Moved all machines to defines, and styles

machines/dh2048.pem

@@ -0,0 +1 @@
+/home/nmetz/Code/metznet-channel/pki/dh.pem

machines/kerberos.scm

@@ -1,4 +1,4 @@
-(define-module (machines kerberos.metznet.ca)
+(define-module (machines kerberos)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-9)
   #:use-module (srfi srfi-1)
@@ -25,7 +25,9 @@
   #:use-module (gnu services)
   #:use-module (gnu services shepherd)
   #:use-module (gnu services configuration)
-  #:use-module (gnu services certbot))
+  #:use-module (gnu services certbot)
+
+  #:export (kerberos.metznet.ca))
 
 (define-public mit-krb5-ldap
   (package
@@ -63,8 +65,10 @@
                                   "ac_cv_printf_positional=yes"
                                   "ac_cv_file__etc_environment=yes"
                                   "ac_cv_file__etc_TIMEZONE=no")
-               #:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1" ))
+               #:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1"))
-             '(#:configure-flags (list "--with-tls-impl=openssl" "--with-readline" "--with-ldap" "--localstatedir=/var")))
+             '(#:configure-flags (list "--with-tls-impl=openssl"
+                                       "--with-readline" "--with-ldap"
+                                       "--localstatedir=/var")))
        #:phases (modify-phases %standard-phases
                   (add-after 'unpack 'enter-source-directory
                     (lambda _
@@ -85,9 +89,9 @@
     (synopsis "MIT Kerberos 5")
     (description
      "Massachusetts Institute of Technology implementation of Kerberos.
-Kerberos is a network authentication protocol designed to provide strong
+                   Kerberos is a network authentication protocol designed to provide strong
-authentication for client/server applications by using secret-key
+                   authentication for client/server applications by using secret-key
-cryptography.")
+                   cryptography.")
     (license (license:non-copyleft "file://NOTICE"
                                    "See NOTICE in the distribution."))
     (home-page "https://web.mit.edu/kerberos/")
@@ -129,7 +133,8 @@ cryptography.")
                       (name (string "EXAMPLE.COM") "realm name" serialize-none)
                       (database_module maybe-string "database module")
                       (acl_file maybe-file-like "acl file")
-                      (key_stash_file (string "/var/lib/kerberos/stash") "key stash file")
+                      (key_stash_file (string "/var/lib/kerberos/stash")
+                                      "key stash file")
                       (kdc_ports (list-of-ports '(750 88))
                                  "list of ports to listen on"
                                  realm-serialize-list-of-ports)
@@ -223,16 +228,16 @@ cryptography.")
 (define-configuration kdc-configuration
                       (krb5 (file-like mit-krb5-ldap) "krb5 package to use"
                             serialize-none)
-                      (pkinit_anchors
+                      (pkinit_anchors (string
-                        (string "DIR:/run/current-system/profile/etc/ssl/certs/")
+                                       "DIR:/run/current-system/profile/etc/ssl/certs/")
-                        "CA certificate directory/file"
+                                      "CA certificate directory/file"
-                        (serialize-field (lambda (x) x) "  "))
+                                      (serialize-field (lambda (x)
+                                                         x) "  "))
                       (kdc_ports (list-of-ports '(750 88))
                                  "list of ports to listen on")
                       (realms (list-of-kdc-realm-configuration '())
                               "Realms to configure the KDC with")
-                      (logging maybe-list-of-strings
+                      (logging maybe-list-of-strings "extra logging lines")
-                               "extra logging lines")
                       (dbdefaults maybe-list-of-strings
                                   "extra dbdefault lines")
                       (dbmodules (list-of-dbmodules '())
@@ -265,7 +270,6 @@ cryptography.")
 (define (kdc-etc configuration)
   `(("kdc.conf" ,(serialize-kdc-configuration configuration))))
 
-
 ; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot
 (define (kdc-shepherd configuration)
   (list (shepherd-service (documentation "")
@@ -321,37 +325,43 @@ cryptography.")
                                   (service-extension etc-service-type kdc-etc)))
                 (default-value (kdc-configuration))))
 
