390 lines
16 KiB
Scheme
390 lines
16 KiB
Scheme
(define-module (system base-system)
|
|
#:use-module (metznet)
|
|
#:use-module (ice-9 exceptions)
|
|
#:use-module (nongnu system linux-initrd)
|
|
#:use-module (nongnu packages linux)
|
|
#:use-module (guix gexp)
|
|
#:use-module (guix utils)
|
|
#:use-module (guix packages)
|
|
#:use-module (guix download)
|
|
#:use-module (guix build-system gnu)
|
|
#:use-module ((guix licenses) #:prefix license:)
|
|
#:use-module (gnu)
|
|
#:use-module (gnu system setuid)
|
|
#:use-module (gnu system nss)
|
|
#:use-module (gnu system pam)
|
|
#:use-module (gnu services)
|
|
#:use-module (gnu services dbus)
|
|
#:use-module (gnu services pm)
|
|
#:use-module (gnu services shepherd)
|
|
#:use-module (gnu services authentication)
|
|
#:use-module (gnu services configuration)
|
|
#:use-module (gnu services vpn)
|
|
#:use-module (gnu services networking)
|
|
#:use-module (gnu services ssh)
|
|
#:use-module (gnu services kerberos)
|
|
#:use-module (gnu services desktop)
|
|
#:use-module (gnu services xorg)
|
|
#:use-module (gnu services base)
|
|
#:use-module (gnu packages linux)
|
|
#:use-module (gnu packages ssh)
|
|
#:use-module (gnu packages sssd)
|
|
#:use-module (gnu packages compression)
|
|
#:use-module (gnu packages libedit)
|
|
#:use-module (gnu packages hurd)
|
|
#:use-module (gnu packages tls)
|
|
#:use-module (gnu packages xorg)
|
|
#:use-module (gnu packages pkg-config)
|
|
#:use-module (gnu packages groff)
|
|
#:use-module (gnu packages gcc)
|
|
#:use-module (gnu packages commencement)
|
|
#:use-module (gnu packages security-token)
|
|
#:use-module (gnu packages vim)
|
|
#:use-module (gnu packages certs)
|
|
#:use-module (gnu packages vpn)
|
|
#:use-module (gnu packages networking)
|
|
#:use-module (gnu packages dns)
|
|
#:use-module (gnu packages base)
|
|
#:use-module (gnu packages openldap)
|
|
#:use-module (gnu packages kerberos)
|
|
#:use-module (gnu packages admin)
|
|
#:use-module (gnu packages shells)
|
|
#:use-module (gnu packages gnome)
|
|
#:use-module (gnu packages wm)
|
|
#:use-module (gnu packages suckless)
|
|
#:use-module (gnu packages gnuzilla)
|
|
#:use-module (gnu packages terminals)
|
|
#:use-module (gnu packages virtualization)
|
|
#:use-module (gnu packages version-control)
|
|
#:export (%domain-realm)
|
|
#:export (%domain-name)
|
|
#:export (%domain-kadmin)
|
|
#:export (%domain-kdc)
|
|
#:export (%metznet-base-user-accounts)
|
|
#:export (%metznet-base-groups)
|
|
#:export (%metznet-base-packages)
|
|
#:export (%metznet-desktop-packages)
|
|
#:export (%metznet-server-packages)
|
|
#:export (%metznet-setuid-programs)
|
|
#:export (%default-keyboard-layout)
|
|
#:export (%kvm-udev-rule)
|
|
#:export (%usb-udev-rule)
|
|
#:export (%tun-udev-rule)
|
|
#:export (%metznet-desktop-services)
|
|
#:export (%metznet-server-services)
|
|
#:export (%metznet-base-server-system)
|
|
#:export (%metznet-base-desktop-system))
|
|
|
|
(define %domain-realm "METZNET.CA")
|
|
|
|
(define %domain-name "metznet.ca")
|
|
|
|
(define %domain-kadmin (string-append "kerberos." %domain-name))
|
|
|
|
(define %domain-kdc (string-append "kerberos." %domain-name))
|
|
|
|
(define %metznet-base-user-accounts (append (list
|
|
(user-account
|
|
(name "root")
|
|
(group "root")
|
|
(uid 0)
|
|
