···
1
+
{ config, lib, pkgs, ... }:
7
+
cfg = config.services.shellinabox;
9
+
# If a certificate file is specified, shellinaboxd requires
10
+
# a file descriptor to retrieve it
12
+
createFd = optionalString (cfg.certFile != null) "${fd}<${cfg.certFile}";
14
+
# Command line arguments for the shellinabox daemon
15
+
args = [ "--background" ]
16
+
++ optional (! cfg.enableSSL) "--disable-ssl"
17
+
++ optional (cfg.certFile != null) "--cert-fd=${fd}"
18
+
++ optional (cfg.certDirectory != null) "--cert=${cfg.certDirectory}"
19
+
++ cfg.extraOptions;
21
+
# Command to start shellinaboxd
22
+
cmd = "${pkgs.shellinabox}/bin/shellinaboxd ${concatStringsSep " " args}";
24
+
# Command to start shellinaboxd if certFile is specified
25
+
wrappedCmd = "${pkgs.bash}/bin/bash -c 'exec ${createFd} && ${cmd}'";
34
+
services.shellinabox = {
35
+
enable = mkEnableOption "shellinabox daemon";
41
+
User to run shellinaboxd as. If started as root, the server drops
42
+
privileges by changing to nobody, unless overridden by the
43
+
<literal>--user</literal> option.
47
+
enableSSL = mkOption {
51
+
Whether or not to enable SSL (https) support.
55
+
certDirectory = mkOption {
56
+
type = types.nullOr types.path;
58
+
example = "/var/certs";
60
+
The daemon will look in this directory far any certificates.
61
+
If the browser negotiated a Server Name Identification the daemon
62
+
will look for a matching certificate-SERVERNAME.pem file. If no SNI
63
+
handshake takes place, it will fall back on using the certificate in the
64
+
certificate.pem file.
66
+
If no suitable certificate is installed, shellinaboxd will attempt to
67
+
create a new self-signed certificate. This will only succeed if, after
68
+
dropping privileges, shellinaboxd has write permissions for this
73
+
certFile = mkOption {
74
+
type = types.nullOr types.path;
76
+
example = "/var/certificate.pem";
77
+
description = "Path to server SSL certificate.";
80
+
extraOptions = mkOption {
81
+
type = types.listOf types.str;
83
+
example = [ "--port=443" "--service /:LOGIN" ];
85
+
A list of strings to be appended to the command line arguments
86
+
for shellinaboxd. Please see the manual page
87
+
<link xlink:href="https://code.google.com/p/shellinabox/wiki/shellinaboxd_man"/>
88
+
for a full list of available arguments.
95
+
###### implementation
97
+
config = mkIf cfg.enable {
100
+
[ { assertion = cfg.enableSSL == true
101
+
-> cfg.certDirectory != null || cfg.certFile != null;
102
+
message = "SSL is enabled for shellinabox, but no certDirectory or certFile has been specefied."; }
103
+
{ assertion = ! (cfg.certDirectory != null && cfg.certFile != null);
104
+
message = "Cannot set both certDirectory and certFile for shellinabox."; }
107
+
systemd.services.shellinaboxd = {
108
+
description = "Shellinabox Web Server Daemon";
110
+
wantedBy = [ "multi-user.target" ];
111
+
requires = [ "sshd.service" ];
112
+
after = [ "sshd.service" ];
116
+
User = "${cfg.user}";
117
+
ExecStart = "${if cfg.certFile == null then "${cmd}" else "${wrappedCmd}"}";
118
+
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
pyrox.dev