Add RAC outpost

Author: Victor Nawothnig

components/gopkgs.nix

@@ -5,6 +5,7 @@
   buildGo124Module,
   lib,
   makeWrapper,
+  guacamole-server,
 }:
 
 buildGo124Module {
@@ -14,6 +15,9 @@ buildGo124Module {
     sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' web/static.go
     sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' internal/web/static.go
     sed -i"" -e 's,./lifecycle/gunicorn.conf.py,${authentikComponents.staticWorkdirDeps}/lifecycle/gunicorn.conf.py,' internal/gounicorn/gounicorn.go
+    substituteInPlace internal/outpost/rac/guacd.go \
+      --replace-fail '/opt/guacamole/sbin/guacd' \
+                     "${lib.getExe guacamole-server}/"
   '';
   src = lib.cleanSourceWith {
     src = authentik-src;
@@ -41,6 +45,7 @@ buildGo124Module {
     "cmd/server"
     "cmd/proxy"
     "cmd/radius"
+    "cmd/rac"
   ];
   vendorHash = "sha256-wTTEDBRYCW1UFaeX49ufLT0c17sacJzcCaW/8cPNYR4=";
   nativeBuildInputs = [ makeWrapper ];

module.nix

@@ -204,6 +204,29 @@ in
       };
     };
 
+    # RAC oupost
+    authentik-rac = {
+      enable = mkEnableOption "authentik RAC outpost";
+
+      environmentFile = mkOption {
+        type = types.nullOr pathToSecret;
+        default = null;
+        example = "/run/secrets/authentik-rac/authentik-rac-env";
+        description = ''
+          Environment file as defined in {manpage}`systemd.exec(5)`.
+
+          Secrets may be passed to the service without adding them to the world-readable
+          /nix/store, by specifying the desied secrets as environment variables according
+          to the authentic documentation.
+
+          ```
+            # example content
+            AUTHENTIK_TOKEN=<token from authentik for this outpost>
+          ```
+        '';
+      };
+    };
+
     # RADIUS oupost
     authentik-radius = {
       enable = mkEnableOption "authentik RADIUS outpost";
@@ -497,6 +520,32 @@ in
       }
     ))
 
+    # RAC outpost
+    (mkIf config.services.authentik-rac.enable (
+      let
+        cfg = config.services.authentik-rac;
+      in
+      {
+        systemd.services.authentik-rac = {
+          wantedBy = [ "multi-user.target" ];
+          wants = [ "network-online.target" ];
+          after = [
+            "network-online.target"
+            "authentik.service"
+          ];
+          serviceConfig = {
+            RuntimeDirectory = "authentik-rac";
+            UMask = "0027";
+            WorkingDirectory = "%t/authentik-rac";
+            DynamicUser = true;
+            ExecStart = "${config.services.authentik.authentikComponents.gopkgs}/bin/rac";
+            EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+            Restart = "on-failure";
+          };
+        };
+      }
+    ))
+
     # RADIUS outpost
     (mkIf config.services.authentik-radius.enable (
       let