|
|
|
@ -1,38 +1,52 @@
|
|
|
|
|
(define-module (system base-system)
|
|
|
|
|
#:use-module (metznet)
|
|
|
|
|
#:use-module (gnu)
|
|
|
|
|
#:use-module (guix gexp)
|
|
|
|
|
#:use-module (ice-9 exceptions)
|
|
|
|
|
#:use-module (nongnu system linux-initrd)
|
|
|
|
|
#:use-module (nongnu packages linux)
|
|
|
|
|
#:use-module (gnu packages linux)
|
|
|
|
|
#:use-module (gnu packages vim)
|
|
|
|
|
#:use-module (guix gexp)
|
|
|
|
|
#:use-module (guix packages)
|
|
|
|
|
#:use-module (guix download)
|
|
|
|
|
#:use-module (guix build-system gnu)
|
|
|
|
|
#:use-module ((guix licenses) #:prefix license:)
|
|
|
|
|
#:use-module (gnu)
|
|
|
|
|
#:use-module (gnu system setuid)
|
|
|
|
|
#:use-module (gnu system nss)
|
|
|
|
|
#:use-module (gnu packages certs)
|
|
|
|
|
#:use-module (gnu system pam)
|
|
|
|
|
#:use-module (gnu services pm)
|
|
|
|
|
#:use-module (gnu services authentication)
|
|
|
|
|
#:use-module (gnu services vpn)
|
|
|
|
|
#:use-module (gnu packages vpn)
|
|
|
|
|
#:use-module (gnu services networking)
|
|
|
|
|
#:use-module (gnu packages networking)
|
|
|
|
|
#:use-module (gnu services ssh)
|
|
|
|
|
#:use-module (gnu services kerberos)
|
|
|
|
|
#:use-module (gnu services desktop)
|
|
|
|
|
#:use-module (gnu services xorg)
|
|
|
|
|
#:use-module (gnu services base)
|
|
|
|
|
#:use-module (gnu packages linux)
|
|
|
|
|
#:use-module (gnu packages compression)
|
|
|
|
|
#:use-module (gnu packages libedit)
|
|
|
|
|
#:use-module (gnu packages hurd)
|
|
|
|
|
#:use-module (gnu packages tls)
|
|
|
|
|
#:use-module (gnu packages xorg)
|
|
|
|
|
#:use-module (gnu packages pkg-config)
|
|
|
|
|
#:use-module (gnu packages groff)
|
|
|
|
|
#:use-module (gnu packages security-token)
|
|
|
|
|
#:use-module (gnu packages vim)
|
|
|
|
|
#:use-module (gnu packages certs)
|
|
|
|
|
#:use-module (gnu packages vpn)
|
|
|
|
|
#:use-module (gnu packages networking)
|
|
|
|
|
#:use-module (gnu packages dns)
|
|
|
|
|
#:use-module (gnu packages base)
|
|
|
|
|
#:use-module (gnu packages openldap)
|
|
|
|
|
#:use-module (gnu services kerberos)
|
|
|
|
|
#:use-module (gnu packages kerberos)
|
|
|
|
|
#:use-module (gnu packages admin)
|
|
|
|
|
#:use-module (gnu packages shells)
|
|
|
|
|
#:use-module (gnu services desktop)
|
|
|
|
|
#:use-module (gnu packages gnome)
|
|
|
|
|
#:use-module (gnu packages wm)
|
|
|
|
|
#:use-module (gnu services xorg)
|
|
|
|
|
#:use-module (gnu packages suckless)
|
|
|
|
|
#:use-module (gnu packages gnuzilla)
|
|
|
|
|
#:use-module (gnu packages terminals)
|
|
|
|
|
#:use-module (gnu packages virtualization)
|
|
|
|
|
#:use-module (gnu packages version-control)
|
|
|
|
|
#:use-module (nongnu system linux-initrd)
|
|
|
|
|
#:use-module (gnu system setuid)
|
|
|
|
|
#:use-module (ice-9 exceptions)
|
|
|
|
|
#:export (%domain-realm)
|
|
|
|
|
#:export (%domain-name)
|
|
|
|
|
#:export (%domain-kadmin)
|
|
|
|
@ -52,6 +66,130 @@
|
|
|
|
|
#:export (%metznet-base-server-system)
|
|
|
|
|
#:export (%metznet-base-desktop-system))
|
|
|
|
|
|
|
|
|
|
(define openssh-ldap
|
|
|
|
|
(package
|
|
|
|
|
(name "openssh")
|
|
|
|
|
(version "9.3p1")
|
|
|
|
|
(source (origin
|
|
|
|
|
(method url-fetch)
|
|
|
|
|
(uri (string-append "mirror://openbsd/OpenSSH/portable/"
|
|
|
|
|
"openssh-" version ".tar.gz"))
|
|
|
|
|
(patches (search-patches "openssh-hurd.patch"
|
|
|
|
|
"openssh-trust-guix-store-directory.patch"))
|
|
|
|
|
(sha256
|
|
|
|
|
(base32
|
|
|
|
|
"1a7qia3c255igny5kf00m5zxkp69lf1w6qjsv3rm2sm705vvmfp9"))))
|
|
|
|
|
(build-system gnu-build-system)
|
|
|
|
|
(native-inputs (list groff pkg-config))
|
|
|
|
|
(propagated-inputs (list nss-pam-ldapd))
|
|
|
|
|
(inputs `(("libedit" ,libedit)
|
|
|
|
|
("openssl" ,openssl)
|
|
|
|
|
,@(if (hurd-target?)
