From f55307fd73af235069744dd5155fda0bc73fe613 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 7 Sep 2023 12:26:31 +0200
Subject: lass: migrate away
---
 lass/3modules/autowifi.nix | 38 ----------
 lass/3modules/default.nix | 18 -----
 lass/3modules/dnsmasq.nix | 48 ------------
 lass/3modules/drbd.nix | 159 ---------------------------------------
 lass/3modules/folderPerms.nix | 104 --------------------------
 lass/3modules/hosts.nix | 12 ---
 lass/3modules/klem.nix | 75 -------------------
 lass/3modules/mysql-backup.nix | 86 ---------------------
 lass/3modules/news.nix | 76 -------------------
 lass/3modules/nichtparasoup.nix | 161 ----------------------------------------
 lass/3modules/pyload.nix | 55 --------------
 lass/3modules/screenlock.nix | 40 ----------
 lass/3modules/usershadow.nix | 139 ----------------------------------
 13 files changed, 1011 deletions(-)
 delete mode 100644 lass/3modules/autowifi.nix
 delete mode 100644 lass/3modules/default.nix
 delete mode 100644 lass/3modules/dnsmasq.nix
 delete mode 100644 lass/3modules/drbd.nix
 delete mode 100644 lass/3modules/folderPerms.nix
 delete mode 100644 lass/3modules/hosts.nix
 delete mode 100644 lass/3modules/klem.nix
 delete mode 100644 lass/3modules/mysql-backup.nix
 delete mode 100644 lass/3modules/news.nix
 delete mode 100644 lass/3modules/nichtparasoup.nix
 delete mode 100644 lass/3modules/pyload.nix
 delete mode 100644 lass/3modules/screenlock.nix
 delete mode 100644 lass/3modules/usershadow.nix
(limited to 'lass/3modules')
diff --git a/lass/3modules/autowifi.nix b/lass/3modules/autowifi.nix
deleted file mode 100644
index 9aa1a2d28..000000000
--- a/lass/3modules/autowifi.nix
+++ /dev/null
@@ -1,38 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; -let - - cfg = config.lass.autowifi; - -in { - options.lass.autowifi = { - enable = mkEnableOption "automatic wifi connector"; - knownWifisFile = mkOption { - type = types.str; - default = "/etc/wifis"; - }; - enablePrisonBreak = mkOption { - type = types.bool; - default = false; - }; - }; - - config = lib.mkIf cfg.enable { - systemd.services.autowifi = { - description = "Automatic wifi connector"; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.networkmanager ]; - serviceConfig = { - Type = "simple"; - Restart = "always"; - RestartSec = "10s"; - ExecStart = "${autowifi}/bin/autowifi"; - }; - }; - - networking.networkmanager.dispatcherScripts = mkIf cfg.enablePrisonBreak [ - { source = "${pkgs.callPackage ; -in { - options = { - lass.drbd = lib.mkOption { - default = {}; - type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: { - options = { - name = lib.mkOption { - type = lib.types.str; - default = config._module.args.name; - }; - blockMinor = lib.mkOption { - type = lib.types.int; - default = lib.mod (slib.genid config.name) 16000; # TODO get max_id fron drbd - }; - port = lib.mkOption { - type = lib.types.int; - default = 20000 + config.blockMinor; - }; - peers = lib.mkOption { - type = lib.types.listOf slib.types.host; - }; - disk = lib.mkOption { - type = lib.types.str; - default = "/dev/loop${toString config.blockMinor}"; - }; - drbdConfig = lib.mkOption { - type = lib.types.path; - internal = true; - default = pkgs.writeText "drbd-${config.name}.conf" '' - resource ${config.name} { - net { - protocol a; - ping-int 10; - csums-alg crc32c; - connect-int 3; - after-sb-0pri discard-older-primary; - after-sb-1pri discard-secondary; - - # seems to be drbd-proxy premium feature - on-congestion pull-ahead; - congestion-fill 1G; - congestion-extents 500; - - sndbuf-size 10M; - max-epoch-size 20000; - } - device minor ${toString config.blockMinor}; - disk ${config.disk}; - meta-disk 
