diff --git a/system/nixos-security.nix b/system/nixos-security.nix
new file mode 100644
index 00000000000..10d523ee339
--- /dev/null
+++ b/system/nixos-security.nix
@@ -0,0 +1,49 @@
+{pkgs, config, ...}:
+let
+ inherit (pkgs.lib) mergeOneOption mkOption mkIf;
+in
+{
+ require = [
+ {
+ security = {
+ setuidPrograms = mkOption {
+ default = [
+ "passwd" "su" "crontab" "ping" "ping6"
+ "fusermount" "wodim" "cdrdao" "growisofs"
+ ];
+ description = "
+ Only the programs from system path listed her will be made setuid root
+ (through a wrapper program). It's better to set
+ .
+ ";
+ };
+
+ extraSetuidPrograms = mkOption {
+ default = [];
+ example = ["fusermount"];
+ description = "
+ This option lists additional programs that must be made setuid
+ root.
+ ";
+ };
+
+ setuidOwners = mkOption {
+ default = [];
+ example = [{
+ program = "sendmail";
+ owner = "nodody";
+ group = "postdrop";
+ setuid = false;
+ setgid = true;
+ }];
+ description = ''
+ List of non-trivial setuid programs from system path, like Postfix sendmail. Default
+ should probably be nobody:nogroup:false:false - if you are bothering
+ doing anything with a setuid program, "root.root u+s g-s" is not what
+ you are aiming at..
+ '';
+ };
+ };
+ }
+ ];
+}
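Review bot: The `setuidPrograms` description in the new file is truncated mid-sentence ("It's better to set" followed by a lone "." at L22-L23) and has "her" for "here" at L21, so the option ships with no actual guidance on what to prefer; I would replace the whole string with `"Only the programs from system path listed here will be made setuid root (through a wrapper program). Prefer extraSetuidPrograms for adding to this list."` or drop the dangling second sentence. The `setuidOwners` example at L40 names owner `"nodody"` while its own description says the sensible default is nobody:nogroup; a user pasting the example gets a wrapper owned by a user that does not exist, so change it to `owner = "nobody";`. `mergeOneOption` is inherited at L9 but never used in this file, so that `inherit` can be trimmed to `mkOption mkIf`. These defects are carried over from the old options.nix text, but since this commit creates the file they are worth fixing here.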
diff --git a/system/options.nix b/system/options.nix
index d3caa8ea927..70555424fa5 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -1980,44 +1980,6 @@ in
security = {
- setuidPrograms = mkOption {
- default = [
- "passwd" "su" "crontab" "ping" "ping6"
- "fusermount" "wodim" "cdrdao" "growisofs"
- ];
- description = "
- Only the programs from system path listed her will be made setuid root
- (through a wrapper program). It's better to set
- .
- ";
- };
-
- extraSetuidPrograms = mkOption {
- default = [];
- example = ["fusermount"];
- description = "
- This option lists additional programs that must be made setuid
- root.
- ";
- };
-
- setuidOwners = mkOption {
- default = [];
- example = [{
- program = "sendmail";
- owner = "nodody";
- group = "postdrop";
- setuid = false;
- setgid = true;
- }];
- description = ''
- List of non-trivial setuid programs from system path, like Postfix sendmail. Default
- should probably be nobody:nogroup:false:false - if you are bothering
- doing anything with a setuid program, "root.root u+s g-s" is not what
- you are aiming at..
- '';
- };
-
seccureKeys = {
public = mkOption {
default = /var/elliptic-keys/public;
@@ -2098,6 +2060,9 @@ in
# hardware
(import ../upstart-jobs/pcmcia.nix)
+ # security
+ (import ../system/nixos-security.nix)
+
# services
(import ../upstart-jobs/avahi-daemon.nix)
(import ../upstart-jobs/atd.nix)
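Review bot: The new import at L107 uses `../system/nixos-security.nix`, which from `system/options.nix` resolves back into the same directory; `(import ./nixos-security.nix)` says the same thing without the detour and does not break if the `system` directory is ever renamed. Every other entry in this list points into `../upstart-jobs/`, so the odd path also reads as a copy-paste of that pattern rather than a deliberate choice. The surrounding import list continues outside the hunk.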