Moved all machines to defines, and styles

master
noah metz 2023-11-30 18:26:00 -07:00
parent f98417eded
commit d40578487e
6 changed files with 139 additions and 110 deletions

@ -0,0 +1 @@
/home/nmetz/Code/metznet-channel/pki/dh.pem
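Review bot: The entire content of this new one-line file is an absolute path under `/home/nmetz/…`, which looks like a committed symlink into the author's home directory rather than real file content; if so, it only resolves on that one workstation, and any other checkout or a CI build that dereferences it (for instance if this is the `dh2048.pem` that the vpn module loads with `local-file`) will fail with a missing file. Check the DH parameters into the repository directly — they are public, not secret material — or document the out-of-band provisioning step instead of committing a link to an out-of-tree path.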

@ -1,4 +1,4 @@
(define-module (machines kerberos.metznet.ca)
(define-module (machines kerberos)
#:use-module (srfi srfi-26)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-1)
@ -25,7 +25,9 @@
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu services configuration)
#:use-module (gnu services certbot))
#:use-module (gnu services certbot)
#:export (kerberos.metznet.ca))
(define-public mit-krb5-ldap
(package
@ -63,8 +65,10 @@
"ac_cv_printf_positional=yes"
"ac_cv_file__etc_environment=yes"
"ac_cv_file__etc_TIMEZONE=no")
#:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1" ))
'(#:configure-flags (list "--with-tls-impl=openssl" "--with-readline" "--with-ldap" "--localstatedir=/var")))
#:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1"))
'(#:configure-flags (list "--with-tls-impl=openssl"
"--with-readline" "--with-ldap"
"--localstatedir=/var")))
#:phases (modify-phases %standard-phases
(add-after 'unpack 'enter-source-directory
(lambda _
@ -85,9 +89,9 @@
(synopsis "MIT Kerberos 5")
(description
"Massachusetts Institute of Technology implementation of Kerberos.
Kerberos is a network authentication protocol designed to provide strong
authentication for client/server applications by using secret-key
cryptography.")
Kerberos is a network authentication protocol designed to provide strong
authentication for client/server applications by using secret-key
cryptography.")
(license (license:non-copyleft "file://NOTICE"
"See NOTICE in the distribution."))
(home-page "https://web.mit.edu/kerberos/")
@ -129,7 +133,8 @@ cryptography.")
(name (string "EXAMPLE.COM") "realm name" serialize-none)
(database_module maybe-string "database module")
(acl_file maybe-file-like "acl file")
(key_stash_file (string "/var/lib/kerberos/stash") "key stash file")
(key_stash_file (string "/var/lib/kerberos/stash")
"key stash file")
(kdc_ports (list-of-ports '(750 88))
"list of ports to listen on"
realm-serialize-list-of-ports)
@ -223,16 +228,16 @@ cryptography.")
(define-configuration kdc-configuration
(krb5 (file-like mit-krb5-ldap) "krb5 package to use"
serialize-none)
(pkinit_anchors
(string "DIR:/run/current-system/profile/etc/ssl/certs/")
"CA certificate directory/file"
(serialize-field (lambda (x) x) " "))
(pkinit_anchors (string
"DIR:/run/current-system/profile/etc/ssl/certs/")
"CA certificate directory/file"
(serialize-field (lambda (x)
x) " "))
(kdc_ports (list-of-ports '(750 88))
"list of ports to listen on")
(realms (list-of-kdc-realm-configuration '())
"Realms to configure the KDC with")
(logging maybe-list-of-strings
"extra logging lines")
(logging maybe-list-of-strings "extra logging lines")
(dbdefaults maybe-list-of-strings
"extra dbdefault lines")
(dbmodules (list-of-dbmodules '())
@ -265,7 +270,6 @@ cryptography.")
(define (kdc-etc configuration)
`(("kdc.conf" ,(serialize-kdc-configuration configuration))))
; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot
(define (kdc-shepherd configuration)
(list (shepherd-service (documentation "")
@ -321,37 +325,43 @@ cryptography.")
(service-extension etc-service-type kdc-etc)))
(default-value (kdc-configuration))))
(define %kerberos-dn "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca")
(operating-system
(inherit %metznet-base-server-system)
(host-name "kerberos.guix.metznet.ca")
(services
(append (list (service kdc-service-type
(kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca"))
(logging '("kdc = SYSLOG:DEBUG:DAEMON"))
(dbmodules (list (cons
"openldap_ldapconf"
(kldap-configuration
(ldap_kdc_dn %kerberos-dn)
(ldap_kadmind_dn %kerberos-dn)
(ldap_servers "ldaps://ldap.metznet.ca")
(ldap_service_password_file
(define %kerberos-dn
"uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca")
(define-public kerberos.metznet.ca
(operating-system
(inherit %metznet-base-server-system)
(host-name "kerberos.guix.metznet.ca")
(services
(append (list (service kdc-service-type
(kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca"))
(logging '("kdc = SYSLOG:DEBUG:DAEMON"))
(dbmodules (list (cons
"openldap_ldapconf"
(kldap-configuration
(ldap_kdc_dn
%kerberos-dn)
(ldap_kadmind_dn
%kerberos-dn)
(ldap_servers
"ldaps://ldap.metznet.ca")
(ldap_service_password_file
(plain-file
"service.keyfile"
"uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139\n"))))))
(realms (list (kdc-realm-configuration
(name "METZNET.CA")
(database_module
"openldap_ldapconf")
(default_principal_flags
"+preauth")
(acl_file (plain-file
"kadm5.acl"
"*/admin@METZNET.CA *\n")))))))
(service certbot-service-type
(certbot-configuration (email "admin@metznet.ca")
(certificates (list (certificate-configuration
(domains '
("kerberos.guix.metznet.ca"))))))))
%metznet-server-services)))
"service.keyfile"
"uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139\n"))))))
(realms (list (kdc-realm-configuration
(name
"METZNET.CA")
(database_module
"openldap_ldapconf")
(default_principal_flags
"+preauth")
(acl_file (plain-file
"kadm5.acl"
"*/admin@METZNET.CA *\n")))))))
(service certbot-service-type
(certbot-configuration (email "admin@metznet.ca")
(certificates (list (certificate-configuration
(domains '
("kerberos.guix.metznet.ca"))))))))
%metznet-server-services))))
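Review bot: In the last hunk (`@ -321,37 +325,43 @@`), `ldap_service_password_file` is given a `plain-file` whose content is the KDC's LDAP bind DN together with its hex-encoded (trivially decodable) password, so the credential is both committed to the channel and written into `/gnu/store`, which is world-readable on the KDC host; `plain-file` is the wrong carrier for a secret. The file's own TODO above `kdc-shepherd` already keeps the master-key stash out of the store — treat the service key the same way by pointing the field at an out-of-store path such as `"/etc/krb5kdc/service.keyfile"` provisioned by hand, and rotate the password that is now in git history. Minor: `#:export (kerberos.metznet.ca)` in the module header duplicates the `define-public` on the same name; one of the two is enough.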

@ -1,26 +0,0 @@
(define-module (machines ldap.metznet.ca)
#:use-module (gnu system)
#:use-module (guix gexp)
#:use-module (system base-system)
#:use-module (gnu packages slapd)
#:use-module (gnu services)
#:use-module (gnu services certbot)
#:use-module (gnu services slapd))
(operating-system
(inherit %metznet-base-server-system)
(host-name "ldap.guix.metznet.ca")
(services
(append (list (service certbot-service-type
(certbot-configuration (email "admin@metznet.ca")
(certificates (list (certificate-configuration
(domains '
("ldap.guix.metznet.ca")))))))
(service slapd-service-type
(slapd-configuration (uris
"ldap:// ldapi:// ldaps:// ldapis://")
(backups (list (local-file
"0.ldif")
(local-file
"1.ldif"))))))
%metznet-server-services)))

@ -0,0 +1,29 @@
(define-module (machines ldap)
#:use-module (gnu system)
#:use-module (guix gexp)
#:use-module (system base-system)
#:use-module (gnu packages slapd)
#:use-module (gnu services)
#:use-module (gnu services certbot)
#:use-module (gnu services slapd)
#:export (ldap.metznet.ca))
(define-public ldap.metznet.ca
(operating-system
(inherit %metznet-base-server-system)
(host-name "ldap.guix.metznet.ca")
(services
(append (list (service certbot-service-type
(certbot-configuration (email "admin@metznet.ca")
(certificates (list (certificate-configuration
(domains '
("ldap.guix.metznet.ca")))))))
(service slapd-service-type
(slapd-configuration (uris
"ldap:// ldapi:// ldaps:// ldapis://")
(backups (list (local-file
"0.ldif")
(local-file
"1.ldif"))))))
%metznet-server-services))))
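Review bot: `(uris "ldap:// ldapi:// ldaps:// ldapis://")` in the new `ldap.metznet.ca` definition opens a cleartext `ldap://` listener on every interface next to `ldaps://`, while the KDC in this same commit binds over `ldaps://ldap.metznet.ca`; unless the slapd configuration (not in this diff) forces StartTLS or a minimum SSF, simple binds on the cleartext port expose credentials, so consider `(uris "ldapi:// ldaps://")` (or `ldap://127.0.0.1` if a local cleartext client is genuinely needed). `ldapis://` is not one of the listener schemes I know slapd to accept (`ldap`, `ldaps`, `ldapi`) — worth confirming it is recognised rather than rejected at startup. Also, `(local-file "0.ldif")` / `"1.ldif"` copies those LDIF backups into the world-readable store, whatever the service then does with them; if they carry `userPassword` or root-DN password hashes, that is an information leak to every local user on the host.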

@ -1,29 +1,32 @@
(define-module (machines vpn)
#:use-module (guix gexp)
#:use-module (gnu system)
#:use-module (gnu services)
#:use-module (gnu services certbot)
#:use-module (gnu services vpn)
#:use-module (system base-system)
#:use-module (guix gexp)
#:use-module (gnu system)
#:use-module (gnu services)
#:use-module (gnu services certbot)
#:use-module (gnu services vpn)
#:use-module (system base-system)
#:export (vpn.metznet.ca))
#:export (vpn.metznet.ca))
(define-public vpn.metznet.ca
(operating-system
(inherit %metznet-base-server-system)
(host-name "vpn.metznet.ca")
(services
(append (list (service openvpn-server-service-type
(openvpn-server-configuration
(tls-auth "/etc/openvpn/ta.key")
(server "10.0.80.0 255.255.255.0")))
(operating-system
(inherit %metznet-base-server-system)
(host-name "vpn.metznet.ca")
(services
(append (list (service openvpn-server-service-type
(openvpn-server-configuration (tls-auth
"/etc/openvpn/ta.key")
(server
"10.0.80.0 255.255.255.0")))
(simple-service 'vpn-server-etc etc-service-type
`(("openvpn/dh2048.pem" ,(local-file "dh2048.pem"))))
(service certbot-service-type
(certbot-configuration (email "admin@metznet.ca")
(certificates (list (certificate-configuration
(domains '
("vpn.metznet.ca"))))))))
(modify-services %metznet-server-services (delete openvpn-client-service-type))))))
(simple-service 'vpn-server-etc etc-service-type
`(("openvpn/dh2048.pem" ,(local-file
"dh2048.pem"))))
(service certbot-service-type
(certbot-configuration (email "admin@metznet.ca")
(certificates (list (certificate-configuration
(domains '
("vpn.metznet.ca"))))))))
(modify-services %metznet-server-services
(delete openvpn-client-service-type))))))
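Review bot: `(tls-auth "/etc/openvpn/ta.key")` correctly keeps the HMAC key out of the store, but `(local-file "dh2048.pem")` in the `vpn-server-etc` service is resolved relative to this module's source file at `guix system` time; if the `dh2048.pem` in `machines/` is the symlink to `/home/nmetz/…` added elsewhere in this commit, the system can only be built from the author's workstation. Check the DH parameters in directly (they are public material) or reference a path the deploying host is guaranteed to have. Style: the value is now wrapped in `define-public` while `vpn.metznet.ca` is also listed under `#:export`; `define-public` already exports, so one of the two can go.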

@ -76,7 +76,8 @@
(name "root")
(group "root")
(uid 0)
(password (crypt (or (getenv "GUIX_ROOT_PW")"root") "$6$salt"))
(password (crypt (or (getenv "GUIX_ROOT_PW") "root")
"$6$salt"))
(shell (file-append zsh "/bin/zsh")))) %base-user-accounts))
(define %metznet-base-groups
@ -145,16 +146,24 @@
(shadow services)
(group services))))
(define list-of-strings? (list-of string?))
(define list-of-strings?
(list-of string?))
(define-configuration/no-serialization
metznet-system-configuration
(certs (file-like le-certs) "certificate package")
(pam-services (list-of-strings (list "su" "gdm-password" "login" "sshd" "passwd")) "list of pam services to configure"))
(define-configuration/no-serialization metznet-system-configuration
(certs (file-like le-certs)
"certificate package")
(pam-services (list-of-strings (list
"su"
"gdm-password"
"login"
"sshd"
"passwd"))
"list of pam services to configure"))
(define (pam-mkhomedir-service configuration)
(lambda (pam)
(if (member (pam-service-name pam) (metznet-system-configuration-pam-services configuration))
(if (member (pam-service-name pam)
(metznet-system-configuration-pam-services configuration))
(let ((required (pam-entry (control "required")
(module "pam_mkhomedir.so"))))
(pam-service (inherit pam)
@ -183,7 +192,8 @@
(extensions (list (service-extension activation-service-type
metznet-activation)
(service-extension profile-service-type
(compose list metznet-system-configuration-certs))
(compose list
metznet-system-configuration-certs))
(service-extension etc-service-type
metznet-etc-service)
(service-extension pam-root-service-type
@ -199,7 +209,9 @@
(pam-krb5-configuration (pam-krb5 pam-krb5)
(minimum-uid 1000)))
(service sssd-service-type
(sssd-configuration (pam-services (list "su" "gdm-password" "login" "sshd" "passwd"))))
(sssd-configuration (pam-services (list "su" "gdm-password"
"login" "sshd"
"passwd"))))
(service metznet-service-type)))
(define %metznet-nscd-configuration
@ -255,7 +267,8 @@
"/var/run/openvpn/client.pid")
(persist-key? #f)
(remote (list (openvpn-remote-configuration
(name "vpn.metznet.ca"))))
(name
"vpn.metznet.ca"))))
(tls-auth
"/etc/openvpn/ta.key"))))
(modify-services %base-services
@ -284,12 +297,11 @@
(device (file-system-label "guix-data"))
(type "ext4")
(check? #f))
(file-system
(file-system
(mount-point "/boot/efi")
(device (file-system-label "guix-boot"))
(type "fat32")
(check? #f))
%base-file-systems))
(check? #f)) %base-file-systems))
(users %metznet-base-user-accounts)
(groups %metznet-base-groups)
(packages %metznet-base-packages)
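Review bot: In the `@ -76,7 +76,8 @@` hunk, `(crypt (or (getenv "GUIX_ROOT_PW") "root") "$6$salt")` silently falls back to the password `root` whenever `GUIX_ROOT_PW` is unset and always uses the constant salt `salt`, so any build that forgets the variable yields the same well-known SHA-512 hash, and a leak of the hash (it is likely embedded in the store-side activation script) is precomputable. Fail closed and accept an already-hashed value instead, e.g. `(password (or (getenv "GUIX_ROOT_PW_HASH") (error "GUIX_ROOT_PW_HASH must be a crypt(3) SHA-512 hash")))`, which also keeps the plaintext out of the build environment. The enclosing definition (presumably `%metznet-base-user-accounts`) starts outside the hunk. Separately, the `pam-services` list in the sssd hunk (`@ -199,7 +209,9 @@`) repeats the default hard-coded in `metznet-system-configuration`; reading it from the configuration record would keep the two lists from drifting apart.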