(password (crypt "root" "$6$salt"))
|
|
(shell (file-append zsh "/bin/zsh"))))
|
|
%base-user-accounts))
|
|
|
|
(define %metznet-base-groups (append (list
|
|
(user-group
|
|
(system? #t)
|
|
(name "realtime"))
|
|
(user-group
|
|
(system? #t)
|
|
(name "usb")))
|
|
%base-groups))
|
|
|
|
(define %metznet-base-packages (append (list openssh nss-pam-ldapd openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages))
|
|
|
|
(define %metznet-desktop-packages (append (list i3-wm i3status dmenu kitty icecat) %metznet-base-packages))
|
|
|
|
(define %metznet-server-packages (append (list isc-dhcp) %metznet-base-packages))
|
|
|
|
(define %desktop-setuid-programs (append
|
|
(list (setuid-program
|
|
(program #~(string-append #$openvpn "/sbin/openvpn")))
|
|
(setuid-program
|
|
(program #~(string-append #$openresolv "/sbin/resolvconf"))))
|
|
%setuid-programs))
|
|
|
|
(define %metznet-krb5-config (krb5-configuration
|
|
(default-realm %domain-realm)
|
|
(allow-weak-crypto? #t)
|
|
(rdns? #f)
|
|
(realms (list (krb5-realm
|
|
(name %domain-realm)
|
|
(admin-server %domain-kadmin)
|
|
(kdc %domain-kdc))))))
|
|
|
|
(define %default-keyboard-layout (keyboard-layout "us"))
|
|
|
|
(define %kvm-udev-rule
|
|
(udev-rule
|
|
"65-kvm.rules"
|
|
"KERNEL==\"KVM\", GROUP=\"libvirt\", MODE=\"0660\""))
|
|
|
|
(define %usb-udev-rule
|
|
(udev-rule
|
|
"51-usb.rules"
|
|
(string-append "SUBSYSTEM==\"usb\", GROUP=\"usb\"\n"
|
|
"SUBSYSTEM==\"usbmisc\", GROUP=\"usb\"")))
|
|
|
|
(define %tun-udev-rule
|
|
(udev-rule
|
|
"90-tun.rules"
|
|
"KERNEL==\"tun\", GROUP=\"netdev\", MODE=\"0660\", OPTIONS+=\"static_node=net/tun\""))
|
|
|
|
(define %backlight-udev-rule
|
|
(udev-rule
|
|
"55-backlight.rules"
|
|
"RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\""))
|
|
|
|
(define %metznet-name-service-switch
|
|
(let ((services (list (name-service (name "sss"))
|
|
(name-service (name "files")))))
|
|
(name-service-switch
|
|
(password services)
|
|
(shadow services)
|
|
(group services))))
|
|
|
|
|
|
(define pam-ldap-module (file-append nss-pam-ldapd "/lib/security/pam_ldap.so"))
|
|
|
|
(define (metznet-pam-service config)
|
|
(lambda (pam)
|
|
(if (member (pam-service-name pam) config)
|
|
(let ((sufficient
|
|
(pam-entry
|
|
(control "sufficient")
|
|
(module pam-ldap-module)))
|
|
(required
|
|
(pam-entry
|
|
(control "required")
|
|
(module "pam_mkhomedir.so"))))
|
|
(pam-service
|
|
(inherit pam)
|
|
(session (cons required (pam-service-account pam)))
|
|
(password (cons sufficient (pam-service-account pam)))))
|
|
pam)))
|
|
|
|
(define (metznet-pam-services config)
|
|
(list (metznet-pam-service config)))
|
|
|
|
(define default-sssd-conf-file (plain-file "sssd.conf" (string-join (list
|
|
"[sssd]"
|
|
"domains = metznet.ca"
|
|
"services = nss, sudo, pam, ssh, ifp"
|
|
""
|
|
"[domain/metznet.ca]"
|
|
"id_provider = ldap"
|
|
"auth_provider = ldap"
|
|
"cache_credentials = True"
|
|
"ldap_uri = ldaps://ldap.metznet.ca"
|
|
"ldap_tls_reqcert = never"
|
|
"ldap_tls_cacertdir = /etc/ssl/certs"
|
|
"ldap_search_base = ou=users,ou=accounts,dc=metznet,dc=ca"
|
|
(string-append "ldap_default_bind_dn = " (getenv "LDAP_BINDDN"))
|
|
"ldap_default_authtok_type = password"
|
|
(string-append "ldap_default_authtok = " (getenv "LDAP_BINDPW"))) "\n")))
|
|
|
|
(define metznet-service-type
