authorlassulus <lassulus@lassul.us>2021-02-11 11:09:03 +0100
committerlassulus <lassulus@lassul.us>2021-02-11 11:09:03 +0100
commit3054b326ef5e9d92ef8d26b50db5546691c24d59 (patch)
tree26eeae9a61206a5fddba5690729e2ee2f7ab52e6 /krebs/3modules
parentf0e8399b81b911da6c88d7af442bc305a1827c66 (diff)
parentbda725bbfc4a4e1ecf8a8fd8d3dbff69b5cf4d60 (diff)
Merge remote-tracking branch 'ni/master'
Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/setuid.nix29
-rw-r--r--krebs/3modules/shadow.nix8
2 files changed, 20 insertions, 17 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 97cf21cd..64fedb91 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -1,24 +1,20 @@
-{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
-let
- cfg = config.krebs.setuid;
+{ config, pkgs, ... }: let
out = {
options.krebs.setuid = api;
- config = mkIf (cfg != {}) imp;
+ config = mkIf (config.krebs.setuid != {}) imp;
};
api = mkOption {
default = {};
type = let
- # TODO make wrapperDir configurable
- inherit (config.security) wrapperDir;
inherit (config.users) groups users;
- in types.attrsOf (types.submodule ({ config, ... }: {
+ in types.attrsOf (types.submodule (self: let cfg = self.config; in {
options = {
name = mkOption {
type = types.filename;
- default = config._module.args.name;
+ default = cfg._module.args.name;
};
envp = mkOption {
type = types.nullOr (types.attrsOf types.str);
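Review bot: The reason for the `self: let cfg = self.config; in` form on the submodule line is not visible to a reader: the submodule used to take `{ config, ... }:`, which shadowed the outer NixOS `config` that the new per-entry `wrapperDir` default (`config.security.wrapperDir`, in the next hunk) needs to reach. A one-line comment above that line would prevent the next maintainer from "simplifying" it back, e.g. `# self.config is this entry; plain config below stays the outer NixOS config (wrapperDir default needs it)`. The `let` opened at the new `{ config, pkgs, ... }: let` line is closed only by the `in out` at the end of the file, outside this hunk.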
@@ -51,6 +47,10 @@ let
merge = mergeOneOption;
};
};
+ wrapperDir = mkOption {
+ default = config.security.wrapperDir;
+ type = types.absolute-pathname;
+ };
activate = mkOption {
type = types.str;
visible = false;
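Review bot: The new `wrapperDir` option has no `description`, although it changes where a setuid binary is installed and thus carries requirements the default (`config.security.wrapperDir`) satisfies implicitly but an arbitrary `types.absolute-pathname` does not: the directory must be writable only by root, and it must sit on a filesystem that is not mounted `nosuid`, or the `chmod ${cfg.mode}` in the activation script sets a bit the kernel ignores. Suggested text: `description = "Directory the setuid wrapper is copied to. Must be root-owned, writable only by root, and on a filesystem not mounted nosuid; defaults to security.wrapperDir.";`. It is also worth noting in the description that the activation script is ordered only after the `wrappers` script (`stringAfter [ "wrappers" ]`), which prepares the default directory but knows nothing about a custom one.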
@@ -58,21 +58,22 @@ let
};
};
config.activate = let
- src = pkgs.exec config.name {
- inherit (config) envp filename;
+ src = pkgs.exec cfg.name {
+ inherit (cfg) envp filename;
};
- dst = "${wrapperDir}/${config.name}";
+ dst = "${cfg.wrapperDir}/${cfg.name}";
in ''
+ mkdir -p ${cfg.wrapperDir}
cp ${src} ${dst}
- chown ${config.owner}.${config.group} ${dst}
- chmod ${config.mode} ${dst}
+ chown ${cfg.owner}.${cfg.group} ${dst}
+ chmod ${cfg.mode} ${dst}
'';
}));
};
imp = {
system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ]
- (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
+ (concatMapStringsSep "\n" (getAttr "activate") (attrValues config.krebs.setuid));
};
in out
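Review bot: The added `mkdir -p ${cfg.wrapperDir}` creates a directory that will hold setuid binaries with whatever mode the activation shell's umask yields, and with the path unquoted; making the mode explicit removes the dependence on the umask, e.g. `mkdir -p -m 0755 "${cfg.wrapperDir}"` (note `-m` applies to the last path component only, so parents still follow the umask). The `cp`, `chown` and `chmod` lines interpolate `${dst}` unquoted as well, so a `wrapperDir` or `name` containing whitespace would split into several arguments; quoting them the same way keeps the script correct for any value `types.absolute-pathname` and `types.filename` admit. On the changed `chown` line the `owner.group` separator is the legacy form; coreutils documents `owner:group`, so `chown ${cfg.owner}:${cfg.group} ${dst}` is the safer spelling. The `let` that this `in out` closes begins at the top of the file, outside this hunk.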
diff --git a/krebs/3modules/shadow.nix b/krebs/3modules/shadow.nix
index cff66492..9505efb0 100644
--- a/krebs/3modules/shadow.nix
+++ b/krebs/3modules/shadow.nix
@@ -4,19 +4,21 @@ with import <stockholm/lib>;
cfg = config.krebs.shadow;
mergeShadowsJq = pkgs.writeJq "merge-shadows.jq" ''
- def fields_3_to_9: ["1", "", "", "", "", "", ""];
+ def is_int: . == (. | floor);
+ def fields_4_to_9: ["", "", "", "", "", ""];
+ def check_fields_3_to_9: (.[2] | tonumber | is_int) and .[3:] == fields_4_to_9;
def read_value:
split(":") |
if length == 9 then
- if .[2:] == fields_3_to_9 then
+ if check_fields_3_to_9 then
.
else
error("unrecognized field contents")
end
elif length == 2 then
if .[1] | test("^\\$6\\$") then
- . + fields_3_to_9
+ . + ["1"] + fields_4_to_9
else
error("unrecognized hashed password")
end