Merge remote-tracking branch 'prism/lassulus'
commit
32fff8c80e
@ -246,12 +246,12 @@ let
|
|||||||
|
|
||||||
remote_smtp:
|
remote_smtp:
|
||||||
driver = smtp
|
driver = smtp
|
||||||
${optionalString (cfg.dkim != []) ''
|
${optionalString (cfg.dkim != []) (indent ''
|
||||||
dkim_canon = relaxed
|
dkim_canon = relaxed
|
||||||
dkim_domain = $sender_address_domain
|
dkim_domain = $sender_address_domain
|
||||||
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
|
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
|
||||||
dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
|
dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
|
||||||
''}
|
'')}
|
||||||
helo_data = ''${if eq{$acl_m_special_dom}{} \
|
helo_data = ''${if eq{$acl_m_special_dom}{} \
|
||||||
{$primary_hostname} \
|
{$primary_hostname} \
|
||||||
{$acl_m_special_dom} }
|
{$acl_m_special_dom} }
|
||||||
|
@ -41,7 +41,6 @@ with import <stockholm/lib>;
|
|||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
firefox
|
firefox
|
||||||
chromium
|
chromium
|
||||||
oraclejre8
|
|
||||||
maven
|
maven
|
||||||
arandr
|
arandr
|
||||||
libreoffice
|
libreoffice
|
||||||
|
@ -224,6 +224,11 @@ in {
|
|||||||
OnCalendar = "*:0/5";
|
OnCalendar = "*:0/5";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
lass.usershadow = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.prism;
|
krebs.build.host = config.krebs.hosts.prism;
|
||||||
|
@ -46,6 +46,13 @@ with import <stockholm/lib>;
|
|||||||
NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
|
NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
(let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
|
||||||
|
environment.variables = {
|
||||||
|
CURL_CA_BUNDLE = ca-bundle;
|
||||||
|
GIT_SSL_CAINFO = ca-bundle;
|
||||||
|
SSL_CERT_FILE = ca-bundle;
|
||||||
|
};
|
||||||
|
})
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = config.krebs.build.host.name;
|
networking.hostName = config.krebs.build.host.name;
|
||||||
|
@ -3,6 +3,6 @@
|
|||||||
{
|
{
|
||||||
krebs.build.source.nixpkgs.git = {
|
krebs.build.source.nixpkgs.git = {
|
||||||
url = https://github.com/nixos/nixpkgs;
|
url = https://github.com/nixos/nixpkgs;
|
||||||
ref = "686bc9c5ccafbec2b6d2db61bd0803c2b7bc2b7d";
|
ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -93,6 +93,7 @@ in {
|
|||||||
(sync-remote "xintmap" "https://github.com/4z3/xintmap")
|
(sync-remote "xintmap" "https://github.com/4z3/xintmap")
|
||||||
(sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
|
(sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
|
||||||
(sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog")
|
(sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog")
|
||||||
|
(sync-remote "painload" "https://github.com/krebscode/painload")
|
||||||
(sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
|
(sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
|
||||||
(sync-retiolum "go")
|
(sync-retiolum "go")
|
||||||
(sync-retiolum "much")
|
(sync-retiolum "much")
|
||||||
|
@ -142,28 +142,26 @@ in {
|
|||||||
krebs.iptables.tables.filter.INPUT.rules = [
|
krebs.iptables.tables.filter.INPUT.rules = [
|
||||||
{ predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
|
{ predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
|
||||||
{ predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
|
{ predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
|
||||||
{ predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
|
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.exim-smarthost = {
|
krebs.exim-smarthost = {
|
||||||
authenticators.PLAIN = ''
|
authenticators.PLAIN = ''
|
||||||
driver = plaintext
|
driver = plaintext
|
||||||
server_prompts = :
|
public_name = PLAIN
|
||||||
server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
|
server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
|
||||||
server_set_id = $auth2
|
|
||||||
'';
|
'';
|
||||||
authenticators.LOGIN = ''
|
authenticators.LOGIN = ''
|
||||||
driver = plaintext
|
driver = plaintext
|
||||||
|
public_name = LOGIN
|
||||||
server_prompts = "Username:: : Password::"
|
server_prompts = "Username:: : Password::"
|
||||||
server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
|
server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
|
||||||
server_set_id = $auth1
|
|
||||||
'';
|
'';
|
||||||
internet-aliases = [
|
internet-aliases = [
|
||||||
{ from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }
|
{ from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }
|
||||||
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
|
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
|
||||||
{ from = "testuser@lassul.us"; to = "testuser"; }
|
|
||||||
];
|
];
|
||||||
system-aliases = [
|
sender_domains = [
|
||||||
|
"jla-trading.com"
|
||||||
];
|
];
|
||||||
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
|
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
|
||||||
ssl_key = "/var/lib/acme/lassul.us/key.pem";
|
ssl_key = "/var/lib/acme/lassul.us/key.pem";
|
||||||
|
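Review bot: The new `server_condition` lines for PLAIN and LOGIN pass `$auth2`/`$auth3` (resp. `$auth1`/`$auth2`) to `verify_arg` as command-line arguments, so the cleartext password of every login attempt is visible in the process list while the helper runs, and since Exim's `${run{...}}` splits the expanded string on whitespace (and, depending on version, re-expands the pieces), a password containing a space or `$` arrives mangled; the PAM path already receives the token on stdin via `expose_authtok`, and a stdin-reading variant of `verify_arg` would keep it out of argv here too. The hunk also drops `server_set_id = $auth2` / `server_set_id = $auth1`, which leaves `$authenticated_id` empty after a successful login, so the mainlog and any ACL keyed on the authenticated user lose that information; re-add `server_set_id = $auth2` to the PLAIN block and `server_set_id = $auth1` to the LOGIN block. Removing `server_prompts = :` from PLAIN also means clients that do not send an initial response can no longer authenticate, which may or may not be intended. The `krebs.exim-smarthost` attrset continues outside the hunk.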
@ -88,13 +88,7 @@ in {
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
|
services.phpfpm.phpOptions = ''
|
||||||
options = ''
|
sendmail_path = ${sendmail} -t
|
||||||
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
|
|
||||||
sendmail_path = "${sendmail} -t -i"
|
|
||||||
'';
|
|
||||||
} ''
|
|
||||||
cat ${pkgs.php}/etc/php-recommended.ini > $out
|
|
||||||
echo "$options" >> $out
|
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
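Review bot: `sendmail_path = ${sendmail} -t` drops the `-i` that the removed `runCommand` version passed, so a body line consisting of a single `.` now terminates input early for sendmail-compatible MTAs; keep `sendmail_path = ${sendmail} -t -i`. The rewrite also stops basing the config on `php-recommended.ini` and no longer loads the apcu extension; if that is intentional a one-line comment saying so would help, otherwise `extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so` should return under `phpOptions`. The enclosing attrset continues outside the hunk.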
@ -13,22 +13,27 @@
|
|||||||
type = types.str;
|
type = types.str;
|
||||||
default = "/home/%/.shadow";
|
default = "/home/%/.shadow";
|
||||||
};
|
};
|
||||||
|
path = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
environment.systemPackages = [ usershadow ];
|
environment.systemPackages = [ usershadow ];
|
||||||
|
lass.usershadow.path = "${usershadow}";
|
||||||
security.pam.services.sshd.text = ''
|
security.pam.services.sshd.text = ''
|
||||||
auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
|
auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
|
||||||
auth required pam_permit.so
|
auth required pam_permit.so
|
||||||
account required pam_permit.so
|
account required pam_permit.so
|
||||||
session required pam_permit.so
|
session required pam_permit.so
|
||||||
'';
|
'';
|
||||||
|
|
||||||
security.pam.services.exim.text = ''
|
security.pam.services.dovecot2.text = ''
|
||||||
auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
|
auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
|
||||||
auth required pam_permit.so
|
auth required pam_permit.so
|
||||||
account required pam_permit.so
|
account required pam_permit.so
|
||||||
session required pam_permit.so
|
session required pam_permit.so
|
||||||
|
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
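Review bot: The new `path` option has neither a `default` nor a `description`, so `config.lass.usershadow.path` (which the exim config in this commit reads) only evaluates once `imp` has assigned it; if `imp` is applied under `mkIf cfg.enable` (not visible here), any consumer on a host with the module disabled fails with a missing-value error. Add `description = "Store path of the usershadow package; provides bin/verify_pam (stdin, PAM) and bin/verify_arg (argv)";` and consider `readOnly = true` since the module sets it itself. The `pam_env.so` session line is added only to the dovecot2 stack, not to sshd, which looks deliberate but is worth a comment. The option set and `imp` both start outside the hunk.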
@ -38,7 +43,7 @@
|
|||||||
"bytestring"
|
"bytestring"
|
||||||
];
|
];
|
||||||
body = pkgs.writeHaskell "passwords" {
|
body = pkgs.writeHaskell "passwords" {
|
||||||
executables.verify = {
|
executables.verify_pam = {
|
||||||
extra-depends = deps;
|
extra-depends = deps;
|
||||||
text = ''
|
text = ''
|
||||||
import Data.Monoid
|
import Data.Monoid
|
||||||
@ -61,18 +66,42 @@
|
|||||||
if res then exitSuccess else exitFailure
|
if res then exitSuccess else exitFailure
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
executables.verify_arg = {
|
||||||
|
extra-depends = deps;
|
||||||
|
text = ''
|
||||||
|
import Data.Monoid
|
||||||
|
import System.IO
|
||||||
|
import Data.Char (chr)
|
||||||
|
import System.Environment (getEnv, getArgs)
|
||||||
|
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
|
||||||
|
import qualified Data.ByteString.Char8 as BS8
|
||||||
|
import System.Exit (exitFailure, exitSuccess)
|
||||||
|
|
||||||
|
main :: IO ()
|
||||||
|
main = do
|
||||||
|
argsList <- getArgs
|
||||||
|
let shadowFilePattern = argsList !! 0
|
||||||
|
let user = argsList !! 1
|
||||||
|
let password = argsList !! 2
|
||||||
|
let shadowFile = lhs <> user <> tail rhs
|
||||||
|
(lhs, rhs) = span (/= '%') shadowFilePattern
|
||||||
|
hash <- readFile shadowFile
|
||||||
|
let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
|
||||||
|
if res then do (putStr "yes") else exitFailure
|
||||||
|
'';
|
||||||
|
};
|
||||||
executables.passwd = {
|
executables.passwd = {
|
||||||
extra-depends = deps;
|
extra-depends = deps;
|
||||||
text = ''
|
text = ''
|
||||||
import System.Environment (getEnv)
|
import System.Environment (getEnv)
|
||||||
import Crypto.PasswordStore (makePasswordWith, pbkdf2)
|
import Crypto.PasswordStore (makePasswordWith, pbkdf2)
|
||||||
import qualified Data.ByteString.Char8 as BS8
|
import qualified Data.ByteString.Char8 as BS8
|
||||||
import System.IO (stdin, hSetEcho, putStr)
|
import System.IO (stdin, hSetEcho, putStrLn)
|
||||||
|
|
||||||
main :: IO ()
|
main :: IO ()
|
||||||
main = do
|
main = do
|
||||||
home <- getEnv "HOME"
|
home <- getEnv "HOME"
|
||||||
putStr "password:"
|
putStrLn "password:"
|
||||||
hSetEcho stdin False
|
hSetEcho stdin False
|
||||||
password <- BS8.hGetLine stdin
|
password <- BS8.hGetLine stdin
|
||||||
hash <- makePasswordWith pbkdf2 password 10
|
hash <- makePasswordWith pbkdf2 password 10
|
||||||
|
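Review bot: `verify_arg`'s `main` indexes `argsList` with `!! 0`, `!! 1`, `!! 2` and calls `tail rhs`, all partial, so a missing argument or a pattern without `%` dies with a runtime exception rather than a controlled `exitFailure`, and `user` is spliced into the shadow path unchecked, so a login name containing `/` or `..` makes the helper read a file outside the intended home directory. Pattern-match the argument list, split the pattern with `break`, and reject empty names or names containing a path separator before building the path; the sketch below keeps the `yes`-on-success / non-zero-exit contract that Exim's `${run}` relies on. `Data.Char (chr)`, `getEnv` and `System.IO` are imported but unused in this executable. The `executables.verify_arg` attrset is entirely within the hunk; the `passwd` change (`putStr` → `putStrLn`) is fine.
```haskell
main :: IO ()
main = do
  args <- getArgs
  case args of
    [shadowFilePattern, user, password]
      | user `notElem` ["", ".", ".."] && '/' `notElem` user ->
          case break (== '%') shadowFilePattern of
            (lhs, '%' : rhs) -> do
              -- stored hash is assumed to carry no trailing newline, as before
              hash <- BS8.readFile (lhs <> user <> rhs)
              if verifyPasswordWith pbkdf2 (2^) (BS8.pack password) hash
                then putStr "yes"
                else exitFailure
            _ -> exitFailure
    _ -> exitFailure
```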
@ -129,6 +129,7 @@ myKeyMap =
|
|||||||
, ("M4-<Esc>", toggleWS)
|
, ("M4-<Esc>", toggleWS)
|
||||||
, ("M4-S-<Enter>", spawn urxvtcPath)
|
, ("M4-S-<Enter>", spawn urxvtcPath)
|
||||||
, ("M4-x", floatNext True >> spawn urxvtcPath)
|
, ("M4-x", floatNext True >> spawn urxvtcPath)
|
||||||
|
, ("M4-z", floatNext True >> spawn "${pkgs.termite}/bin/termite")
|
||||||
, ("M4-f", floatNext True)
|
, ("M4-f", floatNext True)
|
||||||
, ("M4-b", sendMessage ToggleStruts)
|
, ("M4-b", sendMessage ToggleStruts)
|
||||||
|
|
||||||
|