|
|
(service-type
|
|
(name 'metznet-service)
|
|
(description "MetzNet Services")
|
|
(extensions
|
|
(list (service-extension pam-root-service-type metznet-pam-services)))
|
|
(default-value '())))
|
|
|
|
(define-configuration sssd-configuration
|
|
(sssd (file-like sssd) "SSSD Package to use")
|
|
(config (file-like default-sssd-conf-file) "sssd.conf file"))
|
|
|
|
(define (sssd-pam-service config)
|
|
(define sssd-pam-module
|
|
(file-append (sssd-configuration-sssd config) "/lib/security/pam_sss.so"))
|
|
(lambda (pam)
|
|
(if (member (pam-service-name pam) pam-service-list)
|
|
(let ((sufficient
|
|
(pam-entry
|
|
(control "sufficient")
|
|
(module sssd-pam-module))))
|
|
(pam-service
|
|
(inherit pam)
|
|
(auth (cons sufficient (pam-service-auth pam)))
|
|
(account (cons sufficient (pam-service-account pam)))
|
|
(password (cons sufficient (pam-service-password pam)))
|
|
(session (cons sufficient (pam-service-session pam)))))
|
|
pam)))
|
|
|
|
|
|
(define (sssd-pam-services config)
|
|
(list (sssd-pam-service config)))
|
|
|
|
(define (sssd-shepherd-service config)
|
|
(list (shepherd-service
|
|
(documentation "")
|
|
(provision '(sssd))
|
|
(requirement '(networking user-processes))
|
|
(start #~(make-forkexec-constructor
|
|
(list (string-append #$(sssd-configuration-sssd config) "/sbin/sssd") "-i" "-d" "0x77f0")
|
|
#:user "root"
|
|
#:group "root"
|
|
#:environment-variables
|
|
(list (string-append "LD_LIBRARY_PATH=" #$(sssd-configuration-sssd config) "/lib"))))
|
|
(stop #~(make-kill-destructor)))))
|
|
|
|
(define %sssd-activation
|
|
#~(begin
|
|
(let ((dbdir "/var/lib/sss/db")
|
|
(dbusdir "/var/lib/sss/pipes/private")
|
|
(user (getpw "root")))
|
|
(mkdir-p/perms dbusdir user #o755)
|
|
(mkdir-p/perms dbdir user #o755)
|
|
(chmod "/etc/sssd/sssd.conf" #o600))))
|
|
|
|
(define (sssd-etc-service config)
|
|
`(("sssd/sssd.conf" ,(sssd-configuration-config config))))
|
|
|
|
(define sssd-service-type
|
|
(service-type
|
|
(name 'sssd)
|
|
(description "MetzNet SSSD Service")
|
|
(extensions
|
|
(list (service-extension pam-root-service-type sssd-pam-services)
|
|
(service-extension dbus-root-service-type
|
|
(compose
|
|
list
|
|
sssd-configuration-sssd))
|
|
(service-extension etc-service-type sssd-etc-service)
|
|
(service-extension activation-service-type (const %sssd-activation))
|
|
(service-extension nscd-service-type (const (list sssd)))
|
|
(service-extension shepherd-root-service-type sssd-shepherd-service)))
|
|
(default-value (sssd-configuration))))
|
|
|
|
(define pam-service-list (list "su" "gdm-password" "login" "sshd" "passwd"))
|
|
|
|
(define %metznet-services
|
|
(list
|
|
(simple-service 'metznet-ln-service activation-service-type #~(symlink "/run/current-system/profile/bin/zsh" "/bin/zsh"))
|
|
(service openssh-service-type (openssh-configuration
|
|
(extra-content "KerberosAuthentication yes")))
|
|
(service krb5-service-type %metznet-krb5-config)
|
|
(service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000)))
|
|
(service sssd-service-type)
|
|
(service metznet-service-type pam-service-list)))
|
|
|
|
(define %metznet-nscd-configuration (nscd-configuration
|
|
(caches (append (list
|
|
(nscd-cache
|
|
(database 'passwd)
|
|
(positive-time-to-live (* 3600 12))
|
|
(negative-time-to-live 20)
