Warn when DynamicUser is used without SYS_ADMIN

2021-05-26 16:59:50 +02:00 · 2021-05-26 16:59:50 +02:00 · 1a24fe9639
commit 1a24fe9639
parent 286d56a83c
2 changed files with 31 additions and 0 deletions
--- a/src/nix/modules/service/all-modules.nix
+++ b/src/nix/modules/service/all-modules.nix
@ -9,4 +9,5 @@
  ./nixos.nix
  ./nixos-init.nix
  ../lib/assert.nix
+  ./check-sys_admin.nix
 ]
--- a/src/nix/modules/service/check-sys_admin.nix
+++ b/src/nix/modules/service/check-sys_admin.nix
@ -0,0 +1,30 @@
+{ config, lib, name, ... }:
+let
+  inherit (lib)
+    concatStringsSep
+    optional
+    ;
+
+  dynamicUserServices = lib.attrNames (
+    lib.filterAttrs
+      (k: v:
+        v.enable &&
+        v.serviceConfig.DynamicUser or false)
+      config.nixos.evaluatedConfig.systemd.services
+    );
+
+  
+in
+{
+  config = {
+    warnings = 
+      optional (config.nixos.useSystemd && !(config.service.capabilities.SYS_ADMIN or false) && dynamicUserServices != []) (
+        ''In service ${name}, the following units require `SYS_ADMIN` capability
+          because of DynamicUser.
+          ${concatStringsSep "\n" (map (srv: "    - services.${name}.nixos.configuration.systemd.services.${srv}") dynamicUserServices)}
+          You can avoid DynamicUser or use
+              services.${name}.service.capabilities.SYS_ADMIN = true;
+        ''
+      );
+  };
+}