Merge pull request #48 from dminuoso/add-rac-outpost

Add RAC outpost

Author: Ma27

components/gopkgs.nix

@@ -5,15 +5,24 @@
   buildGo124Module,
   lib,
   makeWrapper,
+  guacamole-server,
+  stdenv,
 }:
 
+let
+  guacamoleAvailable = lib.meta.availableOn stdenv.hostPlatform guacamole-server;
+in
 buildGo124Module {
   pname = "authentik-gopkgs";
   version = authentik-version;
   prePatch = ''
     sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' web/static.go
     sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' internal/web/static.go
     sed -i"" -e 's,./lifecycle/gunicorn.conf.py,${authentikComponents.staticWorkdirDeps}/lifecycle/gunicorn.conf.py,' internal/gounicorn/gounicorn.go
+  '' + lib.optionalString guacamoleAvailable ''
+    substituteInPlace internal/outpost/rac/guacd.go \
+      --replace-fail '/opt/guacamole/sbin/guacd' \
+                     "${lib.getExe guacamole-server}"
   '';
   src = lib.cleanSourceWith {
     src = authentik-src;
@@ -41,12 +50,16 @@ buildGo124Module {
     "ldap"
     "proxy"
     "radius"
+  ] ++ lib.optionals guacamoleAvailable [
+    "rac"
   ];
   subPackages = [
     "cmd/ldap"
     "cmd/server"
     "cmd/proxy"
     "cmd/radius"
+  ] ++ lib.optionals guacamoleAvailable [
+    "cmd/rac"
   ];
   vendorHash = "sha256-wTTEDBRYCW1UFaeX49ufLT0c17sacJzcCaW/8cPNYR4=";
   nativeBuildInputs = [ makeWrapper ];
@@ -59,5 +72,8 @@ buildGo124Module {
     mv $out/bin/ldap $ldap/bin/
     mv $out/bin/proxy $proxy/bin/
     mv $out/bin/radius $radius/bin/
+  '' + lib.optionalString guacamoleAvailable ''
+    mkdir -p $rac/bin
+    mv $out/bin/rac $rac/bin/
   '';
 }

module.nix

@@ -204,6 +204,29 @@ in
       };
     };
 
+    # RAC oupost
+    authentik-rac = {
+      enable = mkEnableOption "authentik RAC outpost";
+
+      environmentFile = mkOption {
+        type = types.nullOr pathToSecret;
+        default = null;
+        example = "/run/secrets/authentik-rac/authentik-rac-env";
+        description = ''
+          Environment file as defined in {manpage}`systemd.exec(5)`.
+
+          Secrets may be passed to the service without adding them to the world-readable
+          /nix/store, by specifying the desied secrets as environment variables according
+          to the authentic documentation.
+
+          ```
+          # example content
+          AUTHENTIK_TOKEN=<token from authentik for this outpost>
+          ```
+        '';
+      };
+    };
+
     # RADIUS oupost
     authentik-radius = {
       enable = mkEnableOption "authentik RADIUS outpost";
@@ -497,6 +520,40 @@ in
       }
     ))
 
+    # RAC outpost
+    (mkIf config.services.authentik-rac.enable (
+      let
+        cfg = config.services.authentik-rac;
+      in
+      {
+        assertions = [
+          {
+            assertion = config.services.authentik.authentikComponents.gopkgs?rac;
+            message = ''
+              guacamole-server is not available on the host's platform!
+            '';
+          }
+        ];
+        systemd.services.authentik-rac = {
+          wantedBy = [ "multi-user.target" ];
+          wants = [ "network-online.target" ];
+          after = [
+            "network-online.target"
+            "authentik.service"
+          ];
+          serviceConfig = {
+            RuntimeDirectory = "authentik-rac";
+            UMask = "0027";
+            WorkingDirectory = "%t/authentik-rac";
+            DynamicUser = true;
+            ExecStart = "${config.services.authentik.authentikComponents.gopkgs.rac}/bin/rac";
+            EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+            Restart = "on-failure";
+          };
+        };
+      }
+    ))
+
     # RADIUS outpost
     (mkIf config.services.authentik-radius.enable (
       let