From 8c81dde1f3b3ce8edcad2ca42ff973c06c13d788 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 28 Jan 2022 23:34:21 +0100
Subject: l: add acl module
---
 lass/3modules/acl.nix | 64 +++++++++++++++++++++++++++++++++++++++++++++++
 lass/3modules/default.nix | 1 +
 2 files changed, 65 insertions(+)
 create mode 100644 lass/3modules/acl.nix
(limited to 'lass/3modules')
diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix
new file mode 100644
index 000000000..b87ca2e08
--- /dev/null
+++ b/lass/3modules/acl.nix
@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }: let
+ generateACLs = attrs:
+ lib.mapAttrsToList (path: rules: pkgs.writeDash "acl-${builtins.baseNameOf path}" ''
+ mkdir -p "${path}"
+ ${generateRules rules path}
+ '') attrs;
+
+ generateRules = rules: path:
+ lib.concatStrings (
+ lib.mapAttrsToList (_: rule: ''
+ setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
+ ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
+ ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
+ '') rules
+ );
+
+ parents = dir:
+ if dir == "/" then
+ [ dir ]
+ else
+ [ dir ] ++ parents (builtins.dirOf dir)
+ ;
+in {
+ options.lass.acl = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+ options = {
+ rule = lib.mkOption {
+ type = lib.types.str;
+ default = config._module.args.name;
+ };
+ default = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ recursive = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ parents = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ apply ACL to every parent folder
+ '';
+ };
+ };
+ })));
+ default = {};
+ };
+ config = lib.mkIf (config.lass.acl != {}) {
+ systemd.services.set_acl = {
+ wantedBy = [ "multi-user.target" ];
+ path = [
+ pkgs.acl
+ pkgs.coreutils
+ ];
+ serviceConfig = {
+ ExecStart = generateACLs config.lass.acl;
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ };
+ };
+}
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 570bb45be..0373bd44c 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,6 +1,7 @@
 _: {
 imports = [
+ ./acl.nix
 ./dnsmasq.nix
 ./folderPerms.nix
 ./hosts.nix
-- cgit v1.2.3
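Review bot: In generateRules, the `rule.parents` branch applies the unmodified `rule.rule` to every element of `parents path`, and that list includes the path itself and ends at `/`, so a rule that grants write on a leaf directory also lands on every ancestor up to and including the root directory. Ancestors normally only need traversal (`x`) for the leaf grant to be usable, and the option description `apply ACL to every parent folder` does not make the widening to `/` visible to whoever enables it; either derive a traverse-only rule for ancestors or make the description explicit, e.g. `apply the same ACL rule to every parent folder, up to and including /`. The three setfacl lines also leave `${path}`, `${folder}` and `${rule.rule}` unquoted while the `mkdir -p` line quotes the path, so a directory name containing whitespace is split into separate arguments; quoting them consistently (`setfacl -m "${rule.rule}" "${folder}"`) keeps the generated script well-formed. Note as well that `parents` only terminates on `/`; it looks like a relative path would recurse on `builtins.dirOf` indefinitely, so an assertion that every key of `lass.acl` is absolute would turn that into a clear evaluation error.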