Add RAC outpost

Co-authored-by: Maximilian Bosch <[email protected]>

Author: Victor Nawothnig

components/gopkgs.nix

@@ -5,6 +5,7 @@
   buildGo124Module,
   lib,
   makeWrapper,
+  guacamole-server,
 }:
 
 buildGo124Module {
@@ -14,6 +15,9 @@ buildGo124Module {
     sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' web/static.go
     sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' internal/web/static.go
     sed -i"" -e 's,./lifecycle/gunicorn.conf.py,${authentikComponents.staticWorkdirDeps}/lifecycle/gunicorn.conf.py,' internal/gounicorn/gounicorn.go
+    substituteInPlace internal/outpost/rac/guacd.go \
+      --replace-fail '/opt/guacamole/sbin/guacd' \
+                     "${lib.getExe guacamole-server}"
   '';
   src = lib.cleanSourceWith {
     src = authentik-src;
@@ -41,12 +45,14 @@ buildGo124Module {
     "ldap"
     "proxy"
     "radius"
+    "rac"
   ];
   subPackages = [
     "cmd/ldap"
     "cmd/server"
     "cmd/proxy"
     "cmd/radius"
+    "cmd/rac"
   ];
   vendorHash = "sha256-wTTEDBRYCW1UFaeX49ufLT0c17sacJzcCaW/8cPNYR4=";
   nativeBuildInputs = [ makeWrapper ];
@@ -55,9 +61,10 @@ buildGo124Module {
     wrapProgram $out/bin/server --prefix PATH : ${authentikComponents.pythonEnv}/bin
     wrapProgram $out/bin/server --prefix PYTHONPATH : ${authentikComponents.staticWorkdirDeps}
 
-    mkdir -p $ldap/bin $proxy/bin $radius/bin
+    mkdir -p $ldap/bin $proxy/bin $radius/bin $rac/bin
     mv $out/bin/ldap $ldap/bin/
     mv $out/bin/proxy $proxy/bin/
     mv $out/bin/radius $radius/bin/
+    mv $out/bin/rac $rac/bin/
   '';
 }

module.nix

@@ -204,6 +204,29 @@ in
       };
     };
 
+    # RAC oupost
+    authentik-rac = {
+      enable = mkEnableOption "authentik RAC outpost";
+
+      environmentFile = mkOption {
+        type = types.nullOr pathToSecret;
+        default = null;
+        example = "/run/secrets/authentik-rac/authentik-rac-env";
+        description = ''
+          Environment file as defined in {manpage}`systemd.exec(5)`.
+
+          Secrets may be passed to the service without adding them to the world-readable
+          /nix/store, by specifying the desied secrets as environment variables according
+          to the authentic documentation.
+
+          ```
+          # example content
+          AUTHENTIK_TOKEN=<token from authentik for this outpost>
+          ```
+        '';
+      };
+    };
+
     # RADIUS oupost
     authentik-radius = {
       enable = mkEnableOption "authentik RADIUS outpost";
@@ -497,6 +520,32 @@ in
       }
     ))
 
+    # RAC outpost
+    (mkIf config.services.authentik-rac.enable (
+      let
+        cfg = config.services.authentik-rac;
+      in
+      {
+        systemd.services.authentik-rac = {
+          wantedBy = [ "multi-user.target" ];
+          wants = [ "network-online.target" ];
+          after = [
+            "network-online.target"
+            "authentik.service"
+          ];
+          serviceConfig = {
+            RuntimeDirectory = "authentik-rac";
+            UMask = "0027";
+            WorkingDirectory = "%t/authentik-rac";
+            DynamicUser = true;
+            ExecStart = "${config.services.authentik.authentikComponents.gopkgs.rac}/bin/rac";
+            EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+            Restart = "on-failure";
+          };
+        };
+      }
+    ))
+
     # RADIUS outpost
     (mkIf config.services.authentik-radius.enable (
       let