| author | Gregor Kleen <gkleen@yggdrasil.li> | 2018-04-06 13:14:59 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2018-04-06 13:14:59 +0200 |
| commit | e1b0869fde7c084961fb11c80afc8e6fbe7c7afa (patch) | |
| tree | 2d7f5ac4f6af66312ff5ee10b926eb59b318656b /custom/uucp.nix | |
| parent | 3c0f7675064548b9f1c95f1034cb31d517f5dc9c (diff) | |
| download | nixos-e1b0869fde7c084961fb11c80afc8e6fbe7c7afa.tar nixos-e1b0869fde7c084961fb11c80afc8e6fbe7c7afa.tar.gz nixos-e1b0869fde7c084961fb11c80afc8e6fbe7c7afa.tar.bz2 nixos-e1b0869fde7c084961fb11c80afc8e6fbe7c7afa.tar.xz nixos-e1b0869fde7c084961fb11c80afc8e6fbe7c7afa.zip | |
Overhaul uucp
Diffstat (limited to 'custom/uucp.nix')
| -rw-r--r-- | custom/uucp.nix | 114 |
1 files changed, 87 insertions, 27 deletions
diff --git a/custom/uucp.nix b/custom/uucp.nix index f5b89bfe..61e42119 100644 --- a/custom/uucp.nix +++ b/custom/uucp.nix | |||
| @@ -3,23 +3,72 @@ | |||
| 3 | with lib; | 3 | with lib; |
| 4 | 4 | ||
| 5 | let | 5 | let |
| 6 | portSpec = name: '' | 6 | portSpec = name: node: concatStringsSep "\n" (mapAttrsToList (portName: port: '' |
| 7 | port ${name} | 7 | port ${name}.${portName} |
| 8 | type pipe | 8 | type pipe |
| 9 | protocol ${if builtins.hasAttr name cfg.protocols then cfg.protocols."${name}" else cfg.defaultProtocol} | 9 | protocol ${node.protocols} |
| 10 | reliable true | 10 | reliable true |
| 11 | command ${pkgs.openssh}/bin/ssh -x -o batchmode=yes ${name} | 11 | command ${pkgs.openssh}/bin/ssh -x -o batchmode=yes ${name}.${portName} |
| 12 | ''; | 12 | '') node.hostnames); |
| 13 | sysSpec = name: '' | 13 | sysSpec = name: '' |
| 14 | system ${name} | 14 | system ${name} |
| 15 | time Any | 15 | time Any |
| 16 | port ${name} | ||
| 17 | chat "" | 16 | chat "" |
| 18 | protocol ${if builtins.hasAttr name cfg.protocols then cfg.protocols."${name}" else cfg.defaultProtocol} | ||
| 19 | command-path ${concatStringsSep " " cfg.commandPath} | 17 | command-path ${concatStringsSep " " cfg.commandPath} |
| 20 | commands ${concatStringsSep " " (if builtins.hasAttr name cfg.commands then unique (cfg.defaultCommands ++ cfg.commands."${name}") else cfg.defaultCommands)} | 18 | commands ${concatStringsSep " " node.commands} |
| 19 | ${concatStringsSep "\nalternate\n" (mapAttrsToList (portName: port: '' | ||
| 20 | port ${name}.${portName} | ||
| 21 | '') node.hostnames)} | ||
| 22 | ''; | ||
| 23 | sshConfig = name: node: concatStringsSep "\n" (mapAttrsToList (portName: port: '' | ||
| 24 | Host ${name}.${portName} | ||
| 25 | Hostname ${port} | ||
| 26 | IdentitiesOnly Yes | ||
| 27 | IdentityFile ${cfg.sshKeyDir}/${name}.pub | ||
| 28 | '') node.hostnames); | ||
| 29 | sshKeyGen = name: node: '' | ||
| 30 | if [[ ! -e ${cfg.sshKeyDir}/${name} ]]; then | ||
| 31 | ssh-keygen ${escapeShellArgs node.generateKey} -f ${cfg.sshKeyDir}/${name} | ||
| 32 | fi | ||
| 33 | ''; | ||
| 34 | restrictKey = key: '' | ||
| 35 | restrict,command="${config.security.wrapperDir}/uucico" ${key} | ||
| 21 | ''; | 36 | ''; |
| 22 | 37 | ||
| 38 | nodeCfg = { | ||
| 39 | options = { | ||
| 40 | commands = mkOption { | ||
| 41 | type = types.listOf types.string; | ||
| 42 | default = cfg.defaultCommands; | ||
| 43 | description = "Commands to allow for this remote"; | ||
| 44 | }; | ||
| 45 | |||
| 46 | protocols = mkOption { | ||
| 47 | type = types.string; | ||
| 48 | default = cfg.defaultProtocols; | ||
| 49 | description = "UUCP protocols to use for this remote"; | ||
| 50 | }; | ||
| 51 | |||
| 52 | publicKeys = mkOption { | ||
| 53 | type = types.listOf types.string; | ||
| 54 | default = []; | ||
| 55 | description = "SSH public keys for this node"; | ||
| 56 | }; | ||
| 57 | |||
| 58 | generateKey = mkOption { | ||
| 59 | type = types.listOf types.string; | ||
| 60 | default = [ "-t ed25519" ]; | ||
| 61 | description = "Arguments to pass to `ssh-keygen` to generate a keypair for communication with this host"; | ||
| 62 | }; | ||
| 63 | |||
| 64 | hostnames = mkOption { | ||
| 65 | type = types.attrsOf types.string; | ||
| 66 | default = {}; | ||
| 67 | description = ""; | ||
| 68 | }; | ||
| 69 | }; | ||
| 70 | }; | ||
| 71 | |||
| 23 | cfg = config.services.uucp; | 72 | cfg = config.services.uucp; |
| 24 | in { | 73 | in { |
| 25 | options = { | 74 | options = { |
| @@ -44,14 +93,14 @@ in { | |||
| 44 | description = "Overrides for the local uucp linux-user"; | 93 | description = "Overrides for the local uucp linux-user"; |
| 45 | }; | 94 | }; |
| 46 | 95 | ||
| 47 | sshConfig = mkOption { | 96 | extraSSHConfig = mkOption { |
| 48 | type = types.str; | 97 | type = types.str; |
| 49 | default = ""; | 98 | default = ""; |
| 50 | description = "~uucp/.ssh/config"; | 99 | description = "Extra SSH config"; |
| 51 | }; | 100 | }; |
| 52 | 101 | ||
| 53 | remoteNodes = mkOption { | 102 | remoteNodes = mkOption { |
| 54 | type = types.listOf types.str; | 103 | type = types.attrsOf (types.submodule nodeCfg); |
| 55 | default = {}; | 104 | default = {}; |
| 56 | description = '' | 105 | description = '' |
| 57 | Ports to set up | 106 | Ports to set up |
| @@ -73,22 +122,22 @@ in { | |||
| 73 | description = "Commands allowed for remotes without explicit override"; | 122 | description = "Commands allowed for remotes without explicit override"; |
| 74 | }; | 123 | }; |
| 75 | 124 | ||
| 76 | commands = mkOption { | 125 | defaultProtocols = mkOption { |
| 77 | type = types.attrsOf (types.listOf types.string); | ||
| 78 | default = {}; | ||
| 79 | description = "Override commands for specific remotes"; | ||
| 80 | }; | ||
| 81 | |||
| 82 | defaultProtocol = mkOption { | ||
| 83 | type = types.string; | 126 | type = types.string; |
| 84 | default = "e"; | 127 | default = "e"; |
| 85 | description = "UUCP protocol to use within ssh unless overriden"; | 128 | description = "UUCP protocol to use within ssh unless overriden"; |
| 86 | }; | 129 | }; |
| 87 | 130 | ||
| 88 | protocols = mkOption { | 131 | homeDir = mkOption { |
| 89 | type = types.attrsOf types.string; | 132 | type = types.path; |
| 90 | default = {}; | 133 | default = "/var/uucp"; |
| 91 | description = "UUCP protocols to use for specific remotes"; | 134 | description = "Home of the uucp user"; |
| 135 | }; | ||
| 136 | |||
| 137 | sshKeyDir = mkOption { | ||
| 138 | type = types.path; | ||
| 139 | default = "${cfg.homeDir}/.ssh/"; | ||
| 140 | description = "Directory to store ssh keypairs"; | ||
| 92 | }; | 141 | }; |
| 93 | 142 | ||
| 94 | spoolDir = mkOption { | 143 | spoolDir = mkOption { |
| @@ -184,16 +233,27 @@ in { | |||
| 184 | isSystemUser = true; | 233 | isSystemUser = true; |
| 185 | isNormalUser = false; | 234 | isNormalUser = false; |
| 186 | createHome = true; | 235 | createHome = true; |
| 187 | home = cfg.spoolDir; | 236 | home = cfg.homeDir; |
| 188 | description = "User for uucp over ssh"; | 237 | description = "User for uucp over ssh"; |
| 189 | useDefaultShell = true; | 238 | useDefaultShell = true; |
| 239 | openssh.authorizedKeys.keys = map restrictKey (concat (mapAttrsToList (name: node: node.publicKeys) cfg.remoteNodes)); | ||
| 190 | } // cfg.sshUser; | 240 | } // cfg.sshUser; |
| 191 | 241 | ||
| 192 | system.activationScripts."uucp-sshconfig" = '' | 242 | system.activationScripts."uucp-sshconfig" = '' |
| 193 | mkdir -p ${config.users.users."uucp".home}/.ssh | 243 | mkdir -p ${config.users.users."uucp".home}/.ssh |
| 194 | chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${config.users.users."uucp".home}/.ssh | 244 | chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${config.users.users."uucp".home}/.ssh |
| 195 | chmod 700 ${config.users.users."uucp".home}/.ssh | 245 | chmod 700 ${config.users.users."uucp".home}/.ssh |
| 196 | ln -fs ${builtins.toFile "ssh-config" cfg.sshConfig} ${config.users.users."uucp".home}/.ssh/config | 246 | ln -fs ${builtins.toFile "ssh-config" '' |
| 247 | ${concatStringsSpec "\n" (mapAttrsToList sshConfig cfg.remoteNodes)} | ||
| 248 | |||
| 249 | ${cfg.extraSSHConfig} | ||
| 250 | ''} ${config.users.users."uucp".home}/.ssh/config | ||
| 251 | |||
| 252 | mkdir -p ${cfg.sshKeyDir} | ||
| 253 | chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.sshKeyDir} | ||
| 254 | chmod 700 ${config.sshKeyDir} | ||
| 255 | |||
| 256 | ${concatStringsSep "\n" (mapAttrsToList sshKeyGen cfg.remoteNodes)} | ||
| 197 | ''; | 257 | ''; |
| 198 | 258 | ||
| 199 | system.activationScripts."uucp-logs" = '' | 259 | system.activationScripts."uucp-logs" = '' |
| @@ -213,10 +273,10 @@ in { | |||
| 213 | port ssh | 273 | port ssh |
| 214 | type stdin | 274 | type stdin |
| 215 | protocol e | 275 | protocol e |
| 216 | '' + concatStringsSep "\n" (map portSpec cfg.remoteNodes); | 276 | '' + concatStringsSep "\n" (mapAttrsToList portSpec cfg.remoteNodes); |
| 217 | }; | 277 | }; |
| 218 | environment.etc."uucp/sys" = { | 278 | environment.etc."uucp/sys" = { |
| 219 | text = cfg.extraSys + "\n" + concatStringsSep "\n" (map sysSpec cfg.remoteNodes); | 279 | text = cfg.extraSys + "\n" + concatStringsSep "\n" (mapAttrsToList sysSpec cfg.remoteNodes); |
| 220 | }; | 280 | }; |
| 221 | 281 | ||
| 222 | security.wrappers = let | 282 | security.wrappers = let |
| @@ -301,7 +361,7 @@ in { | |||
| 301 | 361 | ||
| 302 | case "''${2}" in | 362 | case "''${2}" in |
| 303 | (?(vpn-)up) | 363 | (?(vpn-)up) |
| 304 | ${concatMapStringsSep "\n " (name: "${pkgs.systemd}/bin/systemctl start uucico@${name}.service") cfg.remoteNodes} | 364 | ${concatStringsSep "\n " (mapAttrsToList (name: node: "${pkgs.systemd}/bin/systemctl start uucico@${name}.service") cfg.remoteNodes)} |
| 305 | ;; | 365 | ;; |
| 306 | esac | 366 | esac |
| 307 | ''; | 367 | ''; |
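Review bot: The activation script in the `@@ -184,16 +233,27 @@` hunk does not evaluate as written: new line 247 calls `concatStringsSpec`, which is not a lib function (the rest of the file uses `concatStringsSep`), and new line 254 reads `config.sshKeyDir` where lines 252–253 use `cfg.sshKeyDir`; the fixes are `${concatStringsSep "\n" (mapAttrsToList sshConfig cfg.remoteNodes)}` and `chmod 700 ${cfg.sshKeyDir}`. New line 239 also relies on `concat`, which I do not find in nixpkgs' lib; `concatLists` does the same flattening of the per-node `publicKeys` lists. Separately, `sshKeyGen` (new lines 29–33 of the first hunk) runs as root during activation with the default `generateKey = [ "-t ed25519" ]`, which `escapeShellArgs` passes to ssh-keygen as one quoted argument; `[ "-t" "ed25519" ]` is what ssh-keygen expects, and the generated key files are presumably root-owned, so the uucp user's ssh cannot read the private key unless the script chowns them after generation. The `IdentityFile` on new line 27 points at the `.pub` file, whereas the private key ssh needs for the batch-mode connection is `${cfg.sshKeyDir}/${name}`.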
