Rename openssh service to sshd, add ability to configure dysnomia properties and container configurations

example-deployments/disnix/processes.nix

@@ -16,8 +16,8 @@ let
   };
 in
 rec {
-  openssh = rec {
-    pkg = constructors.openssh {
+  sshd = rec {
+    pkg = constructors.sshd {
       extraSSHDConfig = ''
         UsePAM yes
       '';

example-deployments/services/ids.nix

@@ -6,8 +6,8 @@
       "influxdb" = 2002;
       "mongodb" = 2003;
       "mysql" = 2004;
-      "openssh" = 2005;
-      "postgresql" = 2006;
+      "postgresql" = 2005;
+      "sshd" = 2006;
       "tomcat" = 2007;
     };
     "httpPorts" = {
@@ -33,7 +33,7 @@
       "postgresql" = 5432;
     };
     "sshPorts" = {
-      "openssh" = 1222;
+      "sshd" = 1222;
     };
     "svnPorts" = {
       "svnserve" = 3690;
@@ -50,8 +50,8 @@
       "influxdb" = 2002;
       "mongodb" = 2003;
       "mysql" = 2004;
-      "openssh" = 2005;
-      "postgresql" = 2006;
+      "postgresql" = 2005;
+      "sshd" = 2006;
       "tomcat" = 2007;
     };
   };

example-deployments/services/processes.nix

@@ -105,10 +105,10 @@ rec {
     requiresUniqueIdsFor = [ "influxdbPorts" "uids" "gids" ];
   };
 
-  openssh = rec {
-    port = ids.sshPorts.openssh or 0;
+  sshd = rec {
+    port = ids.sshPorts.sshd or 0;
 
-    pkg = constructors.openssh {
+    pkg = constructors.sshd {
       inherit port;
       extraSSHDConfig = ''
         UsePAM yes

services-agnostic/constructors.nix

@@ -52,8 +52,8 @@ in
   };
 
   disnix-service = import ./disnix-service {
-    inherit createManagedProcess;
-    inherit (pkgs) lib nix disnix dysnomia;
+    inherit createManagedProcess processManager nix-processmgmt;
+    inherit (pkgs) stdenv lib writeTextFile nix disnix dysnomia inetutils;
   };
 
   docker = import ./docker {
@@ -128,7 +128,7 @@ in
     inherit (pkgs) nix;
   };
 
-  openssh = import ./openssh {
+  sshd = import ./sshd {
     inherit createManagedProcess stateDir runtimeDir tmpDir forceDisableUserChange;
     inherit (pkgs) writeTextFile openssh;
   };

services-agnostic/disnix-service/default.nix

@@ -1,13 +1,28 @@
-{createManagedProcess, lib, nix, disnix, dysnomia}:
-{dbus-daemon ? null}:
+{createManagedProcess, stdenv, lib, writeTextFile, nix, disnix, dysnomia, inetutils, processManager, nix-processmgmt}:
+
+{ dbus-daemon ? null
+, dysnomiaProperties ? {}
+, dysnomiaContainers ? {}
+, processManagerContainerSettings ? {}
+}:
 
 let
   group = "disnix";
+
+  dysnomiaFlags =
+    if processManager == "supervisord" then {
+      enableSupervisordProgram = true;
+    } else {};
+
+  dysnomiaPkg = dysnomia.override dysnomiaFlags;
 in
 createManagedProcess {
   name = "disnix-service";
   process = "${disnix}/bin/disnix-service";
-  path = [ nix dysnomia disnix ];
+  path = [ nix dysnomiaPkg disnix inetutils ];
+  environment = import ./dysnomia-env.nix {
+    inherit stdenv lib writeTextFile nix-processmgmt processManager dysnomiaProperties dysnomiaContainers processManagerContainerSettings;
+  };
   daemonExtraArgs = [ "--daemon" ];
   dependencies = lib.optional (dbus-daemon != null) dbus-daemon.pkg;
 

services-agnostic/disnix-service/dysnomia-env.nix

@@ -0,0 +1,70 @@
+{stdenv, lib, writeTextFile, nix-processmgmt, processManager, dysnomiaProperties, dysnomiaContainers, processManagerContainerSettings}:
+
+let
+  # Take some default system properties, override them with the specified Dysnomia properties
+  _dysnomiaProperties = {
+    hostname = "$(hostname)";
+    system = stdenv.system;
+  } // dysnomiaProperties;
+
+  printProperties = properties:
+    lib.concatMapStrings (propertyName:
+      let
+        property = properties.${propertyName};
+      in
+      if builtins.isList property then "${propertyName}=(${lib.concatMapStrings (elem: "\"${toString elem}\" ") (properties.${propertyName})})\n"
+      else "${propertyName}=\"${toString property}\"\n"
+    ) (builtins.attrNames properties);
+
+
+  dysnomiaPropertiesFile = writeTextFile {
+    name = "dysnomia-properties";
+    text = printProperties _dysnomiaProperties;
+  };
+
+  # For process manager that manages the disnix-serivce, expose it as a container
+  processManagerDysnomiaModule = import "${nix-processmgmt}/nixproc/derive-dysnomia-process-type.nix" {
+    inherit processManager;
+  };
+
+  processManagerContainer = lib.recursiveUpdate (stdenv.lib.optionalAttrs (processManager == "supervisord") {
+    supervisord-program = {
+      supervisordTargetDir = "/etc/supervisor/conf.d";
+    };
+  }) {
+    "${processManagerDysnomiaModule}" = processManagerContainerSettings.${processManager} or {};
+  };
+
+  _dysnomiaContainers = lib.recursiveUpdate ({
+    # Expose the standard Dysnomia modules as a container
+    echo = {};
+    fileset = {};
+    process = {};
+    wrapper = {};
+  } // processManagerContainer) dysnomiaContainers;
+
+  # Generate container configuration files
+  containersDir = stdenv.mkDerivation {
+    name = "dysnomia-containers";
+    buildCommand = ''
+      mkdir -p $out
+      cd $out
+
+      ${lib.concatMapStrings (containerName:
+        let
+          containerProperties = _dysnomiaContainers.${containerName};
+        in
+        ''
+          cat > ${containerName} <<EOF
+          ${printProperties containerProperties}
+          type=${containerName}
+          EOF
+        ''
+      ) (builtins.attrNames _dysnomiaContainers)}
+    '';
+  };
+in
+{
+  DYSNOMIA_PROPERTIES = dysnomiaPropertiesFile;
+  DYSNOMIA_CONTAINERS_PATH = containersDir;
+}

services-agnostic/sshd/default.nix

@@ -1,7 +1,8 @@
 {createManagedProcess, writeTextFile, openssh, stateDir, runtimeDir, tmpDir, forceDisableUserChange}:
 
 { instanceSuffix ? ""
-, instanceName ? "openssh${instanceSuffix}"
+# The service is called sshd, and not openssh, because it relies on a hardcoded assumption that the privilege separation user is named sshd
+, instanceName ? "sshd${instanceSuffix}"
 , port ? 22
 , extraSSHDConfig ? ""
 }: