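;;; MetzNet base system definitions for Guix System.
;;;
;;; Provides the shared user accounts, groups, package sets, udev rules and
;;; service lists, plus two operating-system templates (server and desktop)
;;; that both inherit from %metznet-base-operating-system.  Authentication is
;;; Kerberos + SSSD, with pam_mkhomedir creating home directories on first
;;; login.

(define-module (system base-system)
  #:use-module (guix gexp)
  #:use-module (nongnu system linux-initrd)
  #:use-module (nongnu packages linux)
  #:use-module (gnu bootloader)
  #:use-module (gnu bootloader grub)
  #:use-module (gnu system accounts)
  #:use-module (gnu system shadow)
  #:use-module (gnu system setuid)
  #:use-module (gnu services configuration)
  #:use-module (gnu system file-systems)
  #:use-module (gnu system)
  #:use-module (gnu system nss)
  #:use-module (gnu services kerberos)
  #:use-module (gnu services sssd)
  #:use-module (gnu services base)
  #:use-module (gnu services)
  #:use-module (gnu services desktop)
  #:use-module (gnu services networking)
  #:use-module (gnu services ssh)
  #:use-module (gnu services vpn)
  #:use-module (gnu system pam)
  #:use-module (gnu services dbus)
  #:use-module (gnu system keyboard)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages slapd)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages shells)
  #:use-module (gnu packages gnome)
  #:use-module (gnu packages ssh)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages version-control)
  #:use-module (gnu packages vim)
  #:use-module (gnu packages certs)
  #:use-module (gnu packages kerberos)
  #:use-module (gnu packages vpn)
  #:use-module (gnu packages wm)
  #:use-module (gnu packages suckless)
  #:use-module (gnu packages terminals)
  #:use-module (gnu packages gnuzilla)
  #:export (%metznet-base-user-accounts
            %metznet-base-groups
            %metznet-desktop-packages
            %metznet-base-packages
            %kvm-udev-rule
            %usb-udev-rule
            %tun-udev-rule
            %metznet-desktop-services
            %metznet-server-services
            %metznet-base-server-system
            %metznet-base-desktop-system))


;;;
;;; Domain / realm constants.
;;;

(define %domain-realm "METZNET.CA")
(define %domain-name "metznet.ca")

;; Both the Kerberos admin server and the KDC are the "kerberos" host.
(define %domain-kadmin (string-append "kerberos." %domain-name))
(define %domain-kdc (string-append "kerberos." %domain-name))

;; PAM services that get pam_mkhomedir (via metznet-service-type) and SSSD.
;; Shared so the two lists cannot drift apart.
(define %metznet-pam-services
  (list "su" "gdm-password" "login" "sshd" "passwd"))


;;;
;;; Accounts, groups and packages.
;;;

;; Root account on top of Guix's default accounts.  The password hash is
;; computed when this file is evaluated, from the GUIX_ROOT_PW environment
;; variable.
;; NOTE(review): when GUIX_ROOT_PW is unset this falls back to the literal
;; password "root", and the salt "$6$salt" is fixed, so the hash is the same
;; on every build.  Treat the fallback as a bootstrap convenience only and
;; set GUIX_ROOT_PW for any machine that is actually deployed.
(define %metznet-base-user-accounts
  (append (list (user-account
                 (name "root")
                 (group "root")
                 (uid 0)
                 (password (crypt (or (getenv "GUIX_ROOT_PW") "root")
                                  "$6$salt"))
                 (shell (file-append zsh "/bin/zsh"))))
          %base-user-accounts))

;; Extra system groups: "realtime" and "usb" (the latter is the group used by
;; %usb-udev-rule).
(define %metznet-base-groups
  (append (list (user-group (system? #t) (name "realtime"))
                (user-group (system? #t) (name "usb")))
          %base-groups))

;; Packages common to every MetzNet machine.
(define %metznet-base-packages
  (append (list openssh openldap-slapd strace git neovim zsh
                le-certs nss-certs mit-krb5)
          %base-packages))

;; Desktop machines add an i3 session, a terminal and a browser.
(define %metznet-desktop-packages
  (append (list i3-wm i3status dmenu kitty icecat)
          %metznet-base-packages))

;; Desktop-only setuid programs so an unprivileged session can bring up the
;; VPN and update resolv.conf.
(define %desktop-setuid-programs
  (append (list (setuid-program
                 (program #~(string-append #$openvpn "/sbin/openvpn")))
                (setuid-program
                 (program #~(string-append #$openresolv "/sbin/resolvconf"))))
          %setuid-programs))


;;;
;;; Kerberos, keyboard, udev rules and NSS.
;;;

;; Client-side krb5.conf for the METZNET.CA realm.
;; NOTE(review): allow-weak-crypto? #t re-enables deprecated enctypes (DES /
;; RC4 family); keep it only while the KDC still requires them and drop it
;; once the realm has been migrated to AES.
(define %metznet-krb5-config
  (krb5-configuration
   (default-realm %domain-realm)
   (allow-weak-crypto? #t)
   (rdns? #f)
   (realms (list (krb5-realm
                  (name %domain-realm)
                  (admin-server %domain-kadmin)
                  (kdc %domain-kdc))))))

(define %default-keyboard-layout (keyboard-layout "us"))

;; /dev/kvm accessible to the libvirt group.  udev KERNEL matches are
;; case-sensitive and the kernel registers the misc device as "kvm", so the
;; earlier "KVM" spelling never matched anything.  Exported for use by host
;; configurations; not installed by the services below.
(define %kvm-udev-rule
  (udev-rule "65-kvm.rules"
             "KERNEL==\"kvm\", GROUP=\"libvirt\", MODE=\"0660\""))

;; USB device nodes owned by the "usb" group (see %metznet-base-groups).
;; Exported; not installed by the services below.
(define %usb-udev-rule
  (udev-rule "51-usb.rules"
             (string-append "SUBSYSTEM==\"usb\", GROUP=\"usb\"\n"
                            "SUBSYSTEM==\"usbmisc\", GROUP=\"usb\"")))

;; /dev/net/tun for the netdev group (OpenVPN run from a user session).
(define %tun-udev-rule
  (udev-rule "90-tun.rules"
             "KERNEL==\"tun\", GROUP=\"netdev\", MODE=\"0660\", OPTIONS+=\"static_node=net/tun\""))

;; Let the video group adjust the Intel backlight.
;; NOTE(review): Guix System does not populate /bin beyond /bin/sh by default,
;; so /bin/chgrp is unlikely to exist; confirm, or point RUN+= at the
;; coreutils store path via a gexp.
(define %backlight-udev-rule
  (udev-rule "55-backlight.rules"
             "RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\""))

;; Resolve users and groups through SSSD first, then local files.  Order
;; matters: "sss" is consulted before "files".
(define %metznet-name-service-switch
  (let ((services (list (name-service (name "sss"))
                        (name-service (name "files")))))
    (name-service-switch
     (password services)
     (shadow services)
     (group services))))


;;;
;;; metznet-service-type.
;;;

(define list-of-strings? (list-of string?))

;; Configuration record for metznet-service-type.
;;   certs         -- certificate package added to the system profile
;;   pam-services  -- PAM service names that get pam_mkhomedir
(define-configuration/no-serialization metznet-system-configuration
  (certs
   (file-like le-certs)
   "certificate package")
  (pam-services
   (list-of-strings %metznet-pam-services)
   "list of pam services to configure"))

;; Return a procedure that, given a pam-service, prepends a required
;; pam_mkhomedir.so entry to its *session* stack when the service name is in
;; the configured pam-services; any other service is returned unchanged.
;; The existing session entries are kept: the previous version rebuilt the
;; session stack from the service's *account* entries, silently dropping the
;; original session lines (pam_unix session, etc.).
(define (pam-mkhomedir-service configuration)
  (lambda (pam)
    (if (member (pam-service-name pam)
                (metznet-system-configuration-pam-services configuration))
        (let ((required (pam-entry
                         (control "required")
                         (module "pam_mkhomedir.so"))))
          (pam-service
           (inherit pam)
           (session (cons required (pam-service-session pam)))))
        pam)))

;; pam-root-service-type extension: a list of pam-service transformers.
(define (pam-mkhomedir-services configuration)
  (list (pam-mkhomedir-service configuration)))

;; Activation snippet: make /bin/zsh available (the root shell above and any
;; #!/bin/zsh scripts rely on it).
;; NOTE(review): an existing /bin/zsh is never refreshed to point at the
;; current zsh store path, and a dangling /bin/zsh makes `access?' return #f,
;; after which `symlink' fails with EEXIST.
(define (metznet-activation configuration)
  #~(if (access? "/bin/zsh" F_OK)
        (display "zsh already linked")
        (begin
          (display "linking zsh")
          (symlink (string-append #$zsh "/bin/zsh") "/bin/zsh"))))

;; Files installed under /etc for the OpenVPN client.  Names are relative to
;; /etc (the etc service builds a directory that is then linked as /etc), so
;; they must not carry an "/etc/" prefix.  The list is quasiquoted so that
;; `local-file' is evaluated rather than captured as a literal list.
;; NOTE(review): local-file copies these files into /gnu/store, which is
;; world-readable, so client.key and ta.key become readable by every local
;; user of the machine.
(define (metznet-etc-service configuration)
  `(("openvpn/ta.key" ,(local-file "ta.key"))
    ("openvpn/ca.crt" ,(local-file "ca.crt"))
    ("openvpn/client.crt" ,(local-file "client.crt"))
    ("openvpn/client.key" ,(local-file "client.key"))))

;; Bundles the activation snippet, the certificate package, the /etc files
;; and the pam_mkhomedir extension into one service.
(define metznet-service-type
  (service-type
   (name 'metznet-service)
   (description "MetzNet Services")
   (extensions
    (list (service-extension activation-service-type
                             metznet-activation)
          (service-extension profile-service-type
                             (compose list metznet-system-configuration-certs))
          (service-extension etc-service-type
                             metznet-etc-service)
          (service-extension pam-root-service-type
                             pam-mkhomedir-services)))
   (default-value (metznet-system-configuration))))


;;;
;;; Service lists.
;;;

;; Services common to server and desktop: SSH with Kerberos, krb5 client,
;; pam_krb5 for local accounts (uid >= 1000), SSSD, and metznet-service-type.
(define %metznet-services
  (list (service openssh-service-type
                 (openssh-configuration
                  (extra-content "KerberosAuthentication yes")))
        (service krb5-service-type %metznet-krb5-config)
        (service pam-krb5-service-type
                 (pam-krb5-configuration
                  (pam-krb5 pam-krb5)
                  (minimum-uid 1000)))
        (service sssd-service-type
                 (sssd-configuration
                  (pam-services %metznet-pam-services)))
        (service metznet-service-type)))

;; nscd keeps passwd/group lookups for 12 hours so logins keep working when
;; the directory server is unreachable; negative results expire after 20 s.
(define %metznet-nscd-configuration
  (nscd-configuration
   (caches (append (list (nscd-cache
                          (database 'passwd)
                          (positive-time-to-live (* 3600 12))
                          (negative-time-to-live 20)
                          (persistent? #t))
                         (nscd-cache
                          (database 'group)
                          (positive-time-to-live (* 3600 12))
                          (negative-time-to-live 20)
                          (persistent? #t)))
                   %nscd-default-caches))))

;; Desktop: %desktop-services with the MetzNet nscd cache, the nonguix
;; substitute server (its signing key is trusted here), the tun/backlight
;; udev rules and the NetworkManager OpenVPN plugin.
(define %metznet-desktop-services
  (append
   %metznet-services
   (modify-services %desktop-services
     (nscd-service-type config => %metznet-nscd-configuration)
     (guix-service-type
      config =>
      (guix-configuration
       (inherit config)
       (substitute-urls (append (list "https://substitutes.nonguix.org")
                                %default-substitute-urls))
       (authorized-keys
        (append (list (plain-file "nonguix.pub"
                                  "(public-key\n (ecc\n (curve Ed25519)\n (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))
                %default-authorized-guix-keys))))
     (udev-service-type
      config =>
      (udev-configuration
       (inherit config)
       (rules (append (list %tun-udev-rule %backlight-udev-rule)
                      (udev-configuration-rules config)))))
     (network-manager-service-type
      config =>
      (network-manager-configuration
       (inherit config)
       (vpn-plugins (list network-manager-openvpn)))))))

;; Server: %base-services with the MetzNet nscd cache, plus D-Bus, a DHCP
;; client and an always-on OpenVPN client using the keys from
;; metznet-etc-service.
(define %metznet-server-services
  (append
   %metznet-services
   (list (dbus-service)
         (service dhcp-client-service-type)
         (openvpn-client-service
          #:config (openvpn-client-configuration
                    (openvpn openvpn)
                    (pid-file "/var/run/openvpn/client.pid")
                    (persist-key? #f)
                    (remote (list (openvpn-remote-configuration
                                   (name "vpn.metznet.ca"))))
                    (tls-auth "/etc/openvpn/ta.key"))))
   (modify-services %base-services
     (nscd-service-type config => %metznet-nscd-configuration))))


;;;
;;; Operating systems.
;;;

;; Common template; the concrete systems below override host-name, packages
;; and services.  Disk layout assumes a virtio guest (/dev/vda).
(define %metznet-base-operating-system
  (operating-system
    ;; Hostname and localization information
    (host-name "base")
    (timezone "America/Edmonton")
    (locale "en_CA.utf8")
    (keyboard-layout %default-keyboard-layout)
    (name-service-switch %metznet-name-service-switch)

    ;; Kernel and firmware definitions (nonguix linux + firmware + microcode)
    (kernel linux)
    (kernel-arguments (append '("console=ttyS0") %default-kernel-arguments))
    (firmware (list linux-firmware))
    (initrd microcode-initrd)

    ;; Grub UEFI Bootloader installed to /boot/efi
    (bootloader (bootloader-configuration
                 (bootloader grub-efi-bootloader)
                 (targets '("/boot/efi"))
                 (keyboard-layout keyboard-layout)))

    (file-systems (cons* (file-system
                           (mount-point "/boot/efi")
                           (device "/dev/vda1")
                           (type "vfat")
                           (check? #f))
                         (file-system
                           (mount-point "/")
                           (device "/dev/vda3")
                           (type "xfs")
                           (check? #f))
                         %base-file-systems))

    (users %metznet-base-user-accounts)
    (groups %metznet-base-groups)
    (packages %metznet-base-packages)
    (services (append %metznet-services %base-services))))

(define %metznet-base-server-system
  (operating-system
    (inherit %metznet-base-operating-system)
    (host-name "metznet-base-server")
    (packages %metznet-base-packages)
    (services %metznet-server-services)))

(define %metznet-base-desktop-system
  (operating-system
    (inherit %metznet-base-operating-system)
    (host-name "metznet-base-desktop")
    (setuid-programs %desktop-setuid-programs)
    (packages %metznet-desktop-packages)
    (services %metznet-desktop-services)))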