Add NixOS adornments

This commit is contained in:
Erin Shepherd 2022-07-14 19:48:55 +00:00
parent 5f68fa9d67
commit 4191566281
3 changed files with 179 additions and 1 deletions

15
default.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, buildGoModule }:
buildGoModule rec {
pname = "authentricity";
version = "0.0.1";
src = ./.;
vendorSha256 = "sha256-fskmRb9zXLGkL0sJ4P1/sNjzZkUZhAguOCSN1etQ2tU=";
meta = with lib; {
description = "Simple distributed authentication system";
homepage = "https://git.shinra.systems/erin/authentricity/";
license = licenses.isc;
};
}

View file

@ -17,7 +17,7 @@ type Config struct {
Debug bool `default:"false" description:"Enable debug logging"`
ListenType string `envconfig:"listen_type" default:"tcp" description:"Type of socket to listen on (Go 'net.Listen()' network)"`
ListenAddress string `envconfig:"listen_address" default:":8700" description:"Address to listen on (Go 'net.Listen()' address)"`
SecretsDir string `envconfig:"secrets_dir" default:"/var/lib/authentricity/secrets" description:"Directory in which to store secrets"`
SecretsDir string `envconfig:"secrets_dir" default:"/var/lib/authentricity/webui/secrets" description:"Directory in which to store secrets"`
TokenCookie string `envconfig:"token_cookie" default:"authentricity_token" description:"Cookie in which to store authentication token"`
AdminGroupID uuid.UUID `envconfig:"admin_group_id" required:"true" description:"UUID of administrator group"`
CookieDomain string `envconfig:"cookie_domain" default:"" description:"Domain to use when setting token cookie - customize to do cross-domain cookie based SSO"`

163
module.nix Normal file
View file

@ -0,0 +1,163 @@
{ config, lib, pkgs, ... }:
with lib;
{
options = with lib; {
services.authentricity = {
package = mkOption {
type = with types; package;
default = pkgs.authentricity;
description = "Enable the Authentricity hostagent on this machine";
};
hostagent = {
enable = mkOption {
type = with types; bool;
default = false;
description = "Enable the Authentricity hostagent on this machine";
};
socketPath = mkOption {
type = with types; str;
description = "Location at which to create the hostagent socket";
default = "/run/authentricity/hostagent.sock";
};
};
webui = {
enable = mkOption {
type = with types; bool;
default = false;
description = "Enable the Authentricity web UI";
};
listenAddress = mkOption {
type = with types; str;
description = "Address on which to listen for network connections";
default = "127.0.0.1:8700";
};
adminGroupID = mkOption {
type = with types; str;
description = "UUID of admin group";
example = "8769561d-0f3a-4749-9ae0-56ba8d4ec7c6";
};
cookieDomain = mkOption {
type = with types; str;
description = "Domain for which to set cookies";
example = "example.com";
default = "";
};
noHTTPS = mkOption {
type = with types; bool;
description = "Disable SecureOnly cookie flag";
default = false;
};
};
};
};
config = let cfg = config.services.authentricity; in {
nixpkgs.overlays = [ (self: super: {
authentricity = super.callPackage ./default.nix {};
}) ];
systemd.sockets.authentricity-hostagent = mkIf cfg.hostagent.enable {
listenStreams = [ cfg.hostagent.socketPath ];
wantedBy = [ "sockets.target" ];
socketConfig = {
FileDescriptorName = "varlink";
Symlinks = "/run/systemd/userdb/eu.e43.authentricity";
};
};
systemd.sockets.authentricity-webui = mkIf cfg.webui.enable {
listenStreams = [ cfg.webui.listenAddress ];
wantedBy = [ "sockets.target" ];
};
systemd.services.authentricity-hostagent = mkIf cfg.hostagent.enable {
description = "Authentricity Host Agent";
environment = {
AUTHENTRICITY_HOSTAGENT_SOCKET_PATH = cfg.hostagent.socketPath;
};
serviceConfig = {
Type = "exec";
User = "authentricity-hostagent";
Group = "authentricity-hostagent";
ExecStart = "${cfg.package}/bin/authentricity-hostagent";
ProtectSystem = "strict";
ProtectHome = mkDefault true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
StateDirectory = "authentricity/hostagent";
};
};
systemd.services.authentricity-webui = mkIf cfg.webui.enable {
description = "Authentricity Web UI";
environment = {
AUTHENTRICITY_WEBUI_ADMIN_GROUP_ID = cfg.webui.adminGroupID;
AUTHENTRICITY_WEBUI_COOKIE_DOMAIN = cfg.webui.cookieDomain;
AUTHENTRICITY_WEBUI_NO_HTTPS = mkIf cfg.webui.noHTTPS "true";
};
serviceConfig = {
Type = "exec";
User = "authentricity-webui";
Group = "authentricity-webui";
ExecStart = "${cfg.package}/bin/authentricity-webui";
ProtectSystem = "strict";
ProtectHome = mkDefault true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
StateDirectory = "authentricity/webui";
};
};
users.users.authentricity-hostagent = mkIf cfg.hostagent.enable {
group = "authentricity-hostagent";
isSystemUser = true;
};
users.groups.authentricity-hostagent = mkIf cfg.hostagent.enable {};
users.users.authentricity-webui = mkIf cfg.webui.enable {
group = "authentricity-webui";
isSystemUser = true;
};
users.groups.authentricity-webui = mkIf cfg.webui.enable {};
};
}