authorGregor Kleen <gkleen@yggdrasil.li>2016-04-27 13:20:36 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2016-04-27 13:20:36 +0200
commit681d4e7a94a1d41e6de09a499a7272927129094e (patch)
treeda9b59d6ad8d478a6841cd38e640fe510a64e862
parentebcef46a1b3e1007cbd87a8ffd49a55027a6f1d8 (diff)
machine permissions
-rw-r--r--custom/uucp.nix20
-rw-r--r--ymir.nix4
2 files changed, 18 insertions, 6 deletions
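--- a/custom/uucp.nix
+++ b/custom/uucp.nix
@@ -17,6 +17,9 @@ let
 chat ""
 protocol e
 '';
+permissions = set: name: let commands = set."${name}"; in ''
+MACHINE=${name} COMMANDS=${concatStringsSep ":" commands}
+'';
 in {
 options = {
 services.uucp = {
@@ -47,9 +50,13 @@ in {
 };
 
 remoteNodes = mkOption {
-type = types.listOf types.str;
-default = [];
-description = "List of ports to set up. You will probably need to configure these in sshConfig";
+type = types.attrsOf (types.listOf str);
+default = {};
+description = ''
+Ports to set up
+Names will probably need to be configured in sshConfig
+Values are permitted commands
+'';
 };
 
 spoolDir = mkOption {
@@ -146,10 +153,13 @@ in {
 port ssh
 type stdin
 protocol e
-'' + concatStringsSep "\n" (map portSpec config.services.uucp.remoteNodes);
+'' + concatStringsSep "\n" (map portSpec (builtins.attrNames config.services.uucp.remoteNodes));
 };
 environment.etc."uucp/sys" = {
-text = concatStringsSep "\n" (map sysSpec config.services.uucp.remoteNodes);
+text = concatStringsSep "\n" (map sysSpec (builtins.attrNames config.services.uucp.remoteNodes));
+};
+environment.etc."uucp/Permissions" = {
+text = concatStringsSep "\n" (map (permissions config.services.uucp.remoteNodes) (builtins.attrNames config.services.uucp.remoteNodes));
 };
 
 security.setuidOwners = map (p: {program = p; owner = "root"; group = "root"; setuid = true; setgid = false;}) ["uucico" "uuxqt" "cu" "uucp" "uuname" "uustat" "uux"];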
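Review bot: The new `uucp/Permissions` file in the third hunk is HDB-format, while the `sys` file generated right above it by sysSpec is Taylor-style; as far as I know Taylor UUCP only reads HDB files when built with HDB config support and `hdb-files` is enabled, so the per-node COMMANDS allow-list may never be applied and the compiled-in default command set would govern instead — worth confirming with `uuchk`, or expressing the allow-list as a `commands` line inside sysSpec, which is defined outside the hunk. The entry also carries only MACHINE and no LOGNAME, which under HDB semantics governs calls this host makes outward; what an inbound peer arriving via the forced-command ssh wrapper may run would fall back to the defaults unless a LOGNAME entry is emitted as well. Separately, the second hunk writes `types.attrsOf (types.listOf str)` where the removed line used `types.str`; unless `str` is bound in the let block above (outside the hunk), evaluation fails, so `type = types.attrsOf (types.listOf types.str);`.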
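--- a/ymir.nix
+++ b/ymir.nix
@@ -341,7 +341,9 @@ in rec {
 services.uucp = {
 enable = true;
 nodeName = "ymir";
-remoteNodes = ["isaac"]; # legacy name for odin
+remoteNodes = {
+"isaac" = ["pwd" "rmail"]; # legacy name for odin
+};
 sshUser = {
 openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgtDHA7oDIaRwggGGznNaKZF68rFTziqefSCn1t9ZKe uucp@odin''
 ];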
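Review bot: The allow-list for isaac grants `pwd` alongside `rmail`; pwd serves only as a link test and widens what the peer can have uuxqt execute beyond mail delivery, so once the link is verified the entry should shrink to `"isaac" = ["rmail"]; # legacy name for odin`. Whether this list is enforced at all depends on the generated Permissions file in custom/uucp.nix actually being consulted by the UUCP binaries, which is worth checking before relying on it. The forced `command="/var/setuid-wrappers/uucico"` on the authorized key is unchanged and still confines the ssh session to uucico itself.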