author | Oliver Richter <oliver.richter@secunet.com> | 2023-06-01 15:24:01 +0200 |
committer | Oliver Richter <oliver.richter@secunet.com> | 2023-07-13 16:08:12 +0200 |
commit | 9d6cd34766b6144db476cc3a94fd41d6a714122c (patch) | |
tree | b4e189376ff395d19798641337923bfb9c28af42 /nixos/modules | |
parent | 4d06b4373c62596f7bfad6cc037ebe3cf52e6d65 (diff) | |
esdm: init at 0.6.0
Signed-off-by: Oliver Richter <richter-oliver@gmx.net>
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/security/esdm.nix | 102 |
2 files changed, 103 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 1bdeb126fc36..48cbc404a815 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1108,6 +1108,7 @@
 ./services/security/clamav.nix
 ./services/security/endlessh-go.nix
 ./services/security/endlessh.nix
+ ./services/security/esdm.nix
 ./services/security/fail2ban.nix
 ./services/security/fprintd.nix
 ./services/security/haka.nix
diff --git a/nixos/modules/services/security/esdm.nix b/nixos/modules/services/security/esdm.nix
new file mode 100644
index 000000000000..2b246fff7e96
--- /dev/null
+++ b/nixos/modules/services/security/esdm.nix
@@ -0,0 +1,102 @@
+{ lib, config, pkgs, ... }:
+
+let
+ cfg = config.services.esdm;
+in
+{
+ options.services.esdm = {
+ enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration");
+ package = lib.mkPackageOptionMD pkgs "esdm" { };
+ serverEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM server service. If serverEnable == false, then the esdm-server
+ will not start. Also the subsequent services esdm-cuse-random, esdm-cuse-urandom
+ and esdm-proc will not start as these have the entry Want=esdm-server.service.
+ '';
+ };
+ cuseRandomEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM cuse-random service. Determines if the esdm-cuse-random.service
+ is started.
+ '';
+ };
+ cuseUrandomEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM cuse-urandom service. Determines if the esdm-cuse-urandom.service
+ is started.
+ '';
+ };
+ procEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM proc service. Determines if the esdm-proc.service
+ is started.
+ '';
+ };
+ verbose = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Enable verbose ExecStart for ESDM. If verbose == true, then the corresponding "ExecStart"
+ values of the 4 aforementioned services are overwritten with the option
+ for the highest verbosity.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ ({
+ systemd.packages = [ cfg.package ];
+ })
+ # It is necessary to set those options for these services to be started by systemd in NixOS
+ (lib.mkIf cfg.serverEnable {
+ systemd.services."esdm-server".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-server".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-server.service'
+ "${cfg.package}/bin/esdm-server -f -vvvvvv"
+ ];
+ };
+ })
+
+ (lib.mkIf cfg.cuseRandomEnable {
+ systemd.services."esdm-cuse-random".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-cuse-random".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-cuse-random.service'
+ "${cfg.package}/bin/esdm-cuse-random -f -v 6"
+ ];
+ };
+ })
+
+ (lib.mkIf cfg.cuseUrandomEnable {
+ systemd.services."esdm-cuse-urandom".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-cuse-urandom".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-cuse-urandom.service'
+ "${config.services.esdm.package}/bin/esdm-cuse-urandom -f -v 6"
+ ];
+ };
+ })
+
+ (lib.mkIf cfg.procEnable {
+ systemd.services."esdm-proc".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-proc".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-proc.service'
+ "${cfg.package}/bin/esdm-proc --relabel -f -o allow_other /proc/sys/kernel/random -v 6"
+ ];
+ };
+ })
+ ]);
+
+ meta.maintainers = with lib.maintainers; [ orichter thillux ];
+}
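Review bot: `serverEnable = false` does not behave as the option's description says: if the upstream esdm-cuse-random, esdm-cuse-urandom and esdm-proc units really carry `Wants=esdm-server.service` (the text says `Want=`, which should read `Wants=`), then leaving the other three options at their `true` default still starts esdm-server, because `Wants=` pulls the wanted unit in rather than gating on it — and should the units only order after the server instead, the CUSE-backed `/dev/random` and `/dev/urandom` would come up with no entropy server behind them, which is a worse failure mode for a system RNG than a plainly failed unit. Since the upstream units are not visible here, the module should make the invariant explicit with an assertion in the `config` section tying the three front-end options to `serverEnable` (below). Separately, `esdm-proc` is launched with `-o allow_other`, which exposes the FUSE-backed `/proc/sys/kernel/random` to every user; that is the intent, but it only takes effect when the unit runs as root or `programs.fuse.userAllowOther` is set, and a comment on that line such as `# allow_other: the replacement /proc/sys/kernel/random must be readable by all users; requires root or fuse user_allow_other` would spare the next reader a trip to the upstream unit. The cuse-urandom branch also spells the package as `config.services.esdm.package` where its siblings use `cfg.package`; both resolve identically, but the inconsistency reads like a copy-paste slip.

```nix
  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      ({
        systemd.packages = [ cfg.package ];
        # The CUSE/FUSE front-ends are useless (or actively misleading) without the server.
        assertions = [{
          assertion = cfg.serverEnable || !(cfg.cuseRandomEnable || cfg.cuseUrandomEnable || cfg.procEnable);
          message = "services.esdm: cuseRandomEnable, cuseUrandomEnable and procEnable require serverEnable = true";
        }];
      })
      # … unchanged: per-service mkIf blocks …
    ]);
```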