diff --git a/metznet/machines/kerberos.scm b/metznet/machines/kerberos.scm
index 17ef491..56bc6d9 100644
--- a/metznet/machines/kerberos.scm
+++ b/metznet/machines/kerberos.scm
@@ -27,25 +27,24 @@ #:use-module (gnu services configuration) #:use-module (gnu services certbot) - #:export (kerberos.metznet.ca)) + #:export (kerberos.metznet.ca kerberos-services)) (define-public mit-krb5-ldap (package (name "mit-krb5-ldap") (version "1.20") - (source (origin - (method url-fetch) - (uri (list (string-append - "https://web.mit.edu/kerberos/dist/krb5/" - (version-major+minor version) "/krb5-" version - ".tar.gz") - (string-append "https://kerberos.org/dist/krb5/" - (version-major+minor version) "/krb5-" - version ".tar.gz"))) - (patches (search-patches "mit-krb5-hurd.patch")) - (sha256 - (base32 - "0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky")))) + (source + (origin + (method url-fetch) + (uri (list (string-append "https://web.mit.edu/kerberos/dist/krb5/" + (version-major+minor version) "/krb5-" + version ".tar.gz") + (string-append "https://kerberos.org/dist/krb5/" + (version-major+minor version) "/krb5-" + version ".tar.gz"))) + (patches (search-patches "mit-krb5-hurd.patch")) + (sha256 + (base32 "0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky")))) (build-system gnu-build-system) (native-inputs (list bison perl tcl openldap-slapd)) ;required for some tests (inputs (list openssl readline)) 
@@ -130,27 +129,20 @@ "") (define-configuration kdc-realm-configuration - (name (string "EXAMPLE.COM") "realm name" serialize-none) - (database_module maybe-string "database module") - (acl_file maybe-file-like "acl file") - (key_stash_file (string "/var/lib/kerberos/stash") - "key stash file") - (kdc_ports (list-of-ports '(750 88)) - "list of ports to listen on" - realm-serialize-list-of-ports) - (kadmind_ports (list-of-ports '(749)) - "list of ports to listen on for kadmin connections" - realm-serialize-list-of-ports) - (max_life (string "10h 0m 0s") - "maximum life of granted tickets") - (max_renewable_type (string "7d 0h 0m 0s") - "maximum time to renew ticket") - (master_key_type (string "des3-hmac-sha1") - "master key type") - (supported_enctypes maybe-string - "supported encryption types") - (default_principal_flags maybe-string - "default flag for new principals")) + (name (string "EXAMPLE.COM") "realm name" serialize-none) + (database_module maybe-string "database module") + (acl_file maybe-file-like "acl file") + (key_stash_file (string "/var/lib/kerberos/stash") "key stash file") + (kdc_ports (list-of-ports '(750 88)) "list of ports to listen on" + realm-serialize-list-of-ports) + (kadmind_ports (list-of-ports '(749)) + "list of ports to listen on for kadmin connections" + realm-serialize-list-of-ports) + (max_life (string "10h 0m 0s") "maximum life of granted tickets") + (max_renewable_type (string "7d 0h 0m 0s") "maximum time to renew ticket") + (master_key_type (string "des3-hmac-sha1") "master key type") + (supported_enctypes maybe-string "supported encryption types") + (default_principal_flags maybe-string "default flag for new principals")) (define list-of-kdc-realm-configuration? (list-of kdc-realm-configuration?)) 
@@ -169,20 +161,17 @@ (serialize-field number->string " ")) (define-configuration kldap-configuration - (db_library (string "kldap") "db library to use") - (disable_last_success (boolean #f) - "disable last success field") - (disable_lockout (boolean #f) "disable lockout field") - (ldap_kdc_dn (string "uid=kdc,dc=example,dc=com") - "dn to bind for kdc operations") - (ldap_kadmind_dn (string "uid=kadmind,dc=example,dc=com") - "dn to bind for kadmin operations") - (ldap_service_password_file maybe-file-like - "file that stores the passwords for the ldap bind dns") - (ldap_servers (string "ldap://example.com") - "ldap server url") - (ldap_conns_per_server (number 5) - "number of connections per ldap server")) + (db_library (string "kldap") "db library to use") + (disable_last_success (boolean #f) "disable last success field") + (disable_lockout (boolean #f) "disable lockout field") + (ldap_kdc_dn (string "uid=kdc,dc=example,dc=com") + "dn to bind for kdc operations") + (ldap_kadmind_dn (string "uid=kadmind,dc=example,dc=com") + "dn to bind for kadmin operations") + (ldap_service_password_file maybe-file-like + "file that stores the passwords for the ldap bind dns") + (ldap_servers (string "ldap://example.com") "ldap server url") + (ldap_conns_per_server (number 5) "number of connections per ldap server")) (define (serialize-list-of-kdc-realm-configuration field-name value) #~(string-join (list "[realms]" 
@@ -226,22 +215,17 @@ (define-maybe list-of-strings) (define-configuration kdc-configuration - (krb5 (file-like mit-krb5-ldap) "krb5 package to use" - serialize-none) - (pkinit_anchors (string - "DIR:/run/current-system/profile/etc/ssl/certs/") - "CA certificate directory/file" - (serialize-field (lambda (x) - x) " ")) - (kdc_ports (list-of-ports '(750 88)) - "list of ports to listen on") - (realms (list-of-kdc-realm-configuration '()) - "Realms to configure the KDC with") - (logging maybe-list-of-strings "extra logging lines") - (dbdefaults maybe-list-of-strings - "extra dbdefault lines") - (dbmodules (list-of-dbmodules '()) - "dbmodules to configure")) + (krb5 (file-like mit-krb5-ldap) "krb5 package to use" serialize-none) + (pkinit_anchors (string "DIR:/run/current-system/profile/etc/ssl/certs/") + "CA certificate directory/file" + (serialize-field (lambda (x) + x) " ")) + (kdc_ports (list-of-ports '(750 88)) "list of ports to listen on") + (realms (list-of-kdc-realm-configuration '()) + "Realms to configure the KDC with") + (logging maybe-list-of-strings "extra logging lines") + (dbdefaults maybe-list-of-strings "extra dbdefault lines") + (dbmodules (list-of-dbmodules '()) "dbmodules to configure")) (define (serialize-kdc-configuration configuration) (mixed-text-file "kdc.conf" 
@@ -328,40 +312,43 @@ (define %kerberos-dn "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca") +(define-public kerberos-services + (append (list (service kdc-service-type + (kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca")) + (logging '("kdc = SYSLOG:DEBUG:DAEMON")) + (dbmodules (list (cons + "openldap_ldapconf" + (kldap-configuration + (ldap_kdc_dn + %kerberos-dn) + (ldap_kadmind_dn + %kerberos-dn) + (ldap_servers + "ldaps://ldap.metznet.ca") + (ldap_service_password_file + (plain-file + "service.keyfile" + "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139 +")))))) + (realms (list (kdc-realm-configuration + (name "METZNET.CA") + (database_module + "openldap_ldapconf") + (default_principal_flags + "+preauth") + (acl_file (plain-file + "kadm5.acl" + "*/admin@METZNET.CA *\n"))))))) + (service certbot-service-type + (certbot-configuration (email "admin@metznet.ca") + (certificates (list (certificate-configuration + (domains ' + ("kerberos.guix.metznet.ca")))))))) + %metznet-server-services)) + (define-public kerberos.metznet.ca (operating-system (inherit %metznet-base-server-system) (host-name "kerberos.guix.metznet.ca") (services - (append (list (service kdc-service-type - (kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca")) - (logging '("kdc = SYSLOG:DEBUG:DAEMON")) - (dbmodules (list (cons - "openldap_ldapconf" - (kldap-configuration - (ldap_kdc_dn - %kerberos-dn) - (ldap_kadmind_dn - %kerberos-dn) - (ldap_servers - "ldaps://ldap.metznet.ca") - (ldap_service_password_file - (plain-file - "service.keyfile" - "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139\n")))))) - (realms (list (kdc-realm-configuration - (name - "METZNET.CA") - (database_module - "openldap_ldapconf") - (default_principal_flags - "+preauth") - (acl_file (plain-file - "kadm5.acl" - "*/admin@METZNET.CA *\n"))))))) - (service certbot-service-type - 
(certbot-configuration (email "admin@metznet.ca") - (certificates (list (certificate-configuration - (domains ' - ("kerberos.guix.metznet.ca")))))))) - %metznet-server-services)))) + kerberos-services)))
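Review bot: The LDAP bind credential for `%kerberos-dn` is carried into `kerberos-services` inside `(plain-file "service.keyfile" …)` with the `#{HEX}…` value inline, and a plain-file is written to /gnu/store, which is readable by every local user; the hex encoding is not protection, and the value now also lives in repository history. This was already the case on the removed side, but the refactor is the moment to provision the keyfile outside the store (root-only, via an out-of-band secret mechanism), reference it by path, and rotate the exposed value; that may require `ldap_service_password_file` in kldap-configuration (earlier hunk) to accept a path string as well as a file-like. While the realm block is being moved, note that the kdc-realm-configuration field it inherits, `max_renewable_type`, is not a kdc.conf option (`max_renewable_life` is), so the renewable-lifetime default is presumably ignored by the KDC. `(logging '("kdc = SYSLOG:DEBUG:DAEMON"))` also sends debug-level KDC logging to syslog on what looks like a production host; confirm INFO is not sufficient. Finally, the keyfile string now ends in a literal newline instead of `\n` and `(domains '` is split from its datum; both are equivalent but harder to read than the removed form.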