From 681d4e7a94a1d41e6de09a499a7272927129094e Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 27 Apr 2016 13:20:36 +0200
Subject: machine permissions

---
 custom/uucp.nix | 20 +++++++++++++++-----
 ymir.nix | 4 +++-
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/custom/uucp.nix b/custom/uucp.nix
index 8490ca4f..afaf8508 100644
--- a/custom/uucp.nix
+++ b/custom/uucp.nix
@@ -17,6 +17,9 @@ let
 chat ""
 protocol e
 '';
+ permissions = set: name: let commands = set."${name}"; in ''
+ MACHINE=${name} COMMANDS=${concatStringsSep ":" commands}
+ '';
 in {
 options = {
 services.uucp = {
@@ -47,9 +50,13 @@ in {
 };
 remoteNodes = mkOption {
- type = types.listOf types.str;
- default = [];
- description = "List of ports to set up. You will probably need to configure these in sshConfig";
+ type = types.attrsOf (types.listOf str);
+ default = {};
+ description = ''
+ Ports to set up
+ Names will probably need to be configured in sshConfig
+ Values are permitted commands
+ '';
 };
 spoolDir = mkOption {
@@ -146,10 +153,13 @@ in {
 port ssh
 type stdin
 protocol e
- '' + concatStringsSep "\n" (map portSpec config.services.uucp.remoteNodes);
+ '' + concatStringsSep "\n" (map portSpec (builtins.attrNames config.services.uucp.remoteNodes));
 };
 environment.etc."uucp/sys" = {
- text = concatStringsSep "\n" (map sysSpec config.services.uucp.remoteNodes);
+ text = concatStringsSep "\n" (map sysSpec (builtins.attrNames config.services.uucp.remoteNodes));
+ };
+ environment.etc."uucp/Permissions" = {
+ text = concatStringsSep "\n" (map (permissions config.services.uucp.remoteNodes) (builtins.attrNames config.services.uucp.remoteNodes));
 };
 security.setuidOwners = map (p: {program = p; owner = "root"; group = "root"; setuid = true; setgid = false;}) ["uucico" "uuxqt" "cu" "uucp" "uuname" "uustat" "uux"];
diff --git a/ymir.nix b/ymir.nix
index 755d0a2c..eb4bf546 100644
--- a/ymir.nix
+++ b/ymir.nix
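Review bot: `permissions` interpolates `name` and every element of `commands` unquoted into a single Permissions line, so a command containing `:` or whitespace (which a plain string-list option admits) silently changes the meaning of the entry instead of failing evaluation; guard it before building the string, e.g. `assert builtins.all (c: builtins.match "[^: \t]+" c != null) commands;`, or tighten the option type where it is declared. The helper also deserves a one-line comment naming what it emits, e.g. `# one HDB-style Permissions entry: the commands system <name> may run via uuxqt`, since nothing else in the hunk explains MACHINE/COMMANDS. `set."${name}"` can simply be `set.${name}`. The enclosing `let` starts before the hunk.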
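Review bot: The new type `types.attrsOf (types.listOf str)` uses a bare `str` where the line it replaces used `types.str`; unless a `with types;` is in scope outside the hunk, evaluation fails with an undefined variable, so write `types.attrsOf (types.listOf types.str)` to match the surrounding option declarations. The description should also say that the values become the COMMANDS the named remote system is allowed to execute, and what an empty list or the `{}` default means for incoming work (presumably nothing is permitted, but confirm against uuxqt), because that default is the security-relevant part of this option. The option set continues outside the hunk.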
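Review bot: The COMMANDS restriction written to uucp/Permissions limits which programs uuxqt will run for a peer, not the privilege they run with, and the `security.setuidOwners` context line at the end of the hunk makes `uucico` and `uuxqt` setuid root, so every permitted command from a remote executes as root; unless root is genuinely required, give the wrappers to the uucp user, e.g. `owner = "uucp"; group = "uucp";`, so the new per-machine permissions actually bound the damage from a compromised peer. Separately, `config.services.uucp.remoteNodes` is walked three times with `builtins.attrNames`, and the Permissions text looks each name up again through `permissions set name`; bind the attrset once in the enclosing `let` and generate the entries with `lib.mapAttrsToList` instead. The enclosing `config` attrset starts and ends outside the hunk.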
@@ -341,7 +341,9 @@ in rec {
 services.uucp = {
 enable = true;
 nodeName = "ymir";
- remoteNodes = ["isaac"]; # legacy name for odin
+ remoteNodes = {
+ "isaac" = ["pwd" "rmail"]; # legacy name for odin
+ };
 sshUser = {
 openssh.authorizedKeys.keys = [
 ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgtDHA7oDIaRwggGGznNaKZF68rFTziqefSCn1t9ZKe uucp@odin'' ];
-- cgit v1.2.3
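Review bot: The command list for isaac carries no comment saying why `pwd` is granted next to `rmail`; with the generated Permissions file this list is the only thing bounding what odin can run through uuxqt, so each entry should be justified in place, e.g. `"isaac" = ["pwd" "rmail"]; # legacy name for odin; rmail for mail delivery, pwd for <reason>` — fill in the reason or drop `pwd`. Note too that the generated file only carries a MACHINE= entry for isaac; if HDB-style Permissions ties incoming logins to system names through LOGNAME= entries (verify against the Taylor UUCP documentation), the forced-command key below does not by itself stop a caller holding that key from announcing itself as isaac. The `services.uucp` block continues past the hunk.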