Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

krebs.setuid: init

Browse Source
This commit is contained in:
tv 2016-02-14 13:26:37 +01:00
parent c1a9a89c9a
commit e890eb244a
3 changed files with 90 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
krebs/3modules/default.nix
View File

@ -27,6 +27,7 @@ let
./retiolum-bootstrap.nix
./realwallpaper.nix
./retiolum.nix
./setuid.nix
./tinc_graphs.nix
./urlwatch.nix
];

75
krebs/3modules/setuid.nix Normal file
View File

@ -0,0 +1,75 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.krebs.setuid;
out = {
options.krebs.setuid = api;
config = imp;
};
api = mkOption {
default = {};
type = let
# TODO make wrapperDir configurable
inherit (config.security) wrapperDir;
inherit (config.users) groups users;
in types.attrsOf (types.submodule ({ config, ... }: {
options = {
name = mkOption {
type = types.filename;
default = config._module.args.name;
};
filename = mkOption {
type = mkOptionType {
# TODO unyuck string and merge with toC
name = "derivation or string";
check = x:
isDerivation x ||
isString x;
};
apply = toString;
};
owner = mkOption {
default = "root";
type = types.enum (attrNames users);
};
group = mkOption {
default = "root";
type = types.enum (attrNames groups);
};
mode = mkOption {
default = "4710";
type = mkOptionType {
# TODO admit symbolic mode
name = "octal mode";
check = x:
isString x &&
match "[0-7][0-7][0-7][0-7]" x != null;
};
};
activate = mkOption {
type = types.str;
visible = false;
readOnly = true;
};
};
config.activate = let
src = pkgs.execve config.name {
inherit (config) filename;
};
dst = "${wrapperDir}/${config.name}";
in ''
cp ${src} ${dst}
chown ${config.owner}.${config.group} ${dst}
chmod ${config.mode} ${dst}
'';
}));
};
imp = {
system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
(concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
};
in out

44
tv/2configs/xu-qemu0.nix
View File

@ -79,7 +79,7 @@ with lib;
${pkgs.kvm}/bin/qemu-img create "$img" 10G
fi
exec ${pkgs.kvm}/bin/qemu-kvm \
-monitor unix:$HOME/tmp/xu-qemu0.sock,server,nowait \
-monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \
-boot order=cd \
-cdrom ${pkgs.fetchurl {
url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
@ -95,36 +95,20 @@ with lib;
};
};
system.activationScripts."krebs.setuid.xu-qemu0-monitor" = stringAfter [ "setuid" ] ''
src=${pkgs.execve "xu-qemu0-monitor" {
# TODO toC should handle derivation, then we don't have to "${...}" here
filename = "${pkgs.writeDash "xu-qemu0-monitor" ''
exec ${pkgs.socat}/bin/socat \
stdio \
UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0.sock \
''}";
}}
dst=${config.security.wrapperDir}/xu-qemu0-monitor
cp "$src" "$dst"
chown xu-qemu0.tv "$dst"
chmod 4710 "$dst"
'';
krebs.setuid.xu-qemu0-monitor = {
filename = pkgs.writeDash "xu-qemu0-monitor" ''
exec ${pkgs.socat}/bin/socat \
stdio \
UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \
'';
owner = "xu-qemu0";
group = "tv";
};
#TODO krebs.setuid.qemu-bridge-helper = {
# filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
# owner = "root";
# group = "qemu-users";
# mode = "4710";
#};
system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ] ''
src=${pkgs.execve "qemu-bridge-helper" {
filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
}}
dst=${config.security.wrapperDir}/qemu-bridge-helper
cp "$src" "$dst"
chown root.qemu-users "$dst"
chmod 4710 "$dst"
'';
krebs.setuid.qemu-bridge-helper = {
filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
group = "qemu-users";
};
users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq";