metznet-channel/system/base-system.scm

370 lines
16 KiB
Scheme

(define-module (system base-system)
#:use-module (guix gexp)
#:use-module (nongnu system linux-initrd)
#:use-module (nongnu packages linux)
#:use-module (gnu bootloader)
#:use-module (gnu bootloader grub)
#:use-module (gnu system accounts)
#:use-module (gnu system shadow)
#:use-module (gnu system setuid)
#:use-module (gnu services configuration)
#:use-module (gnu system file-systems)
#:use-module (gnu system)
#:use-module (gnu system nss)
#:use-module (gnu services kerberos)
#:use-module (gnu services sssd)
#:use-module (gnu services base)
#:use-module (gnu services)
#:use-module (gnu services desktop)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services vpn)
#:use-module (gnu system pam)
#:use-module (gnu services dbus)
#:use-module (gnu system keyboard)
#:use-module (gnu packages admin)
#:use-module (gnu packages slapd)
#:use-module (gnu packages linux)
#:use-module (gnu packages shells)
#:use-module (gnu packages gnome)
#:use-module (gnu packages ssh)
#:use-module (gnu packages dns)
#:use-module (gnu packages version-control)
#:use-module (gnu packages vim)
#:use-module (gnu packages certs)
#:use-module (gnu packages kerberos)
#:use-module (gnu packages vpn)
#:use-module (gnu packages wm)
#:use-module (gnu packages suckless)
#:use-module (gnu packages terminals)
#:use-module (gnu packages gnuzilla)
#:export (%metznet-base-user-accounts)
#:export (%metznet-base-groups)
#:export (%metznet-desktop-packages)
#:export (%metznet-base-packages)
#:export (%kvm-udev-rule)
#:export (%usb-udev-rule)
#:export (%tun-udev-rule)
#:export (%metznet-desktop-services)
#:export (%metznet-server-services)
#:export (%metznet-base-server-system)
#:export (%metznet-base-desktop-system))
(define %domain-realm
"METZNET.CA")
(define %domain-name
"metznet.ca")
(define %domain-kadmin
(string-append "kerberos." %domain-name))
(define %domain-kdc
(string-append "kerberos." %domain-name))
(define %metznet-base-user-accounts
(append (list (user-account
(name "root")
(group "root")
(uid 0)
(password (crypt (or (getenv "GUIX_ROOT_PW") "root")
"$6$salt"))
(shell (file-append zsh "/bin/zsh")))) %base-user-accounts))
(define %metznet-base-groups
(append (list (user-group
(system? #t)
(name "realtime"))
(user-group
(system? #t)
(name "usb"))) %base-groups))
(define %metznet-base-packages
(append (list openssh
openldap-slapd
strace
git
neovim
zsh
le-certs
nss-certs
mit-krb5) %base-packages))
(define %metznet-desktop-packages
(append (list i3-wm i3status dmenu kitty icecat) %metznet-base-packages))
(define %desktop-setuid-programs
(append (list (setuid-program
(program #~(string-append #$openvpn "/sbin/openvpn")))
(setuid-program
(program #~(string-append #$openresolv "/sbin/resolvconf"))))
%setuid-programs))
(define %metznet-krb5-config
(krb5-configuration (default-realm %domain-realm)
(allow-weak-crypto? #t)
(rdns? #f)
(realms (list (krb5-realm (name %domain-realm)
(admin-server %domain-kadmin)
(kdc %domain-kdc))))))
(define %default-keyboard-layout
(keyboard-layout "us"))
(define %kvm-udev-rule
(udev-rule "65-kvm.rules"
"KERNEL==\"KVM\", GROUP=\"libvirt\", MODE=\"0660\""))
(define %usb-udev-rule
(udev-rule "51-usb.rules"
(string-append "SUBSYSTEM==\"usb\", GROUP=\"usb\"\n"
"SUBSYSTEM==\"usbmisc\", GROUP=\"usb\"")))
(define %tun-udev-rule
(udev-rule "90-tun.rules"
"KERNEL==\"tun\", GROUP=\"netdev\", MODE=\"0660\", OPTIONS+=\"static_node=net/tun\""))
(define %backlight-udev-rule
(udev-rule "55-backlight.rules"
"RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\""))
(define %metznet-name-service-switch
(let ((services (list (name-service (name "sss"))
(name-service (name "files")))))
(name-service-switch (password services)
(shadow services)
(group services))))
(define list-of-strings?
(list-of string?))
(define-maybe/no-serialization string)
(define (file-like-pair? val)
(let ((name (car val))
(file (cdr val)))
(and (string? name) (file-like? file))))
(define alist-of-file-like? (list-of file-like-pair?))
