diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 2ed5607f1..c96b14723 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -246,12 +246,12 @@ let
 
         remote_smtp:
           driver = smtp
-          ${optionalString (cfg.dkim != []) ''
+          ${optionalString (cfg.dkim != []) (indent ''
             dkim_canon = relaxed
             dkim_domain = $sender_address_domain
             dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
             dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
-          ''}
+          '')}
           helo_data = ''${if eq{$acl_m_special_dom}{}  \
                                {$primary_hostname}   \
                                {$acl_m_special_dom} }
diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix
index c16080762..82db8ef7b 100644
--- a/lass/1systems/helios.nix
+++ b/lass/1systems/helios.nix
@@ -41,7 +41,6 @@ with import <stockholm/lib>;
       environment.systemPackages = with pkgs; [
         firefox
         chromium
-        oraclejre8
         maven
         arandr
         libreoffice
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 76710ac9d..5da66d265 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -224,6 +224,11 @@ in {
         OnCalendar = "*:0/5";
       };
     }
+    {
+      lass.usershadow = {
+        enable = true;
+      };
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 43c4d5b0d..a7d2a6cef 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -46,6 +46,13 @@ with import <stockholm/lib>;
         NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
       };
     }
+    (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
+      environment.variables = {
+        CURL_CA_BUNDLE = ca-bundle;
+        GIT_SSL_CAINFO = ca-bundle;
+        SSL_CERT_FILE = ca-bundle;
+      };
+    })
   ];
 
   networking.hostName = config.krebs.build.host.name;
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 4ef4c6ce7..e665b6c6f 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
   krebs.build.source.nixpkgs.git = {
     url = https://github.com/nixos/nixpkgs;
-    ref = "686bc9c5ccafbec2b6d2db61bd0803c2b7bc2b7d";
+    ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
   };
 }
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
index f88149730..f2e4de6a7 100644
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@@ -93,6 +93,7 @@ in {
     (sync-remote "xintmap" "https://github.com/4z3/xintmap")
     (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
     (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog")
+    (sync-remote "painload" "https://github.com/krebscode/painload")
     (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
     (sync-retiolum "go")
     (sync-retiolum "much")
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 18c771fad..fa56d0e12 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -142,28 +142,26 @@ in {
   krebs.iptables.tables.filter.INPUT.rules = [
     { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
     { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
-    { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
   ];
 
   krebs.exim-smarthost = {
     authenticators.PLAIN = ''
       driver = plaintext
-      server_prompts = :
-      server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
-      server_set_id = $auth2
+      public_name = PLAIN
+      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
     '';
     authenticators.LOGIN = ''
       driver = plaintext
+      public_name = LOGIN
       server_prompts = "Username:: : Password::"
-      server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
-      server_set_id = $auth1
+      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
     '';
     internet-aliases = [
       { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }
       { from = "mail@jla-trading.com"; to = "jla-trading"; }
-      { from = "testuser@lassul.us"; to = "testuser"; }
     ];
-    system-aliases = [
+    sender_domains = [
+      "jla-trading.com"
     ];
     ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
     ssl_key = "/var/lib/acme/lassul.us/key.pem";
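Review bot: Both new `server_condition` lines hand the client's password to `verify_arg` as a command-line argument (`$auth3` for PLAIN, `$auth2` for LOGIN), so it is visible in the process table to other local users while the check runs. Exim's `${run}` does not use a shell, but depending on the Exim version the expanded string may be split on spaces. A user name or password containing a space could then reach `verify_arg` as shifted arguments, so confirm this for the deployed version and reject or quote such values. The commit also drops `server_set_id`, which presumably leaves `$authenticated_id` empty for logging and ACL checks. Consider keeping `server_set_id = $auth2` in PLAIN and `server_set_id = $auth1` in LOGIN.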
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index d93d310da..52914f444 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -88,13 +88,7 @@ in {
     ];
   };
 
-  services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
-     options = ''
-      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-      sendmail_path = "${sendmail} -t -i"
-    '';
-  } ''
-    cat ${pkgs.php}/etc/php-recommended.ini > $out
-    echo "$options" >> $out
+  services.phpfpm.phpOptions = ''
+    sendmail_path = ${sendmail} -t
   '';
 }
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index 1ee01e8d9..a8ab1c52a 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -13,22 +13,27 @@
       type = types.str;
       default = "/home/%/.shadow";
     };
+    path = mkOption {
+      type = types.str;
+    };
   };
 
   imp = {
     environment.systemPackages = [ usershadow ];
+    lass.usershadow.path = "${usershadow}";
     security.pam.services.sshd.text = ''
-      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
       auth required pam_permit.so
       account required pam_permit.so
       session required pam_permit.so
     '';
 
-    security.pam.services.exim.text = ''
-      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+    security.pam.services.dovecot2.text = ''
+      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
       auth required pam_permit.so
       account required pam_permit.so
       session required pam_permit.so
+      session required pam_env.so envfile=${config.system.build.pamEnvironment}
     '';
   };
 
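Review bot: The new `path` option has no `description` and no `default`, and the only definition visible here is the module's own `lass.usershadow.path = "${usershadow}";` inside `imp`. If `imp` is applied only when the module is enabled (not visible in this hunk), any host that reads `config.lass.usershadow.path` without enabling usershadow fails evaluation with an undefined-option error. Since the value is the store path of the helper binaries that decide authentication, it should not be overridable from other modules. Consider `path = mkOption { type = types.str; readOnly = true; description = "store path of the usershadow helpers"; };`.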
@@ -38,7 +43,7 @@
       "bytestring"
     ];
     body = pkgs.writeHaskell "passwords" {
-      executables.verify = {
+      executables.verify_pam = {
         extra-depends = deps;
         text = ''
           import Data.Monoid
@@ -61,18 +66,42 @@
             if res then exitSuccess else exitFailure
         '';
       };
+      executables.verify_arg = {
+        extra-depends = deps;
+        text = ''
+          import Data.Monoid
+          import System.IO
+          import Data.Char (chr)
+          import System.Environment (getEnv, getArgs)
+          import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+          import qualified Data.ByteString.Char8 as BS8
+          import System.Exit (exitFailure, exitSuccess)
+
+          main :: IO ()
+          main = do
+            argsList <- getArgs
+            let shadowFilePattern = argsList !! 0
+            let user = argsList !! 1
+            let password = argsList !! 2
+            let shadowFile = lhs <> user <> tail rhs
+                (lhs, rhs) = span (/= '%') shadowFilePattern
+            hash <- readFile shadowFile
+            let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+            if res then do (putStr "yes") else exitFailure
+        '';
+      };
       executables.passwd = {
         extra-depends = deps;
         text = ''
           import System.Environment (getEnv)
           import Crypto.PasswordStore (makePasswordWith, pbkdf2)
           import qualified Data.ByteString.Char8 as BS8
-          import System.IO (stdin, hSetEcho, putStr)
+          import System.IO (stdin, hSetEcho, putStrLn)
 
           main :: IO ()
           main = do
             home <- getEnv "HOME"
-            putStr "password:"
+            putStrLn "password:"
             hSetEcho stdin False
             password <- BS8.hGetLine stdin
             hash <- makePasswordWith pbkdf2 password 10
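Review bot: In `verify_arg`'s `main`, the `user` argument is spliced into the shadow-file path without any check, and in the Exim authenticators it is the name supplied by the SMTP client. A name containing `/` or `..` makes the helper read the hash from outside the intended per-user location, so authentication would be decided by a file the account owner does not control. The `!! 1`/`!! 2` lookups and `tail rhs` are also partial and fail closed only through an uncaught exception. The rewrite below matches on exactly three arguments, requires the `%` placeholder, and rejects names that are not a single path component.

```nix
      executables.verify_arg = {
        extra-depends = deps;
        text = ''
          -- … unchanged: imports …

          main :: IO ()
          main = do
            argsList <- getArgs
            case argsList of
              [shadowFilePattern, user, password]
                | validUser user
                , (lhs, _ : rest) <- span (/= '%') shadowFilePattern -> do
                    hash <- readFile (lhs <> user <> rest)
                    if verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
                      then putStr "yes"
                      else exitFailure
              -- wrong argument count, rejected name or pattern without '%'
              _ -> exitFailure

          -- The name comes from the SMTP client; keep it a single path component.
          validUser :: String -> Bool
          validUser u = not (null u) && u /= "." && u /= ".." && notElem '/' u
```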
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index 96b12b9d4..70be61022 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -129,6 +129,7 @@ myKeyMap =
     , ("M4-<Esc>", toggleWS)
     , ("M4-S-<Enter>", spawn urxvtcPath)
     , ("M4-x", floatNext True >> spawn urxvtcPath)
+    , ("M4-z", floatNext True >> spawn "${pkgs.termite}/bin/termite")
     , ("M4-f", floatNext True)
     , ("M4-b", sendMessage ToggleStruts)