From 7722da6fa5422c4fec69d6c8b9536c7d6fc3d326 Mon Sep 17 00:00:00 2001
From: David Thompson
Date: Sun, 19 Nov 2023 14:46:52 -0500
Subject: [PATCH] services: laminar: Add configuration option for supplementary groups.

* gnu/services/ci ()[supplemental-groups]: New field. (laminar-shepherd-service): Exec laminard with supplementary groups. (laminar-account): Add supplementary groups to laminar user.
* doc/guix.texi (Laminar): Document new configuration field.

Change-Id: Iebfdbb58ea8c6dfa22bb8f64f6463e3ad133d2f9
---
 doc/guix.texi | 3 +++
 gnu/services/ci.scm | 42 ++++++++++++++++++++++++------------------
 2 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a9a9272c35..bc04bb8150 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34163,6 +34163,9 @@ The Laminar package to use.
 @item @code{home-directory} (default: @code{"/var/lib/laminar"})
 The directory for job configurations and run directories.

+@item @code{supplementary-groups} (default: @code{()}) Supplementary groups for the Laminar user account.
+
 @item @code{bind-http} (default: @code{"*:8080"})
 The interface/port or unix socket on which laminard should listen for
 incoming connections to the web frontend.
diff --git a/gnu/services/ci.scm b/gnu/services/ci.scm
index 172f85fe8e..01cc7c7d86 100644
--- a/gnu/services/ci.scm
+++ b/gnu/services/ci.scm
@@ -31,6 +31,7 @@ (define-module (gnu services ci)
 #:export (laminar-configuration
 laminar-configuration?
 laminar-configuration-home-directory
+ laminar-configuration-supplementary-groups
 laminar-configuration-bind-http
 laminar-configuration-bind-rpc
 laminar-configuration-title
@@ -50,26 +51,28 @@ (define-module (gnu services ci)
 (define-record-type* laminar-configuration make-laminar-configuration laminar-configuration?
- (laminar laminars-configuration-laminar
- (default laminar))
- (home-directory laminar-configuration-home-directory
- (default "/var/lib/laminar"))
- (bind-http laminar-configuration-bind-http
- (default "*:8080"))
- (bind-rpc laminar-configuration-bind-rpc
- (default "unix-abstract:laminar"))
- (title laminar-configuration-title
- (default "Laminar"))
- (keep-rundirs laminar-keep-rundirs
- (default 0))
- (archive-url laminar-archive-url
- (default #f))
- (base-url laminar-base-url
- (default #f)))
+ (laminar laminars-configuration-laminar
+ (default laminar))
+ (home-directory laminar-configuration-home-directory
+ (default "/var/lib/laminar"))
+ (supplementary-groups laminar-configuration-supplementary-groups
+ (default '()))
+ (bind-http laminar-configuration-bind-http
+ (default "*:8080"))
+ (bind-rpc laminar-configuration-bind-rpc
+ (default "unix-abstract:laminar"))
+ (title laminar-configuration-title
+ (default "Laminar"))
+ (keep-rundirs laminar-keep-rundirs
+ (default 0))
+ (archive-url laminar-archive-url
+ (default #f))
+ (base-url laminar-base-url
+ (default #f)))

 (define laminar-shepherd-service
 (match-lambda
- (($ laminar home-directory
+ (($ laminar home-directory supplementary-groups
 bind-http bind-rpc title
 keep-rundirs archive-url base-url)
@@ -102,7 +105,8 @@ (define laminar-shepherd-service
 #$base-url))
 '()))
 #:user "laminar"
- #:group "laminar"))
+ #:group "laminar"
+ #:supplementary-groups '#$supplementary-groups))
 (stop #~(make-kill-destructor)))))))

 (define (laminar-account config)
@@ -113,6 +117,8 @@ (define (laminar-account config)
 (user-account
 (name "laminar")
 (group "laminar")
+ (supplementary-groups
+ (laminar-configuration-supplementary-groups config))
 (system? #t)
 (comment "Laminar privilege separation user")
 (home-directory (laminar-configuration-home-directory config))
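Review bot: The new `supplementary-groups` field in the `laminar-configuration` record carries no comment on what granting a group means for this service, and since laminard is the process that runs the job scripts, every group listed here ends up reachable from any job it executes; a reader adding a socket-owning or device-owning group should see that trade-off at the definition. I would put above the field: `;; Extra groups for the "laminar" account.  laminard and every job it runs inherit them, so each group widens what CI jobs can reach.` The field is also taken as-is; if the `sanitize` clause of `define-record-type*` is usable here (I believe it is), a check that the value is a list of strings would surface a malformed value when the configuration is built rather than when the shepherd constructor runs. The `match-lambda` body of `laminar-shepherd-service` continues past the end of the hunk.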
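Review bot: The same group list is applied twice, as `#:supplementary-groups` on the shepherd constructor in the previous hunk and on the `user-account` here, and nothing explains why both are needed. My understanding is that the shepherd's forkexec constructor takes its group list from the keyword rather than consulting the account database at exec time, while the account entry is what makes the groups apply to anything else running as `laminar`; please confirm and record it, e.g. `;; Keep in sync with the #:supplementary-groups passed to the shepherd service, which does not derive them from the account.` Each name listed also has to be declared by a `user-group` somewhere in the system; if activation rejects undeclared groups, as I believe it does, a sentence saying so in the field's documentation would save users a failed reconfigure.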