gentoo · CyberTailor · May 3, 2024 · May 3, 2024 · May 3, 2024
diff --git a/acct-group/kanidm/kanidm-0.ebuild b/acct-group/kanidm/kanidm-0.ebuild
@@ -0,0 +1,8 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-group
+
+ACCT_GROUP_ID=-1
diff --git a/acct-group/kanidm/metadata.xml b/acct-group/kanidm/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>cyber+gentoo@sysrq.in</email>
+		<name>Anna</name>
+	</maintainer>
+</pkgmetadata>
diff --git a/acct-user/kanidm/kanidm-0.ebuild b/acct-user/kanidm/kanidm-0.ebuild
@@ -0,0 +1,11 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-user
+
+ACCT_USER_ID=-1
+ACCT_USER_GROUPS=( kanidm ldap tss )
+
+acct-user_add_deps
diff --git a/acct-user/kanidm/metadata.xml b/acct-user/kanidm/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>cyber+gentoo@sysrq.in</email>
+		<name>Anna</name>
+	</maintainer>
+</pkgmetadata>
diff --git a/net-nds/kanidm/Manifest b/net-nds/kanidm/Manifest
diff --git a/net-nds/kanidm/files/kanidm-ipa-sync.service b/net-nds/kanidm/files/kanidm-ipa-sync.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Kanidm IPA Sync Service
+After=time-sync.target network-online.target
+Wants=time-sync.target network-online.target
+
+[Service]
+Type=exec
+LoadCredential=config:/etc/kanidm/kanidm-ipa-sync
+Environment=KANIDM_IPA_SYNC_CONFIG=%d/config
+ExecStart=/usr/sbin/kanidm-ipa-sync --schedule
+User=kanidm
+
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-nds/kanidm/files/kanidm-unixd-tasks.initd b/net-nds/kanidm/files/kanidm-unixd-tasks.initd
@@ -0,0 +1,14 @@
+#!/sbin/openrc-run
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# shellcheck shell=sh
+
+command="/usr/sbin/kanidm_unixd_tasks"
+command_background=1
+pidfile="/var/run/kanidm/${RC_SVCNAME}.pid"
+
+depend() {
+	need kanidm-unixd net
+	use ntp-client ntpd
+}
diff --git a/net-nds/kanidm/files/kanidm-unixd-tasks.service b/net-nds/kanidm/files/kanidm-unixd-tasks.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=Kanidm Local Tasks
+After=chronyd.service ntpd.service network-online.target kanidm-unixd.service
+Requires=kanidm-unixd.service
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/kanidm_unixd_tasks
+User=root
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
+# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
+RestrictAddressFamilies=AF_UNIX
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateNetwork=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-nds/kanidm/files/kanidm-unixd.initd b/net-nds/kanidm/files/kanidm-unixd.initd
@@ -0,0 +1,20 @@
+#!/sbin/openrc-run
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# shellcheck shell=sh
+
+command="/usr/sbin/kanidm_unixd"
+command_user="kanidm:kanidm"
+command_background=1
+pidfile="/var/run/kanidm/${RC_SVCNAME}.pid"
+
+depend() {
+	need net nscd
+	use ntp-client ntpd
+	before sshd
+}
+
+start_pre() {
+	checkpath -do kanidm:kanidm /var/run/kanidm
+}
diff --git a/net-nds/kanidm/files/kanidm-unixd.service b/net-nds/kanidm/files/kanidm-unixd.service
@@ -0,0 +1,40 @@
+[Unit]
+Description=Kanidm Local Client Resolver
+After=chronyd.service nscd.service ntpd.service network-online.target
+Before=systemd-user-sessions.service sshd.service nss-user-lookup.target
+Wants=nss-user-lookup.target
+# While it seems confusing, we need to be after nscd.service so that the
+# Conflicts will triger and then automatically stop it.
+Conflicts=nscd.service
+
+[Service]
+Type=notify
+CacheDirectory=kanidm-unixd
+RuntimeDirectory=kanidm-unixd
+StateDirectory=kanidm-unixd
+UMask=0027
+ExecStart=/usr/sbin/kanidm_unixd
+User=kanidm
+
+## If you wish to setup an external HSM pin you should set:
+# LoadCredential=hsmpin:/etc/kanidm/kanidm-unixd-hsm-pin
+# Environment=KANIDM_HSM_PIN_PATH=%d/hsmpin
+
+# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
+NoNewPrivileges=true
+PrivateTmp=true
+# We have to disable this to allow tpmrm0 access for tpm binding.
+PrivateDevices=false
+# Older versions of systemd require this to be explicitly allowed.
+DeviceAllow=/dev/tpmrm0 rw
+
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-nds/kanidm/files/kanidmd.confd b/net-nds/kanidm/files/kanidmd.confd
@@ -0,0 +1,2 @@
+# Configuration file
+#KANIDMD_CONFIGFILE="/etc/kanidm/server.toml"
diff --git a/net-nds/kanidm/files/kanidmd.initd b/net-nds/kanidm/files/kanidmd.initd
@@ -0,0 +1,42 @@
+#!/sbin/openrc-run
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# shellcheck shell=sh
+
+extra_commands="configtest"
+description_configtest="Run kanidm's internal config check."
+
+: "${KANIDMD_CONFIGFILE:=/etc/kanidm/server.toml}"
+
+command="/usr/sbin/kanidmd"
+command_args="server -c \"${KANIDMD_CONFIGFILE}\""
+command_user="kanidm:kanidm"
+command_background=1
+pidfile="/var/run/kanidm/${RC_SVCNAME}.pid"
+
+depend() {
+	need net
+	use dns
+}
+
+start_pre() {
+	if [ "${RC_CMD}" != "restart" ]; then
+		configtest || return 1
+	fi
+
+	checkpath -do kanidm:kanidm /var/run/kanidm
+}
+
+stop_pre() {
+	if [ "${RC_CMD}" = "restart" ]; then
+		configtest || return 1
+	fi
+}
+
+configtest() {
+	ebegin "Checking kanidm's configuration"
+	${command} configtest -c "${KANIDMD_CONFIGFILE}"
+
+	eend $? "failed, please correct errors in the config file"
+}
diff --git a/net-nds/kanidm/files/kanidmd.service b/net-nds/kanidm/files/kanidmd.service
@@ -0,0 +1,33 @@
+[Unit]
+Description=Kanidm Identity Server
+After=time-sync.target network-online.target
+Wants=time-sync.target network-online.target
+Before=radiusd.service
+
+[Service]
+Type=notify
+StateDirectory=kanidm
+StateDirectoryMode=0750
+CacheDirectory=kanidmd
+CacheDirectoryMode=0750
+RuntimeDirectory=kanidmd
+RuntimeDirectoryMode=0755
+ExecStart=/usr/sbin/kanidmd server -c /etc/kanidm/server.toml
+User=kanidm
+
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target