author | EuAndreh <eu@euandre.org> | 2024-08-24 10:41:52 -0300 |
committer | EuAndreh <eu@euandre.org> | 2024-08-24 10:41:52 -0300 |
commit | b05e3bc565a19b3e4e1b4514b32e170efeaa1799 (patch) | |
tree | b67d921c9a54aff1126287318aa2df879fcd09b2 | |
parent | packages.scm: Replace url-fetch with git-fetch (diff) | |
download | packages-b05e3bc565a19b3e4e1b4514b32e170efeaa1799.tar.gz packages-b05e3bc565a19b3e4e1b4514b32e170efeaa1799.tar.xz |
packages.scm: Add "secrets-keeper" accounts and sudoers configuration
-rw-r--r-- | src/org/euandre/packages.scm | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/src/org/euandre/packages.scm b/src/org/euandre/packages.scm index f166387..d0117bd 100644 --- a/src/org/euandre/packages.scm +++ b/src/org/euandre/packages.scm @@ -482,8 +482,11 @@ syskeep-configuration make-syskeep-configuration syskeep-configuration? - (package syskeep-configuration-package (default syskeep)) - (log-file syskeep-configuration-log-file (default "/var/log/cronjobs/cronjobs.log"))) + (package syskeep-configuration-package (default syskeep)) + (secrets-user syskeep-configuration-secrets-user (default "secrets-keeper")) + (secrets-group syskeep-configuration-secrets-group (default "secrets-keeper")) + (become-secrets-group syskeep-configuration-become-secrets-group (default "become-secrets-keeper")) + (log-file syskeep-configuration-log-file (default "/var/log/cronjobs/cronjobs.log"))) (define (syskeep-profile config) (match-record config <syskeep-configuration> @@ -544,11 +547,37 @@ "init.scm" "gitconfig")))) +(define (syskeep-accounts config) + (match-record config <syskeep-configuration> + (secrets-user secrets-group become-secrets-group) + (list + (user-account + (name secrets-user) + (group secrets-group) + (system? #t) + (comment "System account used to manage production secrets") + (home-directory "/var/empty") + (create-home-directory? #f) + (shell + (file-append shadow "/sbin/nologin"))) + (user-group + (name secrets-group) + (system? #t)) + (user-group + (name become-secrets-group) + (system? #t))))) + (define (syskeep-activation config) (match-record config <syskeep-configuration> (log-file) (activation-gexp "syskeep" "root" log-file #f #f))) +(define-public syskeep-sudoers-file + (plain-file "sudoers-syskeep" "\ +root +%become-secrets-keeper ALL=(secrets-keeper) NOPASSWD: /run/current-system/profile/bin/rsync, /run/current-system/profile/bin/setfacl, /run/current-system/profile/bin/rm +")) + (define-public syskeep-service-type (service-type (name 'syskeep) 
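Review bot: The sudoers rule in `syskeep-sudoers-file` hardcodes the names `become-secrets-keeper` and `secrets-keeper`, while the first hunk makes both configurable through the new `become-secrets-group` and `secrets-user` fields (defaults `"become-secrets-keeper"` / `"secrets-keeper"`), so a deployment that overrides either field gets accounts from `syskeep-accounts` that the sudoers entry never names. Deriving the rule from the record, as sketched below, keeps the two in step; because the binding is exported with `define-public`, its consumers outside this hunk would have to pass the configuration. The entry also allows rsync, setfacl and rm with any arguments, which effectively delegates everything the `secrets-keeper` account can do — if that is the intent, a comment saying so (`;; Full delegation to secrets-keeper; argument restrictions are deliberately not attempted`) is worth adding, otherwise pin the argument forms in the rule. The bare `root` line before the group rule looks incomplete as rendered (a sudoers entry needs a host/runas/command spec), which is worth confirming against the file, since a parse error there makes sudo reject the whole file.
```scheme
(define (syskeep-sudoers-file config)
  (match-record config <syskeep-configuration>
    (secrets-user become-secrets-group)
    (plain-file "sudoers-syskeep"
                (string-append
                 ;; … unchanged: root entry, see note …
                 "%" become-secrets-group
                 " ALL=(" secrets-user ") NOPASSWD: "
                 "/run/current-system/profile/bin/rsync, "
                 "/run/current-system/profile/bin/setfacl, "
                 "/run/current-system/profile/bin/rm\n"))))
```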
@@ -560,6 +589,8 @@
 syskeep-cronjobs)
 (service-extension etc-service-type
 syskeep-etc-files)
+ (service-extension account-service-type
+ syskeep-accounts)
 (service-extension activation-service-type
 syskeep-activation)
 (service-extension profile-service-type |