GLiCID/guix-glicid
7
0
Fork 0
mirror of https://gitlab.univ-nantes.fr/glicid-public/guix-glicid.git synced 2025-07-12 05:40:01 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
guix-glicid/glicid/services/authentication.scm

176 lines
7.5 KiB
Scheme
Raw Blame History

(define-module (glicid services authentication)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (guix)
#:use-module (guix records)
#:use-module (ice-9 match)
#:use-module (gnu packages sssd)
#:use-module (glicid packages authentik)
#:use-module (glicid system file-systems)
#:use-module (glicid utils)
#:export (
sssd-configuration
sssd-configuration?
sssd-service
sssd-service-type
%authentik-outpost-accounts
authentik-outpost-ldap-configuration
authentik-outpost-ldap-configuration?
authentik-outpost-ldap-service
privileged-authentik-outpost-ldap
privileged-authentik-outpost-ldap-service-type
))
(define-record-type*
<sssd-configuration>
sssd-configuration make-sssd-configuration
sssd-configuration?
(sssd-pkg sssd-pkg (default sssd))
(pid-file pid-file (default "/var/run/sssd.pid"))
(config-file config-file (default (file-append sssd "/etc/sssd/sssd.conf")))
(logger logger (default "stderr"))
(debug-level debug-level (default "3"))
(log-file log-file (default "/var/log/sssd.log")))
(define sssd-shepherd-service
(match-lambda
(($ <sssd-configuration> sssd-pkg pid-file config-file logger debug-level log-file)
(list
(shepherd-service
(provision '(sssd))
(documentation "Run sssd.")
(requirement '(user-processes))
(respawn? #t)
(start #~(make-forkexec-constructor
(list
#$(file-append sssd-pkg "/sbin/sssd")
"-i"
"-c" #$config-file
"--logger" #$logger
"-d" #$debug-level
)
#:pid-file #$pid-file
#:log-file #$log-file ))
(stop #~(make-kill-destructor)))))))
(define %sssd-activation
#~(begin
(mkdir-p "/etc/sssd/conf.d")
(mkdir-p "/var/log/sssd")
(mkdir-p "/var/lib/sss/db")
(mkdir-p "/var/lib/sss/mc")
(mkdir-p "/var/lib/sss/pipes/private")
#t ))
(define sssd-service-type
(service-type
(name 'sssd)
(extensions (list
(service-extension shepherd-root-service-type sssd-shepherd-service)
(service-extension activation-service-type (const %sssd-activation))))
(description "Run sssd")))
(define %authentik-outpost-accounts
(list
(user-group (name "authentik-outpost") (system? #t))
(user-account
(name "authentik-outpost")
(group "authentik-outpost")
(system? #t)
(home-directory "/var/lib/authentik-outpost")
(shell (file-append bash "/bin/bash")))))
(define-record-type*
<authentik-outpost-ldap-configuration>
authentik-outpost-ldap-configuration make-authentik-outpost-ldap-configuration
authentik-outpost-ldap-configuration?
(authentik_host authentik_host (default ""))
(authentik_token authentik_token (default ""))
(authentik_insecure authentik_insecure (default "False"))
(authentik_listen_ldap authentik_listen_ldap (default "127.0.0.1:3389"))
(authentik_listen_ldaps authentik_listen_ldaps (default "127.0.0.1:6636"))
(authentik_listen_metrics authentik_listen_metrics (default "127.0.0.1:9300"))
(proxy proxy (default ""))
(noproxy noproxy (default "")))
(define authentik-outpost-ldap-service
(match-lambda
(($ <authentik-outpost-ldap-configuration>
authentik_host
authentik_token
authentik_insecure
authentik_listen_ldap
authentik_listen_ldaps
authentik_listen_metrics
proxy
noproxy)
(list (shepherd-service
(provision '(authentik-outpost-ldap))
(documentation "Run authentik-outpost-ldap.")
(requirement '(user-processes))
(respawn? #t)
(respawn-delay 10)
(start
#~(make-forkexec-constructor
(list "/run/privileged/bin/ldap")
#:log-file "/var/log/authentik-outpost-ldap.log"
#:environment-variables (list
"PATH=/run/current-system/profile/bin:/run/current-system/profile/sbin:/run/current-system/profile/libexec:/run/privileged/bin"
"HOME=/var/lib/authentik-outpost-ldap"
#$@(if proxy
(list
(string-append "http_proxy=" proxy)
(string-append "https_proxy=" proxy))
'())
#$@(if noproxy
(list (string-append "no_proxy=" noproxy))
'())
(string-append "AUTHENTIK_HOST=" authentik_host)
(string-append "AUTHENTIK_TOKEN=" authentik_token)
(string-append "AUTHENTIK_INSECURE=" authentik_insecure)
(string-append "AUTHENTIK_LISTEN__LDAP" authentik_listen_ldap)
(string-append "AUTHENTIK_LISTEN__LDAPS" authentik_listen_ldaps)
(string-append "AUTHENTIK_LISTEN__METRICS" authentik_listen_metrics))
#:user "authentik-outpost-ldap"
#:group "authentik-outpost-ldap"))
(stop #~(make-kill-destructor)))))))
(define privileged-authentik-outpost-ldap
(list
(privileged-program
(program (file-append authentik-outpost-ldap "/sbin/ldap"))
(capabilities "cap_net_admin,cap_net_bind_service=+ep"))))
(define %authentik-outpost-activation
#~(begin
(chmod "/var/lib/authentik-outpost" #o0770)
#t ))
(define privileged-authentik-outpost-ldap-service-type
(service-type
(name 'authentik-outpost-ldap)
(default-value (authentik-outpost-ldap-configuration))
(extensions (list
(service-extension shepherd-root-service-type authentik-outpost-ldap-service)
(service-extension privileged-program-service-type (const privileged-authentik-outpost-ldap))
(service-extension activation-service-type (const %authentik-outpost-activation))
(service-extension account-service-type (const %authentik-outpost-accounts))))
(description "Run authentik's ldap outpost")))
(define privileged-authentik-outpost-proxy
(list
(privileged-program
(program (file-append authentik-outpost-proxy "/sbin/proxy"))
(capabilities "cap_net_admin,cap_net_bind_service=+ep"))))
(define privileged-authentik-outpost-rac
(list
(privileged-program
(program (file-append authentik-outpost-rac "/sbin/rac"))
(capabilities "cap_net_admin,cap_net_bind_service=+ep"))))
(define privileged-authentik-outpost-radius
(list
(privileged-program
(program (file-append authentik-outpost-radius "/sbin/radius"))
(capabilities "cap_net_admin,cap_net_bind_service=+ep"))))
Reference in a new issue View git blame Copy permalink