authormakefu <github@syntax-fehler.de>2016-10-19 12:32:12 +0200
committermakefu <github@syntax-fehler.de>2016-10-19 12:32:12 +0200
commit0868101f2adc00f4e13a4ea242dc3bd23070917f (patch)
treea155571c2c448e51e5b1461228d7b46dda64a07f /lass/3modules
parentccd89b19f3fbbb6acb94be8f9f54d4e673ee33dc (diff)
parentce58a50de30fd49d4c000a81f9b7ce9baf0ccd66 (diff)
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'lass/3modules')
-rw-r--r--lass/3modules/default.nix2
-rw-r--r--lass/3modules/hosts.nix12
-rw-r--r--lass/3modules/owncloud_nginx.nix1
-rw-r--r--lass/3modules/umts.nix4
-rw-r--r--lass/3modules/usershadow.nix85
-rw-r--r--lass/3modules/wordpress_nginx.nix1
6 files changed, 99 insertions, 6 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 60370b230..6588ca0d3 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -3,9 +3,11 @@ _:
imports = [
./ejabberd
./folderPerms.nix
+ ./hosts.nix
./mysql-backup.nix
./umts.nix
./urxvtd.nix
+ ./usershadow.nix
./wordpress_nginx.nix
./xresources.nix
];
diff --git a/lass/3modules/hosts.nix b/lass/3modules/hosts.nix
new file mode 100644
index 000000000..f2ff10c06
--- /dev/null
+++ b/lass/3modules/hosts.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+
+with config.krebs.lib;
+
+{
+ options.lass.hosts = mkOption {
+ type = types.attrsOf types.host;
+ default =
+ filterAttrs (_: host: host.owner.name == "lass")
+ config.krebs.hosts;
+ };
+}
diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix
index 35d8d04a5..4a79311a4 100644
--- a/lass/3modules/owncloud_nginx.nix
+++ b/lass/3modules/owncloud_nginx.nix
@@ -111,7 +111,6 @@ let
pm.max_spare_servers = 3
listen.owner = ${user}
listen.group = ${group}
- # errors to journal
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
diff --git a/lass/3modules/umts.nix b/lass/3modules/umts.nix
index 01adc0409..7daaba89e 100644
--- a/lass/3modules/umts.nix
+++ b/lass/3modules/umts.nix
@@ -41,10 +41,6 @@ let
wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
- #modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09";
- modem-device = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0";
-
- # TODO: currently it is only netzclub
umts-bin = pkgs.writeScriptBin "umts" ''
#!/bin/sh
set -euf
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
new file mode 100644
index 000000000..0e7e718a4
--- /dev/null
+++ b/lass/3modules/usershadow.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+
+ cfg = config.lass.usershadow;
+
+ out = {
+ options.lass.usershadow = api;
+ config = lib.mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "usershadow";
+ pattern = mkOption {
+ type = types.str;
+ default = "/home/%/.shadow";
+ };
+ };
+
+ imp = {
+ environment.systemPackages = [ usershadow ];
+ security.pam.services.sshd.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ '';
+
+ security.pam.services.exim.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ '';
+ };
+
+ usershadow = let {
+ deps = [
+ "pwstore-fast"
+ "bytestring"
+ ];
+ body = pkgs.writeHaskell "passwords" {
+ executables.verify = {
+ extra-depends = deps;
+ text = ''
+ import Data.Monoid
+ import System.IO
+ import Data.Char (chr)
+ import System.Environment (getEnv, getArgs)
+ import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.Exit (exitFailure, exitSuccess)
+
+ main :: IO ()
+ main = do
+ user <- getEnv "PAM_USER"
+ shadowFilePattern <- head <$> getArgs
+ let shadowFile = lhs <> user <> tail rhs
+ (lhs, rhs) = span (/= '%') shadowFilePattern
+ hash <- readFile shadowFile
+ password <- takeWhile (/= (chr 0)) <$> hGetLine stdin
+ let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+ if res then exitSuccess else exitFailure
+ '';
+ };
+ executables.passwd = {
+ extra-depends = deps;
+ text = ''
+ import System.Environment (getEnv)
+ import Crypto.PasswordStore (makePasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.IO (stdin, hSetEcho, putStr)
+
+ main :: IO ()
+ main = do
+ home <- getEnv "HOME"
+ putStr "password:"
+ hSetEcho stdin False
+ password <- BS8.hGetLine stdin
+ hash <- makePasswordWith pbkdf2 password 10
+ BS8.writeFile (home ++ "/.shadow") hash
+ '';
+ };
+ };
+ };
+
+in out
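Review bot: In the `passwd` executable, `BS8.writeFile (home ++ "/.shadow") hash` creates the shadow file with the process umask (typically world-readable) and hardcodes `/.shadow`, while `verify` resolves the path from `cfg.pattern`, so changing the option silently desynchronises the two programs; create the file with mode 0600 (e.g. `setFileMode` from `System.Posix.Files` right after writing, or an `openFd` with `0o600`) and derive the path from the same pattern. In `verify`, `head <$> getArgs` and `tail rhs` are partial — a pattern without `%` or a missing argument crashes rather than failing cleanly — and `PAM_USER` is spliced into the path unchecked, so the name should be rejected if it contains `/` (or the home directory looked up from the passwd database instead). The two programs also read the password differently: `verify` uses `hGetLine` (locale-decoded `String`, then `BS8.pack`) whereas `passwd` uses `BS8.hGetLine` (raw bytes), which likely makes non-ASCII passwords fail to verify; reading bytes with `BS8.hGetLine` in `verify` and stripping the trailing NUL on the `ByteString` keeps both sides consistent. Finally, both PAM stacks use `pam_permit.so` for `account`, so locked or expired accounts are never checked; `pam_unix.so` there would restore that check.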
diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix
index 108054cb6..4305a121b 100644
--- a/lass/3modules/wordpress_nginx.nix
+++ b/lass/3modules/wordpress_nginx.nix
@@ -154,7 +154,6 @@ let
pm.max_spare_servers = 3
listen.owner = ${user}
listen.group = ${group}
- # errors to journal
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes