monguix/services/sssd.scm


(define-module (services sssd)
#:use-module (gnu)
#:use-module (gnu packages sssd)
#:use-module (gnu services dbus)
#:use-module (gnu services shepherd)
#:use-module (guix modules)
#:use-module (guix packages)
#:use-module (guix records)
#:use-module (srfi srfi-1)
#:export (pam-sss-service-type sssd-service-type sssd-configuration))
;;;
;;; System Security Services Daemon.
;;;
;; Configuration of the SSSD service.
;;   package        the sssd package; sbin/sssd from it is started.
;;   configuration  contents of the sssd config file as a string.  When it
;;                  is empty (the default) the activation code leaves the
;;                  config file alone and assumes it is managed externally.
;;   config-file    path of the configuration file handed to sssd --config.
(define-record-type* <sssd-configuration>
  sssd-configuration make-sssd-configuration
  sssd-configuration?
  (package sssd-configuration-package (default sssd))             ; sssd package
  (configuration sssd-configuration-configuration (default ""))   ; sssd.conf text
  (config-file sssd-configuration-config-file (default "/etc/sssd/sssd.conf")))
(define (sssd-shepherd-service config)
  "Return a one-element list holding the <shepherd-service> that runs the
SSSD daemon described by CONFIG.  The service is started after the system
D-Bus service."
  (define sssd-package (sssd-configuration-package config))
  (define conf-path (sssd-configuration-config-file config))
  ;; Command line of the daemon: the binary from the configured package,
  ;; the configured config file and file-based logging.
  (define sssd-command
    #~(list (string-append #$sssd-package "/sbin/sssd")
            "--config" #$conf-path
            "--logger=files"))
  (list (shepherd-service
         (provision '(sssd))
         (requirement '(dbus-system))
         (documentation "Start sssd")
         ;; The PID file and log file are handed to the constructor; the
         ;; daemon is stopped by signalling the recorded process.
         (start #~(make-forkexec-constructor
                   #$sssd-command
                   #:pid-file "/var/run/sssd.pid"
                   #:log-file "/var/log/sssd/daemon.log"))
         (stop #~(make-kill-destructor)))))
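(define (sssd-activation config)
  "Return a gexp that creates the run-time directories SSSD needs and, when
CONFIG carries a non-empty configuration string, writes that string to the
configured config file with mode #o600.  An empty configuration means the
file is managed outside of this service and is left untouched."
  (let ((configuration (sssd-configuration-configuration config))
        (config-file (sssd-configuration-config-file config)))
    #~(begin
        (use-modules (guix build utils))
        ;; Create data directories for sssd.
        (mkdir-p "/var/log/sssd")
        (for-each (lambda (dir) (mkdir-p (string-append "/var/lib/sss/" dir)))
                  '("db" "gpo_cache" "mc" "pipes/private" "pubconf"))
        ;; Create config file if a configuration is given; otherwise we assume
        ;; the file is managed externally.
        ;; NOTE: the configuration text is spliced into this activation
        ;; script, which is itself a store item; whatever is put in it is
        ;; readable by every local user regardless of the mode set below.
        (unless (string-null? #$configuration)
          (mkdir-p (dirname #$config-file))
          ;; Create the file with mode #o600 from the start instead of relying
          ;; on the umask and a later chmod, so that a freshly created file is
          ;; never readable by other users, not even briefly.
          (let ((port (open #$config-file
                            (logior O_WRONLY O_CREAT O_TRUNC)
                            #o600)))
            (display #$configuration port)
            (close-port port)))
        ;; Must be a regular file readable only by root.  Only touch it when it
        ;; exists: with an externally managed file that is missing, chmod
        ;; would raise and abort the whole activation.
        (when (file-exists? #$config-file)
          (chmod #$config-file #o600)))))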
;; Service type running SSSD.  The configured sssd package is handed to the
;; D-Bus, nscd and profile services; activation prepares the directories and
;; config file, and Shepherd runs the daemon.
(define sssd-service-type
  (let ((package-list (lambda (config)
                        (list (sssd-configuration-package config)))))
    (service-type
     (name 'sssd)
     (extensions
      (list (service-extension activation-service-type
                               sssd-activation)
            (service-extension dbus-root-service-type package-list)
            (service-extension nscd-service-type package-list)
            (service-extension profile-service-type package-list)
            (service-extension shepherd-root-service-type
                               sssd-shepherd-service)))
     (default-value (sssd-configuration))
     (description "Run @command{sssd}."))))
;; Configuration of the PAM SSSD service.
;;   sssd  the sssd package whose lib/security/pam_sss.so is used.
(define-record-type* <pam-sss-configuration>
  pam-sss-configuration make-pam-sss-configuration
  pam-sss-configuration?
  (sssd pam-sss-configuration-sssd (default sssd)))   ; sssd package
;;;
;;; SSSD PAM service.
;;;
(define (pam-sss-pam-service config)
  "Return a list with one PAM extension that prepends pam_sss.so, taken from
the sssd package in CONFIG, to the auth, account, password and session stacks
of each PAM service the extension is applied to."
  (let ((module-path #~(string-append #$(pam-sss-configuration-sssd config)
                                      "/lib/security/pam_sss.so")))
    ;; Build a pam_sss entry with control string CTL and no arguments
    ;; (use_first_pass / use_authtok are deliberately not passed).
    (define (sss-entry ctl)
      (pam-entry (control ctl) (module module-path)))
    (list
     (pam-extension
      (transformer
       (lambda (base)
         (pam-service
          (inherit base)
          (auth (cons (sss-entry "sufficient")
                      (pam-service-auth base)))
          (account (cons (sss-entry "[default=bad success=ok user_unknown=ignore]")
                         (pam-service-account base)))
          (password (cons (sss-entry "sufficient")
                          (pam-service-password base)))
          (session (cons (sss-entry "optional")
                         (pam-service-session base))))))))))
;; Service type that wires pam_sss.so into the PAM stacks via
;; pam-root-service-type.
(define pam-sss-service-type
  (let ((pam-hook (service-extension pam-root-service-type
                                     pam-sss-pam-service)))
    (service-type
     (name 'pam-sss)
     (extensions (list pam-hook))
     (default-value (pam-sss-configuration))
     (description "Activate PAM SSSD support."))))