diff --git a/machines/vpn.scm b/machines/vpn.scm index 1450fbf..e490d9c 100644 --- a/machines/vpn.scm +++ b/machines/vpn.scm @@ -1,5 +1,7 @@ (define-module (machines vpn) #:use-module (guix gexp) + #:use-module (guix modules) + #:use-module (gnu packages tls) #:use-module (gnu system) #:use-module (gnu services) #:use-module (gnu services certbot) @@ -8,6 +10,19 @@ #:export (vpn.metznet.ca vpn-services)) +(define (metznet-vpn-etc dh-pem) + `(("openvpn/dh2048.pem" ,dh-pem))) + +(define new-dh-pem + (computed-file "dh2048.pem" (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (invoke #$(file-append openssl "/bin/openssl") "dhparam" "-out" #$output "2048"))))) + +(define metznet-vpn-service-type + (service-type (name 'metznet-vpn) + (description "") + (extensions (list (service-extension etc-service-type + metznet-vpn-etc))) + (default-value new-dh-pem))) + (define-public vpn-services (append (list (service openvpn-server-service-type (openvpn-server-configuration (tls-auth @@ -15,13 +30,7 @@ (server "10.0.80.0 255.255.255.0"))) - (simple-service 'vpn-server-etc etc-service-type - (let ((pki-dir (getenv "VPN_PKI_DIR"))) - (if pki-dir - `(("openvpn/dh2048.pem" ,(local-file (string-append - pki-dir - "/dh2048.pem")))) - `()))) + (service metznet-vpn-service-type) (service certbot-service-type (certbot-configuration (email "admin@metznet.ca") (certificates (list (certificate-configuration diff --git a/system/base-system.scm b/system/base-system.scm index 3f8d965..1789da2 100644 --- a/system/base-system.scm +++ b/system/base-system.scm @@ -1,9 +1,6 @@ (define-module (system base-system) #:use-module (guix gexp) - #:use-module (nongnu system linux-initrd) - #:use-module (nongnu packages linux) - #:use-module (gnu bootloader) #:use-module (gnu bootloader grub) #:use-module (gnu system accounts) 
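Review bot: `metznet-vpn-service-type` is declared with `(description "")`, which is the text `guix system search` and the service docs will show; `(description "Generate 2048-bit DH parameters at build time and install them as /etc/openvpn/dh2048.pem.")` says what it does. The `new-dh-pem` derivation runs `openssl dhparam 2048` inside the build sandbox, which can take minutes and produces different parameters on every rebuild — acceptable for public DH parameters, but worth a one-line comment above the `define` so the pattern is not copied for private key material, which must not live in the store. `(guix modules)` is added to the module imports but nothing in this hunk appears to use it; `with-imported-modules` comes from `(guix gexp)`.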
@@ -163,30 +160,25 @@ (define-configuration/no-serialization metznet-system-configuration (certs (file-like le-certs) "certificate package") - (vpn-pki-dir (maybe-string (let ((pki-dir - (getenv - "VPN_PKI_DIR"))) - (or - pki-dir - %unset-value))) - "openvpn pki directory") + (vpn-ta-key (file-like (computed-file "ta.key" (with-imported-modules '((guix build utils)) #~(begin + (use-modules (guix build utils)) + (invoke #$(file-append openvpn "/sbin/openvpn") "--genkey" "secret" #$output))))) + "ta.key for openvpn") + (vpn-ca (file-like (local-file (or (getenv "VPN_CA") "pki/ca.crt"))) "ca.crt for openvpn") + (vpn-cert (file-like (local-file (or (getenv "VPN_CERT") "pki/vpn.crt"))) "certificate for openvpn") + (vpn-key (file-like (local-file (or (getenv "VPN_KEY") "pki/vpn.key"))) "key for openvpn") (user-shells (alist-of-file-like (list (cons "/bin/zsh" zsh))) "user shells to link") (channels-file (file-like (scheme-file "channels.scm" - #~(append (list + #~(cons (channel (name 'metznet-channel) (url "https://git.metznet.ca/MetzNet/metznet-channel.git")) - (channel - (name 'nonguix) - - (url - "https://gitlab.com/nonguix/nonguix.git"))) %default-channels))) "channels.scm") (pam-services (list-of-strings (list 
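Review bot: The new `vpn-key` and `vpn-ta-key` defaults make private material a store item (`local-file` of `pki/vpn.key`, `computed-file` for `ta.key`), and store items are world-readable, so once they are linked under /etc/openvpn any local user can read the client private key and the tls-auth key; the replaced `local-file` calls had the same property, but the commit makes it the default path rather than addressing it. Private keys should be provisioned outside the store (copied to the host with restrictive permissions and referenced by absolute path), or at minimum the field documentation should state the exposure. The default `vpn-ta-key` also generates a fresh random key with `openvpn --genkey secret` whenever the derivation is built, and tls-auth only works when client and server share the same ta.key, so that default presumably only works if the generated file is also deployed to the server — suggest `"ta.key for openvpn; must be identical to the server's tls-auth key, the default generates a new random one"`. The relative defaults `"pki/ca.crt"` etc. are non-literal arguments to `local-file`, so they are resolved against the working directory at evaluation time rather than the module's directory; worth a comment if that is intended. The enclosing `define-configuration/no-serialization` form starts before this hunk.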
@@ -231,18 +223,11 @@ (list #$@(shell-packages configuration)))) (define (metznet-etc-service configuration) - (let ((channels-file (metznet-system-configuration-channels-file - configuration)) - (pki-dir (metznet-system-configuration-vpn-pki-dir configuration))) - (if (maybe-value-set? pki-dir) - `(("guix/channels.scm" ,channels-file) - ("openvpn/ta.key" ,(local-file (string-append pki-dir "/ta.key"))) - ("openvpn/ca.crt" ,(local-file (string-append pki-dir "/ca.crt"))) - ("openvpn/client.key" ,(local-file (string-append pki-dir - "/client.key"))) - ("openvpn/client.crt" ,(local-file (string-append pki-dir - "/client.crt")))) - `(("guix/channels.scm" ,channels-file))))) + `(("guix/channels.scm" ,(metznet-system-configuration-channels-file configuration)) + ("openvpn/ta.key" ,(metznet-system-configuration-vpn-ta-key configuration)) + ("openvpn/ca.crt" ,(metznet-system-configuration-vpn-ca configuration)) + ("openvpn/client.key" ,(metznet-system-configuration-vpn-cert configuration)) + ("openvpn/client.crt" ,(metznet-system-configuration-vpn-key configuration)))) (define metznet-service-type (service-type (name 'metznet-service) @@ -291,16 +276,6 @@ (append %metznet-services (modify-services %desktop-services (nscd-service-type config => %metznet-nscd-configuration) - (guix-service-type config => - (guix-configuration (inherit config) - (substitute-urls (append (list - "https://substitutes.nonguix.org") - %default-substitute-urls)) - (authorized-keys (append (list - (plain-file - "nonguix.pub" - "(public-key\n (ecc\n (curve Ed25519)\n (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))")) - %default-authorized-guix-keys)))) (udev-service-type config => (udev-configuration (inherit config) (rules (append (list 
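Review bot: The last two entries in `metznet-etc-service` are crossed: `openvpn/client.key` is bound to the `vpn-cert` accessor and `openvpn/client.crt` to the `vpn-key` accessor, so the certificate is installed as the private key and vice versa, which will make the openvpn client fail to load its credentials (and the old code, visible in the removed lines, mapped `client.key` to `client.key`). The lines should read `("openvpn/client.key" ,(metznet-system-configuration-vpn-key configuration))` and `("openvpn/client.crt" ,(metznet-system-configuration-vpn-cert configuration))`. A short comment above the quasiquoted list stating that these paths are the defaults expected by `openvpn-client-configuration` would help the next reader verify the mapping.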
@@ -317,9 +292,9 @@ (define %metznet-server-services (append %metznet-services - (list (dbus-service) + (list (service dbus-root-service-type) (service dhcp-client-service-type) - (openvpn-client-service #:config (openvpn-client-configuration + (service openvpn-client-service-type (openvpn-client-configuration (openvpn openvpn) (pid-file "/var/run/openvpn/client.pid") @@ -334,18 +309,12 @@ (define %metznet-base-operating-system (operating-system - ;; Hostname and localization information (host-name "base") (timezone "America/Edmonton") (locale "en_CA.utf8") (keyboard-layout %default-keyboard-layout) (name-service-switch %metznet-name-service-switch) - ;; Kernel and firmware definitions - (kernel linux) (kernel-arguments (append '("console=ttyS0") %default-kernel-arguments)) - (firmware (list linux-firmware)) - (initrd microcode-initrd) - ;; Grub UEFI Bootloader installed to /boot/efi (bootloader (bootloader-configuration (bootloader grub-efi-bootloader) (targets '("/boot/efi"))