author | Ryan Lahfa <masterancpp@gmail.com> | 2023-07-13 22:35:45 +0200 |
committer | GitHub <noreply@github.com> | 2023-07-13 22:35:45 +0200 |
commit | 7bc11802ed276c2d651bd4bf0dc4b0b05434e0bf (patch) | |
tree | b61895c1e9cb23201021f2a645575cc17a920425 /nixos | |
parent | f2d061537bb47f3afa245f6ddce9d1db98e3e196 (diff) | |
parent | 9d6cd34766b6144db476cc3a94fd41d6a714122c (diff) | |
Merge pull request #238777 from ORichterSec/esdm-upstream
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/security/esdm.nix | 102 |
2 files changed, 103 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 1bdeb126fc36..48cbc404a815 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1108,6 +1108,7 @@
 ./services/security/clamav.nix
 ./services/security/endlessh-go.nix
 ./services/security/endlessh.nix
+ ./services/security/esdm.nix
 ./services/security/fail2ban.nix
 ./services/security/fprintd.nix
 ./services/security/haka.nix
diff --git a/nixos/modules/services/security/esdm.nix b/nixos/modules/services/security/esdm.nix
new file mode 100644
index 000000000000..2b246fff7e96
--- /dev/null
+++ b/nixos/modules/services/security/esdm.nix
@@ -0,0 +1,102 @@
+{ lib, config, pkgs, ... }:
+
+let
+ cfg = config.services.esdm;
+in
+{
+ options.services.esdm = {
+ enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration");
+ package = lib.mkPackageOptionMD pkgs "esdm" { };
+ serverEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM server service. If serverEnable == false, then the esdm-server
+ will not start. Also the subsequent services esdm-cuse-random, esdm-cuse-urandom
+ and esdm-proc will not start as these have the entry Want=esdm-server.service.
+ '';
+ };
+ cuseRandomEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM cuse-random service. Determines if the esdm-cuse-random.service
+ is started.
+ '';
+ };
+ cuseUrandomEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM cuse-urandom service. Determines if the esdm-cuse-urandom.service
+ is started.
+ '';
+ };
+ procEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM proc service. Determines if the esdm-proc.service
+ is started.
+ '';
+ };
+ verbose = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Enable verbose ExecStart for ESDM. If verbose == true, then the corresponding "ExecStart"
+ values of the 4 aforementioned services are overwritten with the option
+ for the highest verbosity.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ ({
+ systemd.packages = [ cfg.package ];
+ })
+ # It is necessary to set those options for these services to be started by systemd in NixOS
+ (lib.mkIf cfg.serverEnable {
+ systemd.services."esdm-server".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-server".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-server.service'
+ "${cfg.package}/bin/esdm-server -f -vvvvvv"
+ ];
+ };
+ })
+
+ (lib.mkIf cfg.cuseRandomEnable {
+ systemd.services."esdm-cuse-random".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-cuse-random".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-cuse-random.service'
+ "${cfg.package}/bin/esdm-cuse-random -f -v 6"
+ ];
+ };
+ })
+
+ (lib.mkIf cfg.cuseUrandomEnable {
+ systemd.services."esdm-cuse-urandom".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-cuse-urandom".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-cuse-urandom.service'
+ "${config.services.esdm.package}/bin/esdm-cuse-urandom -f -v 6"
+ ];
+ };
+ })
+
+ (lib.mkIf cfg.procEnable {
+ systemd.services."esdm-proc".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-proc".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-proc.service'
+ "${cfg.package}/bin/esdm-proc --relabel -f -o allow_other /proc/sys/kernel/random -v 6"
+ ];
+ };
+ })
+ ]);
+
+ meta.maintainers = with lib.maintainers; [ orichter thillux ];
+} |
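Review bot: Nothing rejects serverEnable = false while cuseRandomEnable, cuseUrandomEnable or procEnable keep their default true, although the serverEnable description states those units will not start without esdm-server; an assertions entry in the first mkMerge element would refuse that combination at evaluation time instead of producing units that are wanted by basic.target and never come up. In the cuse-urandom block `${config.services.esdm.package}` should be `${cfg.package}` like the other three ExecStart lines. The `" "` placeholder used to reset ExecStart is conventionally the empty string `""` in NixOS modules, which is the form systemd documents as a reset; a lone space presumably only works because the value is trimmed, so it is worth confirming. In the serverEnable description the directive is `Wants=`, not `Want=`, and the procEnable description should mention that esdm-proc is started on /proc/sys/kernel/random with `-o allow_other`, as its ExecStart line shows, since that is the system-wide effect a user enabling it takes on.
```nix
  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      ({
        systemd.packages = [ cfg.package ];
        # Reject the combination the serverEnable description says cannot run.
        assertions = [
          {
            assertion = (cfg.cuseRandomEnable || cfg.cuseUrandomEnable || cfg.procEnable) -> cfg.serverEnable;
            message = "services.esdm: cuseRandomEnable, cuseUrandomEnable and procEnable require serverEnable = true";
          }
        ];
      })
      # … unchanged: per-service lib.mkIf blocks …
```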