Add RAC outpost

Author: Victor Nawothnig

components/gopkgs.nix

@@ -41,6 +41,7 @@ buildGo124Module {
     "cmd/server"
     "cmd/proxy"
     "cmd/radius"
+    "cmd/rac"
   ];
   vendorHash = "sha256-wTTEDBRYCW1UFaeX49ufLT0c17sacJzcCaW/8cPNYR4=";
   nativeBuildInputs = [ makeWrapper ];

module.nix

@@ -204,6 +204,29 @@ in
       };
     };
 
+    # RAC oupost
+    authentik-rac = {
+      enable = mkEnableOption "authentik RAC outpost";
+
+      environmentFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/run/secrets/authentik-rac/authentik-rac-env";
+        description = ''
+          Environment file as defined in {manpage}`systemd.exec(5)`.
+
+          Secrets may be passed to the service without adding them to the world-readable
+          /nix/store, by specifying the desied secrets as environment variables according
+          to the authentic documentation.
+
+          ```
+            # example content
+            AUTHENTIK_TOKEN=<token from authentik for this outpost>
+          ```
+        '';
+      };
+    };
+
     # RADIUS oupost
     authentik-radius = {
       enable = mkEnableOption "authentik RADIUS outpost";
@@ -497,6 +520,33 @@ in
       }
     ))
 
+    # RAC outpost
+    (mkIf config.services.authentik-rac.enable (
+      let
+        cfg = config.services.authentik-rac;
+      in
+      {
+        systemd.services.authentik-rac = {
+          wantedBy = [ "multi-user.target" ];
+          wants = [ "network-online.target" ];
+          after = [
+            "network-online.target"
+            "authentik.service"
+          ];
+          serviceConfig = {
+            RuntimeDirectory = "authentik-rac";
+            UMask = "0027";
+            WorkingDirectory = "%t/authentik-rac";
+            DynamicUser = true;
+            ExecStart = "${config.services.authentik.authentikComponents.gopkgs}/bin/rac";
+            EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+            Restart = "on-failure";
+            BindReadOnlyPaths = "${lib.getExe pkgs.guacamole-server}:/opt/guacamole/sbin/guacd";
+          };
+        };
+      }
+    ))
+
     # RADIUS outpost
     (mkIf config.services.authentik-radius.enable (
       let