From d40578487e7b7021e44f556fc00e424fa1deb37e Mon Sep 17 00:00:00 2001 From: Noah Metz Date: Thu, 30 Nov 2023 18:26:00 -0700 Subject: [PATCH] Moved all machines to defines, and styles --- machines/dh2048.pem | 1 + .../{kerberos.metznet.ca.scm => kerberos.scm} | 106 ++++++++++-------- machines/ldap.metznet.ca.scm | 26 ----- machines/ldap.scm | 29 +++++ machines/vpn.scm | 49 ++++---- system/base-system.scm | 38 ++++--- 6 files changed, 139 insertions(+), 110 deletions(-) create mode 120000 machines/dh2048.pem rename machines/{kerberos.metznet.ca.scm => kerberos.scm} (83%) delete mode 100644 machines/ldap.metznet.ca.scm create mode 100644 machines/ldap.scm diff --git a/machines/dh2048.pem b/machines/dh2048.pem new file mode 120000 index 0000000..bd7d333 --- /dev/null +++ b/machines/dh2048.pem @@ -0,0 +1 @@ +/home/nmetz/Code/metznet-channel/pki/dh.pem \ No newline at end of file diff --git a/machines/kerberos.metznet.ca.scm b/machines/kerberos.scm similarity index 83% rename from machines/kerberos.metznet.ca.scm rename to machines/kerberos.scm index 683ce8d..91336f7 100644 --- a/machines/kerberos.metznet.ca.scm +++ b/machines/kerberos.scm @@ -1,4 +1,4 @@ -(define-module (machines kerberos.metznet.ca) +(define-module (machines kerberos) #:use-module (srfi srfi-26) #:use-module (srfi srfi-9) #:use-module (srfi srfi-1) @@ -25,7 +25,9 @@ #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu services configuration) - #:use-module (gnu services certbot)) + #:use-module (gnu services certbot) + + #:export (kerberos.metznet.ca)) (define-public mit-krb5-ldap (package 
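Review bot: machines/dh2048.pem is added as a symlink (mode 120000) whose target is the absolute path /home/nmetz/Code/metznet-channel/pki/dh.pem, so `(local-file "dh2048.pem")` in machines/vpn.scm will resolve that link at build time and fail on any checkout that is not this author's home directory (CI, another admin, a fresh clone). Since DH parameters are public values, commit the file itself, or if the pki directory lives in this repository use a relative target such as `../pki/dh.pem` (constructed from the path on the page). I have not verified whether local-file copies the link or its target into the store, but either way the build currently depends on a machine-specific path.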
@@ -63,8 +65,10 @@ "ac_cv_printf_positional=yes" "ac_cv_file__etc_environment=yes" "ac_cv_file__etc_TIMEZONE=no") - #:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1" )) - '(#:configure-flags (list "--with-tls-impl=openssl" "--with-readline" "--with-ldap" "--localstatedir=/var"))) + #:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1")) + '(#:configure-flags (list "--with-tls-impl=openssl" + "--with-readline" "--with-ldap" + "--localstatedir=/var"))) #:phases (modify-phases %standard-phases (add-after 'unpack 'enter-source-directory (lambda _ @@ -85,9 +89,9 @@ (synopsis "MIT Kerberos 5") (description "Massachusetts Institute of Technology implementation of Kerberos. -Kerberos is a network authentication protocol designed to provide strong -authentication for client/server applications by using secret-key -cryptography.") + Kerberos is a network authentication protocol designed to provide strong + authentication for client/server applications by using secret-key + cryptography.") (license (license:non-copyleft "file://NOTICE" "See NOTICE in the distribution.")) (home-page "https://web.mit.edu/kerberos/") @@ -129,7 +133,8 @@ cryptography.") (name (string "EXAMPLE.COM") "realm name" serialize-none) (database_module maybe-string "database module") (acl_file maybe-file-like "acl file") - (key_stash_file (string "/var/lib/kerberos/stash") "key stash file") + (key_stash_file (string "/var/lib/kerberos/stash") + "key stash file") (kdc_ports (list-of-ports '(750 88)) "list of ports to listen on" realm-serialize-list-of-ports) 
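Review bot: The reindentation of mit-krb5-ldap's description in the hunk at -85 inserts leading spaces inside the string literal, so the package's description text changes, not just the source layout; a reformatter should not rewrite string contents. Keep the continuation lines flush-left as they were: `Kerberos is a network authentication protocol designed to provide strong` with no leading whitespace. I have not checked whether the Texinfo rendering absorbs the extra indentation, but the literal now differs from the original regardless. The make-flags and key_stash_file hunks are layout-only.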
@@ -223,16 +228,16 @@ cryptography.") (define-configuration kdc-configuration (krb5 (file-like mit-krb5-ldap) "krb5 package to use" serialize-none) - (pkinit_anchors - (string "DIR:/run/current-system/profile/etc/ssl/certs/") - "CA certificate directory/file" - (serialize-field (lambda (x) x) " ")) + (pkinit_anchors (string + "DIR:/run/current-system/profile/etc/ssl/certs/") + "CA certificate directory/file" + (serialize-field (lambda (x) + x) " ")) (kdc_ports (list-of-ports '(750 88)) "list of ports to listen on") (realms (list-of-kdc-realm-configuration '()) "Realms to configure the KDC with") - (logging maybe-list-of-strings - "extra logging lines") + (logging maybe-list-of-strings "extra logging lines") (dbdefaults maybe-list-of-strings "extra dbdefault lines") (dbmodules (list-of-dbmodules '()) @@ -265,7 +270,6 @@ cryptography.") (define (kdc-etc configuration) `(("kdc.conf" ,(serialize-kdc-configuration configuration)))) - ; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot (define (kdc-shepherd configuration) (list (shepherd-service (documentation "") 
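Review bot: The hunk at -265 deletes the TODO stating that the KDC master key must be stashed with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot, and nothing in the commit replaces it; that comment was the only record of a manual step the service depends on, since key_stash_file defaults to /var/lib/kerberos/stash and kdc-shepherd starts the daemon regardless. Either restore the comment above `(define (kdc-shepherd configuration)` or automate the stash step in the service's activation so a fresh deploy does not start a KDC that cannot read its master key. Separately, splitting `(lambda (x) x)` across two lines in pkinit_anchors (hunk at -223) makes the identity serializer harder to read than the original single line.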
@@ -321,37 +325,43 @@ cryptography.") (service-extension etc-service-type kdc-etc))) (default-value (kdc-configuration)))) -(define %kerberos-dn "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca") - -(operating-system - (inherit %metznet-base-server-system) - (host-name "kerberos.guix.metznet.ca") - (services - (append (list (service kdc-service-type - (kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca")) - (logging '("kdc = SYSLOG:DEBUG:DAEMON")) - (dbmodules (list (cons - "openldap_ldapconf" - (kldap-configuration - (ldap_kdc_dn %kerberos-dn) - (ldap_kadmind_dn %kerberos-dn) - (ldap_servers "ldaps://ldap.metznet.ca") - (ldap_service_password_file +(define %kerberos-dn + "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca") + +(define-public kerberos.metznet.ca + (operating-system + (inherit %metznet-base-server-system) + (host-name "kerberos.guix.metznet.ca") + (services + (append (list (service kdc-service-type + (kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca")) + (logging '("kdc = SYSLOG:DEBUG:DAEMON")) + (dbmodules (list (cons + "openldap_ldapconf" + (kldap-configuration + (ldap_kdc_dn + %kerberos-dn) + (ldap_kadmind_dn + %kerberos-dn) + (ldap_servers + "ldaps://ldap.metznet.ca") + (ldap_service_password_file (plain-file - "service.keyfile" - "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139\n")))))) - (realms (list (kdc-realm-configuration - (name "METZNET.CA") - (database_module - "openldap_ldapconf") - (default_principal_flags - "+preauth") - (acl_file (plain-file - "kadm5.acl" - "*/admin@METZNET.CA *\n"))))))) - (service certbot-service-type - (certbot-configuration (email "admin@metznet.ca") - (certificates (list (certificate-configuration - (domains ' - ("kerberos.guix.metznet.ca")))))))) - %metznet-server-services))) + "service.keyfile" + "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139\n")))))) + (realms (list 
(kdc-realm-configuration + (name + "METZNET.CA") + (database_module + "openldap_ldapconf") + (default_principal_flags + "+preauth") + (acl_file (plain-file + "kadm5.acl" + "*/admin@METZNET.CA *\n"))))))) + (service certbot-service-type + (certbot-configuration (email "admin@metznet.ca") + (certificates (list (certificate-configuration + (domains ' + ("kerberos.guix.metznet.ca")))))))) + %metznet-server-services)))) diff --git a/machines/ldap.metznet.ca.scm b/machines/ldap.metznet.ca.scm deleted file mode 100644 index 5ff2bfe..0000000 --- a/machines/ldap.metznet.ca.scm +++ /dev/null @@ -1,26 +0,0 @@ -(define-module (machines ldap.metznet.ca) - #:use-module (gnu system) - #:use-module (guix gexp) - #:use-module (system base-system) - #:use-module (gnu packages slapd) - #:use-module (gnu services) - #:use-module (gnu services certbot) - #:use-module (gnu services slapd)) - -(operating-system - (inherit %metznet-base-server-system) - (host-name "ldap.guix.metznet.ca") - (services - (append (list (service certbot-service-type - (certbot-configuration (email "admin@metznet.ca") - (certificates (list (certificate-configuration - (domains ' - ("ldap.guix.metznet.ca"))))))) - (service slapd-service-type - (slapd-configuration (uris - "ldap:// ldapi:// ldaps:// ldapis://") - (backups (list (local-file - "0.ldif") - (local-file - "1.ldif")))))) - %metznet-server-services))) diff --git a/machines/ldap.scm b/machines/ldap.scm new file mode 100644 index 0000000..48ef2d6 --- /dev/null +++ b/machines/ldap.scm 
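Review bot: ldap_service_password_file is built with `plain-file`, so the KDC's LDAP bind credential for `uid=kerberos,...` (the `#{HEX}...` value in service.keyfile) is written into /gnu/store, which is world-readable on the host, and the same credential is committed to this file and therefore to git history; wrapping the operating-system in define-public carries that over unchanged. Point the field at a path outside the store instead, e.g. a string such as `"/etc/krb5/service.keyfile"` (constructed example) provisioned out of band with mode 0600, and rotate the bind password since it has been committed. I have not checked whether kldap-configuration accepts a plain string for this field; if it only takes file-likes, the serializer needs a small change.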
@@ -0,0 +1,29 @@ +(define-module (machines ldap) + #:use-module (gnu system) + #:use-module (guix gexp) + #:use-module (system base-system) + #:use-module (gnu packages slapd) + #:use-module (gnu services) + #:use-module (gnu services certbot) + #:use-module (gnu services slapd) + + #:export (ldap.metznet.ca)) + +(define-public ldap.metznet.ca + (operating-system + (inherit %metznet-base-server-system) + (host-name "ldap.guix.metznet.ca") + (services + (append (list (service certbot-service-type + (certbot-configuration (email "admin@metznet.ca") + (certificates (list (certificate-configuration + (domains ' + ("ldap.guix.metznet.ca"))))))) + (service slapd-service-type + (slapd-configuration (uris + "ldap:// ldapi:// ldaps:// ldapis://") + (backups (list (local-file + "0.ldif") + (local-file + "1.ldif")))))) + %metznet-server-services)))) diff --git a/machines/vpn.scm b/machines/vpn.scm index 8d7cda1..d7389f7 100644 --- a/machines/vpn.scm +++ b/machines/vpn.scm 
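Review bot: The slapd uris string `"ldap:// ldapi:// ldaps:// ldapis://"` opens a plaintext ldap:// listener alongside ldaps://, while kerberos.scm binds only to ldaps://ldap.metznet.ca; unless TLS is required on the plaintext port elsewhere in the slapd configuration, simple binds over ldap:// send credentials in the clear, so consider dropping it or limiting it to localhost. `ldapis://` is not a slapd listener scheme I recognise (ldap, ldaps, ldapi); verify slapd accepts it rather than refusing to start. The 0.ldif/1.ldif backups passed via `local-file` also land in the world-readable store, which matters if they contain password hashes — I cannot tell from here what they hold. Finally, `#:export (ldap.metznet.ca)` is redundant with `define-public` of the same name; the same doubling appears in kerberos.scm and vpn.scm.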
@@ -1,29 +1,32 @@ (define-module (machines vpn) - #:use-module (guix gexp) - #:use-module (gnu system) - #:use-module (gnu services) - #:use-module (gnu services certbot) - #:use-module (gnu services vpn) - #:use-module (system base-system) + #:use-module (guix gexp) + #:use-module (gnu system) + #:use-module (gnu services) + #:use-module (gnu services certbot) + #:use-module (gnu services vpn) + #:use-module (system base-system) - #:export (vpn.metznet.ca)) + #:export (vpn.metznet.ca)) (define-public vpn.metznet.ca - (operating-system - (inherit %metznet-base-server-system) - (host-name "vpn.metznet.ca") - (services - (append (list (service openvpn-server-service-type - (openvpn-server-configuration - (tls-auth "/etc/openvpn/ta.key") - (server "10.0.80.0 255.255.255.0"))) + (operating-system + (inherit %metznet-base-server-system) + (host-name "vpn.metznet.ca") + (services + (append (list (service openvpn-server-service-type + (openvpn-server-configuration (tls-auth + "/etc/openvpn/ta.key") + (server + "10.0.80.0 255.255.255.0"))) - (simple-service 'vpn-server-etc etc-service-type - `(("openvpn/dh2048.pem" ,(local-file "dh2048.pem")))) - (service certbot-service-type - (certbot-configuration (email "admin@metznet.ca") - (certificates (list (certificate-configuration - (domains ' - ("vpn.metznet.ca")))))))) - (modify-services %metznet-server-services (delete openvpn-client-service-type)))))) + (simple-service 'vpn-server-etc etc-service-type + `(("openvpn/dh2048.pem" ,(local-file + "dh2048.pem")))) + (service certbot-service-type + (certbot-configuration (email "admin@metznet.ca") + (certificates (list (certificate-configuration + (domains ' + ("vpn.metznet.ca")))))))) + (modify-services %metznet-server-services + (delete openvpn-client-service-type)))))) diff --git a/system/base-system.scm b/system/base-system.scm index 7fa4c06..b645061 100644 --- a/system/base-system.scm +++ b/system/base-system.scm 
@@ -76,7 +76,8 @@ (name "root") (group "root") (uid 0) - (password (crypt (or (getenv "GUIX_ROOT_PW")"root") "$6$salt")) + (password (crypt (or (getenv "GUIX_ROOT_PW") "root") + "$6$salt")) (shell (file-append zsh "/bin/zsh")))) %base-user-accounts)) (define %metznet-base-groups @@ -145,16 +146,24 @@ (shadow services) (group services)))) -(define list-of-strings? (list-of string?)) +(define list-of-strings? + (list-of string?)) -(define-configuration/no-serialization - metznet-system-configuration - (certs (file-like le-certs) "certificate package") - (pam-services (list-of-strings (list "su" "gdm-password" "login" "sshd" "passwd")) "list of pam services to configure")) +(define-configuration/no-serialization metznet-system-configuration + (certs (file-like le-certs) + "certificate package") + (pam-services (list-of-strings (list + "su" + "gdm-password" + "login" + "sshd" + "passwd")) + "list of pam services to configure")) (define (pam-mkhomedir-service configuration) (lambda (pam) - (if (member (pam-service-name pam) (metznet-system-configuration-pam-services configuration)) + (if (member (pam-service-name pam) + (metznet-system-configuration-pam-services configuration)) (let ((required (pam-entry (control "required") (module "pam_mkhomedir.so")))) (pam-service (inherit pam) @@ -183,7 +192,8 @@ (extensions (list (service-extension activation-service-type metznet-activation) (service-extension profile-service-type - (compose list metznet-system-configuration-certs)) + (compose list + metznet-system-configuration-certs)) (service-extension etc-service-type metznet-etc-service) (service-extension pam-root-service-type 
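Review bot: The root password expression in the hunk at -76 keeps a constant salt `"$6$salt"` and a silent fallback to the literal password "root" when GUIX_ROOT_PW is unset, so a build with the variable missing ships a root account with a well-known password, and the fixed salt makes the hash identical across rebuilds and machines and precomputable. Fail the build instead: `(password (crypt (or (getenv "GUIX_ROOT_PW") (error "GUIX_ROOT_PW is not set")) "$6$salt"))`, and derive the salt from random bytes at evaluation time rather than a literal (hedged: I have not checked which randomness source is idiomatic in this channel). The enclosing %metznet-base-user-accounts definition starts outside the hunk.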
@@ -199,7 +209,9 @@ (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000))) (service sssd-service-type - (sssd-configuration (pam-services (list "su" "gdm-password" "login" "sshd" "passwd")))) + (sssd-configuration (pam-services (list "su" "gdm-password" + "login" "sshd" + "passwd")))) (service metznet-service-type))) (define %metznet-nscd-configuration @@ -255,7 +267,8 @@ "/var/run/openvpn/client.pid") (persist-key? #f) (remote (list (openvpn-remote-configuration - (name "vpn.metznet.ca")))) + (name + "vpn.metznet.ca")))) (tls-auth "/etc/openvpn/ta.key")))) (modify-services %base-services @@ -284,12 +297,11 @@ (device (file-system-label "guix-data")) (type "ext4") (check? #f)) - (file-system + (file-system (mount-point "/boot/efi") (device (file-system-label "guix-boot")) (type "fat32") - (check? #f)) - %base-file-systems)) + (check? #f)) %base-file-systems)) (users %metznet-base-user-accounts) (groups %metznet-base-groups) (packages %metznet-base-packages)
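Review bot: The sssd-configuration pam-services list in the hunk at -199 repeats the five literal names that metznet-system-configuration's pam-services field defaults to, so the two copies will drift independently; bind the list once, e.g. `(define %metznet-pam-services (list "su" "gdm-password" "login" "sshd" "passwd"))`, and reference it from both places. In the hunk at -284 the formatter pulled `%base-file-systems))` onto the same line as `(check? #f))`, hiding the second argument to append; keep it on its own line as before. The enclosing definitions start outside these hunks.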