-module (gnu services configuration)
+  #:use-module (gnu services shepherd)
+  #:use-module (gnu services certbot)
  #:use-module (gnu packages openldap)
+  #:use-module (gnu packages dbm)
+  #:use-module (gnu packages groff)
+  #:use-module (gnu packages autotools)
+  #:use-module (gnu packages cyrus-sasl)
+  #:use-module (gnu packages tls)
+  #:use-module (gnu packages perl)
+  #:use-module (gnu packages python)
+  #:use-module (gnu packages gnupg)
+  #:use-module (gnu packages base)
+  #:use-module (gnu packages compression)
  #:use-module (gnu packages admin))

+(define-public openldap-slapd
+  (package
+    (name "openldap-slapd")
+    (version "2.6.4")
+    (source (origin
+              (method url-fetch)
+              ;; See <http://www.openldap.org/software/download/> for a list of
+              ;; mirrors.
+              (uri (list (string-append
+                          "http://repository.linagora.org/OpenLDAP"
+                          "/openldap-release/openldap-" version ".tgz")
+                         (string-append
+                          "https://www.openldap.org/software/download/OpenLDAP/"
+                          "openldap-release/openldap-" version ".tgz")
+                         (string-append
+                          "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"
+                          "openldap-release/openldap-" version ".tgz")))
+              (sha256
+               (base32
+                "1489li52sjxm1f97v927jxaxzfk6v9sa32ixrw30qhvq07jh85ym"))))
+    (build-system gnu-build-system)
+    (inputs (list bdb-5.3 cyrus-sasl openssl gnutls libgcrypt zlib))
+    (native-inputs (list libltdl libtool groff bdb-5.3))
+    (arguments
+     (list
+      #:tests? #f
+      #:configure-flags
+      #~(list "--disable-static"
+              "--with-tls=openssl"
+              "--enable-slapd"
+              "--enable-crypt"
+              "--enable-modules"
+              "--enable-ldap"
+              "--enable-slapi"
+              "--enable-mdb"
+              "--enable-meta"
+              "--enable-passwd"
+              "--enable-overlays"
+              "--enable-shared"
+              "--with-cyrus-sasl"
+              #$@(if (%current-target-system)
+                     '("--with-yielding_select=yes"
+                       "ac_cv_func_memcmp_working=yes")
+                     '()))
+      ;; Disable install stripping as it breaks cross-compiling.
+      #:make-flags
+      #~(list "STRIP=")
+      #:phases
+      #~(modify-phases %standard-phases (add-after 'install 'build-slapd-totp-module
+                                                  (lambda* (#:key source #:allow-other-keys)
+                                                    (begin
+                                                      (chdir "./contrib/slapd-modules/passwd/totp")
+                                                      (mkdir-p (string-append #$output "/libexec/openldap"))
+                                                      (invoke "make" "slapd-totp.lo")
+                                                      (invoke "../../../../libtool" "--mode=link" "gcc" "-rpath" "/libexec/openldap" "-version-info" "0:0:0" "-module" "-o" "pw-totp.la" "slapd-totp.lo" "../../../../libraries/libldap/libldap.la" "../../../../libraries/liblber/liblber.la")
+                                                      (invoke "../../../../libtool" "--mode=install" "cp" "pw-totp.la" (string-append #$output "/libexec/openldap"))
+                                                      (chdir "../../../../")))))))
+    (synopsis "Implementation of the Lightweight Directory Access Protocol")
+    (description
+     "OpenLDAP is a free implementation of the Lightweight Directory Access Protocol.")
+    (license license:openldap2.8)
+    (home-page "https://www.openldap.org/")))
+
+
+(define list-of-file-like?
+  (list-of file-like?))
+
 (define-configuration/no-serialization slapd-configuration
-                                       (openldap (file-like openldap)
+                                       (openldap (file-like openldap-slapd)
                                                 "openldap package to use")
-                                       (slapd-uris (list-of-strings (list
-                                                                     "ldap://"
-                                                                     "ldapi://"))
+                                       (home (string "/var/lib/slapd") "slapd home directory")
+                                       (backups (list-of-file-like '()) "alist of databases and their backup ldif files")
+                                       (uris (string "ldap:// ldapi://")
                                        "slapd uris to accept connections to"))

+
 (define (slapd-accounts config)
  (list (user-group
          (name "slapd")
@ -26,16 +112,59 @@
          (home-directory "/var/lib/slapd")
          (shell #~(string-append #$shadow "/sbin/nologin")))))

