Merge remote-tracking branch 'prism/lassulus'

This commit is contained in:
makefu 2016-10-27 14:54:32 +02:00
commit 32fff8c80e
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
10 changed files with 60 additions and 26 deletions


@ -246,12 +246,12 @@ let
remote_smtp: remote_smtp:
driver = smtp driver = smtp
${optionalString (cfg.dkim != []) '' ${optionalString (cfg.dkim != []) (indent ''
dkim_canon = relaxed dkim_canon = relaxed
dkim_domain = $sender_address_domain dkim_domain = $sender_address_domain
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}} dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}} dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
''} '')}
helo_data = ''${if eq{$acl_m_special_dom}{} \ helo_data = ''${if eq{$acl_m_special_dom}{} \
{$primary_hostname} \ {$primary_hostname} \
{$acl_m_special_dom} } {$acl_m_special_dom} }


@ -41,7 +41,6 @@ with import <stockholm/lib>;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
firefox firefox
chromium chromium
oraclejre8
maven maven
arandr arandr
libreoffice libreoffice


@ -224,6 +224,11 @@ in {
OnCalendar = "*:0/5"; OnCalendar = "*:0/5";
}; };
} }
{
lass.usershadow = {
enable = true;
};
}
]; ];
krebs.build.host = config.krebs.hosts.prism; krebs.build.host = config.krebs.hosts.prism;


@ -46,6 +46,13 @@ with import <stockholm/lib>;
NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
}; };
} }
(let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
environment.variables = {
CURL_CA_BUNDLE = ca-bundle;
GIT_SSL_CAINFO = ca-bundle;
SSL_CERT_FILE = ca-bundle;
};
})
]; ];
networking.hostName = config.krebs.build.host.name; networking.hostName = config.krebs.build.host.name;


@ -3,6 +3,6 @@
{ {
krebs.build.source.nixpkgs.git = { krebs.build.source.nixpkgs.git = {
url = https://github.com/nixos/nixpkgs; url = https://github.com/nixos/nixpkgs;
ref = "686bc9c5ccafbec2b6d2db61bd0803c2b7bc2b7d"; ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
}; };
} }


@ -93,6 +93,7 @@ in {
(sync-remote "xintmap" "https://github.com/4z3/xintmap") (sync-remote "xintmap" "https://github.com/4z3/xintmap")
(sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper") (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
(sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog") (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog")
(sync-remote "painload" "https://github.com/krebscode/painload")
(sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs") (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
(sync-retiolum "go") (sync-retiolum "go")
(sync-retiolum "much") (sync-retiolum "much")


@ -142,28 +142,26 @@ in {
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; } { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport imaps"; target = "ACCEPT"; } { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
]; ];
krebs.exim-smarthost = { krebs.exim-smarthost = {
authenticators.PLAIN = '' authenticators.PLAIN = ''
driver = plaintext driver = plaintext
server_prompts = : public_name = PLAIN
server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}" server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
server_set_id = $auth2
''; '';
authenticators.LOGIN = '' authenticators.LOGIN = ''
driver = plaintext driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::" server_prompts = "Username:: : Password::"
server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}" server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
server_set_id = $auth1
''; '';
internet-aliases = [ internet-aliases = [
{ from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; } { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }
{ from = "mail@jla-trading.com"; to = "jla-trading"; } { from = "mail@jla-trading.com"; to = "jla-trading"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
]; ];
system-aliases = [ sender_domains = [
"jla-trading.com"
]; ];
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/lassul.us/key.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem";
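Review bot: The new `server_condition` lines of the PLAIN and LOGIN authenticators hand the SMTP AUTH password to `verify_arg` as a command-line argument (`$auth3` / `$auth2`), so for the lifetime of that process it is readable by every local user via the process list, whereas the replaced pam-based condition delivered it through `expose_authtok` on stdin. Exim's `${run{...}}` also splits the expanded command on whitespace, so a password containing a space shifts the argument positions and the check fails, and on Exim versions that expand the split arguments a second time a password containing `$`-sequences reaches the string expander. The same defect is on the receiving side in the `verify_arg` executable added to the usershadow module later in this commit. Consider keeping the pam-based condition, or having the helper read user and password from stdin (as `verify_pam` presumably does) or from the environment instead of argv. The enclosing `krebs.exim-smarthost` attribute set continues past the hunk.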


@ -88,13 +88,7 @@ in {
]; ];
}; };
services.phpfpm.phpIni = pkgs.runCommand "php.ini" { services.phpfpm.phpOptions = ''
options = '' sendmail_path = ${sendmail} -t
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
sendmail_path = "${sendmail} -t -i"
'';
} ''
cat ${pkgs.php}/etc/php-recommended.ini > $out
echo "$options" >> $out
''; '';
} }
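Review bot: The new `sendmail_path = ${sendmail} -t` drops the `-i` flag that the replaced `"${sendmail} -t -i"` passed; if `${sendmail}` is a sendmail-compatible interface (its binding is outside the hunk), a message body line consisting of a single `.` then terminates input, and PHP-generated mail is silently truncated. Suggest `sendmail_path = ${sendmail} -t -i`. The enclosing module continues above the hunk.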


@ -13,22 +13,27 @@
type = types.str; type = types.str;
default = "/home/%/.shadow"; default = "/home/%/.shadow";
}; };
path = mkOption {
type = types.str;
};
}; };
imp = { imp = {
environment.systemPackages = [ usershadow ]; environment.systemPackages = [ usershadow ];
lass.usershadow.path = "${usershadow}";
security.pam.services.sshd.text = '' security.pam.services.sshd.text = ''
auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
auth required pam_permit.so auth required pam_permit.so
account required pam_permit.so account required pam_permit.so
session required pam_permit.so session required pam_permit.so
''; '';
security.pam.services.exim.text = '' security.pam.services.dovecot2.text = ''
auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
auth required pam_permit.so auth required pam_permit.so
account required pam_permit.so account required pam_permit.so
session required pam_permit.so session required pam_permit.so
session required pam_env.so envfile=${config.system.build.pamEnvironment}
''; '';
}; };
@ -38,7 +43,7 @@
"bytestring" "bytestring"
]; ];
body = pkgs.writeHaskell "passwords" { body = pkgs.writeHaskell "passwords" {
executables.verify = { executables.verify_pam = {
extra-depends = deps; extra-depends = deps;
text = '' text = ''
import Data.Monoid import Data.Monoid
@ -61,18 +66,42 @@
if res then exitSuccess else exitFailure if res then exitSuccess else exitFailure
''; '';
}; };
executables.verify_arg = {
extra-depends = deps;
text = ''
import Data.Monoid
import System.IO
import Data.Char (chr)
import System.Environment (getEnv, getArgs)
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8
import System.Exit (exitFailure, exitSuccess)
main :: IO ()
main = do
argsList <- getArgs
let shadowFilePattern = argsList !! 0
let user = argsList !! 1
let password = argsList !! 2
let shadowFile = lhs <> user <> tail rhs
(lhs, rhs) = span (/= '%') shadowFilePattern
hash <- readFile shadowFile
let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
if res then do (putStr "yes") else exitFailure
'';
};
executables.passwd = { executables.passwd = {
extra-depends = deps; extra-depends = deps;
text = '' text = ''
import System.Environment (getEnv) import System.Environment (getEnv)
import Crypto.PasswordStore (makePasswordWith, pbkdf2) import Crypto.PasswordStore (makePasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8 import qualified Data.ByteString.Char8 as BS8
import System.IO (stdin, hSetEcho, putStr) import System.IO (stdin, hSetEcho, putStrLn)
main :: IO () main :: IO ()
main = do main = do
home <- getEnv "HOME" home <- getEnv "HOME"
putStr "password:" putStrLn "password:"
hSetEcho stdin False hSetEcho stdin False
password <- BS8.hGetLine stdin password <- BS8.hGetLine stdin
hash <- makePasswordWith pbkdf2 password 10 hash <- makePasswordWith pbkdf2 password 10
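Review bot: In the added `verify_arg` program the `user` argument is spliced into the shadow-file path (`lhs <> user <> tail rhs`) without any validation, and it arrives from the SMTP AUTH username via the exim-smarthost change earlier in this commit, so a name containing `/` or `..` selects a file outside the per-user location; reject such names before building `shadowFile`. `argsList !! 0` / `!! 1` / `!! 2` and `tail rhs` are partial, so a missing argument or a pattern without `%` aborts with an uncaught exception rather than a clean failure (the default pattern `/home/%/.shadow` does contain `%`, but the option is user-settable). If the hash written by `passwd` ends in a newline (the writer is outside the hunk), `BS8.pack hash` carries it into `verifyPasswordWith` — worth confirming. The password-in-argv exposure of this helper is noted on the exim-smarthost section; the `executables.passwd` block continues past the hunk.
```haskell
main :: IO ()
main = do
  args <- getArgs
  case args of
    [shadowFilePattern, user, password]
      | validUser user -> do
          let (lhs, rhs) = span (/= '%') shadowFilePattern
              shadowFile = lhs <> user <> drop 1 rhs
          hash <- readFile shadowFile
          let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
          if res then putStr "yes" else exitFailure
    _ -> exitFailure
  where
    -- the user name must not be able to select a file outside its own home
    validUser u = not (null u) && '/' `notElem` u && u `notElem` [".", ".."]
```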


@ -129,6 +129,7 @@ myKeyMap =
, ("M4-<Esc>", toggleWS) , ("M4-<Esc>", toggleWS)
, ("M4-S-<Enter>", spawn urxvtcPath) , ("M4-S-<Enter>", spawn urxvtcPath)
, ("M4-x", floatNext True >> spawn urxvtcPath) , ("M4-x", floatNext True >> spawn urxvtcPath)
, ("M4-z", floatNext True >> spawn "${pkgs.termite}/bin/termite")
, ("M4-f", floatNext True) , ("M4-f", floatNext True)
, ("M4-b", sendMessage ToggleStruts) , ("M4-b", sendMessage ToggleStruts)