internal; - ${slib.indent (lib.concatStrings (lib.imap1 (i: peer: /* shell */ '' - on ${peer.name} { - address ${peer.nets.retiolum.ip4.addr}:${toString config.port}; - node-id ${toString i}; - } - '') config.peers))} - connection-mesh { - hosts ${lib.concatMapStringsSep " " (peer: peer.name) config.peers}; - } - } - ''; - }; - }; - })); - }; - }; - config = lib.mkIf (cfg != {}) { - boot.extraModulePackages = [ - (pkgs.linuxPackages.callPackage ../5pkgs/drbd9/default.nix {}) - ]; - boot.extraModprobeConfig = '' - options drbd usermode_helper=/run/current-system/sw/bin/drbdadm - ''; - services.udev.packages = [ pkgs.drbd ]; - boot.kernelModules = [ "drbd" ]; - - environment.systemPackages = [ - pkgs.drbd - (pkgs.writers.writeDashBin "drbd-change-nodeid" '' - # https://linbit.com/drbd-user-guide/drbd-guide-9_0-en/#s-using-truck-based-replication - set -efux - - if [ "$#" -ne 2 ]; then - echo '$1 needs to be drbd volume name' - echo '$2 needs to be new node id' - exit 1 - fi - - - TMPDIR=$(mktemp -d) - trap 'rm -rf $TMPDIR' EXIT - - V=$1 - NODE_TO=$2 - META_DATA_LOCATION=internal - - ${pkgs.drbd}/bin/drbdadm -- --force dump-md $V > "$TMPDIR"/md_orig.txt - NODE_FROM=$(cat "$TMPDIR"/md_orig.txt | ${pkgs.gnused}/bin/sed -n 's/^node-id \(.*\);$/\1/p') - ${pkgs.gnused}/bin/sed -e "s/node-id $NODE_FROM/node-id $NODE_TO/" \ - -e "s/^peer.$NODE_FROM. /peer-NEW /" \ - -e "s/^peer.$NODE_TO. 
/peer[$NODE_FROM] /" \ - -e "s/^peer-NEW /peer[$NODE_TO] /" \ - < "$TMPDIR"/md_orig.txt > "$TMPDIR"/md.txt - - drbdmeta --force $(drbdadm sh-minor $V) v09 $(drbdadm sh-md-dev $V) $META_DATA_LOCATION restore-md "$TMPDIR"/md.txt - '') - ]; - - networking.firewall.allowedTCPPorts = map (device: device.port) (lib.attrValues cfg); - systemd.services = lib.mapAttrs' (_: device: - lib.nameValuePair "drbd-${device.name}" { - after = [ "systemd-udev.settle.service" "network.target" "retiolum.service" ]; - wants = [ "systemd-udev.settle.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - RemainAfterExit = true; - ExecStart = pkgs.writers.writeDash "start-drbd-${device.name}" '' - set -efux - mkdir -p /var/lib/sync-containers2 - ${lib.optionalString (device.disk == "/dev/loop${toString device.blockMinor}") '' - if ! test -e /var/lib/sync-containers2/${device.name}.disk; then - truncate -s 10G /var/lib/sync-containers2/${device.name}.disk - fi - if ! ${pkgs.util-linux}/bin/losetup /dev/loop${toString device.blockMinor}; then - ${pkgs.util-linux}/bin/losetup /dev/loop${toString device.blockMinor} /var/lib/sync-containers2/${device.name}.disk - fi - ''} - if ! ${pkgs.drbd}/bin/drbdadm adjust ${device.name}; then - ${pkgs.drbd}/bin/drbdadm down ${device.name} - ${pkgs.drbd}/bin/drbdadm create-md ${device.name}/0 --max-peers 31 - ${pkgs.drbd}/bin/drbdadm up ${device.name} - fi - ''; - ExecStop = pkgs.writers.writeDash "stop-drbd-${device.name}" '' - set -efux - ${pkgs.drbd}/bin/drbdadm -c ${device.drbdConfig} down ${device.name} - ${lib.optionalString (device.disk == "/dev/loop${toString device.blockMinor}") '' - ${pkgs.util-linux}/bin/losetup -d /dev/loop${toString device.blockMinor} - ''} - ''; - }; - } - ) cfg; - - - environment.etc."drbd.conf".text = '' - global { - usage-count yes; - } - - ${lib.concatMapStrings (device: /* shell */ '' - include ${device.drbdConfig}; - '') (lib.attrValues cfg)} - ''; - }; -} - 
