author | Maximilian Bosch <maximilian@mbosch.me> | 2022-08-29 13:48:40 +0200 |
---|---|---|
committer | Maximilian Bosch <maximilian@mbosch.me> | 2022-08-29 15:27:14 +0200 |
commit | 0178db0da3271cc04ad44de38997f405b19703fa (patch) | |
tree | e21c2ff1b4c370ba5124081593a1b87e921d3f66 /nixos | |
parent | 098951a03db7b5ecf33615353516092708384e7c (diff) |
nixos/rust-motd: init
Makes it easier to configure `rust-motd`. Currently, it takes care of the following things: * Creating a timer to regularly refresh the `motd`-text and a hardened service (which is still root to get access to e.g. fs-mounts, but read-only because of hardening flags). * Disabling `PrintLastLog` in `sshd.conf` if the last-login feature of `rust-motd` is supposed to be used. * Ensuring that the banner is actually shown when connecting via `ssh(1)` to a remote server with this being enabled.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/programs/rust-motd.nix | 92 |
2 files changed, 93 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 308bd8cb717b0..cb3599589cfe4 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -204,6 +204,7 @@
   ./programs/plotinus.nix
   ./programs/proxychains.nix
   ./programs/qt5ct.nix
+  ./programs/rust-motd.nix
   ./programs/screen.nix
   ./programs/sedutil.nix
   ./programs/seahorse.nix
diff --git a/nixos/modules/programs/rust-motd.nix b/nixos/modules/programs/rust-motd.nix
new file mode 100644
index 0000000000000..671e701cd1953
--- /dev/null
+++ b/nixos/modules/programs/rust-motd.nix
@@ -0,0 +1,92 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.rust-motd;
+  format = pkgs.formats.toml { };
+in {
+  options.programs.rust-motd = {
+    enable = mkEnableOption "rust-motd";
+    enableMotdInSSHD = mkOption {
+      default = true;
+      type = types.bool;
+      description = mdDoc ''
+        Whether to let `openssh` print the
+        result when entering a new `ssh`-session.
+        By default either nothing or a static file defined via
+        [](#opt-users.motd) is printed. Because of that,
+        the latter option is incompatible with this module.
+      '';
+    };
+    refreshInterval = mkOption {
+      default = "*:0/5";
+      type = types.str;
+      description = mdDoc ''
+        Interval in which the {manpage}`motd(5)` file is refreshed.
+        For possible formats, please refer to {manpage}`systemd.time(7)`.
+      '';
+    };
+    settings = mkOption {
+      type = types.submodule {
+        freeformType = format.type;
+      };
+      description = mdDoc ''
+        Settings on what to generate. Please read the
+        [upstream documentation](https://github.com/rust-motd/rust-motd/blob/main/README.md#configuration)
+        for further information.
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    assertions = [
+      { assertion = config.users.motd == null;
+        message = ''
+          `programs.rust-motd` is incompatible with `users.motd`!
+        '';
+      }
+    ];
+    systemd.services.rust-motd = {
+      path = with pkgs; [ bash ];
+      documentation = [ "https://github.com/rust-motd/rust-motd/blob/v${pkgs.rust-motd.version}/README.md" ];
+      description = "motd generator";
+      serviceConfig = {
+        ExecStart = "${pkgs.writeShellScript "update-motd" ''
+          ${pkgs.rust-motd}/bin/rust-motd ${format.generate "motd.conf" cfg.settings} > motd
+        ''}";
+        CapabilityBoundingSet = [ "" ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "full";
+        StateDirectory = "rust-motd";
+        RestrictAddressFamilies = "none";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        WorkingDirectory = "/var/lib/rust-motd";
+      };
+    };
+    systemd.timers.rust-motd = {
+      wantedBy = [ "timers.target" ];
+      timerConfig.OnCalendar = cfg.refreshInterval;
+    };
+    security.pam.services.sshd.text = mkIf cfg.enableMotdInSSHD (mkDefault (mkAfter ''
+      session optional ${pkgs.pam}/lib/security/pam_motd.so motd=/var/lib/rust-motd/motd
+    ''));
+    services.openssh.extraConfig = mkIf (cfg.settings ? last_login && cfg.settings.last_login != {}) ''
+      PrintLastLog no
+    '';
+  };
+  meta.maintainers = with maintainers; [ ma27 ];
+}
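Review bot: The `> motd` redirection in the `update-motd` script on the ExecStart line truncates the published file before rust-motd has produced any output, so a failing run leaves an empty motd and a login that arrives mid-run gets a partially written banner from pam_motd. Writing to a temporary name and renaming keeps the file that pam_motd reads complete at all times: `${pkgs.rust-motd}/bin/rust-motd ${format.generate "motd.conf" cfg.settings} > motd.tmp && mv motd.tmp motd` (the unit already runs with WorkingDirectory in the state directory, so the rename stays on one filesystem; add `coreutils` to `path` if it is not already provided). Since the unit only writes under StateDirectory, `ProtectSystem = "strict"` would fit the rest of the hardening set better than `"full"`, which still leaves `/var` writable to a process running as root, and `SystemCallArchitectures = "native"` with `SystemCallFilter = [ "@system-service" ]` are the usual companions to the flags already listed. If any configured component needs a network or local socket, `RestrictAddressFamilies = "none"` will make its socket calls fail, which is worth a sentence in the `settings` description.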