author | Gregor Kleen <gkleen@yggdrasil.li> | 2016-04-27 13:20:36 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2016-04-27 13:20:36 +0200 |
commit | 681d4e7a94a1d41e6de09a499a7272927129094e (patch) | |
tree | da9b59d6ad8d478a6841cd38e640fe510a64e862 | |
parent | ebcef46a1b3e1007cbd87a8ffd49a55027a6f1d8 (diff) | |
machine permissions
-rw-r--r-- | custom/uucp.nix | 20 | ||||
-rw-r--r-- | ymir.nix | 4 |
2 files changed, 18 insertions, 6 deletions
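diff --git a/custom/uucp.nix b/custom/uucp.nix
index 8490ca4f..afaf8508 100644
--- a/custom/uucp.nix
+++ b/custom/uucp.nix
@@ -17,6 +17,9 @@ let
 chat ""
 protocol e
 '';
+permissions = set: name: let commands = set."${name}"; in ''
+MACHINE=${name} COMMANDS=${concatStringsSep ":" commands}
+'';
 in {
 options = {
 services.uucp = {
@@ -47,9 +50,13 @@ in {
 };
 
 remoteNodes = mkOption {
-type = types.listOf types.str;
-default = [];
-description = "List of ports to set up. You will probably need to configure these in sshConfig";
+type = types.attrsOf (types.listOf str);
+default = {};
+description = ''
+Ports to set up
+Names will probably need to be configured in sshConfig
+Values are permitted commands
+'';
 };
 
 spoolDir = mkOption {
@@ -146,10 +153,13 @@ in {
 port ssh
 type stdin
 protocol e
-'' + concatStringsSep "\n" (map portSpec config.services.uucp.remoteNodes);
+'' + concatStringsSep "\n" (map portSpec (builtins.attrNames config.services.uucp.remoteNodes));
 };
 environment.etc."uucp/sys" = {
-text = concatStringsSep "\n" (map sysSpec config.services.uucp.remoteNodes);
+text = concatStringsSep "\n" (map sysSpec (builtins.attrNames config.services.uucp.remoteNodes));
+};
+environment.etc."uucp/Permissions" = {
+text = concatStringsSep "\n" (map (permissions config.services.uucp.remoteNodes) (builtins.attrNames config.services.uucp.remoteNodes));
 };
 
 security.setuidOwners = map (p: {program = p; owner = "root"; group = "root"; setuid = true; setgid = false;}) ["uucico" "uuxqt" "cu" "uucp" "uuname" "uustat" "uux"];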
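Review bot: The new `permissions` helper in the first hunk interpolates each node name and each permitted command verbatim into a line of `/etc/uucp/Permissions` (`MACHINE=${name} COMMANDS=…:…`), but the option type in the second hunk still accepts any string, so a name or command containing whitespace, `:` or a newline silently produces a malformed or differently-parsed entry in a file that decides what a remote node may execute. A stricter element type on the option, e.g. `type = types.attrsOf (types.listOf (types.strMatching "[^[:space:]:]+"));`, would turn that into an evaluation error instead. In the same line the element type is written as the bare `str` rather than `types.str` as the removed line had it; unless `str` is brought into scope in the let block outside this hunk, evaluation will fail on an undefined variable. The description added in the second hunk would also be more useful if it stated the rendered form, e.g. `Each entry is rendered into /etc/uucp/Permissions as "MACHINE=<name> COMMANDS=<cmd>:<cmd>"`, and noted that an empty list yields a bare `COMMANDS=` entry whose effect should be checked against the uucp documentation.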
@@ -341,7 +341,9 @@ in rec { | |||
341 | services.uucp = { | 341 | services.uucp = { |
342 | enable = true; | 342 | enable = true; |
343 | nodeName = "ymir"; | 343 | nodeName = "ymir"; |
344 | remoteNodes = ["isaac"]; # legacy name for odin | 344 | remoteNodes = { |
345 | "isaac" = ["pwd" "rmail"]; # legacy name for odin | ||
346 | }; | ||
345 | sshUser = { | 347 | sshUser = { |
346 | openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgtDHA7oDIaRwggGGznNaKZF68rFTziqefSCn1t9ZKe uucp@odin'' | 348 | openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgtDHA7oDIaRwggGGznNaKZF68rFTziqefSCn1t9ZKe uucp@odin'' |
347 | ]; | 349 | ]; |