From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp12.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms9.migadu.com with LMTPS
	id uAtLMo8cGmQtYwAASxT56A
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 21 Mar 2023 22:07:27 +0100
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp12.migadu.com with LMTPS
	id yPxTMo8cGmS3HwAAauVa8A
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 21 Mar 2023 22:07:27 +0100
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 75F9E2E9F9
	for <larch@yhetil.org>; Tue, 21 Mar 2023 22:07:27 +0100 (CET)
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=spork.org header.s=dkim header.b=Hr8iP1Sh;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1679432847;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:resent-cc:
	 resent-from:resent-sender:resent-message-id:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=aPqC8GElZtASYpSytu8stda4HJnyFtTbZBilz4+zvUw=;
	b=BM0I4KN3+4c6nZ8ycJfeJzPOAdAG8DpEZMs4rPGjjQ05BMU76ptm+S1KLDa331et6oBkj+
	UoXTySejg5beP5+d515WX1+VUuRcdOxyjbvPAVYsBF3UV68ZTSefoR93zIqjXfNaZ+zsXx
	Vef7Fq/Ai/Cg1lXC//0y3bLEll1v5dFi2ugapQAAMj8GPJFItPnij2rGAsgZ1IKfxC9RbK
	/A6Vj8Zc1iYNwP3TWYwcl9erDGln+yke+F5z/CsgADuAizaExm0hEqyXqwHXw+vpFkjMC9
	x4qpb2ZrXExqWMbS+aKp16QrrJp0hD5iKR0neSp/nIdVIz846V03j9VArvOq+A==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=spork.org header.s=dkim header.b=Hr8iP1Sh;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1679432847; a=rsa-sha256; cv=none;
	b=WguEY3yFSJnu9g9jXubAclBUOQXs7PV2hX5Oz+/CTiJp6hqwHy3+I2madPolR+IlKriyTQ
	gAA2w48ZVYzQt1DHW90JCbNIQyUi37X6jQtfEMKwDBFX9f9IxjmFElukfl2KjQIOurJxAK
	uTm7Y6kbHyo+KLzmh2q8RUF6dTMcMO+ZnHDwt9jfZTV25p5o7nOohBv0BdAWZmbaBa/b40
	k5imD7vlLMOqBXgTJ0ymWYKry1Dz4kWK+hLtVvJOeivnlHPoTlCOlclx2CLGCxYLT1cbKP
	gj6WxvQjqbQ3kgaKH1SDaUmVYh6kJmFyohdEe3VmzKC21B+w2+cUv2dOPJJR1Q==
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces@gnu.org>)
	id 1pejCE-0005xx-MI; Tue, 21 Mar 2023 17:07:06 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pejCA-0005xT-FE
 for guix-patches@gnu.org; Tue, 21 Mar 2023 17:07:03 -0400
Received: from debbugs.gnu.org ([209.51.188.43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pejC9-0006sG-S0; Tue, 21 Mar 2023 17:07:01 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pejC9-0002N5-NO; Tue, 21 Mar 2023 17:07:01 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#62357] [PATCH] services: base: add pam-mount-volume support for
 greetd
Resent-From: Brian Cully <bjc@spork.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: ludo@gnu.org, guix-patches@gnu.org
Resent-Date: Tue, 21 Mar 2023 21:07:01 +0000
Resent-Message-ID: <handler.62357.B.16794328159100@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 62357
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 62357@debbugs.gnu.org
Cc: Brian Cully <bjc@spork.org>, ludo@gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
X-Debbugs-Original-Xcc: ludo@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.16794328159100
 (code B ref -1); Tue, 21 Mar 2023 21:07:01 +0000
Received: (at submit) by debbugs.gnu.org; 21 Mar 2023 21:06:55 +0000
Received: from localhost ([127.0.0.1]:60976 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1pejC2-0002Mh-Gd
 for submit@debbugs.gnu.org; Tue, 21 Mar 2023 17:06:55 -0400
Received: from lists.gnu.org ([209.51.188.17]:45492)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bjc@spork.org>) id 1pejC0-0002MZ-HK
 for submit@debbugs.gnu.org; Tue, 21 Mar 2023 17:06:53 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <bjc@spork.org>) id 1pejBv-0005sm-34
 for guix-patches@gnu.org; Tue, 21 Mar 2023 17:06:48 -0400
Received: from coleridge.kublai.com ([166.84.7.167] helo=mail.spork.org)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <bjc@spork.org>) id 1pejBs-0006nk-9K
 for guix-patches@gnu.org; Tue, 21 Mar 2023 17:06:46 -0400
Received: from psyduck.jhoto.kublai.com (ool-18b8e9e7.dyn.optonline.net
 [24.184.233.231])
 by mail.spork.org (Postfix) with ESMTPSA id 1671094F2;
 Tue, 21 Mar 2023 17:06:28 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=spork.org; s=dkim;
 t=1679432788; bh=33K/anoJjVzHj0mYkJCBwe0/nTBePwhIfPUY0igiX1A=;
 h=From:To:Cc:Subject:Date;
 b=Hr8iP1ShM3rxsKigKZAhivgLUoK5I5WvdXTVRRwdBfZE52dSz98yFopkifJYdc9lu
 1GPmu7C/FQx2OA/+iNAVW4AOoyaTvacOCUr/NsoBKn0inBXyIVIwJ/Ie2Sz/0ntvXn
 BehgxYoDPg37Yc5RgmGeS5Og4PuGwfe+3tBIT4Jk=
Date: Tue, 21 Mar 2023 17:06:22 -0400
Message-Id: <3dc92c40bf6940f2453d1912af08c47771dfa42b.1679432782.git.bjc@spork.org>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=166.84.7.167; envelope-from=bjc@spork.org;
 helo=mail.spork.org
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, 
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Reply-to:  Brian Cully <bjc@spork.org>
X-Migadu-Queue-Id: 75F9E2E9F9
X-Spam-Score: -4.25
X-Migadu-Spam-Score: -4.25
X-Migadu-Scanner: scn0.migadu.com
X-ACL-Warn: ,  Brian Cully via Guix-patches <guix-patches@gnu.org>
From:  Brian Cully via Guix-patches via <guix-patches@gnu.org>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: guix-patches-bounces+larch=yhetil.org@gnu.org
X-Migadu-Country: US
X-Migadu-Flow: FLOW_IN
X-TUID: 890ExfeRLEsa

