From a8880f1647e6b8e83f1f9909bea17d4c0dbe8428 Mon Sep 17 00:00:00 2001 From: Peder Bergebakken Sundt Date: Wed, 31 Jan 2024 17:59:39 +0100 Subject: [PATCH] nixos/ttyd: add entrypoint option --- nixos/modules/services/web-servers/ttyd.nix | 32 ++++++++++++++++----- nixos/tests/web-servers/ttyd.nix | 3 +- 2 files changed, 26 insertions(+), 9 deletions(-) diff --git a/nixos/modules/services/web-servers/ttyd.nix b/nixos/modules/services/web-servers/ttyd.nix index 1b7db0faff9f..14361df2bb66 100644 --- a/nixos/modules/services/web-servers/ttyd.nix +++ b/nixos/modules/services/web-servers/ttyd.nix @@ -62,7 +62,7 @@ in username = mkOption { type = types.nullOr types.str; default = null; - description = "Username for basic authentication."; + description = "Username for basic http authentication."; }; passwordFile = mkOption { @@ -70,7 +70,7 @@ in default = null; apply = value: if value == null then null else toString value; description = '' - File containing the password to use for basic authentication. + File containing the password to use for basic http authentication. For insecurely putting the password in the globally readable store use `pkgs.writeText "ttydpw" "MyPassword"`. ''; @@ -82,6 +82,26 @@ in description = "Signal to send to the command on session close."; }; + entrypoint = mkOption { + type = types.listOf types.str; + default = [ "${pkgs.shadow}/bin/login" ]; + defaultText = lib.literalExpression '' + [ "''${pkgs.shadow}/bin/login" ] + ''; + example = lib.literalExpression '' + [ (lib.getExe pkgs.htop) ] + ''; + description = "Which command ttyd runs."; + apply = lib.escapeShellArgs; + }; + + user = mkOption { + type = types.str; + # `login` needs to be run as root + default = "root"; + description = "Which unix user ttyd should run as."; + }; + writeable = mkOption { type = types.nullOr types.bool; default = null; # null causes an eval error, forcing the user to consider attack surface @@ -193,9 +213,7 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig = { - # Runs login which needs to be run as root - # login: Cannot possibly work without effective root - User = "root"; + User = cfg.user; LoadCredential = lib.optionalString (cfg.passwordFile != null) "TTYD_PASSWORD_FILE:${cfg.passwordFile}"; }; @@ -203,11 +221,11 @@ in PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/TTYD_PASSWORD_FILE") ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ --credential ${lib.escapeShellArg cfg.username}:"$PASSWORD" \ - ${pkgs.shadow}/bin/login + ${cfg.entrypoint} '' else '' ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ - ${pkgs.shadow}/bin/login + ${cfg.entrypoint} ''; }; }; diff --git a/nixos/tests/web-servers/ttyd.nix b/nixos/tests/web-servers/ttyd.nix index 739ebc3aac6e..b79a2032ec75 100644 --- a/nixos/tests/web-servers/ttyd.nix +++ b/nixos/tests/web-servers/ttyd.nix @@ -5,8 +5,7 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: { nodes.readonly = { pkgs, ... }: { services.ttyd = { enable = true; - username = "foo"; - passwordFile = pkgs.writeText "password" "bar"; + entrypoint = [ (lib.getExe pkgs.htop) ]; writeable = false; }; };