diff --git a/lass/3modules/folderPerms.nix b/lass/3modules/folderPerms.nix
deleted file mode 100644
index bb0320327..000000000
--- a/lass/3modules/folderPerms.nix
+++ /dev/null
@@ -1,104 +0,0 @@ -{ config, lib, pkgs, ... }: - -#TODO: implement recursive mode maybe? -# enable different mods for files and folders - -let - inherit (pkgs) - writeScript - ; - - inherit (lib) - concatMapStringsSep - concatStringsSep - mkEnableOption - mkIf - mkOption - types - ; - - cfg = config.lass.folderPerms; - - out = { - options.lass.folderPerms = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "folder permissions"; - permissions = mkOption { - type = with types; listOf (submodule ({ - options = { - path = mkOption { - type = str; - }; - permission = mkOption { - type = nullOr str; - example = "755"; - description = '' - basically anything that chmod takes as permission - ''; - default = null; - }; - owner = mkOption { - type = nullOr str; - example = "root:root"; - description = '' - basically anything that chown takes as owner - ''; - default = null; - }; - }; - })); - }; - }; - - imp = { - systemd.services.lass-folderPerms = { - description = "lass-folderPerms"; - wantedBy = [ "multi-user.target" ]; - - path = with pkgs; [ - coreutils - ]; - - restartIfChanged = true; - - serviceConfig = { - type = "simple"; - RemainAfterExit = true; - Restart = "always"; - ExecStart = "@${startScript}"; - }; - }; - }; - - startScript = writeScript "lass-folderPerms" '' - ${concatMapStringsSep "\n" writeCommand cfg.permissions} - ''; - - writeCommand = fperm: - concatStringsSep "\n" [ - (buildPermission fperm) - (buildOwner fperm) - ]; - - buildPermission = perm: - #TODO: create folder maybe - #TODO: check if permission is valid - if (perm.permission == null) then - "" - else - "chmod ${perm.permission} ${perm.path}" - ; - - buildOwner = perm: - #TODO: create folder maybe - #TODO: check if owner/group valid - if (perm.owner == null) then - "" - else - "chown ${perm.owner} ${perm.path}" - ; - -in out diff --git a/lass/3modules/hosts.nix b/lass/3modules/hosts.nix deleted file mode 100644 index 37cbf3ed3..000000000 
--- a/lass/3modules/hosts.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, ... }:
-
-with import ;
-
-{
- options.lass.hosts = mkOption {
- type = types.attrsOf types.host;
- default =
- filterAttrs (_: host: host.owner.name == "lass" && host.ci)
- config.krebs.hosts;
- };
-}
diff --git a/lass/3modules/klem.nix b/lass/3modules/klem.nix
deleted file mode 100644
index 8536d967d..000000000
--- a/lass/3modules/klem.nix
+++ /dev/null
@@ -1,75 +0,0 @@ -{ config, pkgs, ... }: with import ; let - cfg = config.lass.klem; -in { - options.lass.klem = mkOption { - default = {}; - type = types.attrsOf (types.submodule ({ config, ...}: { - options = { - target = mkOption { - default = ".