Merge remote-tracking branch 'prism/lassulus'

2016-10-27 14:54:32 +02:00 · 2016-10-27 14:54:32 +02:00 · 32fff8c80e
commit 32fff8c80e
parent 36cbb3d300 c091949a15
10 changed files with 60 additions and 26 deletions
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@ -246,12 +246,12 @@ let

        remote_smtp:
          driver = smtp
-          ${optionalString (cfg.dkim != []) ''
+          ${optionalString (cfg.dkim != []) (indent ''
            dkim_canon = relaxed
            dkim_domain = $sender_address_domain
            dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
            dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
-          ''}
+          '')}
          helo_data = ''${if eq{$acl_m_special_dom}{}  \
                               {$primary_hostname}   \
                               {$acl_m_special_dom} }
--- a/lass/1systems/helios.nix
+++ b/lass/1systems/helios.nix
@ -41,7 +41,6 @@ with import <stockholm/lib>;
      environment.systemPackages = with pkgs; [
        firefox
        chromium
-        oraclejre8
        maven
        arandr
        libreoffice
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@ -224,6 +224,11 @@ in {
        OnCalendar = "*:0/5";
      };
    }
+    {
+      lass.usershadow = {
+        enable = true;
+      };
+    }
  ];

  krebs.build.host = config.krebs.hosts.prism;
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@ -46,6 +46,13 @@ with import <stockholm/lib>;
        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
      };
    }
+    (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
+      environment.variables = {
+        CURL_CA_BUNDLE = ca-bundle;
+        GIT_SSL_CAINFO = ca-bundle;
+        SSL_CERT_FILE = ca-bundle;
+      };
+    })
  ];

  networking.hostName = config.krebs.build.host.name;
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@ -3,6 +3,6 @@
 {
  krebs.build.source.nixpkgs.git = {
    url = https://github.com/nixos/nixpkgs;
-    ref = "686bc9c5ccafbec2b6d2db61bd0803c2b7bc2b7d";
+    ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
  };
 }
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@ -93,6 +93,7 @@ in {
    (sync-remote "xintmap" "https://github.com/4z3/xintmap")
    (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
    (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog")
+    (sync-remote "painload" "https://github.com/krebscode/painload")
    (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
    (sync-retiolum "go")
    (sync-retiolum "much")
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@ -142,28 +142,26 @@ in {
  krebs.iptables.tables.filter.INPUT.rules = [
    { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
    { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
-    { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
  ];

  krebs.exim-smarthost = {
    authenticators.PLAIN = ''
      driver = plaintext
-      server_prompts = :
-      server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
-      server_set_id = $auth2
+      public_name = PLAIN
+      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
    '';
    authenticators.LOGIN = ''
      driver = plaintext
+      public_name = LOGIN
      server_prompts = "Username:: : Password::"
-      server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
-      server_set_id = $auth1
+      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
    '';
    internet-aliases = [
      { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }
      { from = "mail@jla-trading.com"; to = "jla-trading"; }
-      { from = "testuser@lassul.us"; to = "testuser"; }
    ];
-    system-aliases = [
+    sender_domains = [
+      "jla-trading.com"
    ];
    ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
    ssl_key = "/var/lib/acme/lassul.us/key.pem";
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@ -88,13 +88,7 @@ in {
    ];
  };

-  services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
-     options = ''
-      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-      sendmail_path = "${sendmail} -t -i"
-    '';
-  } ''
-    cat ${pkgs.php}/etc/php-recommended.ini > $out
-    echo "$options" >> $out
+  services.phpfpm.phpOptions = ''
+    sendmail_path = ${sendmail} -t
  '';
 }
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@ -13,22 +13,27 @@
      type = types.str;
      default = "/home/%/.shadow";
    };
+    path = mkOption {
+      type = types.str;
+    };
  };

  imp = {
    environment.systemPackages = [ usershadow ];
+    lass.usershadow.path = "${usershadow}";
    security.pam.services.sshd.text = ''
-      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
      auth required pam_permit.so
      account required pam_permit.so
      session required pam_permit.so
    '';

-    security.pam.services.exim.text = ''
-      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+    security.pam.services.dovecot2.text = ''
+      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
      auth required pam_permit.so
      account required pam_permit.so
      session required pam_permit.so
+      session required pam_env.so envfile=${config.system.build.pamEnvironment}
    '';
  };

@ -38,7 +43,7 @@
      "bytestring"
    ];
    body = pkgs.writeHaskell "passwords" {
-      executables.verify = {
+      executables.verify_pam = {
        extra-depends = deps;
        text = ''
          import Data.Monoid
@ -61,18 +66,42 @@
            if res then exitSuccess else exitFailure
        '';
      };
+      executables.verify_arg = {
+        extra-depends = deps;
+        text = ''
+          import Data.Monoid
+          import System.IO
+          import Data.Char (chr)
+          import System.Environment (getEnv, getArgs)
+          import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+          import qualified Data.ByteString.Char8 as BS8
+          import System.Exit (exitFailure, exitSuccess)
+
+          main :: IO ()
+          main = do
+            argsList <- getArgs
+            let shadowFilePattern = argsList !! 0
+            let user = argsList !! 1
+            let password = argsList !! 2
+            let shadowFile = lhs <> user <> tail rhs
+                (lhs, rhs) = span (/= '%') shadowFilePattern
+            hash <- readFile shadowFile
+            let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+            if res then do (putStr "yes") else exitFailure
+        '';
+      };
      executables.passwd = {
        extra-depends = deps;
        text = ''
          import System.Environment (getEnv)
          import Crypto.PasswordStore (makePasswordWith, pbkdf2)
          import qualified Data.ByteString.Char8 as BS8
-          import System.IO (stdin, hSetEcho, putStr)
+          import System.IO (stdin, hSetEcho, putStrLn)

          main :: IO ()
          main = do
            home <- getEnv "HOME"
-            putStr "password:"
+            putStrLn "password:"
            hSetEcho stdin False
            password <- BS8.hGetLine stdin
            hash <- makePasswordWith pbkdf2 password 10
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@ -129,6 +129,7 @@ myKeyMap =
    , ("M4-<Esc>", toggleWS)
    , ("M4-S-<Enter>", spawn urxvtcPath)
    , ("M4-x", floatNext True >> spawn urxvtcPath)
+    , ("M4-z", floatNext True >> spawn "${pkgs.termite}/bin/termite")
    , ("M4-f", floatNext True)
    , ("M4-b", sendMessage ToggleStruts)