stockholm/krebs/3modules/setuid.nix

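{ config, pkgs, lib, ... }:

with import <stockholm/lib>;

let
  cfg = config.krebs.setuid;

  out = {
    options.krebs.setuid = api;
    config = mkIf (cfg != {}) imp;
  };

  # krebs.setuid.<name>: install a program as a setuid/setgid wrapper in
  # security.wrapperDir. The install runs as an activation script ordered
  # after NixOS' own "wrappers" step, so the directory exists by then.
  api = mkOption {
    default = {};
    type = let
      # TODO make wrapperDir configurable
      inherit (config.security) wrapperDir;
      inherit (config.users) groups users;
    in types.attrsOf (types.submodule ({ config, ... }: {
      options = {
        # Basename of the wrapper inside wrapperDir; defaults to the
        # attribute name used under krebs.setuid.
        name = mkOption {
          type = types.filename;
          default = config._module.args.name;
        };
        # Fixed environment handed to pkgs.exec for the wrapped program,
        # or null to leave it unset.
        envp = mkOption {
          type = types.nullOr (types.attrsOf types.str);
          default = null;
        };
        # Program to wrap: a derivation or a path string; coerced with toString.
        filename = mkOption {
          type = mkOptionType {
            # TODO unyuck string and merge with toC
            name = "derivation or string";
            check = x:
              isDerivation x ||
              isString x;
          };
          apply = toString;
        };
        # Owner/group are restricted to users and groups declared in this
        # configuration, so a typo cannot leave the wrapper owned by nobody.
        owner = mkOption {
          default = "root";
          type = types.enum (attrNames users);
        };
        group = mkOption {
          default = "root";
          type = types.enum (attrNames groups);
        };
        # Exactly four octal digits. The default 4710 is setuid, owner rwx,
        # group execute only, nothing for others.
        mode = mkOption {
          default = "4710";
          type = mkOptionType {
            # TODO admit symbolic mode
            name = "octal mode";
            check = test "[0-7][0-7][0-7][0-7]";
            merge = mergeOneOption;
          };
        };
        # Shell snippet that installs this one wrapper; derived below and
        # not meant to be set by users.
        activate = mkOption {
          type = types.str;
          visible = false;
          readOnly = true;
        };
      };
      config.activate = let
        src = pkgs.exec config.name {
          inherit (config) envp filename;
        };
        dst = "${wrapperDir}/${config.name}";
        # Staging path in the same directory as dst, so the final rename
        # is a single atomic replace within one filesystem.
        tmp = "${wrapperDir}/.${config.name}.tmp";
      in ''
        # Build the wrapper at a staging path with its final owner, group
        # and mode, then rename it into place. This way dst never exists
        # half-written or with setuid applied to an incomplete file: install
        # unlinks any stale staging file before copying and sets ownership
        # before the mode, and mv -f replaces dst atomically.
        install -m ${config.mode} -o ${config.owner} -g ${config.group} "${src}" "${tmp}"
        mv -f "${tmp}" "${dst}"
      '';
    }));
  };

  imp = {
    system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ]
      (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
  };

in out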