krebs.setuid: init
This commit is contained in:
parent
c1a9a89c9a
commit
e890eb244a
@ -27,6 +27,7 @@ let
|
|||||||
./retiolum-bootstrap.nix
|
./retiolum-bootstrap.nix
|
||||||
./realwallpaper.nix
|
./realwallpaper.nix
|
||||||
./retiolum.nix
|
./retiolum.nix
|
||||||
|
./setuid.nix
|
||||||
./tinc_graphs.nix
|
./tinc_graphs.nix
|
||||||
./urlwatch.nix
|
./urlwatch.nix
|
||||||
];
|
];
|
||||||
|
75
krebs/3modules/setuid.nix
Normal file
75
krebs/3modules/setuid.nix
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.krebs.setuid;
|
||||||
|
|
||||||
|
out = {
|
||||||
|
options.krebs.setuid = api;
|
||||||
|
config = imp;
|
||||||
|
};
|
||||||
|
|
||||||
|
api = mkOption {
|
||||||
|
default = {};
|
||||||
|
type = let
|
||||||
|
# TODO make wrapperDir configurable
|
||||||
|
inherit (config.security) wrapperDir;
|
||||||
|
inherit (config.users) groups users;
|
||||||
|
in types.attrsOf (types.submodule ({ config, ... }: {
|
||||||
|
options = {
|
||||||
|
name = mkOption {
|
||||||
|
type = types.filename;
|
||||||
|
default = config._module.args.name;
|
||||||
|
};
|
||||||
|
filename = mkOption {
|
||||||
|
type = mkOptionType {
|
||||||
|
# TODO unyuck string and merge with toC
|
||||||
|
name = "derivation or string";
|
||||||
|
check = x:
|
||||||
|
isDerivation x ||
|
||||||
|
isString x;
|
||||||
|
};
|
||||||
|
apply = toString;
|
||||||
|
};
|
||||||
|
owner = mkOption {
|
||||||
|
default = "root";
|
||||||
|
type = types.enum (attrNames users);
|
||||||
|
};
|
||||||
|
group = mkOption {
|
||||||
|
default = "root";
|
||||||
|
type = types.enum (attrNames groups);
|
||||||
|
};
|
||||||
|
mode = mkOption {
|
||||||
|
default = "4710";
|
||||||
|
type = mkOptionType {
|
||||||
|
# TODO admit symbolic mode
|
||||||
|
name = "octal mode";
|
||||||
|
check = x:
|
||||||
|
isString x &&
|
||||||
|
match "[0-7][0-7][0-7][0-7]" x != null;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
activate = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
visible = false;
|
||||||
|
readOnly = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
config.activate = let
|
||||||
|
src = pkgs.execve config.name {
|
||||||
|
inherit (config) filename;
|
||||||
|
};
|
||||||
|
dst = "${wrapperDir}/${config.name}";
|
||||||
|
in ''
|
||||||
|
cp ${src} ${dst}
|
||||||
|
chown ${config.owner}.${config.group} ${dst}
|
||||||
|
chmod ${config.mode} ${dst}
|
||||||
|
'';
|
||||||
|
}));
|
||||||
|
};
|
||||||
|
|
||||||
|
imp = {
|
||||||
|
system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
|
||||||
|
(concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
|
||||||
|
};
|
||||||
|
|
||||||
|
in out
|
@ -79,7 +79,7 @@ with lib;
|
|||||||
${pkgs.kvm}/bin/qemu-img create "$img" 10G
|
${pkgs.kvm}/bin/qemu-img create "$img" 10G
|
||||||
fi
|
fi
|
||||||
exec ${pkgs.kvm}/bin/qemu-kvm \
|
exec ${pkgs.kvm}/bin/qemu-kvm \
|
||||||
-monitor unix:$HOME/tmp/xu-qemu0.sock,server,nowait \
|
-monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \
|
||||||
-boot order=cd \
|
-boot order=cd \
|
||||||
-cdrom ${pkgs.fetchurl {
|
-cdrom ${pkgs.fetchurl {
|
||||||
url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
|
url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
|
||||||
@ -95,36 +95,20 @@ with lib;
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
system.activationScripts."krebs.setuid.xu-qemu0-monitor" = stringAfter [ "setuid" ] ''
|
krebs.setuid.xu-qemu0-monitor = {
|
||||||
src=${pkgs.execve "xu-qemu0-monitor" {
|
filename = pkgs.writeDash "xu-qemu0-monitor" ''
|
||||||
# TODO toC should handle derivation, then we don't have to "${...}" here
|
exec ${pkgs.socat}/bin/socat \
|
||||||
filename = "${pkgs.writeDash "xu-qemu0-monitor" ''
|
stdio \
|
||||||
exec ${pkgs.socat}/bin/socat \
|
UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \
|
||||||
stdio \
|
'';
|
||||||
UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0.sock \
|
owner = "xu-qemu0";
|
||||||
''}";
|
group = "tv";
|
||||||
}}
|
};
|
||||||
dst=${config.security.wrapperDir}/xu-qemu0-monitor
|
|
||||||
cp "$src" "$dst"
|
|
||||||
chown xu-qemu0.tv "$dst"
|
|
||||||
chmod 4710 "$dst"
|
|
||||||
'';
|
|
||||||
|
|
||||||
#TODO krebs.setuid.qemu-bridge-helper = {
|
krebs.setuid.qemu-bridge-helper = {
|
||||||
# filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
|
filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
|
||||||
# owner = "root";
|
group = "qemu-users";
|
||||||
# group = "qemu-users";
|
};
|
||||||
# mode = "4710";
|
|
||||||
#};
|
|
||||||
system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ] ''
|
|
||||||
src=${pkgs.execve "qemu-bridge-helper" {
|
|
||||||
filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
|
|
||||||
}}
|
|
||||||
dst=${config.security.wrapperDir}/qemu-bridge-helper
|
|
||||||
cp "$src" "$dst"
|
|
||||||
chown root.qemu-users "$dst"
|
|
||||||
chmod 4710 "$dst"
|
|
||||||
'';
|
|
||||||
|
|
||||||
users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq";
|
users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq";
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user