*"; - description = '' - regex of valid targets - can be shown with xclip -selection clipboard -t TARGETS - the first hit is taken as target argument - ''; - type = types.str; - }; - script = mkOption { - description = '' - file to run if entry is selected - ''; - type = types.path; - }; - label = mkOption { - default = config._module.args.name; - description = '' - label to show in dmenu for this script - ''; - type = types.str; - }; - }; - })); - }; - config = let - klem = pkgs.writers.writeDashBin "klem" '' - set -x - - labels="" - # match filetype against patterns - ${concatMapStringsSep "\n" (script: '' - ${pkgs.xclip}/bin/xclip -selection clipboard -target TARGETS -out \ - | ${pkgs.gnugrep}/bin/grep -q '${script.target}' - if [ $? -eq 0 ]; then - labels="$labels:${script.label}" - fi - '') (attrValues cfg)} - - #remove empty line, feed into dmenu - script=$(echo "$labels" \ - | ${pkgs.gnused}/bin/sed 's/^://;s/:/\n/g' \ - | ${pkgs.dmenu}/bin/dmenu) - - #run the chosen script - case $script in - ${concatMapStringsSep "\n" (script: indent '' - ${script.label}) - target=$(${pkgs.xclip}/bin/xclip -selection clipboard -target TARGETS -out \ - | ${pkgs.gnugrep}/bin/grep '${script.target}' \ - | ${pkgs.gnugrep}/bin/grep -v TARGETS \ - | ${pkgs.coreutils}/bin/head -1) - ${pkgs.xclip}/bin/xclip -selection clipboard -target "$target" -out \ - | ${script.script} \ - | ${pkgs.xclip}/bin/xclip -selection clipboard -in - ;; - '') (attrValues cfg)} - esac - ''; - in mkIf (cfg != {}) { - environment.systemPackages = [ klem ]; - nixpkgs.overlays = [ - (self: super: { - klem = klem; - }) - ]; - }; -} diff --git a/lass/3modules/mysql-backup.nix b/lass/3modules/mysql-backup.nix deleted file mode 100644 index 516f96c34..000000000 
--- a/lass/3modules/mysql-backup.nix +++ /dev/null @@ -1,86 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.lass.mysqlBackup; - - out = { - options.lass.mysqlBackup = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "mysqlBackup"; - config = mkOption { - type = with types; attrsOf (submodule ({ config, ... }: { - options = { - name = mkOption { - type = types.str; - default = config._module.args.name; - }; - startAt = mkOption { - type = with types; nullOr str; # TODO systemd.time(7)'s calendar event - default = "*-*-* 01:15:00"; - }; - user = mkOption { - type = str; - default = "root"; - }; - password = mkOption { - type = nullOr str; - default = null; - description = '' - path to a file containing the mysqlPassword for the specified user. - ''; - }; - databases = mkOption { - type = listOf str; - default = []; - }; - location = mkOption { - type = str; - default = "/backups/sql_dumps"; - }; - }; - })); - description = "configuration for mysqlBackup"; - }; - }; - - imp = { - - services.mysql.ensureUsers = [ - { ensurePermissions = { "*.*" = "ALL"; }; name = "root"; } - ]; - - systemd.services = - mapAttrs' (_: plan: nameValuePair "mysqlBackup-${plan.name}" { - path = with pkgs; [ - mysql - gzip - ]; - serviceConfig = rec { - ExecStart = start plan; - SyslogIdentifier = ExecStart.name; - Type = "oneshot"; - User = plan.user; - }; - startAt = plan.startAt; - }) cfg.config; - }; - - - start = plan: let - backupScript = plan: db: '' - mkdir -p ${plan.location} - mysqldump -u ${plan.user} ${optionalString (plan.password != null) "-p$(cat ${plan.password})"} ${db} | gzip -c > ${plan.location}/${db}.gz - ''; - - in pkgs.pkgs.writeDash "mysqlBackup.${plan.name}" '' - ${concatMapStringsSep "\n" (backupScript plan) plan.databases} - ''; - - -in out diff --git a/lass/3modules/news.nix b/lass/3modules/news.nix deleted file mode 100644 index b6061736c..000000000 --- a/lass/3modules/news.nix +++ /dev/null 
