Diffstat (limited to 'lass/3modules')
-rw-r--r-- | lass/3modules/default.nix | 2 | ||||
-rw-r--r-- | lass/3modules/hosts.nix | 12 | ||||
-rw-r--r-- | lass/3modules/owncloud_nginx.nix | 1 | ||||
-rw-r--r-- | lass/3modules/umts.nix | 4 | ||||
-rw-r--r-- | lass/3modules/usershadow.nix | 85 | ||||
-rw-r--r-- | lass/3modules/wordpress_nginx.nix | 1 |
6 files changed, 99 insertions, 6 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 60370b230..6588ca0d3 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -3,9 +3,11 @@ _: imports = [ ./ejabberd ./folderPerms.nix + ./hosts.nix ./mysql-backup.nix ./umts.nix ./urxvtd.nix + ./usershadow.nix ./wordpress_nginx.nix ./xresources.nix ]; diff --git a/lass/3modules/hosts.nix b/lass/3modules/hosts.nix new file mode 100644 index 000000000..f2ff10c06 --- /dev/null +++ b/lass/3modules/hosts.nix @@ -0,0 +1,12 @@ +{ config, ... }: + +with config.krebs.lib; + +{ + options.lass.hosts = mkOption { + type = types.attrsOf types.host; + default = + filterAttrs (_: host: host.owner.name == "lass") + config.krebs.hosts; + }; +} diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix index 35d8d04a5..4a79311a4 100644 --- a/lass/3modules/owncloud_nginx.nix +++ b/lass/3modules/owncloud_nginx.nix @@ -111,7 +111,6 @@ let pm.max_spare_servers = 3 listen.owner = ${user} listen.group = ${group} - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes diff --git a/lass/3modules/umts.nix b/lass/3modules/umts.nix index 01adc0409..7daaba89e 100644 --- a/lass/3modules/umts.nix +++ b/lass/3modules/umts.nix @@ -41,10 +41,6 @@ let wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113 - #modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09"; - modem-device = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0"; - - # TODO: currently it is only netzclub umts-bin = pkgs.writeScriptBin "umts" '' #!/bin/sh set -euf diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix new file mode 100644 index 000000000..0e7e718a4 --- /dev/null +++ b/lass/3modules/usershadow.nix 
@@ -0,0 +1,85 @@ +{ config, lib, pkgs, ... }@args: with config.krebs.lib; let + + cfg = config.lass.usershadow; + + out = { + options.lass.usershadow = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "usershadow"; + pattern = mkOption { + type = types.str; + default = "/home/%/.shadow"; + }; + }; + + imp = { + environment.systemPackages = [ usershadow ]; + security.pam.services.sshd.text = '' + auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + ''; + + security.pam.services.exim.text = '' + auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + ''; + }; + + usershadow = let { + deps = [ + "pwstore-fast" + "bytestring" + ]; + body = pkgs.writeHaskell "passwords" { + executables.verify = { + extra-depends = deps; + text = '' + import Data.Monoid + import System.IO + import Data.Char (chr) + import System.Environment (getEnv, getArgs) + import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) + import qualified Data.ByteString.Char8 as BS8 + import System.Exit (exitFailure, exitSuccess) + + main :: IO () + main = do + user <- getEnv "PAM_USER" + shadowFilePattern <- head <$> getArgs + let shadowFile = lhs <> user <> tail rhs + (lhs, rhs) = span (/= '%') shadowFilePattern + hash <- readFile shadowFile + password <- takeWhile (/= (chr 0)) <$> hGetLine stdin + let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash) + if res then exitSuccess else exitFailure + ''; + }; + executables.passwd = { + extra-depends = deps; + text = '' + import System.Environment (getEnv) + import Crypto.PasswordStore (makePasswordWith, pbkdf2) + import qualified Data.ByteString.Char8 as BS8 + import System.IO (stdin, hSetEcho, putStr) + + main :: IO () + main = do + home <- getEnv "HOME" + 
putStr "password:" + hSetEcho stdin False + password <- BS8.hGetLine stdin + hash <- makePasswordWith pbkdf2 password 10 + BS8.writeFile (home ++ "/.shadow") hash + ''; + }; + }; + }; + +in out diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix index 108054cb6..4305a121b 100644 --- a/lass/3modules/wordpress_nginx.nix +++ b/lass/3modules/wordpress_nginx.nix @@ -154,7 +154,6 @@ let pm.max_spare_servers = 3 listen.owner = ${user} listen.group = ${group} - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes |
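Review bot: The `passwd` executable stores the hash with a plain `BS8.writeFile (home ++ "/.shadow") hash`, so the file keeps whatever the process umask grants (commonly 0644) and is never restricted afterwards, while `verify` reads it as root from pam_exec; any local user can then copy the hash and crack it offline, which is cheap here because strength 10 combined with the `(2^)` iteration function in `verify` means only 1024 PBKDF2 rounds. Add `setFileMode (home ++ "/.shadow") 0o600` right after the write (`import System.Posix.Files (setFileMode)`, with "unix" added to `deps`) and consider a noticeably higher strength. In `verify`, `PAM_USER` originates from the remote login attempt and is spliced into the path pattern unchecked, so a name containing `/` makes root read and compare against an arbitrary file; guard with `when (elem '/' user || null user) exitFailure` before the `readFile`. The sshd and exim `account` and `session` stacks are reduced to `pam_permit.so`, which appears to drop any account checks (locked or expired users) the default stack would perform — confirm that is intended.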