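;;; (glicid services authentication) -- sssd and authentik outpost services.
;;;
;;; Two services are defined here:
;;;   * sssd-service-type: runs sssd in the foreground under the Shepherd.
;;;   * privileged-authentik-outpost-ldap-service-type: runs authentik's LDAP
;;;     outpost as the unprivileged "authentik-outpost" account, through a
;;;     capability-bearing copy of the binary under /run/privileged/bin.
;;;
;;; Security notes for operators:
;;;   * Every value placed in a service gexp (sssd.conf path, the authentik
;;;     API token, listen addresses) is serialised into the system generation
;;;     under /gnu/store, which is world-readable.  Treat AUTHENTIK_TOKEN and
;;;     any secret inside a store-resident sssd.conf as visible to every local
;;;     user of the host.
;;;   * The LDAP, LDAPS and metrics listeners default to loopback; widen them
;;;     deliberately.

(define-module (glicid services authentication)
  #:use-module (guix)
  #:use-module (ice-9 match)
  #:use-module (guix gexp)
  #:use-module (guix records)
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system shadow)
  #:use-module (gnu system privilege)
  #:use-module (glicid system file-systems)
  #:use-module (glicid utils)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages sssd)
  #:use-module (glicid packages authentik)
  ;; NOTE: `sssd-service' is exported but no definition for it appears in this
  ;; module; referencing it from another module will fail until it is defined.
  #:export (sssd-configuration
            sssd-configuration?
            sssd-service
            sssd-service-type
            %authentik-outpost-accounts
            authentik-outpost-ldap-configuration
            authentik-outpost-ldap-configuration?
            authentik-outpost-ldap-service
            privileged-authentik-outpost-ldap
            privileged-authentik-outpost-ldap-service-type))


;;;
;;; sssd
;;;

;; Configuration of the sssd daemon.
;;
;;   sssd-pkg     package providing /sbin/sssd
;;   pid-file     PID file the Shepherd waits for after forking
;;   config-file  path of sssd.conf handed to `sssd -c'.  The default points
;;                into the store; a store path is world-readable, so do not put
;;                bind credentials in it.  sssd also enforces restrictive
;;                ownership/permissions on its config file -- confirm your sssd
;;                version accepts a read-only store path before relying on it.
;;   logger       value for `--logger' (default "stderr", captured in log-file)
;;   debug-level  value for `-d'
;;   log-file     file the Shepherd redirects the daemon's output to
(define-record-type* <sssd-configuration>
  sssd-configuration make-sssd-configuration
  sssd-configuration?
  (sssd-pkg    sssd-pkg    (default sssd))
  (pid-file    pid-file    (default "/var/run/sssd.pid"))
  (config-file config-file (default (file-append sssd "/etc/sssd/sssd.conf")))
  (logger      logger      (default "stderr"))
  (debug-level debug-level (default "3"))
  (log-file    log-file    (default "/var/log/sssd.log")))

;; Map an <sssd-configuration> to the list of Shepherd services running it.
;; sssd runs as root; `-i' keeps it in the foreground so the Shepherd can
;; supervise it directly.
(define sssd-shepherd-service
  (match-lambda
    (($ <sssd-configuration>
        sssd-pkg pid-file config-file logger debug-level log-file)
     (list
      (shepherd-service
       (provision '(sssd))
       (documentation "Run sssd.")
       (requirement '(user-processes))
       (respawn? #t)
       (start #~(make-forkexec-constructor
                 (list #$(file-append sssd-pkg "/sbin/sssd")
                       "-i"                        ; foreground, supervised
                       "-c" #$config-file
                       "--logger" #$logger
                       "-d" #$debug-level)
                 #:pid-file #$pid-file
                 #:log-file #$log-file))
       (stop #~(make-kill-destructor)))))))

;; Create the runtime directories sssd expects.  The credential/cache database
;; and the private socket directory are restricted to root (the user sssd runs
;; as here); the memory cache directory (`mc') is left at its default mode
;; because NSS clients read it.
(define %sssd-activation
  #~(begin
      (mkdir-p "/etc/sssd/conf.d")
      (mkdir-p "/var/log/sssd")
      (mkdir-p "/var/lib/sss/db")
      (mkdir-p "/var/lib/sss/mc")
      (mkdir-p "/var/lib/sss/pipes/private")
      ;; Cached credentials and private sockets: root only.
      (chmod "/var/lib/sss/db" #o700)
      (chmod "/var/lib/sss/pipes/private" #o700)
      #t))

;; Service type wiring the Shepherd service and the activation snippet.
(define sssd-service-type
  (service-type
   (name 'sssd)
   (extensions
    (list (service-extension shepherd-root-service-type sssd-shepherd-service)
          (service-extension activation-service-type (const %sssd-activation))))
   (description "Run sssd")))


;;;
;;; authentik outposts
;;;

;; Single source of truth for the outpost's system account so the account
;; definition, HOME and the Shepherd #:user/#:group cannot drift apart.
(define %authentik-outpost-user "authentik-outpost")
(define %authentik-outpost-home "/var/lib/authentik-outpost")

;; Unprivileged account the LDAP outpost runs as.
(define %authentik-outpost-accounts
  (list (user-group
         (name %authentik-outpost-user)
         (system? #t))
        (user-account
         (name %authentik-outpost-user)
         (group %authentik-outpost-user)
         (system? #t)
         (home-directory %authentik-outpost-home)
         (shell (file-append bash "/bin/bash")))))

;; Configuration of the authentik LDAP outpost.  Each field is exported to the
;; process as the environment variable of the same (upper-cased) name.
;;
;;   authentik_host            URL of the authentik core the outpost talks to
;;   authentik_token           outpost API token (ends up in /gnu/store -- see
;;                             the module header)
;;   authentik_insecure        "False"/"True"; "True" would turn off TLS
;;                             verification towards authentik_host -- keep the
;;                             default unless you understand the consequence
;;   authentik_listen_ldap     LDAP listen address, loopback by default
;;   authentik_listen_ldaps    LDAPS listen address, loopback by default
;;   authentik_listen_metrics  metrics listen address, loopback by default
;;   proxy                     http(s)_proxy for outbound calls; "" disables
;;   noproxy                   no_proxy list; "" disables
(define-record-type* <authentik-outpost-ldap-configuration>
  authentik-outpost-ldap-configuration make-authentik-outpost-ldap-configuration
  authentik-outpost-ldap-configuration?
  (authentik_host           authentik_host           (default ""))
  (authentik_token          authentik_token          (default ""))
  (authentik_insecure       authentik_insecure       (default "False"))
  (authentik_listen_ldap    authentik_listen_ldap    (default "127.0.0.1:3389"))
  (authentik_listen_ldaps   authentik_listen_ldaps   (default "127.0.0.1:6636"))
  (authentik_listen_metrics authentik_listen_metrics (default "127.0.0.1:9300"))
  (proxy                    proxy                    (default ""))
  (noproxy                  noproxy                  (default "")))

;; #t when VALUE is a non-empty string.  The proxy fields default to "", which
;; is a true value in Scheme, so a plain `(if proxy ...)' would always export
;; an empty http_proxy.
(define (non-empty-string? value)
  (and (string? value) (not (string-null? value))))

;; Map an <authentik-outpost-ldap-configuration> to its Shepherd service.
;; All configuration values are spliced in with #$ at build time; the
;; environment is assembled host-side so the Shepherd only sees literal
;; strings.
(define authentik-outpost-ldap-service
  (match-lambda
    (($ <authentik-outpost-ldap-configuration>
        authentik_host authentik_token authentik_insecure
        authentik_listen_ldap authentik_listen_ldaps authentik_listen_metrics
        proxy noproxy)
     (let* ((proxy-env
             (if (non-empty-string? proxy)
                 (list (string-append "http_proxy=" proxy)
                       (string-append "https_proxy=" proxy))
                 '()))
            (noproxy-env
             (if (non-empty-string? noproxy)
                 (list (string-append "no_proxy=" noproxy))
                 '()))
            (environment
             (append
              (list (string-append
                     "PATH=/run/current-system/profile/bin"
                     ":/run/current-system/profile/sbin"
                     ":/run/current-system/profile/libexec"
                     ":/run/privileged/bin")
                    (string-append "HOME=" %authentik-outpost-home))
              proxy-env
              noproxy-env
              (list (string-append "AUTHENTIK_HOST=" authentik_host)
                    (string-append "AUTHENTIK_TOKEN=" authentik_token)
                    (string-append "AUTHENTIK_INSECURE=" authentik_insecure)
                    ;; The "=" matters: without it the variable is not set and
                    ;; the outpost falls back to its built-in listen addresses
                    ;; instead of the loopback defaults above.
                    (string-append "AUTHENTIK_LISTEN__LDAP=" authentik_listen_ldap)
                    (string-append "AUTHENTIK_LISTEN__LDAPS=" authentik_listen_ldaps)
                    (string-append "AUTHENTIK_LISTEN__METRICS="
                                   authentik_listen_metrics)))))
       (list
        (shepherd-service
         (provision '(authentik-outpost-ldap))
         (documentation "Run authentik-outpost-ldap.")
         (requirement '(user-processes))
         (respawn? #t)
         (respawn-delay 10)
         (start #~(make-forkexec-constructor
                   ;; Capability-bearing copy installed by
                   ;; privileged-authentik-outpost-ldap below.
                   (list "/run/privileged/bin/ldap")
                   #:log-file "/var/log/authentik-outpost-ldap.log"
                   #:environment-variables '#$environment
                   ;; Must match %authentik-outpost-accounts, otherwise the
                   ;; Shepherd cannot drop privileges and the service fails.
                   #:user #$%authentik-outpost-user
                   #:group #$%authentik-outpost-user))
         (stop #~(make-kill-destructor))))))))

;; Build the privileged-program entry for an outpost binary.
;;
;; Only cap_net_bind_service is granted: it is all a listener needs to bind a
;; port below 1024 (and none of the default listen addresses even require
;; that).  cap_net_admin -- interface, routing and firewall control -- is not
;; something an LDAP/HTTP/RADIUS front-end needs and would be a large
;; privilege gain for anyone who compromises the process.  Note that the copy
;; under /run/privileged/bin carries the capability for any local user who
;; executes it.
(define (authentik-outpost-privileged-program package binary)
  (privileged-program
   (program (file-append package binary))
   (capabilities "cap_net_bind_service=+ep")))

(define privileged-authentik-outpost-ldap
  (list (authentik-outpost-privileged-program authentik-outpost-ldap
                                              "/sbin/ldap")))

;; Relax the outpost's home directory to owner+group access.  The directory
;; itself is created and owned by the account service; guard the chmod so a
;; missing directory (activation order) does not abort the whole activation.
(define %authentik-outpost-activation
  #~(begin
      (when (file-exists? #$%authentik-outpost-home)
        (chmod #$%authentik-outpost-home #o0770))
      #t))

;; Service type for the LDAP outpost: Shepherd service, capability-bearing
;; binary, home-directory permissions and the dedicated system account.
(define privileged-authentik-outpost-ldap-service-type
  (service-type
   (name 'authentik-outpost-ldap)
   (default-value (authentik-outpost-ldap-configuration))
   (extensions
    (list (service-extension shepherd-root-service-type
                             authentik-outpost-ldap-service)
          (service-extension privileged-program-service-type
                             (const privileged-authentik-outpost-ldap))
          (service-extension activation-service-type
                             (const %authentik-outpost-activation))
          (service-extension account-service-type
                             (const %authentik-outpost-accounts))))
   (description "Run authentik's ldap outpost")))

;; Privileged-program entries for the other outposts.  No service type uses
;; them yet and they are not exported; they are kept here so all outposts get
;; the same (minimal) capability set.
(define privileged-authentik-outpost-proxy
  (list (authentik-outpost-privileged-program authentik-outpost-proxy
                                              "/sbin/proxy")))

(define privileged-authentik-outpost-rac
  (list (authentik-outpost-privileged-program authentik-outpost-rac
                                              "/sbin/rac")))

(define privileged-authentik-outpost-radius
  (list (authentik-outpost-privileged-program authentik-outpost-radius
                                              "/sbin/radius")))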