+(define (slapd-activation config)
+  (let
+    ((homedir (slapd-configuration-home config))
+     (backups (slapd-configuration-backups config))
+     (ldapdir (slapd-configuration-openldap config)))
+    #~(begin
+        (define (range n m)
+          (if (>= n m) '() (cons n (range (+ n 1) m))))
+        (let ((user (getpw "slapd")))
+          (mkdir-p/perms "/var/run/slapd" user #o755)
+          (mkdir-p/perms #$homedir user #o755)
+          (mkdir-p/perms (string-append #$homedir "/slapd.d") user #o750)
+          (install-file (string-append #$ldapdir "/libexec/openldap/pw-totp.so") (string-append #$homedir "/modules"))
+          (mkdir-p/perms (string-append #$homedir "/modules") user #o750)
+          (mkdir-p/perms (string-append #$homedir "/data") user #o750))
+        ; TODO: read the time of the last written backups to check if slapadd needs to happen, and after slapadd write the "time" from the config of the backups so that they don't get applied again to the same directory
+        (for-each (lambda (ldif dbno)  (invoke (string-append #$sudo "/bin/sudo") "-u" "slapd" "-g" "slapd" (string-append #$ldapdir "/sbin/slapadd") "-F" (string-append #$homedir "/slapd.d") "-n" (number->string dbno) "-l" ldif)) '#+backups (range 0 (length `#+backups))))))
+
+(define (slapd-shepherd-service config)
+  (list (shepherd-service
+          (documentation "")
+          (provision '(slapd))
+          (requirement '(networking user-processes))
+          (start #~(make-forkexec-constructor
+                     (list (string-append #$(slapd-configuration-openldap config) "/libexec/slapd") "-d" "-1" "-F" "/var/lib/slapd/slapd.d" "-u" "slapd" "-g" "slapd")
+                     #:environment-variables (list (string-append "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:" #$(slapd-configuration-openldap config) "/libexec/openldap"))
+                     #:pidfile "/var/run/slapd/slapd.pid"
+                     #:user "root"
+                     #:group "root"))
+          (stop #~(make-kill-destructor)))))
+
 (define slapd-service-type
  (service-type (name 'slapd)
                (description "openldap slapd service")
-                (extensions (list (service-extension account-service-type
-                                                     slapd-accounts)))
+                (extensions (list
+                              (service-extension account-service-type slapd-accounts)
+                              (service-extension activation-service-type slapd-activation)
+                              (service-extension shepherd-root-service-type slapd-shepherd-service)))
                (default-value (slapd-configuration))))

 (operating-system
  (inherit %metznet-base-server-system)
-  (host-name "ldap.metznet.ca")
+  (host-name "ldap-guix.metznet.ca")
  (packages %metznet-server-packages)
  (services
-   (append (list (service slapd-service-type)) %metznet-server-services)))
+   (append (list
+             (service certbot-service-type
+                      (certbot-configuration
+                        (email "noah@metznet.ca")
+                        (certificates
+                          (list
+                            (certificate-configuration
+                              (domains '("ldap-guix.metznet.ca")))))))
+             (service slapd-service-type
+                      (slapd-configuration
+                        (backups (list (local-file "0.ldif") (local-file "1.ldif")))))) %metznet-server-services)))
--- a/system/base-system.scm
+++ b/system/base-system.scm
@ -54,7 +54,6 @@
  #:use-module (gnu packages suckless)
  #:use-module (gnu packages gnuzilla)
  #:use-module (gnu packages terminals)
-  #:use-module (gnu packages virtualization)
  #:use-module (gnu packages version-control)
  #:export (%domain-realm)
  #:export (%domain-name)
@ -185,7 +184,8 @@
                                      "ldap_search_base = ou=users,ou=accounts,dc=metznet,dc=ca"
                                      (string-append "ldap_default_bind_dn = " (or (getenv "LDAP_BINDDN") ""))
                                      "ldap_default_authtok_type = password"
-                                      (string-append "ldap_default_authtok = " (or (getenv "LDAP_BINDPW") ""))) "\n")))
+                                      (string-append "ldap_default_authtok = " (or (getenv "LDAP_BINDPW") ""))
+                                      "") "\n")))

 (define metznet-service-type
  (service-type
@ -226,7 +226,7 @@
          (provision '(sssd))
          (requirement '(networking user-processes))
          (start #~(make-forkexec-constructor
-                     (list (string-append #$(sssd-configuration-sssd config) "/sbin/sssd") "-i" "-d" "0x77f0")
+                     (list (string-append #$(sssd-configuration-sssd config) "/sbin/sssd") "-i")
                     #:user "root"
                     #:group "root"
                     #:environment-variables