This patch lets users create mounts automatically on login with the greetd
service by adding `pam-mount-volume' records via the `extra-pam-mount-volumes'
field of `greetd-configuration'.

The existing rules for XDG_RUNTIME_DIR have been migrated to
`%base-pam-mount-volumes' and are installed by default.

* gnu/services/base.scm (<pam-mount-volume>): new record
(pam-mount-volume->sxml): new procedure
(%base-pam-mount-volumes): new variable
(greetd-pam-mount-rules): new function
(%greetd-pam-mount-rules): removed variable
(<greetd-configuration>): new field `extra-pam-mount-volumes'
---
 gnu/services/base.scm | 114 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 107 insertions(+), 7 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 2c984a0747..4da2090141 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -248,6 +248,27 @@ (define-module (gnu services base)
             pam-limits-service-type
             pam-limits-service
 
+            pam-mount-volume
+            pam-mount-volume-user
+            pam-mount-volume-uid
+            pam-mount-volume-pgrp
+            pam-mount-volume-gid
+            pam-mount-volume-sgrp
+            pam-mount-volume-fstype
+            pam-mount-volume-noroot
+            pam-mount-volume-server
+            pam-mount-volume-path
+            pam-mount-volume-path
+            pam-mount-volume-mountpoint
+            pam-mount-volume-header
+            pam-mount-volume-options
+            pam-mount-volume-ssh
+            pam-mount-volume-cipher
+            pam-mount-volume-fskeycipher
+            pam-mount-volume-fskeyhash
+            pam-mount-volume-fskeypath
+            %base-pam-mount-volumes
+
             greetd-service-type
             greetd-configuration
             greetd-terminal-configuration
@@ -3170,6 +3191,82 @@ (define (make-greetd-terminal-configuration-file config)
      "user = " default-session-user "\n"
      "command = " default-session-command "\n")))
 
