{ config, lib, pkgs, ... }:
with lib;
{
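options.services.authentricity = {
  package = mkOption {
    type = types.package;
    default = pkgs.authentricity;
    # Without defaultText the option documentation would have to evaluate
    # pkgs.authentricity (provided by the overlay in `config`) just to render.
    defaultText = "pkgs.authentricity";
    # The previous description was a copy of hostagent.enable's text.
    description = "Authentricity package providing bin/authentricity-hostagent and bin/authentricity-webui";
  };

  hostagent = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable the Authentricity hostagent on this machine";
    };

    socketPath = mkOption {
      type = types.str;
      # systemd creates this socket (socket activation); the same path is
      # handed to the agent through AUTHENTRICITY_HOSTAGENT_SOCKET_PATH.
      description = "Location at which to create the hostagent socket";
      default = "/run/authentricity/hostagent.sock";
    };
  };

  webui = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable the Authentricity web UI";
    };

    listenAddress = mkOption {
      type = types.str;
      # Passed verbatim to the systemd socket unit's ListenStream=, so any
      # address syntax systemd accepts works here.
      description = "Address on which to listen for network connections. Passed verbatim to the systemd socket unit (ListenStream=); the default binds loopback only.";
      default = "127.0.0.1:8700";
    };

    adminGroupID = mkOption {
      type = types.str;
      # No default on purpose: enabling the web UI without setting this is an
      # evaluation error rather than a UI with no admin group.
      description = "UUID of admin group. Required when the web UI is enabled.";
      example = "8769561d-0f3a-4749-9ae0-56ba8d4ec7c6";
    };

    cookieDomain = mkOption {
      type = types.str;
      description = "Domain for which to set cookies. Also the default for webauthnOrigin.";
      example = "example.com";
      default = "";
    };

    noHTTPS = mkOption {
      type = types.bool;
      # Clearing the Secure flag lets cookies travel over plain HTTP.
      description = "Disable the Secure (SecureOnly) cookie flag so cookies are also sent over plain HTTP. Intended for local testing only; leave it off wherever the UI is reachable over a network.";
      default = false;
    };

    webauthnOrigin = mkOption {
      type = types.str;
      description = "Domain to use as WebAuthn RPID. Defaults to cookieDomain, which is itself empty by default; an empty value is unlikely to work, so set one of them when the web UI is enabled.";
      default = config.services.authentricity.webui.cookieDomain;
      defaultText = "config.services.authentricity.webui.cookieDomain";
      example = "example.com";
    };
  };
};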
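config =
  let
    cfg = config.services.authentricity;

    # Sandboxing applied identically to both units. Kept in one place so the
    # two services cannot silently drift apart; every key is a systemd
    # service-unit setting (see systemd.exec(5)). Per-unit keys (User, Group,
    # ExecStart, StateDirectory) are merged on top with `//` below.
    hardening = {
      # Read-only view of the filesystem; StateDirectory= below is carved out
      # as writable.
      ProtectSystem = "strict";
      # mkDefault so an operator can relax this without mkForce.
      ProtectHome = mkDefault true;
      PrivateTmp = true;
      PrivateDevices = true;
      PrivateMounts = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      # AF_UNIX for the activated sockets, AF_INET/AF_INET6 for network I/O.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RemoveIPC = true;
      # Stated explicitly even though systemd implies it for non-root units
      # that use the Protect*/Restrict* settings above, so the intent survives
      # if any of those are relaxed later.
      NoNewPrivileges = true;
      # Both units run as dedicated unprivileged users and need no capabilities.
      CapabilityBoundingSet = "";
      # Reject system calls made through a non-native ABI.
      SystemCallArchitectures = "native";
      # NOTE(review): SystemCallFilter= and ProtectProc= are deliberately not
      # set here because the binaries' requirements are not visible from this
      # module; confirm against the programs before tightening further.
    };
  in {
    # Provides pkgs.authentricity, the default for services.authentricity.package;
    # ./default.nix is resolved relative to this module file.
    nixpkgs.overlays = [ (self: super: {
      authentricity = super.callPackage ./default.nix {};
    }) ];

    # Socket-activated: systemd owns the listening socket and hands it to the
    # service, so the service itself never binds a path or port.
    systemd.sockets.authentricity-hostagent = mkIf cfg.hostagent.enable {
      listenStreams = [ cfg.hostagent.socketPath ];
      wantedBy = [ "sockets.target" ];
      socketConfig = {
        FileDescriptorName = "varlink";
        # Publishes the socket under systemd's userdb directory, presumably so
        # the host's user/group lookups can discover this provider — confirm
        # against the hostagent's varlink interface.
        Symlinks = "/run/systemd/userdb/eu.e43.authentricity";
        # NOTE(review): no SocketMode= is set, so systemd's default (0666)
        # applies and any local user can connect. That is what a userdb
        # provider normally needs; verify the agent does nothing privileged
        # on behalf of an arbitrary caller over this socket.
      };
    };

    systemd.sockets.authentricity-webui = mkIf cfg.webui.enable {
      # listenAddress is passed through unchanged; the option's default keeps
      # this on loopback.
      listenStreams = [ cfg.webui.listenAddress ];
      wantedBy = [ "sockets.target" ];
    };

    systemd.services.authentricity-hostagent = mkIf cfg.hostagent.enable {
      description = "Authentricity Host Agent";

      environment = {
        AUTHENTRICITY_HOSTAGENT_SOCKET_PATH = cfg.hostagent.socketPath;
      };

      serviceConfig = hardening // {
        Type = "exec";
        User = "authentricity-hostagent";
        Group = "authentricity-hostagent";
        ExecStart = "${cfg.package}/bin/authentricity-hostagent";
        # Writable state under /var/lib, owned by the service user.
        StateDirectory = "authentricity/hostagent";
      };
    };

    systemd.services.authentricity-webui = mkIf cfg.webui.enable {
      description = "Authentricity Web UI";

      environment = {
        AUTHENTRICITY_WEBUI_ADMIN_GROUP_ID = cfg.webui.adminGroupID;
        AUTHENTRICITY_WEBUI_COOKIE_DOMAIN = cfg.webui.cookieDomain;
        AUTHENTRICITY_WEBUI_WEBAUTHN_ORIGIN = cfg.webui.webauthnOrigin;
        # Only exported when noHTTPS is set; the value is always "true".
        AUTHENTRICITY_WEBUI_NO_HTTPS = mkIf cfg.webui.noHTTPS "true";
      };

      serviceConfig = hardening // {
        Type = "exec";
        User = "authentricity-webui";
        Group = "authentricity-webui";
        ExecStart = "${cfg.package}/bin/authentricity-webui";
        # Writable state under /var/lib, owned by the service user.
        StateDirectory = "authentricity/webui";
      };
    };

    # Dedicated system users so the two units never share credentials or
    # state with each other or with regular users.
    users.users.authentricity-hostagent = mkIf cfg.hostagent.enable {
      group = "authentricity-hostagent";
      isSystemUser = true;
    };
    users.groups.authentricity-hostagent = mkIf cfg.hostagent.enable {};

    users.users.authentricity-webui = mkIf cfg.webui.enable {
      group = "authentricity-webui";
      isSystemUser = true;
    };
    users.groups.authentricity-webui = mkIf cfg.webui.enable {};
  };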
}