authorDavid Thompson <dthompson2@worcester.edu>2023-11-19 14:46:52 -0500
committerDavid Thompson <dthompson2@worcester.edu>2023-12-28 11:02:56 -0500
commit7722da6fa5422c4fec69d6c8b9536c7d6fc3d326 (patch)
tree24cc9829fe3ee10a4bc2493aeb8891e3c63817d2
parent9c0a06c98cef9e7445c9134e49add25f9beb48e5 (diff)
services: laminar: Add configuration option for supplementary groups.
* gnu/services/ci.scm (<laminar-configuration>)[supplementary-groups]: New field. (laminar-shepherd-service): Exec laminard with supplementary groups. (laminar-account): Add supplementary groups to laminar user. * doc/guix.texi (Laminar): Document new configuration field. Change-Id: Iebfdbb58ea8c6dfa22bb8f64f6463e3ad133d2f9
-rw-r--r--doc/guix.texi3
-rw-r--r--gnu/services/ci.scm42
2 files changed, 27 insertions, 18 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index a9a9272c35..bc04bb8150 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34163,6 +34163,9 @@ The Laminar package to use.
@item @code{home-directory} (default: @code{"/var/lib/laminar"})
The directory for job configurations and run directories.
+@item @code{supplementary-groups} (default: @code{()})
+Supplementary groups for the Laminar user account.
+
@item @code{bind-http} (default: @code{"*:8080"})
The interface/port or unix socket on which laminard should listen for
incoming connections to the web frontend.
diff --git a/gnu/services/ci.scm b/gnu/services/ci.scm
index 172f85fe8e..01cc7c7d86 100644
--- a/gnu/services/ci.scm
+++ b/gnu/services/ci.scm
@@ -31,6 +31,7 @@
#:export (laminar-configuration
laminar-configuration?
laminar-configuration-home-directory
+ laminar-configuration-supplementary-groups
laminar-configuration-bind-http
laminar-configuration-bind-rpc
laminar-configuration-title
@@ -50,26 +51,28 @@
(define-record-type* <laminar-configuration>
laminar-configuration make-laminar-configuration
laminar-configuration?
- (laminar laminars-configuration-laminar
- (default laminar))
- (home-directory laminar-configuration-home-directory
- (default "/var/lib/laminar"))
- (bind-http laminar-configuration-bind-http
- (default "*:8080"))
- (bind-rpc laminar-configuration-bind-rpc
- (default "unix-abstract:laminar"))
- (title laminar-configuration-title
- (default "Laminar"))
- (keep-rundirs laminar-keep-rundirs
- (default 0))
- (archive-url laminar-archive-url
- (default #f))
- (base-url laminar-base-url
- (default #f)))
+ (laminar laminars-configuration-laminar
+ (default laminar))
+ (home-directory laminar-configuration-home-directory
+ (default "/var/lib/laminar"))
+ (supplementary-groups laminar-configuration-supplementary-groups
+ (default '()))
+ (bind-http laminar-configuration-bind-http
+ (default "*:8080"))
+ (bind-rpc laminar-configuration-bind-rpc
+ (default "unix-abstract:laminar"))
+ (title laminar-configuration-title
+ (default "Laminar"))
+ (keep-rundirs laminar-keep-rundirs
+ (default 0))
+ (archive-url laminar-archive-url
+ (default #f))
+ (base-url laminar-base-url
+ (default #f)))
(define laminar-shepherd-service
(match-lambda
- (($ <laminar-configuration> laminar home-directory
+ (($ <laminar-configuration> laminar home-directory supplementary-groups
bind-http bind-rpc
title keep-rundirs archive-url
base-url)
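Review bot: The `($ <laminar-configuration> laminar home-directory supplementary-groups …)` pattern binds fields by position, so adding the new field in the middle of the record only works because the pattern was edited at the same position. Any other positional matcher on this record, if one exists outside the hunk, would silently bind shifted values. Matching by field name, for example with `match-record` from (guix records), would remove that coupling. Separately, the re-indented accessor `laminars-configuration-laminar` still carries what looks like a stray `s` (probably meant `laminar-configuration-laminar`). The body of `laminar-shepherd-service` continues outside the hunk.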
@@ -102,7 +105,8 @@
#$base-url))
'()))
#:user "laminar"
- #:group "laminar"))
+ #:group "laminar"
+ #:supplementary-groups '#$supplementary-groups))
(stop #~(make-kill-destructor)))))))
(define (laminar-account config)
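Review bot: The new `#:supplementary-groups '#$supplementary-groups` argument gives the laminard process these groups, and presumably every job script it spawns inherits them, so a group that grants device, container or socket access extends that access to all CI jobs. Neither this call site nor the `laminar-account` hunk that follows (whose account comment still reads "Laminar privilege separation user") says so, and the doc/guix.texi entry only states that the groups belong to the user account. I would add a comment above the argument such as `;; Jobs started by laminard inherit these groups; keep the list minimal.` and a matching sentence in the manual entry. The field is also passed through unchecked, so a non-list or non-string value would presumably only surface when the service starts. The enclosing `laminar-shepherd-service` form starts outside the hunk.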
@@ -113,6 +117,8 @@
(user-account
(name "laminar")
(group "laminar")
+ (supplementary-groups
+ (laminar-configuration-supplementary-groups config))
(system? #t)
(comment "Laminar privilege separation user")
(home-directory (laminar-configuration-home-directory config))