+(define-record-type* <pam-mount-volume>
+  pam-mount-volume make-pam-mount-volume
+  pam-mount-volume?
+  (user pam-mount-volume-user (default #f)) ; string
+  (uid pam-mount-volume-uid (default #f)) ; number or (number . number)
+  (pgrp pam-mount-volume-pgrp (default #f)) ; string
+  (gid pam-mount-volume-gid (default #f)) ; number or (number . number)
+  (sgrp pam-mount-volume-sgrp (default #f)) ; string
+  (fstype pam-mount-volume-fstype (default #f)) ; string
+  (noroot pam-mount-volume-noroot (default #f)) ; bool
+  (server pam-mount-volume-server (default #f)) ; string
+  (path pam-mount-volume-path (default #f)) ; string
+  (mountpoint pam-mount-volume-mountpoint (default #f)) ; string
+  (header pam-mount-volume-header (default #f)) ; string
+  (options pam-mount-volume-options (default #f)) ; string
+  (ssh pam-mount-volume-ssh (default #f)) ; bool
+  (cipher pam-mount-volume-cipher (default #f)) ; string
+  (fskeycipher pam-mount-volume-fskeycipher (default #f)) ; string
+  (fskeyhash pam-mount-volume-fskeyhash (default #f)) ; string
+  (fskeypath pam-mount-volume-fskeypath (default #f))) ; string
+
+(define (pam-mount-volume->sxml volume)
+  "Return SXML formatted VOLUME, suitable for pam_mount configuration."
+  (define (string-for value)
+    (and value (format #f "~a" value)))
+
+  (define (bool-for value)
+    (if value
+        "1"
+        "0"))
+
+  (define (number-or-range-for value)
+    (match value
+      (#f #f)
+      ((start . end)
+       (format #f "~a-~a" start end))
+      (number
+       (format #f "~a" number))))
+
+  (define attrs
+    (filter
+     (cut cadr <>)
+     (map (lambda (field-desc)
+            (let* ((field-name (car field-desc))
+                   (field-formatter (cdr field-desc))
+                   (field-accessor (record-accessor <pam-mount-volume> field-name)))
+              (list field-name (field-formatter (field-accessor volume)))))
+          `((user . ,string-for)
+            (uid . ,number-or-range-for)
+            (pgrp . ,string-for)
+            (gid . ,number-or-range-for)
+            (sgrp . ,string-for)
+            (fstype . ,string-for)
+            (noroot . ,bool-for)
+            (server . ,string-for)
+            (path . ,string-for)
+            (mountpoint . ,string-for)
+            (header . ,string-for)
+            (options . ,string-for)
+            (ssh . ,bool-for)
+            (cipher . ,string-for)
+            (fskeycipher . ,string-for)
+            (fskeyhash . ,string-for)
+            (fskeypath . ,string-for)))))
+
+  `(volume (@ ,@attrs)))
+
+(define %base-pam-mount-volumes
+  (list
+   (pam-mount-volume->sxml
+    (pam-mount-volume
+     (sgrp "users")
+     (fstype "tmpfs")
+     (mountpoint "/run/user/%(USERUID)")
+     (options "noexec,nosuid,nodev,size=1g,mode=0700,uid=%(USERUID),gid=%(USERGID)")))))
+
 (define %greetd-file-systems
   (list (file-system
           (device "none")
@@ -3180,12 +3277,14 @@ (define %greetd-file-systems
           (options "mode=0755")
           (create-mount-point? #t))))
 
-(define %greetd-pam-mount-rules
+(define (greetd-pam-mount-rules config)
+  (define volumes
+    (append (map pam-mount-volume->sxml
+                 (greetd-extra-pam-mount-volumes config))
+            %base-pam-mount-volumes))
+
   `((debug (@ (enable "0")))
-    (volume (@ (sgrp "users")
-               (fstype "tmpfs")
-               (mountpoint "/run/user/%(USERUID)")
-               (options "noexec,nosuid,nodev,size=1g,mode=0700,uid=%(USERUID),gid=%(USERGID)")))
+    ,@volumes
     (logout (@ (wait "0")
                (hup "0")
                (term "yes")
@@ -3198,7 +3297,8 @@ (define-record-type* <greetd-configuration>
   (motd greetd-motd (default %default-motd))
   (allow-empty-passwords? greetd-allow-empty-passwords? (default #t))
   (terminals greetd-terminals (default '()))
-  (greeter-supplementary-groups greetd-greeter-supplementary-groups (default '())))
+  (greeter-supplementary-groups greetd-greeter-supplementary-groups (default '()))
+  (extra-pam-mount-volumes greetd-extra-pam-mount-volumes (default '())))
 
 (define (greetd-accounts config)
   (list (user-group (name "greeter") (system? #t))
@@ -3219,7 +3319,7 @@ (define (make-greetd-pam-mount-conf-file config)
             '(*TOP*
               (*PI* xml "version='1.0' encoding='utf-8'")
               (pam_mount
-               #$@%greetd-pam-mount-rules
+               #$@(greetd-pam-mount-rules config)
                (pmvarrun
                 #$(file-append greetd-pam-mount
                                "/sbin/pmvarrun -u '%(USER)' -o '%(OPERATION)'"))))

base-commit: 306bd7b8b952b1e721fd36a9d69b3373862e8087
-- 
2.39.2