@@ -1,76 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; - -let - cfg = config.lass.news; - - out = { - options.lass.news = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "news"; - feeds = mkOption { - type = types.listOf (types.submodule { options = { - nick = mkOption { - type = types.str; - }; - feedurl = mkOption { - type = types.str; - }; - interval = mkOption { - type = types.int; - default = 1000; - }; - channels = mkOption { - type = types.listOf types.str; - }; - };}); - }; - user = mkOption { - type = types.user; - default = { - name = "news"; - home = "/var/lib/news"; - }; - }; - ircServer = mkOption { - type = types.str; - default = "localhost"; - description = "to which server the bot should connect"; - }; - }; - - imp = { - - users.users.${cfg.user.name} = { - inherit (cfg.user) home name uid; - createHome = true; - }; - - systemd.services = listToAttrs (map (feed: - nameValuePair "news-${feed.nick}" { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - SyslogIdentifier = "news-${feed.nick}"; - User = cfg.user.name; - PrivateTmp = true; - Restart = "always"; - ExecStart = pkgs.writeDash "news-${feed.nick}" '' - ${pkgs.haskellPackages.news}/bin/news '${feed.feedurl}' '${toString feed.interval}' \ - | ${pkgs.goify}/bin/goify \ - | while :; do - ${pkgs.haskellPackages.kirk}/bin/ircout --nick '${feed.nick}' --host '${cfg.ircServer}' \ - \${concatStringsSep " \\" feed.channels} - done - ''; - }; - } - ) cfg.feeds); - - }; - -in out diff --git a/lass/3modules/nichtparasoup.nix b/lass/3modules/nichtparasoup.nix deleted file mode 100644 index a28c2a159..000000000 --- a/lass/3modules/nichtparasoup.nix +++ /dev/null 
@@ -1,161 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; - -{ - options.lass.nichtparasoup = { - enable = mkEnableOption "nichtparasoup funny image page"; - config = mkOption { - type = types.str; - default = '' - [General] - Port: 5001 - IP: 0.0.0.0 - Useragent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25 - - [Cache] - Images_min_limit: 15 - - [Logging] - ;; possible destinations: file syslog - Destination: syslog - Verbosity: ERROR - - [Sites] - SoupIO: everyone - Pr0gramm: new,top - Reddit: ${lib.concatStringsSep "," [ - "2healthbars" - "abandonedporn" - "animalsbeingderps" - "ANormalDayInRussia" - "assholedesign" - "AwesomeOffBrands" - "bizarrebuildings" - "bonehurtingjuice" - "boottoobig" - "bossfight" - "bravofotogeschichten" - "breathinginformation" - "buddhistmemes" - "cablefail" - "cableporn" - "catastrophicfailure" - "chairsunderwater" - "clevercomebacks" - "confusingperspective" - "conni" - "crappydesign" - "cursedcomments" - "desirepath" - "doenerverbrechen" - "dontdeadopeninside" - "educationalgifs" - "EngineeringPorn" - "eyebleach" - "forbiddensnacks" - "funnyanimals" - "gifs" - "Gittertiere" - "goodboomerhumor" - "grssk" - "halthoch" - "hmm" - "hmmm" - "holdmybeer" - "holup" - "iamatotalpieceofshit" - "ichbin40undlustig" - "idiotsincars" - "illegallysmolcats" - "infokriegerkutschen" - "instagramreality" - "instant_regret" - "itrunsdoom" - "itsaunixsystem" - "kamikazebywords" - "keming" - "kidsarefuckingstupid" - "kitchenconfidential" - "laughingbuddha" - "LiminalSpace" - "loadingicon" - "MachinePorn" - "mallninjashit" - "michaelbaygifs" - "mildlyinfuriating" - "miscatculations" - "natureisfuckinglit" - "nononoyesno" - "notinteresting" - "notliketheothergirls" - "oddlysatisfying" - "ofcoursethatsathing" - "okbuddylinux" - "OSHA" - "PeopleFuckingDying" - "Perfectfit" - "perfectloops" - "PerfectTiming" - "picsofunusualbirds" - "PixelArt" - "pizzacrimes" - "prequelmemes" - 
