nixos/ttyd: add writable option

Co-authored-by: Carsten Rodin <19612711+carstoid@users.noreply.github.com>
2024-01-31 17:54:32 +01:00 · 2024-01-31 17:54:32 +01:00 · 4c70703931
commit 4c70703931
parent 19159ced3e
2 changed files with 26 additions and 5 deletions
--- a/nixos/modules/services/web-servers/ttyd.nix
+++ b/nixos/modules/services/web-servers/ttyd.nix
@ -14,6 +14,7 @@ let
         ++ (concatLists (mapAttrsToList (_k: _v: [ "--client-option" "${_k}=${_v}" ]) cfg.clientOptions))
         ++ [ "--terminal-type" cfg.terminalType ]
         ++ optionals cfg.checkOrigin [ "--check-origin" ]
+         ++ optionals cfg.writeable [ "--writable" ] # the typo is correct
         ++ [ "--max-clients" (toString cfg.maxClients) ]
         ++ optionals (cfg.indexFile != null) [ "--index" cfg.indexFile ]
         ++ optionals cfg.enableIPv6 [ "--ipv6" ]
@ -75,6 +76,13 @@ in
        description = lib.mdDoc "Signal to send to the command on session close.";
      };

+      writeable = mkOption {
+        type = types.nullOr types.bool;
+        default = null; # null causes an eval error, forcing the user to consider attack surface
+        example = true;
+        description = lib.mdDoc "Allow clients to write to the TTY.";
+      };
+
      clientOptions = mkOption {
        type = types.attrsOf types.str;
        default = {};
@ -165,6 +173,8 @@ in
      [ { assertion = cfg.enableSSL
            -> cfg.certFile != null && cfg.keyFile != null && cfg.caFile != null;
          message = "SSL is enabled for ttyd, but no certFile, keyFile or caFile has been specified."; }
+        { assertion = cfg.writeable != null;
+          message = "services.ttyd.writeable must be set"; }
        { assertion = ! (cfg.interface != null && cfg.socket != null);
          message = "Cannot set both interface and socket for ttyd."; }
        { assertion = (cfg.username != null) == (cfg.passwordFile != null);
--- a/nixos/tests/web-servers/ttyd.nix
+++ b/nixos/tests/web-servers/ttyd.nix
@ -2,18 +2,29 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: {
  name = "ttyd";
  meta.maintainers = with lib.maintainers; [ stunkymonkey ];

-  nodes.machine = { pkgs, ... }: {
+  nodes.readonly = { pkgs, ... }: {
    services.ttyd = {
      enable = true;
      username = "foo";
      passwordFile = pkgs.writeText "password" "bar";
+      writeable = false;
+    };
+  };
+
+  nodes.writeable = { pkgs, ... }: {
+    services.ttyd = {
+      enable = true;
+      username = "foo";
+      passwordFile = pkgs.writeText "password" "bar";
+      writeable = true;
    };
  };

  testScript = ''
-    machine.wait_for_unit("ttyd.service")
-    machine.wait_for_open_port(7681)
-    response = machine.succeed("curl -vvv -u foo:bar -s -H 'Host: ttyd' http://127.0.0.1:7681/")
-    assert '<title>ttyd - Terminal</title>' in response, "Page didn't load successfully"
+    for machine in [readonly, writeable]:
+      machine.wait_for_unit("ttyd.service")
+      machine.wait_for_open_port(7681)
+      response = machine.succeed("curl -vvv -u foo:bar -s -H 'Host: ttyd' http://127.0.0.1:7681/")
+      assert '<title>ttyd - Terminal</title>' in response, "Page didn't load successfully"
  '';
 })