Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/2configs/security-workarounds.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/external/mic92.nix | 66 | ||||
-rw-r--r-- | krebs/3modules/setuid.nix | 16 |
3 files changed, 80 insertions, 4 deletions
diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix
index 27d1f8485..0743f2b49 100644
--- a/krebs/2configs/security-workarounds.nix
+++ b/krebs/2configs/security-workarounds.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 with import <stockholm/lib>;
 {
-  # https://github.com/berdav/CVE-2021-4034
+  # https://github.com/Lassulus/CVE-2021-4034
   security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" "");
 }
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index cd11fb2c5..27a2beed6 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -805,10 +805,16 @@ in {
   mickey = {
     owner = config.krebs.users.mic92;
     nets = rec {
+      internet = {
+        # mickey.dse.in.tum.de
+        ip4.addr = "131.159.102.10";
+        ip6.addr = "2a09:80c0:102::10";
+        aliases = [ "mickey.i" ];
+      };
       retiolum = {
+        via = internet;
         aliases = [ "mickey.r" ];
         tinc.pubkey = ''
-          Ed25519PublicKey = cE450gYxzp9kAzV5ytU9N7aV+WdnD7wQMjkPWV7r/bC
           -----BEGIN RSA PUBLIC KEY-----
           MIICCgKCAgEA7TwI3/tyl3z46Enr6p/0bpl5CpG6DZLxjAhsMcWBM+4xTL9s18IZ
           2FGbyS3EyOBprMBQULrik1u0rfZ0AL8XdO6h+r1BD6XmlZtUu3FJaVeXrLBPGtC0
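Review bot: Removing the `Ed25519PublicKey = …` line from mickey's `tinc.pubkey` block is only safe if the module that renders tinc host files emits that line from the new `tinc.pubkey_ed25519` option; that generator is outside this diff, so please confirm it, because a host file without an Ed25519 key presumably makes tinc 1.1 peers fall back to the legacy RSA protocol (or refuse the node if `ExperimentalProtocol` is off) rather than fail loudly. If the generator does support it, a one-line comment at the option site such as `# rendered as "Ed25519PublicKey = …" in the tinc hosts file` would spare the next reader the same check. mickey's definition continues past the end of this hunk (the `pubkey_ed25519` line itself lands in the next hunk).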
@@ -823,6 +829,64 @@ in {
           RA8gQM/P3j1EmDvemlskWOoCLVELR40BtKdM9MFiGqxGMoNh3DvGWTECAwEAAQ==
           -----END RSA PUBLIC KEY-----
         '';
+        tinc.pubkey_ed25519 = "cE450gYxzp9kAzV5ytU9N7aV+WdnD7wQMjkPWV7r/bC";
+      };
+    };
+  };
+
+  astrid = {
+    owner = config.krebs.users.mic92;
+    nets = rec {
+      internet = {
+        # astrid.dse.in.tum.de
+        ip4.addr = "131.159.102.11";
+        ip6.addr = "2a09:80c0:102::11";
+        aliases = [ "astrid.i" ];
+      };
+      retiolum = {
+        aliases = [ "astrid.r" ];
+        tinc.pubkey = ''
+          -----BEGIN RSA PUBLIC KEY-----
+          MIIBCgKCAQEArYO78+rLxDYBxt1MZ4VDjdSvoxJ8/De5R+/Yo0Uh1vJJtlkQUfAK
+          o2uOQvX76Y1EByAu1hMKsquDJrmnEQKyaBVUv1xkU9kQPxDoUkHdQaMoyjjCLKHV
+          7OjRRQ+PCAjCVfaIR4P0pXGXShBYVqITdr8R/fH7f+M6I+s/H4KTo9zpRY9YUzXV
+          V6t3PCTMBXWxa2kNTSTe1zpGHccOd3FWs6r+0DZ2bPg/6Qh/VszQI7NXRqgSLNgi
+          J1+PaO0h9IfICNYYaWg1r9gh6nd52U9S2B6eipizrdWdyHuufWzn52liNztSEe9g
+          5VC0PPAZFIxEkhoAP/HGTnNvXLOo960IXwIDAQAB
+          -----END RSA PUBLIC KEY-----
+        '';
+        tinc.pubkey_ed25519 = "I0rk5Co9QEuyramaxNSI2Rq43qgRF2tJr5Lf8nlBjUO";
+      };
+    };
+  };
+  dan = {
+    owner = config.krebs.users.mic92;
+    nets = rec {
+      internet = {
+        # dan.dse.in.tum.de
+        ip4.addr = "131.159.102.12";
+        ip6.addr = "2a09:80c0:102::12";
+        aliases = [ "dan.i" ];
+      };
+      retiolum = {
+        via = internet;
+        aliases = [ "dan.r" ];
+        tinc.pubkey = ''
+          -----BEGIN RSA PUBLIC KEY-----
+          MIICCgKCAgEAoZq+Nt1H+tcLRVE5LiJXyAItRIcIJNVeFenN54era7Yr0+OE7s14
+          r19N7g8cb3ytgbxb1P0t8Dd2ziKUdEoOdVK7/dqx6oM1lwjOBy4rtcGmy6hHGRhT
+          +Si6NxHnQVkswzL2/4DcBxg+D40GDIz0QlNhT7TC3TW6gtKbTopHMZoC3cyw1iXF
+          iZB8HEv22Daq+/gFt9rcV2cRhdsDIX3TEAu+wXhDMtB9V78CzgOHV7IBrlnQHTeq
+          3TmcQ+AHKZB3nY5cUDvbSUWHOrG4CQ0w2pf034s7l3AMLClXcr0IORZtCgEhCmE5
+          tgg9Y6vKH2S0a25naf5rOFCvEXt8TZF9lCc42hfKCJo/LE2LoqKluAMUWgXUtv6s
+          Od6AcV5RW3QkgRiDi6niPVVAnDGSUfqUNaJhmBzlfD6PzwBpPlcODf5dk/H/FhzZ
+          nGpG4lptvknrBZxz9Vdyv3a/CE9VA5FbgDdOJMk5fbNG6XH4BoESjKQ/tHwvDRwO
+          Xz11V5MQYk4aYq++AgkoyCgw37rWqgR2WE/X9tV63qUAiBHJoZ48QPmqrZwEt8LC
+          92eTKbxfl2iroqs5vBqKiXcRAWgXwO25rb+4CJUfD8b9AdAlm4unoCcoYluJ9rO1
+          5xs2x/b09U3YXkMgO67cju+Vg68ROnihokH+5pyfuMMsHSAANC+uWD8CAwEAAQ==
+          -----END RSA PUBLIC KEY-----
+        '';
+        tinc.pubkey_ed25519 = "bEWH72WNDGtn6uGy1h1m3T8rH2pHoL8zNU1ADq4TW+L";
       };
     };
   };
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 64fedb911..b141c7de4 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -30,6 +30,10 @@ with import <stockholm/lib>;
       };
       apply = toString;
     };
+    capabilities = mkOption {
+      default = [];
+      type = types.listOf types.str;
+    };
     owner = mkOption {
       default = "root";
       type = types.enum (attrNames users);
@@ -62,18 +66,26 @@ with import <stockholm/lib>;
         inherit (cfg) envp filename;
       };
       dst = "${cfg.wrapperDir}/${cfg.name}";
-    in ''
+    in /* sh */ ''
       mkdir -p ${cfg.wrapperDir}
       cp ${src} ${dst}
       chown ${cfg.owner}.${cfg.group} ${dst}
       chmod ${cfg.mode} ${dst}
+      ${optionalString (cfg.capabilities != []) /* sh */ ''
+        ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+      ''}
     '';
   }));
 };
 
 imp = {
   system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ]
-    (concatMapStringsSep "\n" (getAttr "activate") (attrValues config.krebs.setuid));
+    (concatMapStringsSep "\n"
+      (cfg: /* sh */ ''
+        ${cfg.activate}
+        rm -f ${cfg.wrapperDir}/${cfg.name}.real
+      '')
+      (attrValues config.krebs.setuid));
 };
 
 in out
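Review bot: astrid's `retiolum` block has no `via = internet;`, unlike mickey and dan which are given the same treatment in this commit, so although astrid now declares public addresses, peers will presumably not get an `Address =` for it and can only reach it through nodes that connect outwards to them. If astrid is meant to be directly reachable like its two siblings, add `via = internet;` as the first line of its `retiolum` set; if the omission is deliberate (for example the host sits behind a firewall), a comment such as `# not reachable from outside, no via` would stop the next reader from "fixing" it. The three new hosts also carry only an `ip4.addr`/`ip6.addr` for `internet` and no `tinc.port`, which is fine as long as the default port is what the TUM network allows through.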
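Review bot: The new `capabilities` option has no `description`, and since its values are spliced straight into a privileged `setcap` invocation (escaped, but unchecked), a user has no way to know the expected syntax without reading the activation script. Add a description along the lines of `description = "File capabilities to set on the wrapper with setcap(8), in setcap syntax, e.g. [ \"cap_net_raw+ep\" ]; entries are joined with commas";` and consider a stricter type than `types.str` (for instance `types.strMatching "cap_[a-z_]+[+=-][eip]+"`) so a typo fails at evaluation rather than leaving the wrapper without capabilities at activation time. The enclosing options set starts and ends outside this hunk.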
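Review bot: The `setcap` line in `activate` runs only when `capabilities` is non-empty, so a wrapper whose list is later emptied keeps whatever `security.capability` xattr a previous activation set unless overwriting the file with `cp` happens to clear it; the kernel does strip file capabilities on write as far as I know, but that is a poor thing for a privilege-bearing script to rely on, and an explicit `setcap -r ${dst} 2>/dev/null || true` in the empty case makes the end state unambiguous. The added `rm -f ${cfg.wrapperDir}/${cfg.name}.real` is unexplained; if it is meant to drop the `.real` stub the NixOS wrappers module leaves behind for the same program name, say so with a comment like `# remove the NixOS wrapper's .real stub so ours is the only ${cfg.name} in wrapperDir`. Note too that `${dst}` and the `.real` path are interpolated unescaped into the shell while the capability strings are escaped; `wrapperDir` and `name` likely come from trusted configuration, but wrapping them with `shell.escape` as well would make the script uniformly safe. The `activate` option's definition starts before this hunk.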