lass: migrate away

author: lassulus <git@lassul.us> 2023-09-07 12:26:31 +0200
committer: lassulus <git@lassul.us> 2023-09-07 13:50:26 +0200
commit: f55307fd73af235069744dd5155fda0bc73fe613 (patch)
tree: f048d7750a50e48493505a08784c96d07d291f89 /lass/3modules/usershadow.nix
parent: 85ae348bf3f53125c8281669a32bf007dc0063be (diff)
1 files changed, 0 insertions, 139 deletions
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
deleted file mode 100644
index 094d37a3..00000000
--- a/lass/3modules/usershadow.nix
+++ /dev/null
@@ -1,139 +0,0 @@
-{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
-
-  cfg = config.lass.usershadow;
-
-  out = {
-    options.lass.usershadow = api;
-    config = lib.mkIf cfg.enable imp;
-  };
-
-  api = {
-    enable = mkEnableOption "usershadow";
-    pattern = mkOption {
-      type = types.str;
-      default = "/home/%/.shadow";
-    };
-    path = mkOption {
-      type = types.str;
-    };
-  };
-
-  imp = {
-    environment.systemPackages = [ usershadow ];
-    lass.usershadow.path = "${usershadow}";
-    security.pam.services.sshd.text = ''
-      auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
-      auth required pam_permit.so
-      account required pam_permit.so
-      session required pam_permit.so
-    '';
-
-    security.pam.services.dovecot2.text = ''
-      auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
-      auth required pam_permit.so
-      account required pam_permit.so
-      session required pam_permit.so
-    '';
-
-    security.wrappers.shadow_verify_pam = {
-      setuid = true;
-      source = "${usershadow}/bin/verify_pam";
-      owner = "root";
-      group = "root";
-    };
-    security.wrappers.shadow_verify_arg = {
-      setuid = true;
-      source = "${usershadow}/bin/verify_arg";
-      owner = "root";
-      group = "root";
-    };
-  };
-
-  usershadow = let {
-    deps = [
-      "pwstore-fast"
-      "bytestring"
-    ];
-    body = pkgs.writeHaskellPackage "passwords" {
-      ghc-options = [
-        "-rtsopts"
-        "-Wall"
-      ];
-      executables.verify_pam = {
-        extra-depends = deps;
-        text = ''
-          import System.IO
-          import Data.Char (chr)
-          import System.Environment (getEnv, getArgs)
-          import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
-          import qualified Data.ByteString.Char8 as BS8
-          import System.Exit (exitFailure, exitSuccess)
-
-          main :: IO ()
-          main = do
-            user <- getEnv "PAM_USER"
-            shadowFilePattern <- head <$> getArgs
-            let shadowFile = lhs <> user <> tail rhs
-                (lhs, rhs) = span (/= '%') shadowFilePattern
-            hash <- readFile shadowFile
-            password <- takeWhile (/= (chr 0)) <$> hGetLine stdin
-            let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
-            if res then exitSuccess else exitFailure
-        '';
-      };
-      executables.verify_arg = {
-        extra-depends = deps;
-        text = ''
-          import System.Environment (getArgs)
-          import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
-          import qualified Data.ByteString.Char8 as BS8
-          import System.Exit (exitFailure, exitSuccess)
-
-          main :: IO ()
-          main = do
-            argsList <- getArgs
-            let shadowFilePattern = argsList !! 0
-            let user = argsList !! 1
-            let password = argsList !! 2
-            let shadowFile = lhs <> user <> tail rhs
-                (lhs, rhs) = span (/= '%') shadowFilePattern
-            hash <- readFile shadowFile
-            let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
-            if res then do (putStr "yes") else exitFailure
-        '';
-      };
-      executables.passwd = {
-        extra-depends = deps;
-        text = ''
-          import System.Environment (getEnv)
-          import Crypto.PasswordStore (makePasswordWith, pbkdf2)
-          import qualified Data.ByteString.Char8 as BS8
-          import System.IO (stdin, stdout, hSetEcho, hFlush, putStr, putStrLn)
-          import Control.Exception (bracket_)
-
-          main :: IO ()
-          main = do
-            home <- getEnv "HOME"
-            mb_password <- bracket_ (hSetEcho stdin False) (hSetEcho stdin True) $ do
-              putStr "Enter new UNIX password: "
-              hFlush stdout
-              password <- BS8.hGetLine stdin
-              putStrLn ""
-              putStr "Retype new UNIX password: "
-              hFlush stdout
-              password2 <- BS8.hGetLine stdin
-              return $ if password == password2
-                then Just password
-                else Nothing
-            case mb_password of
-              Just password -> do
-                hash <- makePasswordWith pbkdf2 password 10
-                BS8.writeFile (home ++ "/.shadow") hash
-                putStrLn "passwd: all authentication tokens updated successfully."
-              Nothing -> putStrLn "Sorry, passwords do not match"
-        '';
-      };
-    };
-  };
-
-in out
author	lassulus <git@lassul.us>	2023-09-07 12:26:31 +0200
committer	lassulus <git@lassul.us>	2023-09-07 13:50:26 +0200
commit	f55307fd73af235069744dd5155fda0bc73fe613 (patch)
tree	f048d7750a50e48493505a08784c96d07d291f89 /lass/3modules/usershadow.nix
parent	85ae348bf3f53125c8281669a32bf007dc0063be (diff)