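# NixOS module for Authentricity: an optional host agent (a varlink socket
# published under systemd's userdb directory) and an optional web UI.
# Both daemons run as dedicated system users under a systemd sandbox.
{ config, lib, pkgs, ... }:

with lib;

{
  options = {
    services.authentricity = {
      package = mkOption {
        type = types.package;
        default = pkgs.authentricity;
        defaultText = "pkgs.authentricity";
        # Fixed: this description was a copy of the hostagent.enable text.
        description = "The Authentricity package providing the hostagent and web UI binaries";
      };

      hostagent = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = "Enable the Authentricity hostagent on this machine";
        };

        socketPath = mkOption {
          type = types.str;
          description = "Location at which to create the hostagent socket";
          default = "/run/authentricity/hostagent.sock";
        };
      };

      webui = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = "Enable the Authentricity web UI";
        };

        listenAddress = mkOption {
          type = types.str;
          description = "Address on which to listen for network connections";
          # Loopback by default; exposing it more widely is an explicit choice.
          default = "127.0.0.1:8700";
        };

        # No default: the module cannot guess which group administers the UI.
        adminGroupID = mkOption {
          type = types.str;
          description = "UUID of admin group";
          example = "8769561d-0f3a-4749-9ae0-56ba8d4ec7c6";
        };

        cookieDomain = mkOption {
          type = types.str;
          description = "Domain for which to set cookies";
          example = "example.com";
          default = "";
        };

        # Drops the Secure attribute on cookies; only meaningful when the UI is
        # served without TLS (e.g. local testing), as the cookie would then be
        # exposed over plaintext HTTP.
        noHTTPS = mkOption {
          type = types.bool;
          description = "Disable SecureOnly cookie flag";
          default = false;
        };

        # NOTE(review): defaults to cookieDomain, whose own default is "" —
        # with neither set the daemon receives an empty value; confirm the
        # web UI rejects that rather than registering credentials for an
        # empty RP ID.
        webauthnOrigin = mkOption {
          type = types.str;
          description = "Domain to use as WebAuthn RPID";
          default = config.services.authentricity.webui.cookieDomain;
          defaultText = "config.services.authentricity.webui.cookieDomain";
          example = "example.com";
        };
      };
    };
  };

  config =
    let
      cfg = config.services.authentricity;

      # Sandbox settings shared by both daemons. ProtectHome is mkDefault so a
      # deployment can relax it if user data must be reachable.
      hardening = {
        ProtectSystem = "strict";
        ProtectHome = mkDefault true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        PrivateMounts = true;
      };
    in
    {
      nixpkgs.overlays = [
        (self: super: { authentricity = super.callPackage ./default.nix {}; })
      ];

      systemd.sockets.authentricity-hostagent = mkIf cfg.hostagent.enable {
        listenStreams = [ cfg.hostagent.socketPath ];
        wantedBy = [ "sockets.target" ];
        socketConfig = {
          FileDescriptorName = "varlink";
          # Symlinking into /run/systemd/userdb registers the socket as a
          # userdb provider, so local user/group lookups can reach this agent.
          Symlinks = "/run/systemd/userdb/eu.e43.authentricity";
        };
      };

      systemd.sockets.authentricity-webui = mkIf cfg.webui.enable {
        listenStreams = [ cfg.webui.listenAddress ];
        wantedBy = [ "sockets.target" ];
      };

      systemd.services.authentricity-hostagent = mkIf cfg.hostagent.enable {
        description = "Authentricity Host Agent";
        environment = {
          AUTHENTRICITY_HOSTAGENT_SOCKET_PATH = cfg.hostagent.socketPath;
        };
        serviceConfig = hardening // {
          Type = "exec";
          User = "authentricity-hostagent";
          Group = "authentricity-hostagent";
          ExecStart = "${cfg.package}/bin/authentricity-hostagent";
          StateDirectory = "authentricity/hostagent";
        };
      };

      systemd.services.authentricity-webui = mkIf cfg.webui.enable {
        description = "Authentricity Web UI";
        environment = {
          AUTHENTRICITY_WEBUI_ADMIN_GROUP_ID = cfg.webui.adminGroupID;
          AUTHENTRICITY_WEBUI_COOKIE_DOMAIN = cfg.webui.cookieDomain;
          AUTHENTRICITY_WEBUI_WEBAUTHN_ORIGIN = cfg.webui.webauthnOrigin;
          # Only exported when explicitly requested, so the daemon's default
          # (Secure cookies) applies otherwise.
          AUTHENTRICITY_WEBUI_NO_HTTPS = mkIf cfg.webui.noHTTPS "true";
        };
        serviceConfig = hardening // {
          Type = "exec";
          User = "authentricity-webui";
          Group = "authentricity-webui";
          ExecStart = "${cfg.package}/bin/authentricity-webui";
          StateDirectory = "authentricity/webui";
        };
      };

      # Dedicated unprivileged identities, one per daemon, created only when
      # the corresponding service is enabled.
      users.users.authentricity-hostagent = mkIf cfg.hostagent.enable {
        group = "authentricity-hostagent";
        isSystemUser = true;
      };
      users.groups.authentricity-hostagent = mkIf cfg.hostagent.enable {};

      users.users.authentricity-webui = mkIf cfg.webui.enable {
        group = "authentricity-webui";
        isSystemUser = true;
      };
      users.groups.authentricity-webui = mkIf cfg.webui.enable {};
    };
}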