summaryrefslogtreecommitdiffstats
path: root/krebs/3modules
diff options
context:
space:
mode:
Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/setuid.nix75
2 files changed, 76 insertions, 0 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 3d51076cf..b2a02e9c7 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -27,6 +27,7 @@ let
./retiolum-bootstrap.nix
./realwallpaper.nix
./retiolum.nix
+ ./setuid.nix
./tinc_graphs.nix
./urlwatch.nix
];
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
new file mode 100644
index 000000000..22123c926
--- /dev/null
+++ b/krebs/3modules/setuid.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ cfg = config.krebs.setuid;
+
+ out = {
+ options.krebs.setuid = api;
+ config = imp;
+ };
+
+ api = mkOption {
+ default = {};
+ type = let
+ # TODO make wrapperDir configurable
+ inherit (config.security) wrapperDir;
+ inherit (config.users) groups users;
+ in types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ name = mkOption {
+ type = types.filename;
+ default = config._module.args.name;
+ };
+ filename = mkOption {
+ type = mkOptionType {
+ # TODO unyuck string and merge with toC
+ name = "derivation or string";
+ check = x:
+ isDerivation x ||
+ isString x;
+ };
+ apply = toString;
+ };
+ owner = mkOption {
+ default = "root";
+ type = types.enum (attrNames users);
+ };
+ group = mkOption {
+ default = "root";
+ type = types.enum (attrNames groups);
+ };
+ mode = mkOption {
+ default = "4710";
+ type = mkOptionType {
+ # TODO admit symbolic mode
+ name = "octal mode";
+ check = x:
+ isString x &&
+ match "[0-7][0-7][0-7][0-7]" x != null;
+ };
+ };
+ activate = mkOption {
+ type = types.str;
+ visible = false;
+ readOnly = true;
+ };
+ };
+ config.activate = let
+ src = pkgs.execve config.name {
+ inherit (config) filename;
+ };
+ dst = "${wrapperDir}/${config.name}";
+ in ''
+ cp ${src} ${dst}
+ chown ${config.owner}.${config.group} ${dst}
+ chmod ${config.mode} ${dst}
+ '';
+ }));
+ };
+
+ imp = {
+ system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
+ (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
+ };
+
+in out