diff --git a/gnu/services/slapd.scm b/gnu/services/slapd.scm
index c4f639b..40ee8bf 100644
--- a/gnu/services/slapd.scm
+++ b/gnu/services/slapd.scm
@@ -42,8 +42,6 @@
 (let ((homedir (slapd-configuration-home config)) (backups (slapd-configuration-backups config)) (ldapdir (slapd-configuration-openldap config)))
- (with-imported-modules '((srfi srfi-19)
- (ice-9 textual-ports))
 #~(begin (use-modules (srfi srfi-19) (ice-9 textual-ports))
@@ -119,7 +117,7 @@
 488)) (with-exception-handler slapadd-seeds check-slapadd-seed-date
- #:unwind? #t)))))
+ #:unwind? #t))))
 (define (slapd-shepherd-service config) (list (shepherd-service (documentation "")
diff --git a/gnu/services/sssd.scm b/gnu/services/sssd.scm
index 1c3d079..c8be43c 100644
--- a/gnu/services/sssd.scm
+++ b/gnu/services/sssd.scm
@@ -26,20 +26,16 @@
 (if val "True" "False")))) (define-configuration sssd-domain-configuration
- (id_provider maybe-string "id provider")
- (auth_provider maybe-string "auth provider")
- (cache_credentials maybe-boolean "cache credentials")
- (ldap_uri maybe-string "ldap server uri")
- (ldap_tls_reqcert maybe-string "tls_reqcert")
- (ldap_tls_cacertdir maybe-string
- "ca certificate directory")
- (ldap_search_base maybe-string "base dn for search")
- (ldap_default_bind_dn maybe-string
- "dn to bind for search")
- (ldap_default_authtok_type maybe-string
- "ldap auth token type")
- (ldap_default_authtok maybe-string
- "token to use for ldap bind"))
+ (id_provider maybe-string "id provider")
+ (auth_provider maybe-string "auth provider")
+ (cache_credentials maybe-boolean "cache credentials")
+ (ldap_uri maybe-string "ldap server uri")
+ (ldap_tls_reqcert maybe-string "tls_reqcert")
+ (ldap_tls_cacertdir maybe-string "ca certificate directory")
+ (ldap_search_base maybe-string "base dn for search")
+ (ldap_default_bind_dn maybe-string "dn to bind for search")
+ (ldap_default_authtok_type maybe-string "ldap auth token type")
+ (ldap_default_authtok maybe-string "token to use for ldap bind"))
 (define (sssd-domain-configuration-with-name? val) (if (pair? val)
@@ -69,36 +65,39 @@
 (string-join value ", ")))) (define-configuration sssd-configuration
- (sssd (file-like sssd) "sssd package to use")
- (pam-services (list-of-strings (list "su" "gdm-password"
- "login" "sshd"
- "passwd"))
- "list of pam services to configure login for"
- (lambda (a b)
- ""))
- (services (list-of-strings (list "nss" "sudo" "pam"
- "ssh" "ifp"))
- "list of services")
- (domains (list-of-sssd-domain-configurations '())
- "sssd domains to configure"))
+ (sssd (file-like sssd) "sssd package to use")
+ (pam-services (list-of-strings (list "su" "gdm-password" "login" "sshd"
+ "passwd"))
+ "list of pam services to configure login for"
+ (lambda (a b)
+ ""))
+ (services (list-of-strings (list "nss" "sudo" "pam" "ssh" "ifp"))
+ "list of services")
+ (domains (list-of-sssd-domain-configurations '())
+ "sssd domains to configure"))
 (define (sssd-pam-service config)
- (define sssd-pam-module
- (file-append (sssd-configuration-sssd config) "/lib/security/pam_sss.so"))
- (lambda (pam)
- (if (member (pam-service-name pam)
- (sssd-configuration-pam-services config))
- (let ((sufficient (pam-entry (control "sufficient")
- (module sssd-pam-module))))
- (pam-service (inherit pam)
- (auth (cons sufficient
- (pam-service-auth pam)))
- (account (cons sufficient
- (pam-service-account pam)))
- (password (cons sufficient
- (pam-service-password pam)))
- (session (cons sufficient
- (pam-service-session pam))))) pam)))
+ (let ((sufficient (pam-entry (control "sufficient")
+ (module (file-append (sssd-configuration-sssd
+ config)
+ "/lib/security/pam_sss.so")))))
+ (pam-extension (transformer (lambda (pam)
+ (if (member (pam-service-name pam)
+ (sssd-configuration-pam-services
+ config))
+ (pam-service (inherit pam)
+ (auth (cons sufficient
+ (pam-service-auth
+ pam)))
+ (account (cons sufficient
+ (pam-service-account
+ pam)))
+ (password (cons sufficient
+ (pam-service-password
+ pam)))
+ (session (cons sufficient
+ (pam-service-session
+ pam)))) pam))))))
 (define
(sssd-pam-services config) (list (sssd-pam-service config)))
diff --git a/metznet/system/base-system.scm b/metznet/system/base-system.scm
index a7e5311..6c82c24 100644
--- a/metznet/system/base-system.scm
+++ b/metznet/system/base-system.scm
@@ -79,9 +79,8 @@
 (group "root") (uid 0) (password (let ((env-pw (getenv "GUIX_ROOT_PW")))
- (if env-pw
- (crypt env-pw "$6$salt")
- "!")))
+ (if env-pw
+ (crypt env-pw "$6$salt") "!")))
 (shell (file-append zsh "/bin/zsh")))) %base-user-accounts)) (define %metznet-base-groups
@@ -182,14 +181,19 @@
 "list of pam services to configure")) (define (pam-mkhomedir-service configuration)
- (lambda (pam)
- (if (member (pam-service-name pam)
- (metznet-system-configuration-pam-services configuration))
- (let ((required (pam-entry (control "required")
- (module "pam_mkhomedir.so"))))
- (pam-service (inherit pam)
- (session (cons required
- (pam-service-account pam))))) pam)))
+ (pam-extension (transformer (lambda (pam)
+ (if (member (pam-service-name pam)
+ (metznet-system-configuration-pam-services
+ configuration))
+ (let ((required (pam-entry (control
+ "required")
+ (module
+ "pam_mkhomedir.so"))))
+ (pam-service (inherit pam)
+ (session (cons required
+ (pam-service-account
+ pam)))))
+ pam)))))
 (define (pam-mkhomedir-services configuration) (list (pam-mkhomedir-service configuration)))
@@ -253,12 +257,14 @@
 "LDAP_AUTHTOK") %unset-value))))))))
-
 (define pubkey-command (program-file "pubkey-command" (with-imported-modules '((guix build utils)) #~(begin
- (use-modules (guix build utils) (ice-9 format) (ice-9 popen) (ice-9 textual-ports))
+ (use-modules (guix build utils)
+ (ice-9 format)
+ (ice-9 popen)
+ (ice-9 textual-ports))
 (define* (shell-command-to-string cmd) (catch 'shell-command-error
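Review bot: `sssd-pam-service` still has no docstring, and the rewritten transformer (the `(pam-extension (transformer (lambda (pam) …` lines) conses the `sufficient` pam_sss entry onto the front of all four stacks, so for a user SSSD accepts the `auth` and `account` stacks stop there and any entry the service already had, such as a later `required` check, is never consulted. The old lambda behaved the same way, but nothing states it; a docstring such as `"Return a pam-extension that prepends a sufficient pam_sss.so entry to the auth, account, password and session stacks of each service listed in pam-services; being first and sufficient, an SSSD success short-circuits the remaining auth and account entries."` would make the ordering a deliberate choice. If the SSSD daemon is itself a Shepherd service (its name is not visible here), `pam-extension` also has a `shepherd-requirements` field that can make the PAM-using services wait for it, which the bare transformer form does not express.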
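Review bot: The root hash on the `(crypt env-pw "$6$salt") "!"` line is computed with the constant salt `$6$salt`, so every deployment that sets `GUIX_ROOT_PW` to the same value gets an identical hash, and a four-character salt is used where SHA-512 crypt allows sixteen; the commit only re-wraps the line. Derive the salt from random bytes when the configuration is evaluated, for example by reading 16 bytes from `/dev/urandom` and mapping them onto the crypt salt alphabet `[a-zA-Z0-9./]` before appending to `"$6$"`, and keep `"!"` as the locked-account fallback when the variable is unset.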
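Review bot: The transformer's `(session (cons required (pam-service-account pam)))` lines build the new session stack from the service's account entries, so the matched service's existing session entries are dropped and its account entries are run as session modules; the rewrite carries this over from the old lambda unchanged. It should read `(session (cons required (pam-service-session pam)))`. A one-line docstring such as `"Return a pam-extension that prepends a required pam_mkhomedir.so session entry to each service named in pam-services."` would also help; the body of `pam-mkhomedir-service` lies entirely within the hunk.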
@@ -285,27 +291,34 @@ cmd str)))) (display (shell-command-to-string (string-join
- (list #$(file-append
- metznet-pubkey
- "/bin/pubkey")
- "ldaps://ldap.metznet.ca"
- "uid=guix,ou=system,ou=accounts,dc=metznet,dc=ca"
- #$(or (getenv "LDAP_AUTHTOK") "")
- "dc=metznet,dc=ca"
- (list-ref (command-line) 1))
- " ")))))))
+ (list #$
+ (file-append
+ metznet-pubkey
+ "/bin/pubkey")
+ "ldaps://ldap.metznet.ca"
+ "uid=guix,ou=system,ou=accounts,dc=metznet,dc=ca"
+ #$
+ (or
+ (getenv
+ "LDAP_AUTHTOK")
+ "")
+ "dc=metznet,dc=ca"
+
+ (list-ref
+ (command-line)
+ 1))
+ " ")))))))
 (define %metznet-services (list (service openssh-service-type (openssh-configuration (password-authentication? #f)
- (extra-content #~(string-join
- (list
- "AuthorizedKeysCommandUser root"
- (string-append
- "AuthorizedKeysCommand "
- #$pubkey-command)
- "KerberosAuthentication yes")
- "\n"))))
+ (extra-content #~(string-join (list
+ "AuthorizedKeysCommandUser root"
+ (string-append
+ "AuthorizedKeysCommand "
+ #$pubkey-command)
+ "KerberosAuthentication yes")
+ "\n"))))
 (service krb5-service-type %metznet-krb5-config) (service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5)
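Review bot: The `#$(or (getenv "LDAP_AUTHTOK") "")` lines splice the LDAP bind token, read from the environment when the configuration is evaluated, into `pubkey-command` as a string literal, so the token lands in the world-readable store item behind `AuthorizedKeysCommand` and is passed to `pubkey` on its command line, where it is typically readable by other local processes; the commit only re-wraps these lines. Have the program read the token at run time from a root-only file outside the store and hand it over via stdin or the environment rather than argv. The username from `(list-ref (command-line) 1)` is joined into the same command string, and if `shell-command-to-string` (defined above this hunk) runs it through a shell it is interpolated unquoted; an argv-based `open-pipe*` call would remove both the quoting concern and the need for `string-join`. On style, the formatter has left `#$` alone on a line twice (`(list #$` / `(file-append` and `#$` / `(or`) and inserted an empty added line before `(list-ref`; Guile reads the next datum after `#$` so the split parses, but `#$(file-append …)` kept on one line reads as the single unquote it is.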