Moved kerberos services to kerberos-services exported variable

master
noah metz 2023-12-03 13:19:12 -07:00
parent 5d42b8e470
commit afc0f17da0
1 changed files with 84 additions and 97 deletions

@ -27,25 +27,24 @@
#:use-module (gnu services configuration) #:use-module (gnu services configuration)
#:use-module (gnu services certbot) #:use-module (gnu services certbot)
#:export (kerberos.metznet.ca)) #:export (kerberos.metznet.ca kerberos-services))
(define-public mit-krb5-ldap (define-public mit-krb5-ldap
(package (package
(name "mit-krb5-ldap") (name "mit-krb5-ldap")
(version "1.20") (version "1.20")
(source (origin (source
(origin
(method url-fetch) (method url-fetch)
(uri (list (string-append (uri (list (string-append "https://web.mit.edu/kerberos/dist/krb5/"
"https://web.mit.edu/kerberos/dist/krb5/" (version-major+minor version) "/krb5-"
(version-major+minor version) "/krb5-" version version ".tar.gz")
".tar.gz")
(string-append "https://kerberos.org/dist/krb5/" (string-append "https://kerberos.org/dist/krb5/"
(version-major+minor version) "/krb5-" (version-major+minor version) "/krb5-"
version ".tar.gz"))) version ".tar.gz")))
(patches (search-patches "mit-krb5-hurd.patch")) (patches (search-patches "mit-krb5-hurd.patch"))
(sha256 (sha256
(base32 (base32 "0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
"0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(native-inputs (list bison perl tcl openldap-slapd)) ;required for some tests (native-inputs (list bison perl tcl openldap-slapd)) ;required for some tests
(inputs (list openssl readline)) (inputs (list openssl readline))
@ -133,24 +132,17 @@
(name (string "EXAMPLE.COM") "realm name" serialize-none) (name (string "EXAMPLE.COM") "realm name" serialize-none)
(database_module maybe-string "database module") (database_module maybe-string "database module")
(acl_file maybe-file-like "acl file") (acl_file maybe-file-like "acl file")
(key_stash_file (string "/var/lib/kerberos/stash") (key_stash_file (string "/var/lib/kerberos/stash") "key stash file")
"key stash file") (kdc_ports (list-of-ports '(750 88)) "list of ports to listen on"
(kdc_ports (list-of-ports '(750 88))
"list of ports to listen on"
realm-serialize-list-of-ports) realm-serialize-list-of-ports)
(kadmind_ports (list-of-ports '(749)) (kadmind_ports (list-of-ports '(749))
"list of ports to listen on for kadmin connections" "list of ports to listen on for kadmin connections"
realm-serialize-list-of-ports) realm-serialize-list-of-ports)
(max_life (string "10h 0m 0s") (max_life (string "10h 0m 0s") "maximum life of granted tickets")
"maximum life of granted tickets") (max_renewable_type (string "7d 0h 0m 0s") "maximum time to renew ticket")
(max_renewable_type (string "7d 0h 0m 0s") (master_key_type (string "des3-hmac-sha1") "master key type")
"maximum time to renew ticket") (supported_enctypes maybe-string "supported encryption types")
(master_key_type (string "des3-hmac-sha1") (default_principal_flags maybe-string "default flag for new principals"))
"master key type")
(supported_enctypes maybe-string
"supported encryption types")
(default_principal_flags maybe-string
"default flag for new principals"))
(define list-of-kdc-realm-configuration? (define list-of-kdc-realm-configuration?
(list-of kdc-realm-configuration?)) (list-of kdc-realm-configuration?))
@ -170,8 +162,7 @@
(define-configuration kldap-configuration (define-configuration kldap-configuration
(db_library (string "kldap") "db library to use") (db_library (string "kldap") "db library to use")
(disable_last_success (boolean #f) (disable_last_success (boolean #f) "disable last success field")
"disable last success field")
(disable_lockout (boolean #f) "disable lockout field") (disable_lockout (boolean #f) "disable lockout field")
(ldap_kdc_dn (string "uid=kdc,dc=example,dc=com") (ldap_kdc_dn (string "uid=kdc,dc=example,dc=com")
"dn to bind for kdc operations") "dn to bind for kdc operations")
@ -179,10 +170,8 @@
"dn to bind for kadmin operations") "dn to bind for kadmin operations")
(ldap_service_password_file maybe-file-like (ldap_service_password_file maybe-file-like
"file that stores the passwords for the ldap bind dns") "file that stores the passwords for the ldap bind dns")
(ldap_servers (string "ldap://example.com") (ldap_servers (string "ldap://example.com") "ldap server url")
"ldap server url") (ldap_conns_per_server (number 5) "number of connections per ldap server"))
(ldap_conns_per_server (number 5)
"number of connections per ldap server"))
(define (serialize-list-of-kdc-realm-configuration field-name value) (define (serialize-list-of-kdc-realm-configuration field-name value)
#~(string-join (list "[realms]" #~(string-join (list "[realms]"
@ -226,22 +215,17 @@
(define-maybe list-of-strings) (define-maybe list-of-strings)
(define-configuration kdc-configuration (define-configuration kdc-configuration
(krb5 (file-like mit-krb5-ldap) "krb5 package to use" (krb5 (file-like mit-krb5-ldap) "krb5 package to use" serialize-none)
serialize-none) (pkinit_anchors (string "DIR:/run/current-system/profile/etc/ssl/certs/")
(pkinit_anchors (string
"DIR:/run/current-system/profile/etc/ssl/certs/")
"CA certificate directory/file" "CA certificate directory/file"
(serialize-field (lambda (x) (serialize-field (lambda (x)
x) " ")) x) " "))
(kdc_ports (list-of-ports '(750 88)) (kdc_ports (list-of-ports '(750 88)) "list of ports to listen on")
"list of ports to listen on")
(realms (list-of-kdc-realm-configuration '()) (realms (list-of-kdc-realm-configuration '())
"Realms to configure the KDC with") "Realms to configure the KDC with")
(logging maybe-list-of-strings "extra logging lines") (logging maybe-list-of-strings "extra logging lines")
(dbdefaults maybe-list-of-strings (dbdefaults maybe-list-of-strings "extra dbdefault lines")
"extra dbdefault lines") (dbmodules (list-of-dbmodules '()) "dbmodules to configure"))
(dbmodules (list-of-dbmodules '())
"dbmodules to configure"))
(define (serialize-kdc-configuration configuration) (define (serialize-kdc-configuration configuration)
(mixed-text-file "kdc.conf" (mixed-text-file "kdc.conf"
@ -328,11 +312,7 @@
(define %kerberos-dn (define %kerberos-dn
"uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca") "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca")
(define-public kerberos.metznet.ca (define-public kerberos-services
(operating-system
(inherit %metznet-base-server-system)
(host-name "kerberos.guix.metznet.ca")
(services
(append (list (service kdc-service-type (append (list (service kdc-service-type
(kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca")) (kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca"))
(logging '("kdc = SYSLOG:DEBUG:DAEMON")) (logging '("kdc = SYSLOG:DEBUG:DAEMON"))
@ -348,10 +328,10 @@
(ldap_service_password_file (ldap_service_password_file
(plain-file (plain-file
"service.keyfile" "service.keyfile"
"uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139\n")))))) "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139
"))))))
(realms (list (kdc-realm-configuration (realms (list (kdc-realm-configuration
(name (name "METZNET.CA")
"METZNET.CA")
(database_module (database_module
"openldap_ldapconf") "openldap_ldapconf")
(default_principal_flags (default_principal_flags
@ -364,4 +344,11 @@
(certificates (list (certificate-configuration (certificates (list (certificate-configuration
(domains ' (domains '
("kerberos.guix.metznet.ca")))))))) ("kerberos.guix.metznet.ca"))))))))
%metznet-server-services)))) %metznet-server-services))
(define-public kerberos.metznet.ca
(operating-system
(inherit %metznet-base-server-system)
(host-name "kerberos.guix.metznet.ca")
(services
kerberos-services)))
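Review bot: The LDAP bind password for the kerberos service DN is still embedded as a literal in the `plain-file "service.keyfile" ...` value of `ldap_service_password_file` in hunk `@ -348,10 +328,10 @@`, and moving that service list into the exported `kerberos-services` makes the same in-store secret reusable from any system definition that imports the module. A `plain-file` is realised in /gnu/store, which is world-readable, so the credential is exposed to every local user of the host and, because it is in this repository, to anyone with read access to the history; it should be treated as compromised and rotated. Since `ldap_service_password_file` is declared `maybe-file-like` (hunk `@ -179,10 +170,8 @@`), the clean fix is to let the field also accept an on-host path provisioned outside the store, e.g. `(ldap_service_password_file "/etc/krb5/service.keyfile") ; placeholder path, file managed out of band`, rather than any file-like that ends up in the store. Separately, the `master_key_type` default of `"des3-hmac-sha1"` in hunk `@ -133,24 +132,17 @@` is a deprecated enctype in current MIT krb5 (as far as I recall, deprecated since 1.19), so for a package pinned at 1.20 an AES default such as `(master_key_type (string "aes256-cts-hmac-sha1-96") "master key type")` is the safer choice.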