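(define-module (services sssd)
  #:use-module (gnu)
  #:use-module (gnu packages sssd)
  #:use-module (gnu services dbus)
  #:use-module (gnu services shepherd)
  #:use-module (guix modules)
  #:use-module (guix packages)
  #:use-module (guix records)
  #:use-module (srfi srfi-1)
  #:export (pam-sss-service-type
            sssd-service-type
            sssd-configuration))

;;;
;;; System Security Services Daemon.
;;;

;; Configuration of the SSSD daemon.
;;
;;   package        the sssd package to run
;;   configuration  literal contents of sssd.conf; the empty string (the
;;                  default) means the file is managed outside of Guix
;;   config-file    path the daemon is started with and, when CONFIGURATION
;;                  is non-empty, the path that gets written
(define-record-type* <sssd-configuration>
  sssd-configuration make-sssd-configuration
  sssd-configuration?
  (package     sssd-configuration-package
               (default sssd))
  (configuration sssd-configuration-configuration
                 (default ""))
  (config-file sssd-configuration-config-file
               (default "/etc/sssd/sssd.conf")))

(define (sssd-shepherd-service config)
  "Return a <shepherd-service> for SSSD with CONFIG."
  (let ((sssd (sssd-configuration-package config))
        (config-file (sssd-configuration-config-file config)))
    (list (shepherd-service
           ;; sssd talks to the system bus (e.g. for InfoPipe), so do not
           ;; start it before D-Bus is up.
           (requirement '(dbus-system))
           (provision '(sssd))
           (documentation "Start sssd")
           (start #~(make-forkexec-constructor
                     (list (string-append #$sssd "/sbin/sssd")
                           "--config" #$config-file
                           "--logger=files")
                     #:pid-file "/var/run/sssd.pid"
                     #:log-file "/var/log/sssd/daemon.log"))
           (stop #~(make-kill-destructor))))))

(define (sssd-activation config)
  "Return a gexp that creates the directories SSSD needs and, when CONFIG
carries an inline configuration, writes it to the configured config file
with a root-only mode."
  (let ((configuration (sssd-configuration-configuration config))
        (config-file (sssd-configuration-config-file config)))
    #~(begin
        (use-modules (guix build utils))

        ;; Create data directories for sssd.
        (mkdir-p "/var/log/sssd")
        (for-each (lambda (dir)
                    (mkdir-p (string-append "/var/lib/sss/" dir)))
                  '("db" "gpo_cache" "mc" "pipes/private" "pubconf"))

        ;; Create config file if a configuration is given; otherwise we assume
        ;; the file is managed externally.
        (unless (string-null? #$configuration)
          (mkdir-p (dirname #$config-file))
          ;; The configuration may carry credentials (for instance a bind
          ;; password), so restrict the mode on the open port *before* any
          ;; content is written instead of after the file is complete.
          (call-with-output-file #$config-file
            (lambda (port)
              (chmod port #o600)
              (display #$configuration port))))

        ;; Must be a regular file readable only by root.  Skip this when the
        ;; file is managed externally and does not exist yet: 'chmod' on a
        ;; missing path raises and would abort the whole activation.
        (when (file-exists? #$config-file)
          (chmod #$config-file #o600)))))

(define sssd-service-type
  (service-type
   (name 'sssd)
   (extensions
    (list (service-extension activation-service-type
                             sssd-activation)
          (service-extension dbus-root-service-type
                             (compose list sssd-configuration-package))
          (service-extension nscd-service-type
                             (compose list sssd-configuration-package))
          (service-extension profile-service-type
                             (compose list sssd-configuration-package))
          (service-extension shepherd-root-service-type
                             sssd-shepherd-service)))
   (default-value (sssd-configuration))
   (description "Run @command{sssd}.")))

;; Configuration of the PAM module; SSSD is the package providing pam_sss.so.
(define-record-type* <pam-sss-configuration>
  pam-sss-configuration make-pam-sss-configuration
  pam-sss-configuration?
  (sssd pam-sss-configuration-sssd
        (default sssd)))

;;;
;;; SSSD PAM service.
;;;

(define (pam-sss-pam-service config)
  "Return a PAM service for SSSD authentication."
  (list
   (pam-extension
    (transformer
     (lambda (pam)
       (define pam-sss-module
         #~(string-append #$(pam-sss-configuration-sssd config)
                          "/lib/security/pam_sss.so"))
       (pam-service
        (inherit pam)
        ;; pam_sss is prepended to every stack so that it is consulted before
        ;; the existing entries.
        (auth (cons* (pam-entry
                      (control "sufficient")
                      (module pam-sss-module))
                      ;(arguments (list "use_first_pass")))
                     (pam-service-auth pam)))
        ;; 'user_unknown=ignore' lets accounts that are not known to SSSD
        ;; fall through to the local account checks.
        (account (cons* (pam-entry
                         (control "[default=bad success=ok user_unknown=ignore]")
                         (module pam-sss-module))
                        (pam-service-account pam)))
        (password (cons* (pam-entry
                          (control "sufficient")
                          (module pam-sss-module))
                          ;(arguments (list "use_authtok")))
                         (pam-service-password pam)))
        (session (cons* (pam-entry
                         (control "optional")
                         (module pam-sss-module))
                        (pam-service-session pam)))))))))

(define pam-sss-service-type
  (service-type
   (name 'pam-sss)
   (extensions
    (list (service-extension pam-root-service-type
                             pam-sss-pam-service)))
   (default-value (pam-sss-configuration))
   (description "Activate PAM SSSD support.")))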