diff --git a/services/sssd.scm b/services/sssd.scm
new file mode 100644
index 0000000..d1b6fe7
--- /dev/null
+++ b/services/sssd.scm
@@ -0,0 +1,105 @@
+(define-module (services sssd)
+ #:use-module (gnu)
+ #:use-module (gnu packages sssd)
+ #:use-module (gnu services dbus)
+ #:use-module (gnu services shepherd)
+ #:use-module (guix modules)
+ #:use-module (guix packages)
+ #:use-module (guix records)
+ #:use-module (srfi srfi-1)
+ #:export (pam-sss-service-type sssd-service-type sssd-configuration))
+
+;;;
+;;; System Security Services Daemon.
+;;;
+
+(define-record-type*
+ sssd-configuration make-sssd-configuration
+ sssd-configuration?
+ (package sssd-configuration-package (default sssd))
+ (config-file sssd-configuration-config-file (default "/etc/sssd/sssd.conf")))
+
+(define (sssd-shepherd-service config)
+ "Return a for SSSD with CONFIG."
+ (let ((sssd (sssd-configuration-package config)))
+ (list
+ (shepherd-service
+ (requirement '(dbus-system))
+ (provision '(sssd))
+ (documentation "Start sssd")
+ (start #~(make-forkexec-constructor
+ (list (string-append #$sssd "/sbin/sssd")
+ "-c" #$(sssd-configuration-config-file config)
+ "--logger=files")
+ #:pid-file "/var/run/sssd.pid"
+ #:log-file "/var/log/sssd/daemon.log"))
+ (stop #~(make-kill-destructor))))))
+
+(define sssd-activation
+ ;; Create data directories for sssd.
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/log/sssd")
+ (for-each (lambda (dir) (mkdir-p (string-append "/var/lib/sss/" dir)))
+ '("db" "gpo_cache" "mc" "pipes/private" "pubconf"))))
+
+(define sssd-service-type
+ (service-type
+ (name 'sssd)
+ (extensions
+ (list (service-extension activation-service-type
+ (const sssd-activation))
+ (service-extension dbus-root-service-type
+ (compose list sssd-configuration-package))
+ (service-extension nscd-service-type
+ (compose list sssd-configuration-package))
+ (service-extension profile-service-type
+ (compose list sssd-configuration-package))
+ (service-extension shepherd-root-service-type
+ sssd-shepherd-service)))
+ (default-value (sssd-configuration))
+ (description "Run @command{sssd}.")))
+
+(define-record-type*
+ pam-sss-configuration make-pam-sss-configuration
+ pam-sss-configuration?
+ (sssd pam-sss-configuration-sssd (default sssd)))
+
+
+;;;
+;;; SSSD PAM service.
+;;;
+
+(define (pam-sss-pam-service config)
+ (let ((module #~(string-append #$(pam-sss-configuration-sssd config)
+ "/lib/security/pam_sss.so")))
+ (list
+ (lambda (pam)
+ (pam-service
+ (inherit pam)
+ (auth (cons* (pam-entry
+ (control "sufficient")
+ (module module))
+ ;(arguments (list "use_first_pass")))
+ (pam-service-auth pam)))
+ (account (cons* (pam-entry
+ (control "[default=bad success=ok user_unknown=ignore]")
+ (module module))
+ (pam-service-account pam)))
+ (password (cons* (pam-entry
+ (control "sufficient")
+ (module module))
+ ;(arguments (list "use_authtok")))
+ (pam-service-password pam)))
+ (session (cons* (pam-entry
+ (control "optional")
+ (module module))
+ (pam-service-session pam))))))))
+
+(define pam-sss-service-type
+ (service-type
+ (name 'pam-sss)
+ (extensions
+ (list (service-extension pam-root-service-type pam-sss-pam-service)))
+ (default-value (pam-sss-configuration))
+ (description "Activate PAM SSSD support.")))
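Review bot: The sssd-activation snippet creates `/var/lib/sss/db` and `/var/lib/sss/pipes/private` with whatever mode `mkdir-p` derives from the umask, whereas sssd's own install step makes both root-only (0700, as far as I recall) — `db` holds the cache and any cached credentials, and `pipes/private` is the privileged responder socket directory. I would tighten them right after the `for-each`: `(chmod "/var/lib/sss/db" #o700)` and `(chmod "/var/lib/sss/pipes/private" #o700)` (`pipes` itself must stay traversable for NSS/PAM clients). The `config-file` field names a path outside the store that the service neither creates nor checks, and in my experience sssd refuses to start on a config whose ownership or mode it dislikes (it expects a root-owned 0600 file), so a field comment such as `;; Not managed by this service; the file must exist with the ownership/mode sssd requires.` would save the first failed boot. The two commented-out `(arguments ...)` lines in pam-sss-pam-service should either be dropped or carry a one-line reason: since pam_sss is prepended to each stack, `use_first_pass`/`use_authtok` would have no earlier module to take a token from anyway.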