Add login notify module

Signed-off-by: magic_rb <magic_rb@redalder.org>
magic_rb 2023-12-23 20:01:59 +01:00
parent b68fb6bf5a
commit 6331357b45
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
2 changed files with 132 additions and 0 deletions


@ -0,0 +1,121 @@
{
config,
lib,
pkgs,
...
}: let
cfg = config.services.notify-login;
inherit
(lib)
mkEnableOption
getExe
getExe'
mkIf
mkMerge
mkOption
types
error
optionalString
;
source = {
name,
pamService,
sessionName,
}: {
options = {
enable = mkEnableOption "Enable login notifications.";
method = mkOption {
type = with types; enum ["matrix"];
description = ''
What notification method to use.
'';
};
settings = let
methodSettings = {
"matrix" = {
secretsFile = mkOption {
type = with types; str;
description = ''
Path to the secrets file.
'';
};
stateDirectory = mkOption {
type = with types; str;
description = ''
Path to the state directory.
'';
};
markdown = mkOption {
type = with types; bool;
description = ''
Whether to parse input as markdown;
'';
};
};
};
in
methodSettings.${cfg.${name}.method} or (error "Invalid method");
};
config = mkIf cfg.${name}.enable {
security.pam.services.${pamService}.rules.session.pam_exec = let
methods = {
"matrix" = pkgs.writeShellScript "matrix-${name}-notify" ''
{
if [ "$PAM_TYPE" = "open_session" ] ; then
${getExe' pkgs.coreutils "cat"} <<EOF
**Opened** ${sessionName} session for user **$PAM_USER** from host **$PAM_RHOST**
EOF
elif [ "$PAM_TYPE" = "close_session" ] ; then
${getExe' pkgs.coreutils "cat"} <<EOF
**Closed** ${sessionName} session for user **$PAM_USER** from host **$PAM_RHOST**
EOF
else
${getExe' pkgs.coreutils "cat"} <<EOF
\`\`\`
Unknown PAM_TYPE: "$PAM_TYPE"
PAM_RHOST: "$PAM_RHOST"
PAM_RUSER: "$PAM_RUSER"
PAM_SERVICE: "$PAM_SERVICE"
PAM_TTY: "$PAM_TTY"
PAM_USER: "$PAM_USER"
EOF
\`\`\`
fi
} | ${getExe pkgs.matrix-commander-rs} \
-c ${cfg.${name}.settings.secretsFile} \
-s ${cfg.${name}.settings.stateDirectory} \
${optionalString cfg.${name}.settings.markdown "--markdown"} \
-m - &
disown %1
'';
};
sudoLogin = methods.${cfg.${name}.method} or (error "Invalid method");
in {
modulePath = "pam_exec.so";
args = [(toString sudoLogin)];
control = "optional";
order = config.security.pam.services.${pamService}.rules.session.limits.order + 10;
};
};
};
sshSource = source {
name = "ssh";
pamService = "sshd";
sessionName = "SSH";
};
sudoSource = source {
name = "sudo";
pamService = "sudo";
sessionName = "sudo";
};
in {
options.services.notify-login = {
ssh = sshSource.options;
sudo = sudoSource.options;
};
config = mkMerge [
sshSource.config
sudoSource.config
];
}
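Review bot: The closing code fence in the unknown-PAM_TYPE branch is on the line after the third `EOF` terminator, so it is outside the heredoc; the shell attempts to run `` ``` `` as a command and the message is sent with the fence left open. Move the `\`\`\`` line above that `EOF` so it is part of the heredoc like the opening fence. The open/close branches also interpolate `$PAM_RHOST` (and the fallback branch `$PAM_RUSER`, `$PAM_TTY`) unescaped into text that is parsed as markdown when `settings.markdown` is set, so values supplied by the connecting peer can change how the notification renders; heredoc expansion is not re-parsed by the shell, so this is a presentation/content-spoofing concern rather than command execution, but the option description should state it, e.g. `Whether to parse the notification as markdown; PAM-supplied fields such as PAM_RHOST and PAM_RUSER are interpolated unescaped.`. Finally, the notifier is backgrounded and disowned under `control = "optional"`, so a failing `matrix-commander-rs` leaves no trace on the login path; if missed alerts matter for monitoring, consider routing the script's output via pam_exec's `log=` argument so failures are at least recorded.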


@ -48,6 +48,7 @@ in
./sol.nix ./sol.nix
../../common/remote_access.nix ../../common/remote_access.nix
./microvms.nix ./microvms.nix
../../modules/notify-login.nix
inputs.serokell-nix.nixosModules.acme-sh inputs.serokell-nix.nixosModules.acme-sh
inputs.notnft.nixosModules.default inputs.notnft.nixosModules.default
@ -61,6 +62,16 @@ in
config'.flake.nixosModules.grafana config'.flake.nixosModules.grafana
]; ];
services.notify-login.ssh = {
enable = true;
method = "matrix";
settings = {
secretsFile = "/var/secrets/matrix-notify-login-ssh.json";
stateDirectory = "/var/lib/matrix-commander/notify-login-ssh";
markdown = true;
};
};
_module.args.nixinate = { _module.args.nixinate = {
host = "blowhole.hosts.in.redalder.org"; host = "blowhole.hosts.in.redalder.org";
sshUser = "main"; sshUser = "main";
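Review bot: The added `services.notify-login.ssh` block points `stateDirectory` at `/var/lib/matrix-commander/notify-login-ssh` and `secretsFile` at `/var/secrets/matrix-notify-login-ssh.json`, but nothing in this hunk creates the directory or provisions the secret; unless that is handled elsewhere in the host config, the first notification will fail. Because the module backgrounds the notifier under `control = "optional"`, such a failure is silent and the SSH session proceeds with no alert, which is exactly the case a login notification is meant to catch. A `systemd.tmpfiles.rules` entry for the state directory (constructed example: `"d /var/lib/matrix-commander/notify-login-ssh 0700 root root -"`, owner to match whatever user pam_exec runs the script as) would make the dependency explicit. The enclosing attribute set continues past the end of the hunk.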