|
|
|
|
|
'()
|
|
|
|
|
`(("pam" ,linux-pam)
|
|
|
|
|
("libfido2" ,libfido2))) ;fails to build on GNU/Hurd
|
|
|
|
|
("mit-krb5" ,mit-krb5)
|
|
|
|
|
("zlib" ,zlib)
|
|
|
|
|
("xauth" ,xauth))) ; for 'ssh -X' and 'ssh -Y'
|
|
|
|
|
(arguments
|
|
|
|
|
`(#:test-target "tests"
|
|
|
|
|
;; Otherwise, the test scripts try to use a nonexistent directory and
|
|
|
|
|
;; fail.
|
|
|
|
|
#:make-flags '("REGRESSTMP=\"$${BUILDDIR}/regress\"")
|
|
|
|
|
#:configure-flags `("--sysconfdir=/etc/ssh"
|
|
|
|
|
|
|
|
|
|
;; Default value of 'PATH' used by sshd.
|
|
|
|
|
"--with-default-path=/run/current-system/profile/bin"
|
|
|
|
|
|
|
|
|
|
;; configure needs to find krb5-config.
|
|
|
|
|
,(string-append "--with-kerberos5="
|
|
|
|
|
(assoc-ref %build-inputs "mit-krb5")
|
|
|
|
|
"/bin")
|
|
|
|
|
|
|
|
|
|
;; libedit is needed for sftp completion.
|
|
|
|
|
"--with-libedit"
|
|
|
|
|
|
|
|
|
|
;; Enable PAM support in sshd.
|
|
|
|
|
,,@(if (hurd-target?)
|
|
|
|
|
'()
|
|
|
|
|
'("--with-pam"
|
|
|
|
|
|
|
|
|
|
;; Support creation and use of ecdsa-sk,
|
|
|
|
|
;; ed25519-sk keys.
|
|
|
|
|
"--with-security-key-builtin"))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
;; "make install" runs "install -s" by default,
|
|
|
|
|
;; which doesn't work for cross-compiled binaries
|
|
|
|
|
;; because it invokes 'strip' instead of
|
|
|
|
|
;; 'TRIPLET-strip'. Work around this.
|
|
|
|
|
,,@(if (%current-target-system)
|
|
|
|
|
'("--disable-strip")
|
|
|
|
|
'()))
|
|
|
|
|
|
|
|
|
|
#:phases
|
|
|
|
|
(modify-phases %standard-phases
|
|
|
|
|
(add-after 'configure 'reset-/var/empty
|
|
|
|
|
(lambda* (#:key outputs #:allow-other-keys)
|
|
|
|
|
(let ((out (assoc-ref outputs "out")))
|
|
|
|
|
(substitute* "Makefile"
|
|
|
|
|
(("PRIVSEP_PATH=/var/empty")
|
|
|
|
|
(string-append "PRIVSEP_PATH=" out "/var/empty"))))))
|
|
|
|
|
(add-after 'configure 'set-store-location
|
|
|
|
|
(lambda* _
|
|
|
|
|
(substitute* "misc.c"
|
|
|
|
|
(("@STORE_DIRECTORY@")
|
|
|
|
|
(string-append "\"" (%store-directory) "\"")))))
|
|
|
|
|
(add-before 'check 'patch-tests
|
|
|
|
|
(lambda _
|
|
|
|
|
(substitute* "regress/test-exec.sh"
|
|
|
|
|
(("/bin/sh") (which "sh")))
|
|
|
|
|
|
|
|
|
|
;; Remove 't-exec' regress target which requires user 'sshd'.
|
|
|
|
|
(substitute* (list "Makefile"
|
|
|
|
|
"regress/Makefile")
|
|
|
|
|
(("^(tests:.*) t-exec(.*)" all pre post)
|
|
|
|
|
(string-append pre post)))))
|
|
|
|
|
(replace 'install
|
|
|
|
|
(lambda* (#:key outputs (make-flags '()) #:allow-other-keys)
|
|
|
|
|
(let ((out (assoc-ref outputs "out")))
|
|
|
|
|
;; Install without host keys and system configuration files.
