diff options
Diffstat (limited to 'lass/3modules')
| -rw-r--r-- | lass/3modules/default.nix | 1 | ||||
| -rw-r--r-- | lass/3modules/ensure-permissions.nix | 66 | ||||
| -rw-r--r-- | lass/3modules/usershadow.nix | 31 |
3 files changed, 22 insertions, 76 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 59043aeb1..613c7c8ac 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -3,7 +3,6 @@ _: imports = [ ./dnsmasq.nix ./ejabberd - ./ensure-permissions.nix ./folderPerms.nix ./hosts.nix ./mysql-backup.nix diff --git a/lass/3modules/ensure-permissions.nix b/lass/3modules/ensure-permissions.nix deleted file mode 100644 index 36edc1127..000000000 --- a/lass/3modules/ensure-permissions.nix +++ /dev/null @@ -1,66 +0,0 @@ -{ config, pkgs, ... }: with import <stockholm/lib>; - -let - - cfg = config.lass.ensure-permissions; - -in - -{ - options.lass.ensure-permissions = mkOption { - default = []; - type = types.listOf (types.submodule ({ - options = { - - folder = mkOption { - type = types.absolute-pathname; - }; - - owner = mkOption { - # TODO user type - type = types.str; - default = "root"; - }; - - group = mkOption { - # TODO group type - type = types.str; - default = "root"; - }; - - permission = mkOption { - # TODO permission type - type = types.str; - default = "u+rw,g+rw"; - }; - - }; - })); - }; - - config = mkIf (cfg != []) { - - system.activationScripts.ensure-permissions = concatMapStringsSep "\n" (plan: '' - ${pkgs.coreutils}/bin/mkdir -p ${plan.folder} - ${pkgs.coreutils}/bin/chmod -R ${plan.permission} ${plan.folder} - ${pkgs.coreutils}/bin/chown -R ${plan.owner}:${plan.group} ${plan.folder} - '') cfg; - systemd.services = - listToAttrs (map (plan: nameValuePair "ensure-permisson.${replaceStrings ["/"] ["_"] plan.folder}" { - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Restart = "always"; - RestartSec = 10; - ExecStart = pkgs.writeDash "ensure-perms" '' - ${pkgs.inotifyTools}/bin/inotifywait -mrq -e CREATE --format %w%f ${plan.folder} \ - | while IFS= read -r FILE; do - ${pkgs.coreutils}/bin/chmod -R ${plan.permission} "$FILE" 2>/dev/null - ${pkgs.coreutils}/bin/chown -R ${plan.owner}:${plan.group} "$FILE" 2>/dev/null - done - ''; - }; - }) cfg) - ; - - }; -} diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index cb2890969..51da2ec93 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -31,13 +31,24 @@ session required pam_loginuid.so ''; - security.pam.services.dovecot2.text = '' - auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern} - auth required pam_permit.so - account required pam_permit.so - session required pam_permit.so - session required pam_env.so envfile=${config.system.build.pamEnvironment} - ''; + security.pam.services.dovecot2 = { + text = '' + auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + session required pam_env.so envfile=${config.system.build.pamEnvironment} + ''; + }; + + security.wrappers.shadow_verify_pam = { + source = "${usershadow}/bin/verify_pam"; + owner = "root"; + }; + security.wrappers.shadow_verify_arg = { + source = "${usershadow}/bin/verify_arg"; + owner = "root"; + }; }; usershadow = let { @@ -46,10 +57,13 @@ "bytestring" ]; body = pkgs.writeHaskellPackage "passwords" { + ghc-options = [ + "-rtsopts" + "-Wall" + ]; executables.verify_pam = { extra-depends = deps; text = '' - import Data.Monoid import System.IO import Data.Char (chr) import System.Environment (getEnv, getArgs) @@ -72,7 +86,6 @@ executables.verify_arg = { extra-depends = deps; text = '' - import Data.Monoid import System.Environment (getArgs) import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) import qualified Data.ByteString.Char8 as BS8 |