-(define %kerberos-dn "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca")
+(define %kerberos-dn
-
+  "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca")
-(operating-system
+
-  (inherit %metznet-base-server-system)
+(define-public kerberos.metznet.ca
-  (host-name "kerberos.guix.metznet.ca")
+  (operating-system
-  (services
+    (inherit %metznet-base-server-system)
-   (append (list (service kdc-service-type
+    (host-name "kerberos.guix.metznet.ca")
-                          (kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca"))
+    (services
-                                             (logging '("kdc = SYSLOG:DEBUG:DAEMON"))
+     (append (list (service kdc-service-type
-                                             (dbmodules (list (cons
+                            (kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca"))
-                                                               "openldap_ldapconf"
+                                               (logging '("kdc = SYSLOG:DEBUG:DAEMON"))
-                                                               (kldap-configuration
+                                               (dbmodules (list (cons
-                                                                 (ldap_kdc_dn %kerberos-dn)
+                                                                 "openldap_ldapconf"
-                                                                 (ldap_kadmind_dn %kerberos-dn)
+                                                                 (kldap-configuration
-                                                                 (ldap_servers "ldaps://ldap.metznet.ca")
+                                                                  (ldap_kdc_dn
-                                                                 (ldap_service_password_file
+                                                                   %kerberos-dn)
+                                                                  (ldap_kadmind_dn
+                                                                   %kerberos-dn)
+                                                                  (ldap_servers
+                                                                   "ldaps://ldap.metznet.ca")
+                                                                  (ldap_service_password_file
                                                                    (plain-file
-                                                                     "service.keyfile"
+                                                                    "service.keyfile"
-                                                                     "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139\n"))))))
+                                                                    "uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139\n"))))))
-                                             (realms (list (kdc-realm-configuration
+                                               (realms (list (kdc-realm-configuration
-                                                            (name "METZNET.CA")
+                                                              (name
-                                                            (database_module
+                                                               "METZNET.CA")
-                                                             "openldap_ldapconf")
+                                                              (database_module
-                                                            (default_principal_flags
+                                                               "openldap_ldapconf")
-                                                             "+preauth")
+                                                              (default_principal_flags
-                                                            (acl_file (plain-file
+                                                               "+preauth")
-                                                                       "kadm5.acl"
+                                                              (acl_file (plain-file
-                                                                       "*/admin@METZNET.CA    *\n")))))))
+                                                                         "kadm5.acl"
-                 (service certbot-service-type
+                                                                         "*/admin@METZNET.CA    *\n")))))))
-                          (certbot-configuration (email "admin@metznet.ca")
+                   (service certbot-service-type
-                                                 (certificates (list (certificate-configuration
+                            (certbot-configuration (email "admin@metznet.ca")
-                                                                      (domains '
+                                                   (certificates (list (certificate-configuration
-                                                                       ("kerberos.guix.metznet.ca"))))))))
+                                                                        (domains '
-           %metznet-server-services)))
+                                                                         ("kerberos.guix.metznet.ca"))))))))
+             %metznet-server-services))))

machines/ldap.metznet.ca.scm

@@ -1,26 +0,0 @@
-(define-module (machines ldap.metznet.ca)
-  #:use-module (gnu system)
-  #:use-module (guix gexp)
-  #:use-module (system base-system)
-  #:use-module (gnu packages slapd)
-  #:use-module (gnu services)
-  #:use-module (gnu services certbot)
-  #:use-module (gnu services slapd))
-
-(operating-system
-  (inherit %metznet-base-server-system)
-  (host-name "ldap.guix.metznet.ca")
-  (services
-   (append (list (service certbot-service-type
-                          (certbot-configuration (email "admin@metznet.ca")
-                                                 (certificates (list (certificate-configuration
-                                                                      (domains '
-                                                                       ("ldap.guix.metznet.ca")))))))
-                 (service slapd-service-type
-                          (slapd-configuration (uris
-                                                "ldap:// ldapi:// ldaps:// ldapis://")
-                                               (backups (list (local-file
-                                                               "0.ldif")
-                                                              (local-file
-                                                               "1.ldif"))))))
-           %metznet-server-services)))

machines/ldap.scm

@@ -0,0 +1,29 @@
+(define-module (machines ldap)
+  #:use-module (gnu system)
+  #:use-module (guix gexp)
+  #:use-module (system base-system)
+  #:use-module (gnu packages slapd)
+  #:use-module (gnu services)
+  #:use-module (gnu services certbot)
+  #:use-module (gnu services slapd)
+
+  #:export (ldap.metznet.ca))
+
+(define-public ldap.metznet.ca
+  (operating-system
+    (inherit %metznet-base-server-system)
+    (host-name "ldap.guix.metznet.ca")
+    (services
+     (append (list (service certbot-service-type
+                            (certbot-configuration (email "admin@metznet.ca")
+                                                   (certificates (list (certificate-configuration
+                                                                        (domains '
+                                                                         ("ldap.guix.metznet.ca")))))))
+                   (service slapd-service-type
+                            (slapd-configuration (uris
+                                                  "ldap:// ldapi:// ldaps:// ldapis://")
+                                                 (backups (list (local-file
+                                                                 "0.ldif")
+                                                                (local-file
+                                                                 "1.ldif"))))))
+             %metznet-server-services))))

machines/vpn.scm

@@ -1,29 +1,32 @@
 (define-module (machines vpn)
-               #:use-module (guix gexp)
+  #:use-module (guix gexp)
-               #:use-module (gnu system)
+  #:use-module (gnu system)
-               #:use-module (gnu services)
+  #:use-module (gnu services)
-               #:use-module (gnu services certbot)
+  #:use-module (gnu services certbot)
-               #:use-module (gnu services vpn)
+  #:use-module (gnu services vpn)
-               #:use-module (system base-system)
+  #:use-module (system base-system)
 
-               #:export (vpn.metznet.ca))
+  #:export (vpn.metznet.ca))
 
