From e15b9e5a44b69c7b2c81ab6d3d6c91edc6d69712 Mon Sep 17 00:00:00 2001
From: lassulus <lass@aidsballs.de>
Date: Wed, 26 Oct 2016 15:12:52 +0200
Subject: Revert "l 2 websites domsen: remove obsolete code"

This reverts commit 0398342657a9548b9ada4524335b3ca864fd9c2e.
---
 lass/2configs/websites/domsen.nix | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

(limited to 'lass/2configs/websites/domsen.nix')

diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 18c771fa..0a53bc93 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -22,6 +22,25 @@ let
     exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
   '';
 
+  check-password = pkgs.writeDash "check-password" ''
+    read pw
+
+    file="/home/$PAM_USER/.shadow"
+
+    #check if shadow file exists
+    test -e "$file" || exit 123
+
+    hash="$(${pkgs.coreutils}/bin/head -1 $file)"
+    salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"
+
+    calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)"
+    if [ "$calc_hash" == $hash ]; then
+      exit 0
+    else
+      exit 1
+    fi
+  '';
+
 in {
   imports = [
     ./sqlBackup.nix
@@ -145,6 +164,19 @@ in {
     { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
   ];
 
+  security.pam.services.exim.text = ''
+    auth        required      pam_env.so
+    auth        sufficient    pam_exec.so debug expose_authtok ${check-password}
+    auth        sufficient    pam_unix.so likeauth nullok
+    auth        required      pam_deny.so
+    account     required      pam_unix.so
+    password    required      pam_cracklib.so retry=3 type=
+    password    sufficient    pam_unix.so nullok use_authtok md5shadow
+    password    required      pam_deny.so
+    session     required      pam_limits.so
+    session     required      pam_unix.so
+  '';
+
   krebs.exim-smarthost = {
     authenticators.PLAIN = ''
       driver = plaintext
-- 
cgit v1.2.3