path: root/guix/vkraus/services/webid-oidc.scm
;;; Guix system service for the WebID-OIDC (Solid) identity provider.
;;;
;;; Provides a <webid-oidc-issuer-configuration> record, the Shepherd
;;; service that runs `webid-oidc-issuer', a dedicated system account and
;;; the `webid-oidc-issuer-service-type' that ties them together.
;;;
;;; NOTE(review): (ice-9 optargs) does not appear to be used anywhere in
;;; this file — confirm before removing.
(define-module (vkraus services webid-oidc)
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system shadow)
  #:use-module (gnu packages admin)          ; `shadow', for /sbin/nologin
  #:use-module (vkraus packages webid-oidc)  ; the `webid-oidc' package
  #:use-module (guix gexp)
  #:use-module (guix modules)                ; `source-module-closure'
  #:use-module (guix records)                ; `define-record-type*'
  #:use-module (ice-9 match)
  #:use-module (ice-9 optargs))

;; Configuration of the WebID-OIDC issuer daemon.
;;
;; Field order matters: `webid-oidc-issuer-shepherd-service' destructures
;; this record positionally with `match', so any new field must be appended
;; at the end and the match pattern updated in step.
(define-record-type* <webid-oidc-issuer-configuration>
  webid-oidc-issuer-configuration
  make-webid-oidc-issuer-configuration
  webid-oidc-issuer-configuration?
  ;; Package providing bin/webid-oidc-issuer.
  (webid-oidc webid-oidc-issuer-configuration-webid-oidc
              (default webid-oidc))
  ;; Passed through as --issuer.  No default: callers must set it.
  (issuer webid-oidc-issuer-configuration-issuer)
  ;; JWK signing key (--key-file).  The default lives under
  ;; /var/lib/webid-oidc, which the Shepherd start action creates as 0700
  ;; owned by the service user, so the key is not world-readable.
  (key-file webid-oidc-issuer-configuration-key-file
            (default "/var/lib/webid-oidc/issuer/key.jwk"))
  ;; Passed through as --subject.
  (subject webid-oidc-issuer-configuration-subject)
  ;; Passed through as --password.
  ;; NOTE(review): this secret ends up on the daemon's command line (visible
  ;; to every local user via /proc/<pid>/cmdline) and inside the
  ;; world-readable store item holding the Shepherd start gexp.  Treat it
  ;; as low-confidentiality until the daemon can take it from a file.
  (password webid-oidc-issuer-configuration-password)
  ;; OIDC discovery URIs, passed through as --jwks-uri,
  ;; --authorization-endpoint-uri and --token-endpoint-uri.
  (jwks-uri webid-oidc-issuer-configuration-jwks-uri)
  (authorization-endpoint-uri
   webid-oidc-issuer-configuration-authorization-endpoint-uri)
  (token-endpoint-uri
   webid-oidc-issuer-configuration-token-endpoint-uri)
  ;; TCP port (--port).  Rendered with `display', so a number or a string
  ;; both work.
  (port webid-oidc-issuer-configuration-port (default 8088))
  ;; Extra command-line arguments spliced verbatim after the options above.
  (extra-options
   webid-oidc-issuer-configuration-extra-options
   (default '())))

;; Public interface of the configuration record.  The service type itself
;; is exported separately with `define-public' further down.
(export <webid-oidc-issuer-configuration>
        webid-oidc-issuer-configuration
        make-webid-oidc-issuer-configuration
        webid-oidc-issuer-configuration?
        webid-oidc-issuer-configuration-webid-oidc
        webid-oidc-issuer-configuration-issuer
        webid-oidc-issuer-configuration-key-file
        webid-oidc-issuer-configuration-subject
        webid-oidc-issuer-configuration-password
        webid-oidc-issuer-configuration-jwks-uri
        webid-oidc-issuer-configuration-authorization-endpoint-uri
        webid-oidc-issuer-configuration-token-endpoint-uri
        webid-oidc-issuer-configuration-port
        webid-oidc-issuer-configuration-extra-options)

;; Build the Shepherd service that runs the issuer daemon for CONFIG, a
;; <webid-oidc-issuer-configuration>.  Returns a one-element list so it can
;; be used directly as a shepherd-root-service-type extension.
(define (webid-oidc-issuer-shepherd-service config)
  (let* ((issuer-package
          (webid-oidc-issuer-configuration-webid-oidc config))
         (issuer (webid-oidc-issuer-configuration-issuer config))
         (key-file (webid-oidc-issuer-configuration-key-file config))
         (subject (webid-oidc-issuer-configuration-subject config))
         (password (webid-oidc-issuer-configuration-password config))
         (jwks-uri (webid-oidc-issuer-configuration-jwks-uri config))
         (authorization-endpoint-uri
          (webid-oidc-issuer-configuration-authorization-endpoint-uri config))
         (token-endpoint-uri
          (webid-oidc-issuer-configuration-token-endpoint-uri config))
         (port (webid-oidc-issuer-configuration-port config))
         (extra-options
          (webid-oidc-issuer-configuration-extra-options config))
         ;; Unprivileged account the daemon runs as; see
         ;; %webid-oidc-issuer-accounts.
         (account "webid-oidc-issuer")
         ;; Build-side modules made available to the start gexp.
         (service-modules '((gnu build shepherd)
                            (gnu system file-systems))))
    (with-imported-modules (source-module-closure service-modules)
      (list
       (shepherd-service
        (provision '(webid-oidc-issuer))
        (documentation "Run the Solid identity provider.")
        (requirement '(user-processes))
        ;; NOTE(review): this replaces Shepherd's default module list;
        ;; confirm that mkdir-p and make-forkexec-constructor are still in
        ;; scope, or append %default-modules here.
        (modules service-modules)
        (start
         #~(begin
             ;; State, cache and log directories are owned solely by the
             ;; service user and closed to everyone else (0700): they hold
             ;; the signing key and the daemon's logs.
             (let* ((pw (getpwnam #$account))
                    (uid (passwd:uid pw))
                    (gid (passwd:gid pw)))
               (for-each (lambda (directory)
                           (mkdir-p directory)
                           (chown directory uid gid)
                           (chmod directory #o700))
                         '("/var/log/webid-oidc"
                           "/var/lib/webid-oidc"
                           "/var/cache/webid-oidc")))
             ;; NOTE(review): every option, including --password, is passed
             ;; on the command line, so it is readable by any local user via
             ;; /proc/<pid>/cmdline and is baked into this world-readable
             ;; store item.  If the daemon can read the secret from a file or
             ;; the environment, prefer that — TODO confirm against upstream.
             (make-forkexec-constructor
              (list (string-append #$issuer-package "/bin/webid-oidc-issuer")
                    "--issuer" #$issuer
                    "--key-file" #$key-file
                    "--subject" #$subject
                    "--password" #$password
                    "--jwks-uri" #$jwks-uri
                    "--authorization-endpoint-uri" #$authorization-endpoint-uri
                    "--token-endpoint-uri" #$token-endpoint-uri
                    ;; PORT may be a number; render it with `display' semantics.
                    "--port" (format #f "~a" #$port)
                    ;; Relative to #:directory below.
                    "--log-file" "issuer.log"
                    "--error-file" "issuer.err"
                    #$@extra-options)
              #:user #$account
              #:group #$account
              #:directory "/var/log/webid-oidc"
              ;; Presumably points the daemon's XDG lookups at the
              ;; /var/{lib,cache}/webid-oidc directories prepared above.
              #:environment-variables
              '("XDG_DATA_HOME=/var/lib"
                "XDG_CACHE_HOME=/var/cache"
                "LANG=C"))))
        (stop #~(make-kill-destructor)))))))

;; System group and user the issuer daemon runs as.  The account gets no
;; login shell and /var/empty as its home, so it serves only to run the
;; service with its own identity.
(define %webid-oidc-issuer-accounts
  (let ((account-name "webid-oidc-issuer"))
    (list (user-group
           (name account-name)
           (system? #t))
          (user-account
           (name account-name)
           (group account-name)
           (system? #t)
           (comment "The user that runs the webid-oidc issuer.")
           (home-directory "/var/empty")
           (shell (file-append shadow "/sbin/nologin"))))))

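;; Service type for the WebID-OIDC issuer.  Instantiating it with a
;; <webid-oidc-issuer-configuration> adds the dedicated system account and
;; the Shepherd service that runs the daemon.
;;
;; The `description' field is filled in because recent Guix treats it as
;; mandatory for `service-type' (and `guix system search' shows it).
(define-public webid-oidc-issuer-service-type
  (service-type
   (name 'webid-oidc-issuer)
   (extensions
    (list
     (service-extension account-service-type
                        (const %webid-oidc-issuer-accounts))
     (service-extension shepherd-root-service-type
                        webid-oidc-issuer-shepherd-service)))
   (description
    "Run the WebID-OIDC (Solid) identity provider as a system service.")))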