Add login notify module
Signed-off-by: magic_rb <magic_rb@redalder.org>
This commit is contained in:
parent
b68fb6bf5a
commit
6331357b45
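--- /dev/null
+++ b/nixos/modules/notify-login.nix
@@ -0,0 +1,121 @@
+{
+config,
+lib,
+pkgs,
+...
+}: let
+cfg = config.services.notify-login;
+inherit
+(lib)
+mkEnableOption
+getExe
+getExe'
+mkIf
+mkMerge
+mkOption
+types
+error
+optionalString
+;
+source = {
+name,
+pamService,
+sessionName,
+}: {
+options = {
+enable = mkEnableOption "Enable login notifications.";
+method = mkOption {
+type = with types; enum ["matrix"];
+description = ''
+What notification method to use.
+'';
+};
+settings = let
+methodSettings = {
+"matrix" = {
+secretsFile = mkOption {
+type = with types; str;
+description = ''
+Path to the secrets file.
+'';
+};
+stateDirectory = mkOption {
+type = with types; str;
+description = ''
+Path to the state directory.
+'';
+};
+markdown = mkOption {
+type = with types; bool;
+description = ''
+Whether to parse input as markdown;
+'';
+};
+};
+};
+in
+methodSettings.${cfg.${name}.method} or (error "Invalid method");
+};
+config = mkIf cfg.${name}.enable {
+security.pam.services.${pamService}.rules.session.pam_exec = let
+methods = {
+"matrix" = pkgs.writeShellScript "matrix-${name}-notify" ''
+{
+if [ "$PAM_TYPE" = "open_session" ] ; then
+${getExe' pkgs.coreutils "cat"} <<EOF
+**Opened** ${sessionName} session for user **$PAM_USER** from host **$PAM_RHOST**
+EOF
+elif [ "$PAM_TYPE" = "close_session" ] ; then
+${getExe' pkgs.coreutils "cat"} <<EOF
+**Closed** ${sessionName} session for user **$PAM_USER** from host **$PAM_RHOST**
+EOF
+else
+${getExe' pkgs.coreutils "cat"} <<EOF
+\`\`\`
+Unknown PAM_TYPE: "$PAM_TYPE"
+PAM_RHOST: "$PAM_RHOST"
+PAM_RUSER: "$PAM_RUSER"
+PAM_SERVICE: "$PAM_SERVICE"
+PAM_TTY: "$PAM_TTY"
+PAM_USER: "$PAM_USER"
+EOF
+\`\`\`
+fi
+} | ${getExe pkgs.matrix-commander-rs} \
+-c ${cfg.${name}.settings.secretsFile} \
+-s ${cfg.${name}.settings.stateDirectory} \
+${optionalString cfg.${name}.settings.markdown "--markdown"} \
+-m - &
+disown %1
+'';
+};
+sudoLogin = methods.${cfg.${name}.method} or (error "Invalid method");
+in {
+modulePath = "pam_exec.so";
+args = [(toString sudoLogin)];
+control = "optional";
+order = config.security.pam.services.${pamService}.rules.session.limits.order + 10;
+};
+};
+};
+sshSource = source {
+name = "ssh";
+pamService = "sshd";
+sessionName = "SSH";
+};
+sudoSource = source {
+name = "sudo";
+pamService = "sudo";
+sessionName = "sudo";
+};
+in {
+options.services.notify-login = {
+ssh = sshSource.options;
+sudo = sudoSource.options;
+};
+
+config = mkMerge [
+sshSource.config
+sudoSource.config
+];
+}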
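Review bot: In the `else` branch of the matrix notify script, the line consisting of three escaped backticks that is meant to close the Markdown code block comes after the `EOF` terminator, so it is not part of the heredoc: the shell runs it as a command (a literal three-backtick word, which fails with "command not found" on stderr) and the message sent to Matrix keeps the code block opened right after the third `cat <<EOF` unclosed. Move that line up so the heredoc ends with the closing fence followed by `EOF`. The values interpolated into the notification (`$PAM_USER`, `$PAM_RHOST`, `$PAM_TTY`, …) are supplied by the PAM caller and, when `markdown = true`, are rendered as Markdown, so emitting them inside backtick code spans rather than `**…**` would keep an unusual user or host string from altering the message formatting. The `secretsFile` and `stateDirectory` option values are also interpolated unquoted into the shell line, so a path containing whitespace would be word-split; writing them as `-c "${cfg.${name}.settings.secretsFile}"` and `-s "${cfg.${name}.settings.stateDirectory}"` avoids that.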
@ -48,6 +48,7 @@ in
|
|||
./sol.nix
|
||||
../../common/remote_access.nix
|
||||
./microvms.nix
|
||||
../../modules/notify-login.nix
|
||||
inputs.serokell-nix.nixosModules.acme-sh
|
||||
|
||||
inputs.notnft.nixosModules.default
|
||||
|
@ -61,6 +62,16 @@ in
|
|||
config'.flake.nixosModules.grafana
|
||||
];
|
||||
|
||||
services.notify-login.ssh = {
|
||||
enable = true;
|
||||
method = "matrix";
|
||||
settings = {
|
||||
secretsFile = "/var/secrets/matrix-notify-login-ssh.json";
|
||||
stateDirectory = "/var/lib/matrix-commander/notify-login-ssh";
|
||||
markdown = true;
|
||||
};
|
||||
};
|
||||
|
||||
_module.args.nixinate = {
|
||||
host = "blowhole.hosts.in.redalder.org";
|
||||
sshUser = "main";
|
||||
|