services/sssd: create config file with correct permissions in /etc

The sssd.conf must be readable only by root for sssd to start.
2022-10-01 12:28:26 +02:00 · 2022-10-01 12:28:26 +02:00 · 4834bb2d59
commit 4834bb2d59
parent 9f38f95e38
1 changed files with 22 additions and 10 deletions
--- a/services/sssd.scm
+++ b/services/sssd.scm
@ -17,11 +17,13 @@
  sssd-configuration make-sssd-configuration
  sssd-configuration?
  (package sssd-configuration-package (default sssd))
+  (configuration sssd-configuration-configuration (default ""))
  (config-file sssd-configuration-config-file (default "/etc/sssd/sssd.conf")))

 (define (sssd-shepherd-service config)
  "Return a <shepherd-service> for SSSD with CONFIG."
-  (let ((sssd (sssd-configuration-package config)))
+  (let ((sssd (sssd-configuration-package config))
+        (config-file (sssd-configuration-config-file config)))
    (list
     (shepherd-service
      (requirement '(dbus-system))
@ -29,26 +31,36 @@
      (documentation "Start sssd")
      (start #~(make-forkexec-constructor
                (list (string-append #$sssd "/sbin/sssd")
-                      "-c" #$(sssd-configuration-config-file config)
+                      "--config" #$config-file
                      "--logger=files")
                #:pid-file "/var/run/sssd.pid"
                #:log-file "/var/log/sssd/daemon.log"))
      (stop #~(make-kill-destructor))))))

-(define sssd-activation
-  ;; Create data directories for sssd.
-  #~(begin
-      (use-modules (guix build utils))
-      (mkdir-p "/var/log/sssd")
-      (for-each (lambda (dir) (mkdir-p (string-append "/var/lib/sss/" dir)))
-                '("db" "gpo_cache" "mc" "pipes/private" "pubconf"))))
+(define (sssd-activation config)
+  (let ((configuration (sssd-configuration-configuration config))
+        (config-file (sssd-configuration-config-file config)))
+    #~(begin
+        (use-modules (guix build utils))
+        ;; Create data directories for sssd.
+        (mkdir-p "/var/log/sssd")
+        (for-each (lambda (dir) (mkdir-p (string-append "/var/lib/sss/" dir)))
+                  '("db" "gpo_cache" "mc" "pipes/private" "pubconf"))
+        ;; Create config file if a configuration is given; otherwise we assume
+        ;; the file is managed externally.
+        (unless (string-null? #$configuration)
+          (mkdir-p (dirname #$config-file))
+          (with-output-to-file #$config-file
+            (lambda _ (display #$configuration))))
+        ;; Must be a regular file readable only by root.
+        (chmod #$config-file #o600))))

 (define sssd-service-type
  (service-type
   (name 'sssd)
   (extensions
    (list (service-extension activation-service-type
-                             (const sssd-activation))
+                             sssd-activation)
          (service-extension dbus-root-service-type
                             (compose list sssd-configuration-package))
          (service-extension nscd-service-type