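(define-module (services sssd)
  #:use-module (gnu)
  #:use-module (gnu packages sssd)
  #:use-module (gnu services dbus)
  #:use-module (gnu services shepherd)
  #:use-module (guix modules)
  #:use-module (guix packages)
  #:use-module (guix records)
  #:use-module (srfi srfi-1)
  #:export (pam-sss-service-type
            pam-sss-configuration
            sssd-service-type
            sssd-configuration))

;;;
;;; System Security Services Daemon.
;;;

;; Configuration of the sssd daemon.
;;
;; CONFIG-FILE is handed verbatim to `sssd -c'; this service does not
;; generate it, so the operator has to provide it.  It usually holds LDAP
;; bind credentials and the domain layout, and sssd checks at startup that it
;; is owned by root and not readable by others (mode 0600) -- a more
;; permissive file makes the daemon refuse to start.
(define-record-type* <sssd-configuration>
  sssd-configuration make-sssd-configuration
  sssd-configuration?
  (package     sssd-configuration-package      ;package providing sbin/sssd
               (default sssd))
  (config-file sssd-configuration-config-file  ;string: path of sssd.conf
               (default "/etc/sssd/sssd.conf")))

(define (sssd-shepherd-service config)
  "Return a list containing the <shepherd-service> that runs sssd as
described by CONFIG.  The service waits for the system D-Bus instance,
presumably because sssd's D-Bus responder registers on it (the package's bus
activation files are installed by the dbus extension below)."
  (let ((sssd        (sssd-configuration-package config))
        (config-file (sssd-configuration-config-file config)))
    (list (shepherd-service
           (documentation "Run the System Security Services Daemon (sssd).")
           (provision '(sssd))
           (requirement '(dbus-system))
           (start #~(make-forkexec-constructor
                     (list (string-append #$sssd "/sbin/sssd")
                           "-c" #$config-file
                           ;; Keep sssd's own logging in files so it lands
                           ;; under /var/log/sssd next to the stdout/stderr
                           ;; capture configured below.
                           "--logger=files")
                     ;; sssd daemonizes and writes its pid to this path.
                     #:pid-file "/var/run/sssd.pid"
                     #:log-file "/var/log/sssd/daemon.log"))
           (stop #~(make-kill-destructor))))))

(define sssd-activation
  ;; Create the log and state directories sssd expects, then tighten the two
  ;; that hold sensitive data.  /var/lib/sss/db is the identity cache (and,
  ;; with cache_credentials enabled, cached password hashes); pipes/private
  ;; carries the sockets between sssd's privileged processes.  Upstream ships
  ;; both as mode 0700, whereas mkdir-p alone leaves them at whatever the
  ;; boot-time umask yields.  The other directories (mc, pubconf, gpo_cache)
  ;; are deliberately left world-readable: the NSS client library and the
  ;; Kerberos locator plugin read them as unprivileged users.
  #~(begin
      (use-modules (guix build utils))
      (define (state-dir name)
        (string-append "/var/lib/sss/" name))
      (mkdir-p "/var/log/sssd")
      (for-each (lambda (name)
                  (mkdir-p (state-dir name)))
                '("db" "gpo_cache" "mc" "pipes/private" "pubconf"))
      (for-each (lambda (name)
                  (chmod (state-dir name) #o700))
                '("db" "pipes/private"))))

;; Service type running sssd.  The extensions, in order: create the state
;; directories at activation, install the package's D-Bus service files, make
;; its NSS modules visible to nscd, put the sssd tools in the system profile,
;; and register the shepherd service.
(define sssd-service-type
  (service-type
   (name 'sssd)
   (extensions
    (list (service-extension activation-service-type
                             (const sssd-activation))
          (service-extension dbus-root-service-type
                             (compose list sssd-configuration-package))
          (service-extension nscd-service-type
                             (compose list sssd-configuration-package))
          (service-extension profile-service-type
                             (compose list sssd-configuration-package))
          (service-extension shepherd-root-service-type
                             sssd-shepherd-service)))
   (default-value (sssd-configuration))
   (description "Run @command{sssd}.")))

;;;
;;; SSSD PAM service.
;;;

;; Which package supplies lib/security/pam_sss.so.
(define-record-type* <pam-sss-configuration>
  pam-sss-configuration make-pam-sss-configuration
  pam-sss-configuration?
  (sssd pam-sss-configuration-sssd (default sssd)))

(define (pam-sss-pam-service config)
  "Return a list with one procedure that extends every PAM service with
pam_sss.so taken from the package in CONFIG.  Each entry is prepended to the
existing stack, so pam_sss runs before the local modules (pam_unix) in all
four management groups."
  (let* ((module #~(string-append #$(pam-sss-configuration-sssd config)
                                  "/lib/security/pam_sss.so"))
         (entry  (lambda (ctl)
                   (pam-entry (control ctl) (module module)))))
    (list
     (lambda (pam)
       (pam-service
        (inherit pam)
        ;; "sufficient": a successful sssd authentication ends the stack;
        ;; a failure falls through to the modules that follow.  No
        ;; `use_first_pass' is passed, so a user unknown to or rejected by
        ;; sssd is prompted a second time by pam_unix.
        (auth (cons (entry "sufficient")
                    (pam-service-auth pam)))
        ;; Accounts sssd does not know about are left to the remaining
        ;; account modules; any other sssd verdict is authoritative.
        (account (cons (entry "[default=bad success=ok user_unknown=ignore]")
                       (pam-service-account pam)))
        ;; Password changes go through sssd first; `use_authtok' is not
        ;; passed, so pam_sss asks for the new password itself.
        (password (cons (entry "sufficient")
                        (pam-service-password pam)))
        ;; "optional": a failing sssd session hook must never lock users
        ;; out of an otherwise successful login.
        (session (cons (entry "optional")
                       (pam-service-session pam))))))))

;; Service type adding pam_sss.so to every PAM service on the system.
(define pam-sss-service-type
  (service-type
   (name 'pam-sss)
   (extensions
    (list (service-extension pam-root-service-type
                             pam-sss-pam-service)))
   (default-value (pam-sss-configuration))
   (description "Activate PAM SSSD support.")))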