Diffstat (limited to 'src/org/euandre/packages.scm')
-rw-r--r--src/org/euandre/packages.scm35
1 files changed, 33 insertions, 2 deletions
diff --git a/src/org/euandre/packages.scm b/src/org/euandre/packages.scm
index f166387..d0117bd 100644
--- a/src/org/euandre/packages.scm
+++ b/src/org/euandre/packages.scm
@@ -482,8 +482,11 @@
syskeep-configuration
make-syskeep-configuration
syskeep-configuration?
- (package syskeep-configuration-package (default syskeep))
- (log-file syskeep-configuration-log-file (default "/var/log/cronjobs/cronjobs.log")))
+ (package syskeep-configuration-package (default syskeep))
+ (secrets-user syskeep-configuration-secrets-user (default "secrets-keeper"))
+ (secrets-group syskeep-configuration-secrets-group (default "secrets-keeper"))
+ (become-secrets-group syskeep-configuration-become-secrets-group (default "become-secrets-keeper"))
+ (log-file syskeep-configuration-log-file (default "/var/log/cronjobs/cronjobs.log")))
(define (syskeep-profile config)
(match-record config <syskeep-configuration>
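Review bot: The defaults `"secrets-keeper"` and `"become-secrets-keeper"` on the three new fields are also the literal names used by the sudoers rule added later in this commit (the `syskeep-sudoers-file` hunk), so overriding any of them through the record produces accounts that the sudo rule does not mention, with no error at build time. Unless the sudoers file is derived from the record, the fields should carry a comment making the coupling explicit, e.g. `;; NOTE: syskeep-sudoers-file hard-codes these default names; override them only together with a matching sudoers rule.` The record definition these fields belong to starts above the hunk.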
@@ -544,11 +547,37 @@
"init.scm"
"gitconfig"))))
+(define (syskeep-accounts config)
+ (match-record config <syskeep-configuration>
+ (secrets-user secrets-group become-secrets-group)
+ (list
+ (user-account
+ (name secrets-user)
+ (group secrets-group)
+ (system? #t)
+ (comment "System account used to manage production secrets")
+ (home-directory "/var/empty")
+ (create-home-directory? #f)
+ (shell
+ (file-append shadow "/sbin/nologin")))
+ (user-group
+ (name secrets-group)
+ (system? #t))
+ (user-group
+ (name become-secrets-group)
+ (system? #t)))))
+
(define (syskeep-activation config)
(match-record config <syskeep-configuration>
(log-file)
(activation-gexp "syskeep" "root" log-file #f #f)))
+(define-public syskeep-sudoers-file
+ (plain-file "sudoers-syskeep" "\
+root
+%become-secrets-keeper ALL=(secrets-keeper) NOPASSWD: /run/current-system/profile/bin/rsync, /run/current-system/profile/bin/setfacl, /run/current-system/profile/bin/rm
+"))
+
(define-public syskeep-service-type
(service-type
(name 'syskeep)
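Review bot: The line `root` standing alone at the top of the sudoers-syskeep content does not look like a complete sudoers rule (a rule takes the form `user host=(runas) commands`); if it is not a deliberately truncated line it should become a full rule or be dropped, because sudo typically refuses the entire file on a parse error, and the generated file is worth checking with `visudo -cf` before it is installed. The rule also hard-codes `become-secrets-keeper` and `secrets-keeper` while the configuration fields added earlier in this commit make those names overridable; turning the value into a procedure over the record, as sketched below, keeps them in sync (callers that currently reference the value would then pass the config). A short comment above the definition should also state that members of the become group get NOPASSWD rsync, setfacl and rm with unrestricted arguments as the secrets user, since that is the effective privilege being granted.
```scheme
(define (syskeep-sudoers-file config)
  (match-record config <syskeep-configuration>
    (secrets-user become-secrets-group)
    (plain-file "sudoers-syskeep"
                (string-append
                 "%" become-secrets-group " ALL=(" secrets-user ") NOPASSWD: "
                 "/run/current-system/profile/bin/rsync, "
                 "/run/current-system/profile/bin/setfacl, "
                 "/run/current-system/profile/bin/rm\n"))))
```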
@@ -560,6 +589,8 @@
syskeep-cronjobs)
(service-extension etc-service-type
syskeep-etc-files)
+ (service-extension account-service-type
+ syskeep-accounts)
(service-extension activation-service-type
syskeep-activation)
(service-extension profile-service-type