"Prisonwallet" - "reactiongifs" - "RealFakeDoors" - "reallifedoodles" - "RetroFuturism" - "robotsbeingjerks" - "SchizophreniaRides" - "scriptedasiangifs" - "shitposting" - "shittyfoodporn" - "shittyrobots" - "softwaregore" - "specializedtools" - "spicypillows" - "StallmanWasRight" - "startledcats" - "startrekstabilized" - "stupidfood" - "techsupportgore" - "thathappened" - "ThingsCutInHalfPorn" - "totallynotrobots" - "trippinthroughtime" - "Unexpected" - "urbanexploration" - "wasletztepreis" - "wellthatsucks" - "wertekinder" - "wewantplates" - "whatcouldgowrong" - "whatsthisbug" - "whatsthisplant" - "whatswrongwithyourdog" - "whenthe" - "yesyesyesyesno" - "youseeingthisshit" - ]} - NineGag: geeky,wtf,hot,trending - Instagram: nature,wtf - Fourchan: sci - ''; - }; - }; - - config = mkIf config.lass.nichtparasoup.enable { - systemd.services.nichtparasoup = { - description = "nichtparasoup"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - restartIfChanged = true; - serviceConfig = { - Restart = "always"; - ExecStart = "${pkgs.nichtparasoup}/bin/nichtparasoup -c ${pkgs.writeText "config.ini" config.lass.nichtparasoup.config}"; - }; - }; - }; -} diff --git a/lass/3modules/pyload.nix b/lass/3modules/pyload.nix deleted file mode 100644 index 6f29ffb17..000000000 --- a/lass/3modules/pyload.nix +++ /dev/null 
@@ -1,55 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; - -let - cfg = config.lass.pyload; - - out = { - options.lass.pyload = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "pyload"; - user = mkOption { - type = types.str; - default = "download"; - }; - }; - - imp = { - - krebs.per-user.${cfg.user}.packages = [ - pkgs.pyload - pkgs.spidermonkey - pkgs.tesseract - ]; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 9099"; target = "ACCEPT"; } - ]; - systemd.services.pyload = { - description = "pyload"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - path = with pkgs; [ - pyload - spidermonkey - tesseract - dnsmasq - ]; - - restartIfChanged = true; - - serviceConfig = { - Restart = "always"; - ExecStart = "${pkgs.pyload}/bin/pyLoadCore"; - User = cfg.user; - }; - }; - - }; - -in out diff --git a/lass/3modules/screenlock.nix b/lass/3modules/screenlock.nix deleted file mode 100644 index b5c69b65a..000000000 --- a/lass/3modules/screenlock.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ pkgs, config, ... }: - -with import ; - -let - cfg = config.lass.screenlock; - - out = { - options.lass.screenlock = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "screenlock"; - command = mkOption { - type = types.path; - default = pkgs.writeDash "screenlock" '' - ${pkgs.xlockmore}/bin/xlock -mode life1d -size 1 - sleep 3 - ''; - }; - }; - - imp = { - systemd.services.screenlock = { - before = [ "sleep.target" ]; - requiredBy = [ "sleep.target" ]; - environment = { - DISPLAY = ":${toString config.services.xserver.display}"; - }; - serviceConfig = { - SyslogIdentifier = "screenlock"; - ExecStart = cfg.command; - Type = "simple"; - User = "lass"; - }; - }; - }; - -in out diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix deleted file mode 100644 index 094d37a36..000000000 --- a/lass/3modules/usershadow.nix +++ /dev/null 
