diff --git a/Makefile b/Makefile
index 6f8ff90..2ea3d1a 100644
--- a/Makefile
+++ b/Makefile
@@ -13,9 +13,9 @@ VM_CPU ?= 4
 %: %.qcow2
 $(eval OVMF := $(shell guix build $(GUIX_SUBSTITUTE_FLAG) ovmf))
- qemu-system-x86_64 -nic user,model=virtio-net-pci -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin
+ qemu-system-x86_64 -nic bridge,br=virbr0 -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin
 .PHONY: %
 %-ro: %.scm
- $(eval VM_SCRIPT := $(shell guix system $(GUIX_LIB_FLAGS) $(GUIX_SUBSTITUTE_FLAG) vm $< --expose=$(PWD)/pki=/var/lib/openvpn))
- $(VM_SCRIPT) -m $(VM_RAM) -smp $(VM_CPU) -nic user,model=virtio-net-pci
+ $(eval VM_SCRIPT := $(shell guix system $(GUIX_LIB_FLAGS) $(GUIX_SUBSTITUTE_FLAG) vm $<))
+ $(VM_SCRIPT) -m $(VM_RAM) -smp $(VM_CPU) -nic bridge,br=virbr0
diff --git a/metznet/system/base-system.scm b/metznet/system/base-system.scm
index cb96245..a7e5311 100644
--- a/metznet/system/base-system.scm
+++ b/metznet/system/base-system.scm
@@ -1,6 +1,8 @@
 (define-module (metznet system base-system)
 #:use-module (guix gexp)
+ #:use-module (metznet golang)
+ #:use-module (gnu bootloader)
 #:use-module (gnu bootloader grub)
 #:use-module (gnu system accounts)
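Review bot: Both rewritten `-nic bridge,br=virbr0` lines (in the `%` rule and in `%-ro`) hard-code the bridge name and quietly change the guest's exposure: user-mode networking kept the test VM behind NAT on the host, whereas bridge mode attaches it as a peer on virbr0, so the LDAP/SSH test system is reachable from everything on that segment, and it additionally needs a setuid qemu-bridge-helper with an ACL entry for the bridge in /etc/qemu/bridge.conf, none of which the Makefile states. Lift the name into a tunable and document the precondition next to `VM_CPU ?= 4`: `VM_BRIDGE ?= virbr0  # must be allowed in /etc/qemu/bridge.conf; the guest is reachable from this segment`, then use `-nic bridge,br=$(VM_BRIDGE)` in both recipes. The rewritten `$(eval VM_SCRIPT := $(shell guix system … vm $<))` line still assigns without checking the exit status, so if `guix system vm` fails the next recipe line runs `-m $(VM_RAM) …` as the command; a guard such as `$(if $(strip $(VM_SCRIPT)),,$(error guix system vm failed for $<))` before the launch line makes that failure explicit.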
@@ -251,11 +253,59 @@ "LDAP_AUTHTOK")
 %unset-value))))))))
+
+(define pubkey-command
+ (program-file "pubkey-command"
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils) (ice-9 format) (ice-9 popen) (ice-9 textual-ports))
+ (define* (shell-command-to-string
+ cmd)
+ (catch 'shell-command-error
+ (lambda ()
+ (let* ((port (open-pipe
+ cmd
+ OPEN_READ))
+ (str (get-string-all
+ port))
+ (wtpd (close-pipe
+ port))
+ (xval (status:exit-val
+ wtpd)))
+ (if (or (eqv? xval #f)
+ (> xval 0))
+ (throw 'shell-command-error
+ cmd str))
+ str))
+ (lambda (key cmd str)
+ (simple-format #t
+ "ERROR: in command ~a\nstring: ~a\n"
+ cmd str)
+ (throw 'error-in-shell-command-to-string
+ cmd str))))
+
+ (display (shell-command-to-string (string-join
+ (list #$(file-append
+ metznet-pubkey
+ "/bin/pubkey")
+ "ldaps://ldap.metznet.ca"
+ "uid=guix,ou=system,ou=accounts,dc=metznet,dc=ca"
+ #$(or (getenv "LDAP_AUTHTOK") "")
+ "dc=metznet,dc=ca"
+ (list-ref (command-line) 1))
+ " ")))))))
+
 (define %metznet-services
 (list (service openssh-service-type
 (openssh-configuration
 (password-authentication? #f)
- (extra-content
- "KerberosAuthentication yes")))
+ (extra-content #~(string-join
+ (list
+ "AuthorizedKeysCommandUser root"
+ (string-append
+ "AuthorizedKeysCommand "
+ #$pubkey-command)
+ "KerberosAuthentication yes")
+ "\n"))))
 (service krb5-service-type %metznet-krb5-config)
 (service pam-krb5-service-type
 (pam-krb5-configuration
 (pam-krb5 pam-krb5)
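Review bot: `#$(or (getenv "LDAP_AUTHTOK") "")` in pubkey-command captures the LDAP bind secret for `uid=guix,ou=system,…` at build time, so it is written into the world-readable /gnu/store script and, because the arguments are flattened with `string-join` and handed to `open-pipe` (which goes through `/bin/sh`), it also shows up in the argv of every `pubkey` run; when the variable is unset the empty element is word-split away and `dc=metznet,dc=ca` silently shifts into the password position, and the sshd-supplied username in `(list-ref (command-line) 1)` is likewise subject to shell parsing. Pass an argv list to `open-pipe*` instead (no shell), and have the script read the secret at run time from a file readable only by the AuthorizedKeysCommandUser; `AuthorizedKeysCommandUser root` is also wider than sshd_config(5) recommends — a dedicated unprivileged account that can read that file suffices. The handler's `(simple-format #t …)` prints the error text to stdout, which sshd parses as key material; write it to `(current-error-port)`. The `%metznet-services` definition continues past the end of the hunk.
```scheme
(define* (shell-command-to-string cmd)
  ;; CMD is an argv list.  open-pipe* execs it directly, so the
  ;; sshd-supplied username is never word-split by a shell and an
  ;; empty element keeps its argument position.
  (catch 'shell-command-error
    (lambda ()
      (let* ((port (apply open-pipe* OPEN_READ cmd))
             (str (get-string-all port))
             (wtpd (close-pipe port))
             (xval (status:exit-val wtpd)))
        (if (or (eqv? xval #f) (> xval 0))
            (throw 'shell-command-error cmd str))
        str))
    ;; … unchanged: (lambda (key cmd str) …) error-reporting handler …

(display (shell-command-to-string
          (list #$(file-append metznet-pubkey "/bin/pubkey")
                "ldaps://ldap.metznet.ca"
                "uid=guix,ou=system,ou=accounts,dc=metznet,dc=ca"
                ;; read at run time; never captured into the store item
                (string-trim-right
                 (call-with-input-file "<ROOT-ONLY-AUTHTOK-FILE>" get-string-all))
                "dc=metznet,dc=ca"
                (list-ref (command-line) 1))))
```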