services: laminar: Add configuration option for supplementary groups.

* gnu/services/ci (<laminar-configuration>)[supplemental-groups]: New field.
(laminar-shepherd-service): Exec laminard with supplementary groups.
(laminar-account): Add supplementary groups to laminar user.
* doc/guix.texi (Laminar): Document new configuration field.

Change-Id: Iebfdbb58ea8c6dfa22bb8f64f6463e3ad133d2f9

doc/guix.texi

@@ -34163,6 +34163,9 @@ The Laminar package to use.
 @item @code{home-directory} (default: @code{"/var/lib/laminar"})
 The directory for job configurations and run directories.
 
+@item @code{supplementary-groups} (default: @code{()})
+Supplementary groups for the Laminar user account.
+
 @item @code{bind-http} (default: @code{"*:8080"})
 The interface/port or unix socket on which laminard should listen for
 incoming connections to the web frontend.

gnu/services/ci.scm

@@ -31,6 +31,7 @@
   #:export (laminar-configuration
             laminar-configuration?
             laminar-configuration-home-directory
+            laminar-configuration-supplementary-groups
             laminar-configuration-bind-http
             laminar-configuration-bind-rpc
             laminar-configuration-title
@@ -50,26 +51,28 @@
 (define-record-type* <laminar-configuration>
   laminar-configuration make-laminar-configuration
   laminar-configuration?
-  (laminar          laminars-configuration-laminar
+  (laminar              laminars-configuration-laminar
-                    (default laminar))
+                        (default laminar))
-  (home-directory   laminar-configuration-home-directory
+  (home-directory       laminar-configuration-home-directory
-                    (default "/var/lib/laminar"))
+                        (default "/var/lib/laminar"))
-  (bind-http        laminar-configuration-bind-http
+  (supplementary-groups laminar-configuration-supplementary-groups
-                    (default "*:8080"))
+                        (default '()))
-  (bind-rpc         laminar-configuration-bind-rpc
+  (bind-http            laminar-configuration-bind-http
-                    (default "unix-abstract:laminar"))
+                        (default "*:8080"))
-  (title            laminar-configuration-title
+  (bind-rpc             laminar-configuration-bind-rpc
-                    (default "Laminar"))
+                        (default "unix-abstract:laminar"))
-  (keep-rundirs     laminar-keep-rundirs
+  (title                laminar-configuration-title
-                    (default 0))
+                        (default "Laminar"))
-  (archive-url      laminar-archive-url
+  (keep-rundirs         laminar-keep-rundirs
-                    (default #f))
+                        (default 0))
-  (base-url         laminar-base-url
+  (archive-url          laminar-archive-url
-                    (default #f)))
+                        (default #f))
+  (base-url             laminar-base-url
+                        (default #f)))
 
 (define laminar-shepherd-service
   (match-lambda
-    (($ <laminar-configuration> laminar home-directory
+    (($ <laminar-configuration> laminar home-directory supplementary-groups
                                 bind-http bind-rpc
                                 title keep-rundirs archive-url
                                 base-url)
@@ -102,7 +105,8 @@
                                               #$base-url))
                               '()))
                       #:user "laminar"
-                      #:group "laminar"))
+                      #:group "laminar"
+                      #:supplementary-groups '#$supplementary-groups))
             (stop #~(make-kill-destructor)))))))
 
 (define (laminar-account config)
@@ -113,6 +117,8 @@
         (user-account
          (name "laminar")
          (group "laminar")
+         (supplementary-groups
+          (laminar-configuration-supplementary-groups config))
          (system? #t)
          (comment "Laminar privilege separation user")
          (home-directory (laminar-configuration-home-directory config))