(define-configuration/no-serialization metznet-system-configuration
(certs (file-like le-certs)
"certificate package")
(vpn-pki-dir (maybe-string (let ((pki-dir (getenv "VPN_PKI_DIR")))
(or pki-dir
%unset-value)))
"openvpn pki directory")
(user-shells (alist-of-file-like (list (cons "/bin/zsh" zsh))) "user shells to link")
(channels-file (file-like (scheme-file
"channels.scm"
#~(append (list
(channel
(name 'metznet-channel)
(url
"https://git.metznet.ca/MetzNet/metznet-channel.git"))
(channel
(name 'nonguix)
(url
"https://gitlab.com/nonguix/nonguix.git"))
%default-channels))))
"channels.scm")
(pam-services (list-of-strings (list
"su"
"gdm-password"
"login"
"sshd"
"passwd"))
"list of pam services to configure"))
(define (pam-mkhomedir-service configuration)
(lambda (pam)
(if (member (pam-service-name pam)
(metznet-system-configuration-pam-services configuration))
(let ((required (pam-entry (control "required")
(module "pam_mkhomedir.so"))))
(pam-service (inherit pam)
(session (cons required
(pam-service-account pam))))) pam)))
(define (pam-mkhomedir-services configuration)
(list (pam-mkhomedir-service configuration)))
(define (shell-paths configuration)
(map car (metznet-system-configuration-user-shells configuration)))
(define (shell-packages configuration)
(map cdr (metznet-system-configuration-user-shells configuration)))
(define (metznet-activation configuration)
#~(for-each
(lambda
(path package)
(begin
(display path)
(display "\n")
(display package)
(display "\n")
(unless (access? path F_OK) (symlink (string-append package path) path))))
(list #$@(shell-paths configuration)) (list #$@(shell-packages configuration))))
(define (metznet-etc-service configuration)
(let ((channels-file (metznet-system-configuration-channels-file configuration))
(pki-dir (metznet-system-configuration-vpn-pki-dir configuration)))
(if (maybe-value-set? pki-dir)
`(("guix/channels.scm" ,channels-file)
("openvpn/ta.key" ,(local-file (string-append pki-dir "/ta.key")))
("openvpn/ca.crt" ,(local-file (string-append pki-dir "/ca.crt")))
("openvpn/client.key" ,(local-file (string-append pki-dir "/client.key")))
("openvpn/client.crt" ,(local-file (string-append pki-dir "/client.crt"))))
`(("guix/channels.scm" ,channels-file)))))
(define metznet-service-type
(service-type (name 'metznet-service)
(description "MetzNet Services")
(extensions (list (service-extension activation-service-type
metznet-activation)
(service-extension profile-service-type
(compose list
metznet-system-configuration-certs))
(service-extension etc-service-type
metznet-etc-service)
(service-extension pam-root-service-type
pam-mkhomedir-services)))
(default-value (metznet-system-configuration))))
(define %metznet-services
(list (service openssh-service-type
(openssh-configuration (extra-content
"KerberosAuthentication yes")))
(service krb5-service-type %metznet-krb5-config)
(service pam-krb5-service-type
(pam-krb5-configuration (pam-krb5 pam-krb5)
(minimum-uid 1000)))
(service sssd-service-type
(sssd-configuration (pam-services (list "su" "gdm-password"
"login" "sshd"
"passwd"))))
(service metznet-service-type)))
(define %metznet-nscd-configuration
(nscd-configuration (caches (append (list (nscd-cache (database 'passwd)
(positive-time-to-live
(* 3600 12))
(negative-time-to-live
20)
(persistent? #t))
(nscd-cache (database 'group)
(positive-time-to-live
(* 3600 12))
(negative-time-to-live
20)
(persistent? #t)))
%nscd-default-caches))))
(define %metznet-desktop-services
(append %metznet-services
(modify-services %desktop-services
(nscd-service-type config => %metznet-nscd-configuration)
(guix-service-type config =>
(guix-configuration (inherit config)
(substitute-urls (append (list
"https://substitutes.nonguix.org")
%default-substitute-urls))
(authorized-keys (append (list
(plain-file
"nonguix.pub"
"(public-key\n (ecc\n (curve Ed25519)\n (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))
%default-authorized-guix-keys))))
(udev-service-type config =>
(udev-configuration (inherit config)
(rules (append (list
%tun-udev-rule
%backlight-udev-rule)
(udev-configuration-rules
config)))))
(network-manager-service-type config =>
(network-manager-configuration (inherit
config)
(vpn-plugins
(list
network-manager-openvpn)))))))
(define %metznet-server-services
(append %metznet-services
(list (dbus-service)
(service dhcp-client-service-type)
(openvpn-client-service #:config (openvpn-client-configuration
(openvpn openvpn)
(pid-file
"/var/run/openvpn/client.pid")
(persist-key? #f)
(remote (list (openvpn-remote-configuration
(name
"vpn.metznet.ca"))))
(tls-auth
"/etc/openvpn/ta.key"))))
(modify-services %base-services
(nscd-service-type config => %metznet-nscd-configuration))))
(define %metznet-base-operating-system
(operating-system
;; Hostname and localization information
(host-name "base")
(timezone "America/Edmonton")
(locale "en_CA.utf8")
(keyboard-layout %default-keyboard-layout)
(name-service-switch %metznet-name-service-switch)
;; Kernel and firmware definitions
(kernel linux)
(kernel-arguments (append '("console=ttyS0") %default-kernel-arguments))
(firmware (list linux-firmware))
(initrd microcode-initrd)
;; Grub UEFI Bootloader installed to /boot/efi
(bootloader (bootloader-configuration
(bootloader grub-efi-bootloader)
(targets '("/boot/efi"))
(keyboard-layout keyboard-layout)))
(file-systems (cons* (file-system
(mount-point "/")
(device (file-system-label "guix-data"))
(type "ext4")
(check? #f))
(file-system
(mount-point "/boot/efi")
(device (file-system-label "guix-boot"))
(type "fat32")
(check? #f)) %base-file-systems))
(users %metznet-base-user-accounts)
(groups %metznet-base-groups)
(packages %metznet-base-packages)
(services
(append %metznet-services %base-services))))
(define %metznet-base-server-system
(operating-system
(inherit %metznet-base-operating-system)
(host-name "metznet-base-server")
(packages %metznet-base-packages)
(services
%metznet-server-services)))
(define %metznet-base-desktop-system
(operating-system
(inherit %metznet-base-operating-system)
(host-name "metznet-base-desktop")
(setuid-programs %desktop-setuid-programs)
(packages %metznet-desktop-packages)
(services
%metznet-desktop-services)))