 (define-public vpn.metznet.ca
-               (operating-system
+  (operating-system
-                 (inherit %metznet-base-server-system)
+    (inherit %metznet-base-server-system)
-                 (host-name "vpn.metznet.ca")
+    (host-name "vpn.metznet.ca")
-                 (services
+    (services
-                   (append (list (service openvpn-server-service-type
+     (append (list (service openvpn-server-service-type
-                                          (openvpn-server-configuration
+                            (openvpn-server-configuration (tls-auth
-                                            (tls-auth "/etc/openvpn/ta.key")
+                                                           "/etc/openvpn/ta.key")
-                                            (server "10.0.80.0 255.255.255.0")))
+                                                          (server
+                                                           "10.0.80.0 255.255.255.0")))
 
-                                 (simple-service 'vpn-server-etc etc-service-type
+                   (simple-service 'vpn-server-etc etc-service-type
-                                                 `(("openvpn/dh2048.pem" ,(local-file "dh2048.pem"))))
+                                   `(("openvpn/dh2048.pem" ,(local-file
-                                 (service certbot-service-type
+                                                             "dh2048.pem"))))
-                                          (certbot-configuration (email "admin@metznet.ca")
+                   (service certbot-service-type
-                                                                 (certificates (list (certificate-configuration
+                            (certbot-configuration (email "admin@metznet.ca")
-                                                                                       (domains '
+                                                   (certificates (list (certificate-configuration
-                                                                                                ("vpn.metznet.ca"))))))))
+                                                                        (domains '
-                           (modify-services %metznet-server-services (delete openvpn-client-service-type))))))
+                                                                         ("vpn.metznet.ca"))))))))
+             (modify-services %metznet-server-services
+               (delete openvpn-client-service-type))))))
 

system/base-system.scm

@@ -76,7 +76,8 @@
                   (name "root")
                   (group "root")
                   (uid 0)
-                  (password (crypt (or (getenv "GUIX_ROOT_PW")"root") "$6$salt"))
+                  (password (crypt (or (getenv "GUIX_ROOT_PW") "root")
+                                   "$6$salt"))
                   (shell (file-append zsh "/bin/zsh")))) %base-user-accounts))
 
 (define %metznet-base-groups
@@ -145,16 +146,24 @@
                          (shadow services)
                          (group services))))
 
-(define list-of-strings? (list-of string?))
+(define list-of-strings?
+  (list-of string?))
 
-(define-configuration/no-serialization
+(define-configuration/no-serialization metznet-system-configuration
-  metznet-system-configuration
+                                       (certs (file-like le-certs)
-  (certs (file-like le-certs) "certificate package")
+                                              "certificate package")
-  (pam-services (list-of-strings (list "su" "gdm-password" "login" "sshd" "passwd")) "list of pam services to configure"))
+                                       (pam-services (list-of-strings (list
+                                                                       "su"
+                                                                       "gdm-password"
+                                                                       "login"
+                                                                       "sshd"
+                                                                       "passwd"))
+                                        "list of pam services to configure"))
 
 (define (pam-mkhomedir-service configuration)
   (lambda (pam)
-    (if (member (pam-service-name pam) (metznet-system-configuration-pam-services configuration))
+    (if (member (pam-service-name pam)
+                (metznet-system-configuration-pam-services configuration))
         (let ((required (pam-entry (control "required")
                                    (module "pam_mkhomedir.so"))))
           (pam-service (inherit pam)
@@ -183,7 +192,8 @@
                 (extensions (list (service-extension activation-service-type
                                                      metznet-activation)
                                   (service-extension profile-service-type
-                                                     (compose list metznet-system-configuration-certs))
+                                                     (compose list
+                                                      metznet-system-configuration-certs))
                                   (service-extension etc-service-type
                                                      metznet-etc-service)
                                   (service-extension pam-root-service-type
@@ -199,7 +209,9 @@
                  (pam-krb5-configuration (pam-krb5 pam-krb5)
                                          (minimum-uid 1000)))
         (service sssd-service-type
-                 (sssd-configuration (pam-services (list "su" "gdm-password" "login" "sshd" "passwd"))))
+                 (sssd-configuration (pam-services (list "su" "gdm-password"
+                                                         "login" "sshd"
+                                                         "passwd"))))
         (service metznet-service-type)))
 
 (define %metznet-nscd-configuration
@@ -255,7 +267,8 @@
                                                    "/var/run/openvpn/client.pid")
                                                   (persist-key? #f)
                                                   (remote (list (openvpn-remote-configuration
-                                                              (name "vpn.metznet.ca"))))
+                                                                 (name
+                                                                  "vpn.metznet.ca"))))
                                                   (tls-auth
                                                    "/etc/openvpn/ta.key"))))
           (modify-services %base-services
@@ -284,12 +297,11 @@
                            (device (file-system-label "guix-data"))
                            (type "ext4")
                            (check? #f))
-                          (file-system
+                         (file-system
                            (mount-point "/boot/efi")
                            (device (file-system-label "guix-boot"))
                            (type "fat32")
-                           (check? #f))
+                           (check? #f)) %base-file-systems))
-                         %base-file-systems))
     (users %metznet-base-user-accounts)
     (groups %metznet-base-groups)
     (packages %metznet-base-packages)