|
|
|
|
|
;; This will install /var/empty to the store, which is needed
|
|
|
|
|
;; by the system openssh-service-type.
|
|
|
|
|
(apply invoke "make" "install-nosysconf" make-flags)
|
|
|
|
|
(with-directory-excursion "contrib"
|
|
|
|
|
(chmod "ssh-copy-id" #o555)
|
|
|
|
|
(install-file "ssh-copy-id"
|
|
|
|
|
(string-append out "/bin/"))
|
|
|
|
|
(install-file "ssh-copy-id.1"
|
|
|
|
|
(string-append out "/share/man/man1/")))))))))
|
|
|
|
|
(synopsis "Client and server for the secure shell (ssh) protocol")
|
|
|
|
|
(description
|
|
|
|
|
"The SSH2 protocol implemented in OpenSSH is standardised by the
|
|
|
|
|
IETF secsh working group and is specified in several RFCs and drafts.
|
|
|
|
|
It is composed of three layered components:
|
|
|
|
|
|
|
|
|
|
The transport layer provides algorithm negotiation and a key exchange.
|
|
|
|
|
The key exchange includes server authentication and results in a
|
|
|
|
|
cryptographically secured connection: it provides integrity, confidentiality
|
|
|
|
|
and optional compression.
|
|
|
|
|
|
|
|
|
|
The user authentication layer uses the established connection and relies on
|
|
|
|
|
the services provided by the transport layer. It provides several mechanisms
|
|
|
|
|
for user authentication. These include traditional password authentication
|
|
|
|
|
as well as public-key or host-based authentication mechanisms.
|
|
|
|
|
|
|
|
|
|
The connection layer multiplexes many different concurrent channels over the
|
|
|
|
|
authenticated connection and allows tunneling of login sessions and
|
|
|
|
|
TCP-forwarding. It provides a flow control service for these channels.
|
|
|
|
|
Additionally, various channel-specific options can be negotiated.")
|
|
|
|
|
(license (license:non-copyleft "file://LICENSE"
|
|
|
|
|
"See LICENSE in the distribution."))
|
|
|
|
|
(properties
|
|
|
|
|
'((release-monitoring-url . "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/")))
|
|
|
|
|
(home-page "https://www.openssh.com/")))
|
|
|
|
|
|
|
|
|
|
(define %domain-realm "METZNET.CA")
|
|
|
|
|
|
|
|
|
|
(define %domain-name "metznet.ca")
|
|
|
|
@ -78,7 +216,7 @@
|
|
|
|
|
(name "usb")))
|
|
|
|
|
%base-groups))
|
|
|
|
|
|
|
|
|
|
(define %metznet-base-packages (append (list glibc openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages))
|
|
|
|
|
(define %metznet-base-packages (append (list openssh-ldap nss-pam-ldapd glibc openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages))
|
|
|
|
|
|
|
|
|
|
(define %metznet-desktop-packages (append (list i3-wm i3status dmenu kitty icecat) %metznet-base-packages))
|
|
|
|
|
|
|
|
|
@ -124,8 +262,8 @@
|
|
|
|
|
"RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\""))
|
|
|
|
|
|
|
|
|
|
(define %metznet-name-service-switch
|
|
|
|
|
(let ((services (list (name-service (name "files"))
|
|
|
|
|
(name-service (name "ldap")))))
|
|
|
|
|
(let ((services (list (name-service (name "ldap"))
|
|
|
|
|
(name-service (name "files")))))
|
|
|
|
|
(name-service-switch
|
|
|
|
|
(password services)
|
|
|
|
|
(shadow services)
|
|
|
|
@ -134,18 +272,54 @@
|
|
|
|
|
; 1) need to create user directory on login
|
|
|
|
|
; 2) need to have /bin/zsh available to use as shell
|
|
|
|
|
|
|
|
|
|
(define pam-ldap-module (file-append nss-pam-ldapd "/lib/security/pam_ldap.so"))
|
|
|
|
|
|
|
|
|
|
(define (metznet-pam-service config)
|
|
|
|
|
(lambda (pam)
|
|
|
|
|
(if (member (pam-service-name pam) config)
|
|
|
|
|
(let ((sufficient
|
|
|
|
|
(pam-entry
|
|
|
|
|
(control "sufficient")
|
|
|
|
|
(module pam-ldap-module))))
|
|
|
|
|
(pam-service
