Specify full path for chown

niten 2023-10-06 19:08:50 -07:00
parent 37bd62f950
commit 0890bb7b1e
2 changed files with 76 additions and 81 deletions


@ -74,21 +74,18 @@ let
after = [ "network-online.target" ]; after = [ "network-online.target" ];
description = description =
"Heimdal Kerberos Key Distribution Center (primary ticket server)."; "Heimdal Kerberos Key Distribution Center (primary ticket server).";
path = with pkgs; [ heimdal coreutils ]; path = with pkgs; [ heimdal ];
serviceConfig = { serviceConfig = {
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
# PrivateMounts = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
# ProtectSystem = true;
ProtectHostname = true; ProtectHostname = true;
# ProtectHome = true;
ProtectClock = true; ProtectClock = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
RestrictRealtime = true; RestrictRealtime = true;
# LockPersonality = true;
PermissionsStartOnly = false; PermissionsStartOnly = false;
LimitNOFILE = 4096; LimitNOFILE = 4096;
User = cfg.user; User = cfg.user;
@ -99,8 +96,8 @@ let
SecureBits = "keep-caps"; SecureBits = "keep-caps";
ExecStartPre = let ExecStartPre = let
chownScript = '' chownScript = ''
chown ${cfg.user}:${cfg.group} ${cfg.kdc.database} ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}
chown ${cfg.user}:${cfg.group} ${cfg.kdc.state-directory}/kerberos.log ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.kdc.state-directory}/kerberos.log
''; '';
in "+${chownScript}"; in "+${chownScript}";
ExecStart = let ExecStart = let
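Review bot: The `+`-prefixed ExecStartPre still runs both chown commands as root, and chown dereferences symlinks by default, so if either `${cfg.kdc.database}` or `${cfg.kdc.state-directory}/kerberos.log` is ever replaced by a link (the directory is meant to end up owned by `cfg.user`), the next start re-owns whatever it points at; `${pkgs.coreutils}/bin/chown -h ...` on both lines, or letting systemd `StateDirectory=`/`LogsDirectory=` own these paths instead of a root-run pre-step, removes that window. Making the first chown absolute fixes the lookup, but it looks like only the first token of `chownScript` is the executable and the second line is still passed as part of the same Exec value — confirm that systemd parses the newline as intended or wrap the two commands in a `writeShellScript`. Dropping `coreutils` from `path` in the first hunk also removes it from `PATH` for `ExecStart`, which continues outside this hunk; if that script relies on any coreutils command by bare name it will now fail. The surrounding `serviceConfig` attribute set starts and ends outside the hunk.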


@ -7,16 +7,17 @@ let
pthru = obj: builtins.trace obj obj; pthru = obj: builtins.trace obj obj;
remove-blank-lines = str: remove-blank-lines = str:
concatStringsSep "\n\n" concatStringsSep "\n\n" (filter builtins.isString (builtins.split ''
(filter builtins.isString
(builtins.split "\n\n\n+" str));
n-spaces = n:
concatStringsSep "" (builtins.genList (_: " ") n);
pad-to-length = strlen: str: let
spaces = n-spaces (strlen - (stringLength str)); +'' str));
in str + spaces;
n-spaces = n: concatStringsSep "" (builtins.genList (_: " ") n);
pad-to-length = strlen: str:
let spaces = n-spaces (strlen - (stringLength str));
in str + spaces;
record-matcher = builtins.match "^([^;].*) IN ([A-Z][A-Z0-9]*) (.+)$"; record-matcher = builtins.match "^([^;].*) IN ([A-Z][A-Z0-9]*) (.+)$";
@ -24,32 +25,35 @@ let
max-int = foldr (a: b: if (a < b) then b else a) 0; max-int = foldr (a: b: if (a < b) then b else a) 0;
make-zone-formatter = zonedata: let make-zone-formatter = zonedata:
lines = splitString "\n" zonedata; let
records = filter is-record lines; lines = splitString "\n" zonedata;
split-records = map record-matcher records; records = filter is-record lines;
index-strlen = i: record: stringLength (elemAt record i); split-records = map record-matcher records;
record-index-maxlen = i: max-int (map (index-strlen i) split-records); index-strlen = i: record: stringLength (elemAt record i);
in record-formatter (record-index-maxlen 0) (record-index-maxlen 1); record-index-maxlen = i: max-int (map (index-strlen i) split-records);
in record-formatter (record-index-maxlen 0) (record-index-maxlen 1);
record-formatter = name-max: type-max: let record-formatter = name-max: type-max:
name-padder = pad-to-length name-max; let
type-padder = pad-to-length type-max; name-padder = pad-to-length name-max;
in record-line: let type-padder = pad-to-length type-max;
record-parts = record-matcher record-line; in record-line:
in let record-parts = record-matcher record-line;
if (record-parts == null) then in if (record-parts == null) then
record-line record-line
else (let else
name = elemAt record-parts 0; (let
type = elemAt record-parts 1; name = elemAt record-parts 0;
data = elemAt record-parts 2; type = elemAt record-parts 1;
in "${name-padder name} IN ${type-padder type} ${data}"); data = elemAt record-parts 2;
in "${name-padder name} IN ${type-padder type} ${data}");
format-zone = zonedata: let format-zone = zonedata:
formatter = make-zone-formatter zonedata; let
lines = splitString "\n" zonedata; formatter = make-zone-formatter zonedata;
in concatStringsSep "\n" (map formatter lines); lines = splitString "\n" zonedata;
in concatStringsSep "\n" (map formatter lines);
makeSrvRecords = protocol: service: records: makeSrvRecords = protocol: service: records:
join-lines (map (record: join-lines (map (record:
@ -61,13 +65,10 @@ let
join-lines (mapAttrsToList (makeSrvRecords protocol) services); join-lines (mapAttrsToList (makeSrvRecords protocol) services);
makeMetricRecords = metric-type: records: makeMetricRecords = metric-type: records:
join-lines join-lines (map (record:
(map (record: "${metric-type}._metrics._tcp IN SRV ${toString record.priority} ${
"${metric-type}._metrics._tcp IN SRV ${ toString record.weight
toString record.priority } ${toString record.port} ${record.host}.") records);
} ${
toString record.weight
} ${toString record.port} ${record.host}.") records);
srvRecordOpts = with types; { srvRecordOpts = with types; {
options = { options = {
@ -96,33 +97,31 @@ let
}; };
}; };
hostRecords = hostname: nethost-data: let hostRecords = hostname: nethost-data:
sshfp-records = map (sshfp: "${hostname} IN SSHFP ${sshfp}") let
nethost-data.sshfp-records; sshfp-records =
a-record = optional (nethost-data.ipv4-address != null) map (sshfp: "${hostname} IN SSHFP ${sshfp}") nethost-data.sshfp-records;
"${hostname} IN A ${nethost-data.ipv4-address}"; a-record = optional (nethost-data.ipv4-address != null)
aaaa-record = optional (nethost-data.ipv6-address != null) "${hostname} IN A ${nethost-data.ipv4-address}";
"${hostname} IN AAAA ${nethost-data.ipv6-address}"; aaaa-record = optional (nethost-data.ipv6-address != null)
description-record = optional (nethost-data.description != null) "${hostname} IN AAAA ${nethost-data.ipv6-address}";
''${hostname} IN TXT "${nethost-data.description}"''; description-record = optional (nethost-data.description != null)
in join-lines (a-record ++ ''${hostname} IN TXT "${nethost-data.description}"'';
aaaa-record ++ in join-lines
sshfp-records ++ (a-record ++ aaaa-record ++ sshfp-records ++ description-record);
description-record);
cnameRecord = alias: host: "${alias} IN CNAME ${host}"; cnameRecord = alias: host: "${alias} IN CNAME ${host}";
dmarcRecord = dmarc-email: dmarcRecord = dmarc-email:
optionalString (dmarc-email != null) optionalString (dmarc-email != null) ''
''_dmarc IN TXT "v=DMARC1;p=quarantine;sp=quarantine;rua=mailto:${dmarc-email};"''; _dmarc IN TXT "v=DMARC1;p=quarantine;sp=quarantine;rua=mailto:${dmarc-email};"'';
mxRecords = mxs: map (mx: "@ IN MX 10 ${mx}.") mxs; mxRecords = mxs: map (mx: "@ IN MX 10 ${mx}.") mxs;
nsRecords = map (ns-host: "@ IN NS ${ns-host}"); nsRecords = map (ns-host: "@ IN NS ${ns-host}");
flatmapAttrsToList = f: attrs: flatmapAttrsToList = f: attrs:
foldr (a: b: a ++ b) [] (mapAttrsToList f attrs); foldr (a: b: a ++ b) [ ] (mapAttrsToList f attrs);
srvRecordPair = domain: protocol: service: record: { srvRecordPair = domain: protocol: service: record: {
"_${service}._${protocol}.${domain}" = "_${service}._${protocol}.${domain}" =
@ -135,15 +134,14 @@ let
$ORIGIN ${dom}. $ORIGIN ${dom}.
$TTL ${zone.default-ttl} $TTL ${zone.default-ttl}
${optionalString (zone.default-host != null) ${optionalString (zone.default-host != null) "@ IN A ${zone.default-host}"}
"@ IN A ${zone.default-host}"}
${join-lines (mxRecords zone.mx)} ${join-lines (mxRecords zone.mx)}
${dmarcRecord zone.dmarc-report-address} ${dmarcRecord zone.dmarc-report-address}
${optionalString (zone.gssapi-realm != null) ${optionalString (zone.gssapi-realm != null)
''_kerberos IN TXT "${zone.gssapi-realm}"''} ''_kerberos IN TXT "${zone.gssapi-realm}"''}
${join-lines (nsRecords zone.nameservers)} ${join-lines (nsRecords zone.nameservers)}
@ -164,6 +162,9 @@ let
zone.subdomains)} zone.subdomains)}
''; '';
concatMapAttrs = f: attrs:
concatMap (x: x) (mapAttrsToList (key: val: f key val) attrs);
in rec { in rec {
srvRecords = with types; attrsOf (attrsOf (listOf (submodule srvRecordOpts))); srvRecords = with types; attrsOf (attrsOf (listOf (submodule srvRecordOpts)));
@ -171,27 +172,24 @@ in rec {
srvRecordsToBindZone = srvRecords: srvRecordsToBindZone = srvRecords:
join-lines (mapAttrsToList makeSrvProtocolRecords srvRecords); join-lines (mapAttrsToList makeSrvProtocolRecords srvRecords);
concatMapAttrs = f: attrs: srvRecordsToPairs = domain: srvRecords:
concatMap (x: x) (mapAttrsToList (key: val: f key val) attrs);
srvRecordsToPairs = domain: srvRecords:
listToAttrs (concatMapAttrs (protocol: services: listToAttrs (concatMapAttrs (protocol: services:
concatMapAttrs concatMapAttrs
(service: records: map (srvRecordPair domain protocol service) records) services) (service: records: map (srvRecordPair domain protocol service) records)
srvRecords); services) srvRecords);
zoneToZonefile = timestamp: dom: zone: zoneToZonefile = timestamp: dom: zone:
remove-blank-lines (format-zone '' remove-blank-lines (format-zone ''
$ORIGIN ${dom}. $ORIGIN ${dom}.
$TTL ${zone.default-ttl} $TTL ${zone.default-ttl}
@ IN SOA ns1.${dom}. hostmaster.${dom}. ( @ IN SOA ns1.${dom}. hostmaster.${dom}. (
${toString timestamp} ${toString timestamp}
30m 30m
2m 2m
3w 3w
5m) 5m)
${domain-records dom zone} ${domain-records dom zone}
''); '');
} }
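Review bot: Moving the `remove-blank-lines` pattern from the escaped string `"\n\n\n+"` into an indented `''…''` literal (first hunk) silently changes what is matched, because Nix drops the newline that immediately follows the opening `''`; the rendered page does not show how many blank lines the literal contains, so the regex may now be `\n\n+` (collapse two or more newlines) rather than three or more. Keeping `builtins.split "\n\n\n+" str` makes the count explicit and avoids depending on indented-string whitespace rules. In the same file, `concatMapAttrs` moves from the exported `rec { … }` into the private `let` block (hunks at `-164,6` and `-171,27`), which removes it from the attribute set callers of this module see; if anything outside this file uses `lib.concatMapAttrs` from here it will break, so either keep a `concatMapAttrs` alias in `rec` or note the removal in the commit message. The remaining hunks are formatter-only reflows and need no change.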