summaryrefslogtreecommitdiffstats
path: root/lass/3modules
diff options
context:
space:
mode:
Diffstat (limited to 'lass/3modules')
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/ensure-permissions.nix66
-rw-r--r--lass/3modules/usershadow.nix31
3 files changed, 22 insertions, 76 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 59043aeb1..613c7c8ac 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -3,7 +3,6 @@ _:
imports = [
./dnsmasq.nix
./ejabberd
- ./ensure-permissions.nix
./folderPerms.nix
./hosts.nix
./mysql-backup.nix
diff --git a/lass/3modules/ensure-permissions.nix b/lass/3modules/ensure-permissions.nix
deleted file mode 100644
index 36edc1127..000000000
--- a/lass/3modules/ensure-permissions.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{ config, pkgs, ... }: with import <stockholm/lib>;
-
-let
-
- cfg = config.lass.ensure-permissions;
-
-in
-
-{
- options.lass.ensure-permissions = mkOption {
- default = [];
- type = types.listOf (types.submodule ({
- options = {
-
- folder = mkOption {
- type = types.absolute-pathname;
- };
-
- owner = mkOption {
- # TODO user type
- type = types.str;
- default = "root";
- };
-
- group = mkOption {
- # TODO group type
- type = types.str;
- default = "root";
- };
-
- permission = mkOption {
- # TODO permission type
- type = types.str;
- default = "u+rw,g+rw";
- };
-
- };
- }));
- };
-
- config = mkIf (cfg != []) {
-
- system.activationScripts.ensure-permissions = concatMapStringsSep "\n" (plan: ''
- ${pkgs.coreutils}/bin/mkdir -p ${plan.folder}
- ${pkgs.coreutils}/bin/chmod -R ${plan.permission} ${plan.folder}
- ${pkgs.coreutils}/bin/chown -R ${plan.owner}:${plan.group} ${plan.folder}
- '') cfg;
- systemd.services =
- listToAttrs (map (plan: nameValuePair "ensure-permisson.${replaceStrings ["/"] ["_"] plan.folder}" {
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Restart = "always";
- RestartSec = 10;
- ExecStart = pkgs.writeDash "ensure-perms" ''
- ${pkgs.inotifyTools}/bin/inotifywait -mrq -e CREATE --format %w%f ${plan.folder} \
- | while IFS= read -r FILE; do
- ${pkgs.coreutils}/bin/chmod -R ${plan.permission} "$FILE" 2>/dev/null
- ${pkgs.coreutils}/bin/chown -R ${plan.owner}:${plan.group} "$FILE" 2>/dev/null
- done
- '';
- };
- }) cfg)
- ;
-
- };
-}
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index cb2890969..51da2ec93 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -31,13 +31,24 @@
session required pam_loginuid.so
'';
- security.pam.services.dovecot2.text = ''
- auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
- auth required pam_permit.so
- account required pam_permit.so
- session required pam_permit.so
- session required pam_env.so envfile=${config.system.build.pamEnvironment}
- '';
+ security.pam.services.dovecot2 = {
+ text = ''
+ auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ session required pam_env.so envfile=${config.system.build.pamEnvironment}
+ '';
+ };
+
+ security.wrappers.shadow_verify_pam = {
+ source = "${usershadow}/bin/verify_pam";
+ owner = "root";
+ };
+ security.wrappers.shadow_verify_arg = {
+ source = "${usershadow}/bin/verify_arg";
+ owner = "root";
+ };
};
usershadow = let {
@@ -46,10 +57,13 @@
"bytestring"
];
body = pkgs.writeHaskellPackage "passwords" {
+ ghc-options = [
+ "-rtsopts"
+ "-Wall"
+ ];
executables.verify_pam = {
extra-depends = deps;
text = ''
- import Data.Monoid
import System.IO
import Data.Char (chr)
import System.Environment (getEnv, getArgs)
@@ -72,7 +86,6 @@
executables.verify_arg = {
extra-depends = deps;
text = ''
- import Data.Monoid
import System.Environment (getArgs)
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8