|
|
|
@ -1,20 +1,24 @@
|
|
|
|
|
;; This is an operating system configuration template
|
|
|
|
|
;; for a "bare bones" setup, with no X11 display server.
|
|
|
|
|
|
|
|
|
|
(use-modules (gnu)
|
|
|
|
|
(metznet aws)
|
|
|
|
|
(metznet machines kerberos)
|
|
|
|
|
(gnu services kdc)
|
|
|
|
|
(gnu services certbot)
|
|
|
|
|
(gnu packages kdc)
|
|
|
|
|
(metznet system base-system)
|
|
|
|
|
(gnu packages vim)
|
|
|
|
|
(gnu packages version-control)
|
|
|
|
|
(gnu packages shells))
|
|
|
|
|
|
|
|
|
|
(define %kerberos-dn
|
|
|
|
|
"uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca")
|
|
|
|
|
|
|
|
|
|
(operating-system
|
|
|
|
|
(inherit kerberos.metznet.ca)
|
|
|
|
|
(inherit %metznet-base-server-system)
|
|
|
|
|
(host-name "kerberos.metznet.ca")
|
|
|
|
|
(bootloader (bootloader-configuration
|
|
|
|
|
(bootloader grub-minimal-bootloader)
|
|
|
|
|
(targets '("/dev/nvme0n1"))))
|
|
|
|
|
(swap-devices (list (swap-space (target (file-system-label "krb-guix-swap")))))
|
|
|
|
|
(swap-devices (list (swap-space
|
|
|
|
|
(target (file-system-label "krb-guix-swap")))))
|
|
|
|
|
(file-systems (cons (file-system
|
|
|
|
|
(device (file-system-label "krb-guix-data"))
|
|
|
|
|
(mount-point "/")
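Review bot: The `(metznet machines kerberos)` import on L39 looks orphaned after this change: the only names it plausibly supplied, `kerberos.metznet.ca` (dropped here in favour of `(inherit %metznet-base-server-system)`) and `kerberos-services` (replaced by `%metznet-server-services` in the services hunk), are no longer referenced on the new side, and the same may hold for `(gnu packages kdc)` since only `kdc-service-type` from `(gnu services kdc)` is used. If nothing else in the module depends on them, drop `(metznet machines kerberos)` from `use-modules` so a later reader is not led to a machine definition that this file no longer inherits from. The `file-systems` record that starts at `(file-systems (cons (file-system` continues past the end of this hunk, so its remaining fields were not reviewed.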
|
|
|
|
@ -32,10 +36,40 @@
|
|
|
|
|
(string-join (list
|
|
|
|
|
"root ALL=(ALL:ALL) NOPASSWD:ALL"
|
|
|
|
|
"%aws ALL=(ALL:ALL) ALL"
|
|
|
|
|
"%aws ALL=(root) NOPASSWD:/run/setuid-programs/passwd" "") "\n")))
|
|
|
|
|
"%aws ALL=(root) NOPASSWD:/run/setuid-programs/passwd"
|
|
|
|
|
"") "\n")))
|
|
|
|
|
|
|
|
|
|
(packages (cons* git neovim %metznet-base-packages))
|
|
|
|
|
|
|
|
|
|
(services
|
|
|
|
|
(cons* (service aws-service-type) kerberos-services)))
|
|
|
|
|
(append (list (service aws-service-type)
|
|
|
|
|
(service kdc-service-type
|
|
|
|
|
(kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca"))
|
|
|
|
|
(logging '("kdc = SYSLOG:DEBUG:DAEMON"))
|
|
|
|
|
(dbmodules (list (cons
|
|
|
|
|
"openldap_ldapconf"
|
|
|
|
|
(kldap-configuration
|
|
|
|
|
(ldap_kdc_dn
|
|
|
|
|
%kerberos-dn)
|
|
|
|
|
(ldap_kadmind_dn
|
|
|
|
|
%kerberos-dn)
|
|
|
|
|
(ldap_servers
|
|
|
|
|
"ldaps://ldap.metznet.ca")
|
|
|
|
|
(ldap_service_password_file
|
|
|
|
|
"/var/lib/kerberos/service.keyfile")))))
|
|
|
|
|
(realms (list (kdc-realm-configuration
|
|
|
|
|
(name "METZNET.CA")
|
|
|
|
|
(database_module
|
|
|
|
|
"openldap_ldapconf")
|
|
|
|
|
(default_principal_flags
|
|
|
|
|
"+preauth")
|
|
|
|
|
(acl_file (plain-file
|
|
|
|
|
"kadm5.acl"
|
|
|
|
|
"*/admin@METZNET.CA *\n")))))))
|
|
|
|
|
(service certbot-service-type
|
|
|
|
|
(certbot-configuration (email "admin@metznet.ca")
|
|
|
|
|
(certificates (list (certificate-configuration
|
|
|
|
|
(domains '
|
|
|
|
|
("kerberos.metznet.ca"))))))))
|
|
|
|
|
%metznet-server-services)))
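Review bot: `ldap_kdc_dn` and `ldap_kadmind_dn` are both bound to `%kerberos-dn`, so the KDC process, which only needs to read principals, runs with the same LDAP identity that kadmind uses to write them; a compromise of the KDC then yields write access to `cn=kerberos,dc=metznet,dc=ca`. Split them by giving kadmind its own bind DN, e.g. `(ldap_kadmind_dn "uid=kadmind,ou=system,ou=accounts,dc=metznet,dc=ca")`, grant that DN write and the KDC DN read-only on the container in the LDAP ACLs, and stash both passwords into `/var/lib/kerberos/service.keyfile`, which nothing in this config creates or locks down and which must be root-owned and mode 0600 since it holds the bind secrets in recoverable form. `ldaps://` is used, but whether the server certificate is verified depends on the LDAP client configuration (`TLS_CACERT`/`TLS_REQCERT`) that is not visible here, so that should be confirmed rather than assumed. On the sudoers lines carried over into the new side, `%aws ALL=(root) NOPASSWD:/run/setuid-programs/passwd` lets any `aws` member run `sudo passwd` with no argument, which changes root's password without a password prompt; if the intent is self-service resets, constrain the argument in the usual sudoers form `/run/setuid-programs/passwd [A-Za-z]*, !/run/setuid-programs/passwd root`.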
|
|
|
|
|
|
|
|
|
|