diff options
author | makefu <github@syntax-fehler.de> | 2016-10-19 12:32:12 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2016-10-19 12:32:12 +0200 |
commit | 0868101f2adc00f4e13a4ea242dc3bd23070917f (patch) | |
tree | a155571c2c448e51e5b1461228d7b46dda64a07f /lass/3modules | |
parent | ccd89b19f3fbbb6acb94be8f9f54d4e673ee33dc (diff) | |
parent | ce58a50de30fd49d4c000a81f9b7ce9baf0ccd66 (diff) |
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'lass/3modules')
-rw-r--r-- | lass/3modules/default.nix | 2 | ||||
-rw-r--r-- | lass/3modules/hosts.nix | 12 | ||||
-rw-r--r-- | lass/3modules/owncloud_nginx.nix | 1 | ||||
-rw-r--r-- | lass/3modules/umts.nix | 4 | ||||
-rw-r--r-- | lass/3modules/usershadow.nix | 85 | ||||
-rw-r--r-- | lass/3modules/wordpress_nginx.nix | 1 |
6 files changed, 99 insertions, 6 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 60370b230..6588ca0d3 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -3,9 +3,11 @@ _: imports = [ ./ejabberd ./folderPerms.nix + ./hosts.nix ./mysql-backup.nix ./umts.nix ./urxvtd.nix + ./usershadow.nix ./wordpress_nginx.nix ./xresources.nix ]; diff --git a/lass/3modules/hosts.nix b/lass/3modules/hosts.nix new file mode 100644 index 000000000..f2ff10c06 --- /dev/null +++ b/lass/3modules/hosts.nix @@ -0,0 +1,12 @@ +{ config, ... }: + +with config.krebs.lib; + +{ + options.lass.hosts = mkOption { + type = types.attrsOf types.host; + default = + filterAttrs (_: host: host.owner.name == "lass") + config.krebs.hosts; + }; +} diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix index 35d8d04a5..4a79311a4 100644 --- a/lass/3modules/owncloud_nginx.nix +++ b/lass/3modules/owncloud_nginx.nix @@ -111,7 +111,6 @@ let pm.max_spare_servers = 3 listen.owner = ${user} listen.group = ${group} - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes diff --git a/lass/3modules/umts.nix b/lass/3modules/umts.nix index 01adc0409..7daaba89e 100644 --- a/lass/3modules/umts.nix +++ b/lass/3modules/umts.nix @@ -41,10 +41,6 @@ let wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113 - #modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09"; - modem-device = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0"; - - # TODO: currently it is only netzclub umts-bin = pkgs.writeScriptBin "umts" '' #!/bin/sh set -euf diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix new file mode 100644 index 000000000..0e7e718a4 --- /dev/null +++ b/lass/3modules/usershadow.nix @@ -0,0 +1,85 @@ +{ config, lib, pkgs, ... }@args: with config.krebs.lib; let + + cfg = config.lass.usershadow; + + out = { + options.lass.usershadow = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "usershadow"; + pattern = mkOption { + type = types.str; + default = "/home/%/.shadow"; + }; + }; + + imp = { + environment.systemPackages = [ usershadow ]; + security.pam.services.sshd.text = '' + auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + ''; + + security.pam.services.exim.text = '' + auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + ''; + }; + + usershadow = let { + deps = [ + "pwstore-fast" + "bytestring" + ]; + body = pkgs.writeHaskell "passwords" { + executables.verify = { + extra-depends = deps; + text = '' + import Data.Monoid + import System.IO + import Data.Char (chr) + import System.Environment (getEnv, getArgs) + import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) + import qualified Data.ByteString.Char8 as BS8 + import System.Exit (exitFailure, exitSuccess) + + main :: IO () + main = do + user <- getEnv "PAM_USER" + shadowFilePattern <- head <$> getArgs + let shadowFile = lhs <> user <> tail rhs + (lhs, rhs) = span (/= '%') shadowFilePattern + hash <- readFile shadowFile + password <- takeWhile (/= (chr 0)) <$> hGetLine stdin + let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash) + if res then exitSuccess else exitFailure + ''; + }; + executables.passwd = { + extra-depends = deps; + text = '' + import System.Environment (getEnv) + import Crypto.PasswordStore (makePasswordWith, pbkdf2) + import qualified Data.ByteString.Char8 as BS8 + import System.IO (stdin, hSetEcho, putStr) + + main :: IO () + main = do + home <- getEnv "HOME" + putStr "password:" + hSetEcho stdin False + password <- BS8.hGetLine stdin + hash <- makePasswordWith pbkdf2 password 10 + BS8.writeFile (home ++ "/.shadow") hash + ''; + }; + }; + }; + +in out diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix index 108054cb6..4305a121b 100644 --- a/lass/3modules/wordpress_nginx.nix +++ b/lass/3modules/wordpress_nginx.nix @@ -154,7 +154,6 @@ let pm.max_spare_servers = 3 listen.owner = ${user} listen.group = ${group} - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes |