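# NixOS module: Google Authenticator PAM module with ONE system-wide TOTP
# secret instead of a per-user one.  The secret file lives in `secret-dir`,
# owned by a dedicated locked-down system user, and the PAM module is
# rebuilt with the user name, secret path and echo flag substituted into
# its C source.  A root-only helper script creates the secret interactively.
{ pkgs
, lib
, config
, ...
}:
let
  cfg = config.security.google-authenticator-singlesecret;

  # Turn an arbitrary string into the body of a C string literal.
  # Backslash and double quote are backslash-escaped first; the control
  # characters are then mapped to their two-character C escapes.  The order
  # matters: escaping backslashes *after* the second step would double-escape
  # the `\n`/`\t`/`\r` sequences it produced.
  # `lib.strings.escapeC` is deliberately not used: it emits `\xHH` escapes,
  # and C extends a hex escape over every hex digit that follows, so a `"`
  # right before e.g. `a` would become the single out-of-range escape `\x22a`.
  escapeCLang = str:
    lib.replaceStrings [ "\n" "\t" "\r" ] [ "\\n" "\\t" "\\r" ]
      (lib.strings.escape [ "\\" "\"" ] str);

  # Protect an already C-escaped value for use inside a sed `s|..|..|`
  # replacement: sed reinterprets backslash sequences and `&` there, and `|`
  # is the delimiter used below.
  escapeSedReplacement = lib.strings.escape [ "\\" "|" "&" ];
in
{
  options = {
    security.google-authenticator-singlesecret = {
      # mkEnableOption prefixes "Whether to enable" itself, so the text must
      # not start with "Enable".
      enable = lib.mkEnableOption "Google Authenticator PAM module with a single shared secret";
      user = lib.mkOption {
        type = lib.types.str;
        default = "totp-auth";
        description = "User to run Google Authenticator as";
      };
      secret-dir = lib.mkOption {
        type = lib.types.str;
        default = "/var/lib/totp-auth";
        # The option names a directory, not the secret itself; the secret
        # file is `<secret-dir>/secret`.
        description = "Directory holding the shared Google Authenticator secret (stored as `secret` inside it); also the home of `user`";
      };
      echo = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Echo the code when typing it";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
      (final: prev: {
        google-authenticator = prev.google-authenticator.overrideAttrs (attrs: {
          # Append rather than replace, so any upstream patches survive.
          patches = (attrs.patches or [ ]) ++ [ ./singlesecret.patch ];
          # The @TOKENS@ (presumably introduced by singlesecret.patch) are
          # filled in before compilation.  Each value is escaped twice: once
          # for the C string literal, once for the sed replacement; the whole
          # sed expression is then shell-quoted so no character in the
          # configured values can break the command line.
          preBuild =
            let
              cLiteral = str: "\"" + escapeSedReplacement (escapeCLang str) + "\"";
              user = cLiteral cfg.user;
              secret = cLiteral (cfg.secret-dir + "/secret");
              echo = if cfg.echo then "1" else "0";
              subst = token: value: "s|@${token}@|${value}|";
            in
            ''
              sed -i \
                -e ${lib.escapeShellArg (subst "TOTP_AUTH_USER" user)} \
                -e ${lib.escapeShellArg (subst "TOTP_AUTH_SECRET" secret)} \
                -e ${lib.escapeShellArg (subst "TOTP_AUTH_ECHO" echo)} \
                src/pam_google_authenticator.c
            '';
        });
      })
    ];

    # Dedicated system account that owns the secret directory.  No shell,
    # password locked ("!"), home created with mode 0700 so the secret is
    # unreadable to other local users.
    users = {
      users.${cfg.user} = {
        isSystemUser = true;
        description = "User to run Google Authenticator as";
        home = cfg.secret-dir;
        createHome = true;
        homeMode = "0700";
        group = cfg.user;
        shell = "${pkgs.shadow}/bin/nologin";
        hashedPassword = "!";
      };
      groups.${cfg.user} = { };
    };

    environment.systemPackages = with pkgs; [
      google-authenticator
      # Interactive, root-only helper: creates the shared secret and locks
      # its ownership/permissions down to the service user.  All configured
      # paths are shell-quoted so spaces or quotes in `secret-dir` are safe.
      (writeShellScriptBin "setup-google-authenticator-singlesecret.sh" ''
        set -euo pipefail
        if [[ $(id -u) -ne 0 ]]; then
          echo "This script must be run as root" >&2
          exit 1
        fi
        echo -e "\n\n\n\n\n"
        ${pkgs.toilet}/bin/toilet --termwidth -f smblock \
          $' Now create your secret\nMake sure no one is watching!'
        echo -e "\n\n\n\n\n"
        echo -e "\033[31mIf you leave this root shell, you might not be able to easily get back in!"
        # SGR reset is "\033[0m"; the previous "\033[0" left the terminal red.
        echo -e "\033[0m\n\n"
        echo "Press any key to continue"
        read -n 1 -s
        # Setup Google Authenticator
        ${pkgs.google-authenticator}/bin/google-authenticator -s ${lib.escapeShellArg "${cfg.secret-dir}/secret"}
        # Set permissions: directory private to the service user, secret read-only
        chown -R ${lib.escapeShellArg "${cfg.user}:${cfg.user}"} ${lib.escapeShellArg cfg.secret-dir}
        chmod 0700 ${lib.escapeShellArg cfg.secret-dir}
        chmod 0400 ${lib.escapeShellArg "${cfg.secret-dir}/secret"}
      '')
    ];
  };
}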