|
|
|
|
|
(inherit pam)
|
|
|
|
|
(password (cons sufficient (pam-service-account pam)))))
|
|
|
|
|
pam)))
|
|
|
|
|
|
|
|
|
|
(define (metznet-pam-services config)
|
|
|
|
|
(list (metznet-pam-service config)))
|
|
|
|
|
|
|
|
|
|
(define metznet-service-type
|
|
|
|
|
(service-type
|
|
|
|
|
(name 'metznet-service)
|
|
|
|
|
(description "MetzNet Services")
|
|
|
|
|
(extensions
|
|
|
|
|
(list (service-extension pam-root-service-type metznet-pam-services)))
|
|
|
|
|
(default-value '())))
|
|
|
|
|
|
|
|
|
|
(define %metznet-nslcd-config (nslcd-configuration
|
|
|
|
|
(base "dc=metznet,dc=ca")
|
|
|
|
|
(log '("/var/log/nslcd" debug))
|
|
|
|
|
(pam-services (list "su" "login" "password" "ssh" "passwd"))
|
|
|
|
|
(pam-services (list "su" "login" "sshd" "passwd"))
|
|
|
|
|
(filters (list '(group "(objectClass=posixGroupAux)")))
|
|
|
|
|
(binddn (or (getenv "LDAP_BINDDN") ""))
|
|
|
|
|
(bindpw (or (getenv "LDAP_BINDPW") ""))
|
|
|
|
|
(uri (list "ldap://ldap.metznet.ca"))))
|
|
|
|
|
|
|
|
|
|
(define %metznet-services
|
|
|
|
|
(list
|
|
|
|
|
(simple-service 'metznet-ln-service activation-service-type #~(symlink "/run/current-system/profile/bin/zsh" "/bin/zsh"))
|
|
|
|
|
(service openssh-service-type (openssh-configuration
|
|
|
|
|
(openssh openssh-ldap)
|
|
|
|
|
(log-level 'debug3)
|
|
|
|
|
(extra-content "KerberosAuthentication yes")))
|
|
|
|
|
(service krb5-service-type %metznet-krb5-config)
|
|
|
|
|
(service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000)))
|
|
|
|
|
(service metznet-service-type (list "su" "login" "sshd" "passwd"))
|
|
|
|
|
(service nslcd-service-type %metznet-nslcd-config)))
|
|
|
|
|
|
|
|
|
|
(define %metznet-desktop-services
|
|
|
|
|
(append (list (service openssh-service-type)
|
|
|
|
|
(service krb5-service-type %metznet-krb5-config)
|
|
|
|
|
(service nslcd-service-type %metznet-nslcd-config))
|
|
|
|
|
(append %metznet-services
|
|
|
|
|
(modify-services %desktop-services
|
|
|
|
|
(guix-service-type config => (guix-configuration
|
|
|
|
|
(inherit config)
|
|
|
|
@ -171,18 +345,16 @@
|
|
|
|
|
(network-manager-configuration (inherit config)
|
|
|
|
|
(vpn-plugins (list network-manager-openvpn)))))))
|
|
|
|
|
|
|
|
|
|
(define %metznet-server-services (append (list
|
|
|
|
|
(service openssh-service-type)
|
|
|
|
|
(service krb5-service-type %metznet-krb5-config)
|
|
|
|
|
(service nslcd-service-type %metznet-nslcd-config)
|
|
|
|
|
(service dhcp-client-service-type)
|
|
|
|
|
(openvpn-client-service
|
|
|
|
|
#:config (openvpn-client-configuration
|
|
|
|
|
(openvpn openvpn)
|
|
|
|
|
(pid-file "/var/run/openvpn/client.pid")
|
|
|
|
|
(persist-key? #f)
|
|
|
|
|
(tls-auth "/etc/openvpn/ta.key"))))
|
|
|
|
|
%base-services))
|
|
|
|
|
(define %metznet-server-services (append (append %metznet-services
|
|
|
|
|
(list
|
|
|
|
|
(service dhcp-client-service-type)
|
|
|
|
|
(openvpn-client-service
|
|
|
|
|
#:config (openvpn-client-configuration
|
|
|
|
|
(openvpn openvpn)
|
|
|
|
|
(pid-file "/var/run/openvpn/client.pid")
|
|
|
|
|
(persist-key? #f)
|
|
|
|
|
(tls-auth "/etc/openvpn/ta.key"))))
|
|
|
|
|
%base-services)))
|
|
|
|
|
|
|
|
|
|
(define %metznet-base-operating-system
|
|
|
|
|
(operating-system
|
|
|
|
@ -218,7 +390,7 @@
|
|
|
|
|
(users %metznet-base-user-accounts)
|
|
|
|
|
(groups %metznet-base-groups)
|
|
|
|
|
(packages %metznet-base-packages)
|
|
|
|
|
(services %metznet-base-services)))
|
|
|
|
|
(services (append %metznet-services %base-services))))
|
|
|
|
|
|
|
|
|
|
(define %metznet-base-server-system
|
|
|
|
|
(operating-system
|
|
|
|
|