diff --git a/glicid/services/authentication.scm b/glicid/services/authentication.scm
index 6b719dc..e4890ba 100644
--- a/glicid/services/authentication.scm
+++ b/glicid/services/authentication.scm
@@ -5,6 +5,7 @@
 #:use-module (guix records)
 #:use-module (ice-9 match)
 #:use-module (gnu packages sssd)
+ #:use-module (glicid packages authentik)
 #:use-module (glicid system file-systems)
 #:use-module (glicid utils)
 #:export (
@@ -12,6 +13,12 @@
 sssd-configuration?
 sssd-service
 sssd-service-type
+ %authentik-outpost-accounts
+ authentik-outpost-ldap-configuration
+ authentik-outpost-ldap-configuration?
+ authentik-outpost-ldap-service
+ privileged-authentik-outpost-ldap
+ privileged-authentik-outpost-ldap-service-type
 ))
 (define-record-type* 
@@ -62,3 +69,108 @@
 (service-extension shepherd-root-service-type sssd-shepherd-service)
 (service-extension activation-service-type (const %sssd-activation))))
 (description "Run sssd")))
+
+(define %authentik-outpost-accounts
+ (list
+ (user-group (name "authentik-outpost") (system? #t))
+ (user-account
+ (name "authentik-outpost")
+ (group "authentik-outpost")
+ (system? #t)
+ (home-directory "/var/lib/authentik-outpost")
+ (shell (file-append bash "/bin/bash")))))
+
+(define-record-type*
+
+ authentik-outpost-ldap-configuration make-authentik-outpost-ldap-configuration
+ authentik-outpost-ldap-configuration?
+ (authentik_host authentik_host (default ""))
+ (authentik_token authentik_token (default ""))
+ (authentik_insecure authentik_insecure (default "False"))
+ (authentik_listen_ldap authentik_listen_ldap (default "127.0.0.1:3389"))
+ (authentik_listen_ldaps authentik_listen_ldaps (default "127.0.0.1:6636"))
+ (authentik_listen_metrics authentik_listen_metrics (default "127.0.0.1:9300"))
+ (proxy proxy (default ""))
+ (noproxy noproxy (default "")))
+
+(define authentik-outpost-ldap-service
+ (match-lambda
+ (($
+ authentik_host
+ authentik_token
+ authentik_insecure
+ authentik_listen_ldap
+ authentik_listen_ldaps
+ authentik_listen_metrics
+ proxy
+ noproxy)
+ (list (shepherd-service
+ (provision '(authentik-outpost-ldap))
+ (documentation "Run authentik-outpost-ldap.")
+ (requirement '(user-processes))
+ (respawn? 
#t)
+ (respawn-delay 10)
+ (start
+ #~(make-forkexec-constructor
+ (list "/run/privileged/bin/ldap")
+ #:log-file "/var/log/authentik-outpost-ldap.log"
+ #:environment-variables (list
+ "PATH=/run/current-system/profile/bin:/run/current-system/profile/sbin:/run/current-system/profile/libexec:/run/privileged/bin"
+ "HOME=/var/lib/authentik-outpost-ldap"
+ #$@(if proxy
+ (list
+ (string-append "http_proxy=" proxy)
+ (string-append "https_proxy=" proxy))
+ '())
+ #$@(if noproxy
+ (list (string-append "no_proxy=" noproxy))
+ '())
+ (string-append "AUTHENTIK_HOST=" authentik_host)
+ (string-append "AUTHENTIK_TOKEN=" authentik_token)
+ (string-append "AUTHENTIK_INSECURE=" authentik_insecure)
+ (string-append "AUTHENTIK_LISTEN__LDAP" authentik_listen_ldap)
+ (string-append "AUTHENTIK_LISTEN__LDAPS" authentik_listen_ldaps)
+ (string-append "AUTHENTIK_LISTEN__METRICS" authentik_listen_metrics))
+ #:user "authentik-outpost-ldap"
+ #:group "authentik-outpost-ldap"))
+ (stop #~(make-kill-destructor)))))))
+
+(define privileged-authentik-outpost-ldap
+ (list
+ (privileged-program
+ (program (file-append authentik-outpost-ldap "/sbin/ldap"))
+ (capabilities "cap_net_admin,cap_net_bind_service=+ep"))))
+
+(define %authentik-outpost-activation
+ #~(begin
+ (chmod "/var/lib/authentik-outpost" #o0770)
+ #t ))
+
+(define privileged-authentik-outpost-ldap-service-type
+ (service-type
+ (name 'authentik-outpost-ldap)
+ (default-value (authentik-outpost-ldap-configuration))
+ (extensions (list
+ (service-extension shepherd-root-service-type authentik-outpost-ldap-service)
+ (service-extension privileged-program-service-type (const privileged-authentik-outpost-ldap))
+ (service-extension activation-service-type (const %authentik-outpost-activation))
+ (service-extension account-service-type (const %authentik-outpost-accounts))))
+ (description "Run authentik's ldap outpost")))
+
+(define privileged-authentik-outpost-proxy
+ (list
+ (privileged-program
+ (program (file-append 
authentik-outpost-proxy "/sbin/proxy"))
+ (capabilities "cap_net_admin,cap_net_bind_service=+ep"))))
+
+(define privileged-authentik-outpost-rac
+ (list
+ (privileged-program
+ (program (file-append authentik-outpost-rac "/sbin/rac"))
+ (capabilities "cap_net_admin,cap_net_bind_service=+ep"))))
+
+(define privileged-authentik-outpost-radius
+ (list
+ (privileged-program
+ (program (file-append authentik-outpost-radius "/sbin/radius"))
+ (capabilities "cap_net_admin,cap_net_bind_service=+ep"))))
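Review bot: The three `AUTHENTIK_LISTEN__*` entries in the `#:environment-variables` list of `authentik-outpost-ldap-service` are missing the `=` separator, so the process receives a malformed variable such as `AUTHENTIK_LISTEN__LDAP127.0.0.1:3389` and the configured bind addresses (including the loopback-only defaults) are silently ignored; they should read `(string-append "AUTHENTIK_LISTEN__LDAP=" authentik_listen_ldap)`, `(string-append "AUTHENTIK_LISTEN__LDAPS=" authentik_listen_ldaps)` and `(string-append "AUTHENTIK_LISTEN__METRICS=" authentik_listen_metrics)`. The constructor's `#:user`/`#:group` and the `HOME=` variable name `authentik-outpost-ldap` with home `/var/lib/authentik-outpost-ldap`, while `%authentik-outpost-accounts` only creates `authentik-outpost` with home `/var/lib/authentik-outpost` (the directory that `%authentik-outpost-activation` chmods), so the service presumably cannot drop to the intended account at start; the names should be made consistent. Because `authentik_token` is spliced into the start gexp with `string-append`, the token ends up verbatim in the shepherd service file in the store, which is world-readable; consider having the program read it from a root-only file at start time instead and noting that on the `authentik_token` field. `cap_net_admin` in the four `capabilities` strings is not required merely to bind privileged ports (and the defaults are all above 1024), so `cap_net_bind_service=+ep` alone would be the least-privilege choice.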