From bbbd3d6cd89cc797fab9245decca62e05eb994b7 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Fri, 5 Feb 2021 17:43:24 +0100
Subject: krebs.setuid: disambiguate `config`

---
 krebs/3modules/setuid.nix | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

(limited to 'krebs/3modules')

diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 97cf21cd..3e068736 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -1,11 +1,9 @@
-{ config, pkgs, lib, ... }:
 with import <stockholm/lib>;
-let
-  cfg = config.krebs.setuid;
+{ config, pkgs, ... }: let
 
   out = {
     options.krebs.setuid = api;
-    config = mkIf (cfg != {}) imp;
+    config = mkIf (config.krebs.setuid != {}) imp;
   };
 
   api = mkOption {
@@ -14,11 +12,11 @@ let
       # TODO make wrapperDir configurable
       inherit (config.security) wrapperDir;
       inherit (config.users) groups users;
-    in types.attrsOf (types.submodule ({ config, ... }: {
+    in types.attrsOf (types.submodule (self: let cfg = self.config; in {
       options = {
         name = mkOption {
           type = types.filename;
-          default = config._module.args.name;
+          default = cfg._module.args.name;
         };
         envp = mkOption {
           type = types.nullOr (types.attrsOf types.str);
@@ -58,21 +56,21 @@ let
         };
       };
       config.activate = let
-        src = pkgs.exec config.name {
-          inherit (config) envp filename;
+        src = pkgs.exec cfg.name {
+          inherit (cfg) envp filename;
         };
-        dst = "${wrapperDir}/${config.name}";
+        dst = "${wrapperDir}/${cfg.name}";
       in ''
         cp ${src} ${dst}
-        chown ${config.owner}.${config.group} ${dst}
-        chmod ${config.mode} ${dst}
+        chown ${cfg.owner}.${cfg.group} ${dst}
+        chmod ${cfg.mode} ${dst}
       '';
     }));
   };
 
   imp = {
     system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ]
-      (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
+      (concatMapStringsSep "\n" (getAttr "activate") (attrValues config.krebs.setuid));
   };
 
 in out
-- 
cgit v1.2.3


From 315dcf3cbff0980495c0899a38ecdf538651dabc Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Fri, 5 Feb 2021 17:48:54 +0100
Subject: krebs.setuid: make wrapperDir configurable

---
 krebs/3modules/setuid.nix | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'krebs/3modules')

diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 3e068736..64fedb91 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -9,8 +9,6 @@ with import <stockholm/lib>;
   api = mkOption {
     default = {};
     type = let
-      # TODO make wrapperDir configurable
-      inherit (config.security) wrapperDir;
       inherit (config.users) groups users;
     in types.attrsOf (types.submodule (self: let cfg = self.config; in {
       options = {
@@ -49,6 +47,10 @@ with import <stockholm/lib>;
             merge = mergeOneOption;
           };
         };
+        wrapperDir = mkOption {
+          default = config.security.wrapperDir;
+          type = types.absolute-pathname;
+        };
         activate = mkOption {
           type = types.str;
           visible = false;
@@ -59,8 +61,9 @@ with import <stockholm/lib>;
         src = pkgs.exec cfg.name {
           inherit (cfg) envp filename;
         };
-        dst = "${wrapperDir}/${cfg.name}";
+        dst = "${cfg.wrapperDir}/${cfg.name}";
       in ''
+        mkdir -p ${cfg.wrapperDir}
         cp ${src} ${dst}
         chown ${cfg.owner}.${cfg.group} ${dst}
         chmod ${cfg.mode} ${dst}
-- 
cgit v1.2.3


From 1ff4a60b8d241230c580fc5e9a705335c9c415a6 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Fri, 5 Feb 2021 19:52:07 +0100
Subject: krebs.shadow: admit password changes

---
 krebs/3modules/shadow.nix | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'krebs/3modules')

diff --git a/krebs/3modules/shadow.nix b/krebs/3modules/shadow.nix
index cff66492..9505efb0 100644
--- a/krebs/3modules/shadow.nix
+++ b/krebs/3modules/shadow.nix
@@ -4,19 +4,21 @@ with import <stockholm/lib>;
   cfg = config.krebs.shadow;
 
   mergeShadowsJq = pkgs.writeJq "merge-shadows.jq" ''
-    def fields_3_to_9: ["1", "", "", "", "", "", ""];
+    def is_int: . == (. | floor);
+    def fields_4_to_9: ["", "", "", "", "", ""];
+    def check_fields_3_to_9: (.[2] | tonumber | is_int) and .[3:] == fields_4_to_9;
 
     def read_value:
       split(":") |
       if length == 9 then
-        if .[2:] == fields_3_to_9 then
+        if check_fields_3_to_9 then
           .
         else
           error("unrecognized field contents")
         end
       elif length == 2 then
         if .[1] | test("^\\$6\\$") then
-          . + fields_3_to_9
+          . + ["1"] + fields_4_to_9
         else
           error("unrecognized hashed password")
         end
-- 
cgit v1.2.3