From f889d6215e29375275494f692dc2566c4bcb79fb Mon Sep 17 00:00:00 2001
From: Marc Weber
Date: Fri, 6 Mar 2009 12:25:46 +0000
Subject: [PATCH] Convert "nixos security options" svn path=/nixos/branches/fix-style/; revision=14363
---
 system/nixos-security.nix | 49 +++++++++++++++++++++++++++++++++++++++
 system/options.nix | 41 +++-----------------------------
 2 files changed, 52 insertions(+), 38 deletions(-)
 create mode 100644 system/nixos-security.nix
diff --git a/system/nixos-security.nix b/system/nixos-security.nix
new file mode 100644
index 000000000000..10d523ee339a
--- /dev/null
+++ b/system/nixos-security.nix
@@ -0,0 +1,49 @@
+{pkgs, config, ...}:
+let
+ inherit (pkgs.lib) mergeOneOption mkOption mkIf;
+in
+{
+ require = [
+ {
+ security = {
+ setuidPrograms = mkOption {
+ default = [
+ "passwd" "su" "crontab" "ping" "ping6"
+ "fusermount" "wodim" "cdrdao" "growisofs"
+ ];
+ description = "
+ Only the programs from system path listed her will be made setuid root
+ (through a wrapper program). It's better to set
+ .
+ ";
+ };
+
+ extraSetuidPrograms = mkOption {
+ default = [];
+ example = ["fusermount"];
+ description = "
+ This option lists additional programs that must be made setuid
+ root.
+ ";
+ };
+
+ setuidOwners = mkOption {
+ default = [];
+ example = [{
+ program = "sendmail";
+ owner = "nodody";
+ group = "postdrop";
+ setuid = false;
+ setgid = true;
+ }];
+ description = ''
+ List of non-trivial setuid programs from system path, like Postfix sendmail. Default
+ should probably be nobody:nogroup:false:false - if you are bothering
+ doing anything with a setuid program, "root.root u+s g-s" is not what
+ you are aiming at..
+ '';
+ };
+ };
+ }
+ ];
+}
diff --git a/system/options.nix b/system/options.nix
index d3caa8ea927b..70555424fa59 100644
--- a/system/options.nix
+++ b/system/options.nix
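Review bot: In system/nixos-security.nix the `setuidOwners` example has `owner = "nodody";`, which reads as a typo for `nobody`; examples on a setuid option tend to be copied, so it should name a real account: `owner = "nobody";`. The `setuidPrograms` description says "listed her" for "listed here", and its last sentence ("It's better to set .") names no option as shown on this page; if the reference is also missing in the file, it presumably should point at `security.extraSetuidPrograms`. The `let` block inherits `mergeOneOption` and `mkIf`, but neither is used in this file, so `inherit (pkgs.lib) mkOption;` is enough. Because the default list makes the CD-writing tools (`wodim`, `cdrdao`, `growisofs`) setuid root on every system, a short comment above `default` saying why each entry needs root would help anyone auditing the setuid surface.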
@@ -1980,44 +1980,6 @@ in security = { - setuidPrograms = mkOption { - default = [ - "passwd" "su" "crontab" "ping" "ping6" - "fusermount" "wodim" "cdrdao" "growisofs" - ]; - description = " - Only the programs from system path listed her will be made setuid root - (through a wrapper program). It's better to set - . - "; - }; - - extraSetuidPrograms = mkOption { - default = []; - example = ["fusermount"]; - description = " - This option lists additional programs that must be made setuid - root. - "; - }; - - setuidOwners = mkOption { - default = []; - example = [{ - program = "sendmail"; - owner = "nodody"; - group = "postdrop"; - setuid = false; - setgid = true; - }]; - description = '' - List of non-trivial setuid programs from system path, like Postfix sendmail. Default - should probably be nobody:nogroup:false:false - if you are bothering - doing anything with a setuid program, "root.root u+s g-s" is not what - you are aiming at.. - ''; - }; - seccureKeys = { public = mkOption { default = /var/elliptic-keys/public; @@ -2098,6 +2060,9 @@ in # hardware (import ../upstart-jobs/pcmcia.nix) + # security + (import ../system/nixos-security.nix) + # services (import ../upstart-jobs/avahi-daemon.nix) (import ../upstart-jobs/atd.nix)
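Review bot: The import added in the second hunk of system/options.nix is written as `(import ../system/nixos-security.nix)`, which leaves the `system/` directory only to come straight back into it. Since options.nix and the new file sit side by side, `(import ./nixos-security.nix)` resolves to the same file and keeps working if the directory is ever renamed. The enclosing list starts and ends outside the hunk.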