|
|
(persistent? #t))
|
|
(nscd-cache
|
|
(database 'group)
|
|
(positive-time-to-live (* 3600 12))
|
|
(negative-time-to-live 20)
|
|
(persistent? #t)))
|
|
%nscd-default-caches))))
|
|
|
|
(define %metznet-desktop-services
|
|
(append
|
|
%metznet-services
|
|
(modify-services %desktop-services
|
|
(nscd-service-type config => %metznet-nscd-configuration)
|
|
(elogind-service-type config =>
|
|
(elogind-configuration (inherit config)
|
|
(handle-lid-switch-external-power 'suspend)))
|
|
(guix-service-type config => (guix-configuration
|
|
(inherit config)
|
|
(substitute-urls
|
|
(append (list "https://substitutes.nonguix.org")
|
|
%default-substitute-urls))
|
|
(authorized-keys
|
|
(append (list (plain-file "nonguix.pub"
|
|
"(public-key
|
|
(ecc
|
|
(curve Ed25519)
|
|
(q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))
|
|
%default-authorized-guix-keys))))
|
|
(udev-service-type config =>
|
|
(udev-configuration (inherit config)
|
|
(rules (append (list %tun-udev-rule
|
|
%backlight-udev-rule)
|
|
(udev-configuration-rules config)))))
|
|
(network-manager-service-type config =>
|
|
(network-manager-configuration (inherit config)
|
|
(vpn-plugins (list network-manager-openvpn)))))))
|
|
|
|
(define %metznet-server-services
|
|
(append %metznet-services
|
|
(list
|
|
(dbus-service)
|
|
(service dhcp-client-service-type)
|
|
(openvpn-client-service
|
|
#:config (openvpn-client-configuration
|
|
(openvpn openvpn)
|
|
(pid-file "/var/run/openvpn/client.pid")
|
|
(persist-key? #f)
|
|
(tls-auth "/etc/openvpn/ta.key"))))
|
|
(modify-services %base-services
|
|
(nscd-service-type config => %metznet-nscd-configuration))))
|
|
|
|
(define %metznet-base-operating-system
|
|
(operating-system
|
|
;; Hostname and localization information
|
|
(host-name "base")
|
|
(timezone "America/Edmonton")
|
|
(locale "en_CA.utf8")
|
|
(keyboard-layout %default-keyboard-layout)
|
|
(name-service-switch %metznet-name-service-switch)
|
|
;; Kernel and firmware definitions
|
|
(kernel linux)
|
|
(kernel-arguments (append '("console=ttyS0") %default-kernel-arguments))
|
|
(firmware (list linux-firmware))
|
|
(initrd microcode-initrd)
|
|
;; Grub UEFI Bootloader installed to /boot/efi
|
|
(bootloader
|
|
(bootloader-configuration
|
|
(bootloader grub-efi-bootloader)
|
|
(targets '("/boot/efi"))
|
|
(keyboard-layout keyboard-layout)))
|
|
(file-systems (cons*
|
|
(file-system
|
|
(mount-point "/boot/efi")
|
|
(device "/dev/vda1")
|
|
(type "vfat")
|
|
(check? #f))
|
|
(file-system
|
|
(mount-point "/")
|
|
(device "/dev/vda3")
|
|
(type "xfs")
|
|
(check? #f))
|
|
%base-file-systems))
|
|
(users %metznet-base-user-accounts)
|
|
(groups %metznet-base-groups)
|
|
(packages %metznet-base-packages)
|
|
(services (append %metznet-services %base-services))))
|
|
|
|
(define %metznet-base-server-system
|
|
(operating-system
|
|
(inherit %metznet-base-operating-system)
|
|
(host-name "metznet-base-server")
|
|
(packages %metznet-server-packages)
|
|
(services %metznet-server-services)))
|
|
|
|
(define %metznet-base-desktop-system
|
|
(operating-system
|
|
(inherit %metznet-base-operating-system)
|
|
(host-name "metznet-base-desktop")
|
|
(setuid-programs %desktop-setuid-programs)
|
|
(packages %metznet-desktop-packages)
|
|
(services %metznet-desktop-services)))
|