summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlassulus <lassulus@lassul.us>2018-03-28 21:12:53 +0200
committerlassulus <lassulus@lassul.us>2018-03-28 21:29:57 +0200
commit92540f5cf1628cfaceee6c19f08b3c13b05cf6b4 (patch)
tree0f4c564e14a9f6fdcbcaeef605a27181bfc92242
parent28e1b8d3a51e2405ecc60b04e321f1f7dba364ad (diff)
l xjails: init
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/xjail.nix87
2 files changed, 88 insertions, 0 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index fd77b2262..0c10e1ec2 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -11,6 +11,7 @@ _:
./screenlock.nix
./umts.nix
./usershadow.nix
+ ./xjail.nix
./xserver
];
}
diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix
new file mode 100644
index 000000000..af851760b
--- /dev/null
+++ b/lass/3modules/xjail.nix
@@ -0,0 +1,87 @@
+{ config, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+ options.lass.xjail = mkOption {
+ type = types.attrsOf (types.submodule ({ config, ...}: {
+ options = {
+ user = mkOption {
+ type = types.string;
+ default = "nobody";
+ };
+ groups = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+ name = mkOption {
+ type = types.string;
+ default = config._module.args.name;
+ };
+ display = mkOption {
+ type = types.string;
+ default = toString (genid_signed config._module.args.name);
+ };
+ script = mkOption {
+ type = types.path;
+ default = pkgs.writeScript "echo_lol" "echo lol";
+ };
+ from = mkOption {
+ type = types.string;
+ default = "lass";
+ };
+ };
+ }));
+ default = {};
+ };
+
+ options.lass.xjail-bins = mkOption {
+ type = types.attrsOf types.path;
+ };
+
+ # implementation
+ config = {
+
+ users.users = mapAttrs' (_: cfg:
+ nameValuePair cfg.name {
+ uid = genid cfg.name;
+ home = "/home/${cfg.name}";
+ useDefaultShell = true;
+ createHome = true;
+ extraGroups = cfg.groups;
+ }
+ ) config.lass.xjail;
+
+ users.groups = mapAttrs' (_: cfg:
+ nameValuePair cfg.name {
+ members = [
+ cfg.name
+ cfg.from
+ ];
+ }
+ ) config.lass.xjail;
+
+ security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg:
+ # TODO allow just the right script with sudo
+ "${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL"
+ ) config.lass.xjail));
+
+ lass.xjail-bins = mapAttrs' (name: cfg:
+ let
+ sudo-wrapper = pkgs.writeScript name ''
+ /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
+ '';
+ in nameValuePair name (pkgs.writeScriptBin cfg.name ''
+ export NDISPLAY=${cfg.display}
+ DISPLAY=:$NDISPLAY ${pkgs.xorg.xrandr}/bin/xrandr
+ if test $? -eq 0; then
+ echo xephyr already running
+ export DISPLAY=:$NDISPLAY
+ ${sudo-wrapper} "$@"
+ else
+ echo xephyr not running
+ DROP_TO_USER=${cfg.name} ${pkgs.xephyrify}/bin/xephyrify ${sudo-wrapper} "$@"
+ fi
+ '')
+ ) config.lass.xjail;
+ };
+}