@@ -1,139 +0,0 @@ -{ config, lib, pkgs, ... }@args: with import ; let - - cfg = config.lass.usershadow; - - out = { - options.lass.usershadow = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "usershadow"; - pattern = mkOption { - type = types.str; - default = "/home/%/.shadow"; - }; - path = mkOption { - type = types.str; - }; - }; - - imp = { - environment.systemPackages = [ usershadow ]; - lass.usershadow.path = "${usershadow}"; - security.pam.services.sshd.text = '' - auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} - auth required pam_permit.so - account required pam_permit.so - session required pam_permit.so - ''; - - security.pam.services.dovecot2.text = '' - auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} - auth required pam_permit.so - account required pam_permit.so - session required pam_permit.so - ''; - - security.wrappers.shadow_verify_pam = { - setuid = true; - source = "${usershadow}/bin/verify_pam"; - owner = "root"; - group = "root"; - }; - security.wrappers.shadow_verify_arg = { - setuid = true; - source = "${usershadow}/bin/verify_arg"; - owner = "root"; - group = "root"; - }; - }; - - usershadow = let { - deps = [ - "pwstore-fast" - "bytestring" - ]; - body = pkgs.writeHaskellPackage "passwords" { - ghc-options = [ - "-rtsopts" - "-Wall" - ]; - executables.verify_pam = { - extra-depends = deps; - text = '' - import System.IO - import Data.Char (chr) - import System.Environment (getEnv, getArgs) - import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) - import qualified Data.ByteString.Char8 as BS8 - import System.Exit (exitFailure, exitSuccess) - - main :: IO () - main = do - user <- getEnv "PAM_USER" - shadowFilePattern <- head <$> getArgs - let shadowFile = lhs <> user <> tail rhs - (lhs, rhs) = span (/= '%') shadowFilePattern - hash <- readFile shadowFile - password <- takeWhile (/= (chr 0)) <$> hGetLine stdin - let res 
= verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash) - if res then exitSuccess else exitFailure - ''; - }; - executables.verify_arg = { - extra-depends = deps; - text = '' - import System.Environment (getArgs) - import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) - import qualified Data.ByteString.Char8 as BS8 - import System.Exit (exitFailure, exitSuccess) - - main :: IO () - main = do - argsList <- getArgs - let shadowFilePattern = argsList !! 0 - let user = argsList !! 1 - let password = argsList !! 2 - let shadowFile = lhs <> user <> tail rhs - (lhs, rhs) = span (/= '%') shadowFilePattern - hash <- readFile shadowFile - let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash) - if res then do (putStr "yes") else exitFailure - ''; - }; - executables.passwd = { - extra-depends = deps; - text = '' - import System.Environment (getEnv) - import Crypto.PasswordStore (makePasswordWith, pbkdf2) - import qualified Data.ByteString.Char8 as BS8 - import System.IO (stdin, stdout, hSetEcho, hFlush, putStr, putStrLn) - import Control.Exception (bracket_) - - main :: IO () - main = do - home <- getEnv "HOME" - mb_password <- bracket_ (hSetEcho stdin False) (hSetEcho stdin True) $ do - putStr "Enter new UNIX password: " - hFlush stdout - password <- BS8.hGetLine stdin - putStrLn "" - putStr "Retype new UNIX password: " - hFlush stdout - password2 <- BS8.hGetLine stdin - return $ if password == password2 - then Just password - else Nothing - case mb_password of - Just password -> do - hash <- makePasswordWith pbkdf2 password 10 - BS8.writeFile (home ++ "/.shadow") hash - putStrLn "passwd: all authentication tokens updated successfully." - Nothing -> putStrLn "Sorry, passwords do not match" - ''; - }; - }; - }; - -in out -- cgit v1.2.3