ARG FUCKING MIT KPASSWD WAT
This commit is contained in:
parent
9f7ab64d09
commit
945312e94e
|
@ -89,7 +89,7 @@ in {
|
|||
auth.kdc = {
|
||||
enable = true;
|
||||
realm = "RUS.SELBY.CA";
|
||||
bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ];
|
||||
bind-addresses = [ "10.0.0.1" "127.0.0.1" "[::1]" ];
|
||||
acl = {
|
||||
"niten" = { perms = [ "all" ]; };
|
||||
"*/root" = { perms = [ "password" "list" ]; };
|
||||
|
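Review bot: The `"*/root" = { perms = [ "password" "list" ]; }` entry carries no `target`, so the `password` permission applies to every principal in the realm and any `<user>/root` principal can reset other users' and the admins' passwords. kadm5.acl accepts back-references in the target column (the MIT example is `*/root ci *1@REALM`, which confines a `foo/root` principal to `foo`'s own password), and kdc.nix's `generate-acl-file` appears to emit `opts.target` verbatim, so `target = "*1@RUS.SELBY.CA";` on this entry would bring it back to least privilege. On the bind-address change, `"[::1]"` is needed only because kdc.nix builds `"${ip}:88"` strings from `bind-addresses`; that bracket requirement is an implicit contract that belongs in the option's description or, better, in the module, so an unbracketed IPv6 literal cannot yield an ambiguous `::1:88`. The enclosing `auth.kdc` set continues outside the hunk.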
|
|
@ -23,6 +23,8 @@ in {
|
|||
system.autoUpgrade.enable = true;
|
||||
|
||||
krb5 = {
|
||||
enable = true;
|
||||
|
||||
libdefaults = {
|
||||
allow_weak_crypto = false;
|
||||
dns_lookup_kdc = true;
|
||||
|
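Review bot: `dns_lookup_kdc = true` makes every Kerberos client on this host locate KDCs through DNS SRV records instead of an explicit `realms` entry, and that choice deserves a one-line comment beside it, e.g. `# KDC discovery via DNS SRV records; no static realms block on this host`. Kerberos' mutual authentication means a spoofed DNS answer cannot yield valid tickets, but availability and which KDC is contacted become a DNS matter, which is worth recording next to the hardening-oriented `allow_weak_crypto = false`. The enclosing attribute set continues outside the hunk.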
|
|
@ -13,7 +13,16 @@
|
|||
"ssh-rsa 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 openpgp:0x4EC95B64"
|
||||
];
|
||||
home-directory = "/home/niten";
|
||||
home-manager-config = import ../home-manager/niten.nix { inherit config lib pkgs; };
|
||||
home-manager-config =
|
||||
import ../home-manager/niten.nix { inherit config lib pkgs; };
|
||||
k5login = [
|
||||
"niten@FUDO.ORG"
|
||||
"niten/root@FUDO.ORG"
|
||||
"niten/admin@FUDO.ORG"
|
||||
"niten@INFORMIS.LAND"
|
||||
"niten/root@INFORMIS.LAND"
|
||||
"niten/admin@INFORMIS.LAND"
|
||||
];
|
||||
};
|
||||
|
||||
andrew = {
|
||||
|
@ -96,6 +105,8 @@
|
|||
login-hashed-passwd =
|
||||
"$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
|
||||
home-directory = "/home/reaper";
|
||||
k5login =
|
||||
[ "reaper@FUDO.ORG" "reaper/root@FUDO.ORG" "reaper/admin@FUDO.ORG" ];
|
||||
};
|
||||
|
||||
slickoil = {
|
||||
|
@ -452,5 +463,16 @@
|
|||
common-name = "Selby Forum";
|
||||
ldap-hashed-passwd = "{SSHA}f7eDNuwFXRhvants5cJJ/FGtkCKheY2Q";
|
||||
};
|
||||
|
||||
viator = {
|
||||
uid = 10115;
|
||||
primary-group = "informis";
|
||||
common-name = "Viator";
|
||||
home-manager-config =
|
||||
import ../home-manager/niten.nix { inherit config lib pkgs; };
|
||||
ldap-hashed-passwd = "{SSHA}dF/5NGkafL8M1kpa3LYZKdh0Pc7a02gA";
|
||||
login-hashed-passwd =
|
||||
"$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
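Review bot: The new `viator` entry's `login-hashed-passwd` (hunk `@@ -452,5 +463,16 @@`) is byte-for-byte the hash already used by `reaper` (hunk `@@ -96,6 +105,8 @@`) — identical salt and digest — so the two accounts share one password and a compromise or offline crack of either is a compromise of both; give each account its own hash. Committed crypt and `{SSHA}` digests are offline-crackable material, so if the module later grows a file-based option (NixOS's `users.users.<name>.passwordFile` is the usual target for `hashedPassword`), the hashes could leave version control entirely. `viator` also imports `../home-manager/niten.nix` as its home-manager config, which reads as copy-paste from the `niten` entry rather than intent — confirm. The enclosing attribute set starts and ends outside these hunks.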
|
186
lib/fudo/kdc.nix
186
lib/fudo/kdc.nix
|
@ -4,48 +4,54 @@ with lib;
|
|||
let
|
||||
cfg = config.fudo.auth.kdc;
|
||||
|
||||
kerberos-database = "${cfg.state-directory}/kerberos.db";
|
||||
|
||||
get-domain-hosts = domain:
|
||||
mapAttrsToList (host: hostOpts: "${host}.${domain}")
|
||||
(filterAttrs (host: hostOpts: hostOpts.domain == domain) config.fudo.hosts);
|
||||
|
||||
add-host-principals = realm: host: ''
|
||||
${pkgs.kerberos}/bin/kadmin.local addprinc -randkey host/${host} -r ${realm}
|
||||
${pkgs.kerberos}/bin/kadmin.local addprinc -randkey ssh/${host} -r ${realm}
|
||||
add-host-principals = realm: db-name: host: ''
|
||||
${pkgs.krb5}/bin/kadmin.local -d ${db-name} addprinc -randkey host/${host} -r ${realm}
|
||||
${pkgs.krb5}/bin/kadmin.local -d ${db-name} addprinc -randkey ssh/${host} -r ${realm}
|
||||
'';
|
||||
|
||||
initialize-db = realm: user: group: key-file: db-file:
|
||||
let
|
||||
domain = toLower realm;
|
||||
hosts = get-domain-hosts domain;
|
||||
in pkgs.writeShellScript "initialize-kdc-db.sh" ''
|
||||
if [ ! -e ${db-file} ]; then
|
||||
PWD=$(${pkgs.pwgen}/bin/pwgen -n1 -y 40)
|
||||
${pkgs.krb5}/bin/kdb5_util -r ${realm} -sf ${key-file} -d ${db-file} -P $PWD -m create -s
|
||||
${pkgs.coreutils}/bin/chown -R ${user}:${group} $(dirname ${db-file})
|
||||
${concatStringsSep "\n" (map (add-host-principals realm) hosts)}
|
||||
initialize-db = realm: kdc-conf: user: group: key-file: db-name:
|
||||
pkgs.writeShellScript "initialize-kdc-db.sh" ''
|
||||
if [ ! -e ${db-name} ]; then
|
||||
KRB5_CONFIG=/etc/krb5.conf
|
||||
KRB5_KDC_PROFILE=${kdc-conf}
|
||||
PWD=$(${pkgs.pwgen}/bin/pwgen 40 1)
|
||||
printf "$PWD\n$PWD\n$PWD\n" | ${pkgs.krb5}/bin/kdb5_util -r ${realm} -sf ${key-file} -d ${db-name} -m create -s
|
||||
${pkgs.coreutils}/bin/chown -R ${user}:${group} $(dirname ${db-name})
|
||||
fi
|
||||
'';
|
||||
|
||||
initialize-kadmin = realm: user: group: kadmin-keytab: host:
|
||||
let domain = toLower realm;
|
||||
initialize-kadmin = realm: db-name: user: group: kadmin-keytab: host:
|
||||
let
|
||||
domain = toLower realm;
|
||||
hosts = get-domain-hosts domain;
|
||||
in pkgs.writeShellScript "initialize-kadmin.sh" ''
|
||||
if [ ! -e ${kadmin-keytab} ]; then
|
||||
${pkgs.krb5}/bin/kadmin.local addprinc -randkey kadmin/${host}.${domain}
|
||||
${pkgs.krb5}/bin/kadmin.local ktadd -k ${kadmin-keytab} kadmin/${host}.${domain}
|
||||
# ${pkgs.krb5}/bin/kadmin.local -d ${db-name} addprinc -randkey kadmin/${host}.${domain}
|
||||
# ${pkgs.krb5}/bin/kadmin.local -d ${db-name} ktadd -k ${kadmin-keytab} kadmin/${host}.${domain}
|
||||
# TODO: extract kadmin keytab
|
||||
# ${
|
||||
concatStringsSep "\n" (map (add-host-principals realm db-name) hosts)
|
||||
}
|
||||
fi
|
||||
'';
|
||||
|
||||
generate-kdc-conf =
|
||||
realm: database: kdc-listen-ips: kadmind-port: acl-file: kadmin-keytab: key-stash-file:
|
||||
realm: database: kdc-listen-addrs: kadmin-listen-addrs: kpasswd-listen-addrs: acl-file: kadmin-keytab: key-stash-file:
|
||||
pkgs.writeText "kdc.conf" ''
|
||||
[kdcdefaults]
|
||||
kdc_listen = ${concatStringsSep "," kdc-listen-ips}
|
||||
kdc_tcp_listen = ${concatStringsSep "," kdc-listen-ips}
|
||||
kdc_listen = ${concatStringsSep "," kdc-listen-addrs}
|
||||
kdc_tcp_listen = ${concatStringsSep "," kdc-listen-addrs}
|
||||
|
||||
[realm]
|
||||
${realm} = {
|
||||
kadmind_port = ${toString kadmind-port}
|
||||
kadmind_listen = ${concatStringsSep "," kadmin-listen-addrs}
|
||||
kpasswd_listen = ${concatStringsSep "," kpasswd-listen-addrs}
|
||||
max_life = 24h 0m 0s
|
||||
max_renewable_life = 14d 0h 0m 0s
|
||||
acl_file = ${acl-file}
|
||||
|
@ -58,6 +64,11 @@ let
|
|||
database_name = ${database}
|
||||
db_library = db2
|
||||
}
|
||||
|
||||
[logging]
|
||||
kdc = SYSLOG
|
||||
admin_server = SYSLOG
|
||||
default = SYSLOG
|
||||
'';
|
||||
|
||||
perm-map = {
|
||||
|
@ -92,13 +103,23 @@ let
|
|||
};
|
||||
};
|
||||
|
||||
kdc-acl-file = acl-entries:
|
||||
generate-acl-file = acl-entries:
|
||||
pkgs.writeText "kdc.acl" (concatStringsSep "\n" (mapAttrsToList
|
||||
(principal: opts:
|
||||
"${principal} ${perms-to-permstring opts.perms}${
|
||||
optionalString (opts.target != null) " ${opts.target}"
|
||||
}") acl-entries));
|
||||
|
||||
acl-file = generate-acl-file cfg.acl;
|
||||
|
||||
kdc-listen-addrs = map (ip: "${ip}:88") cfg.bind-addresses;
|
||||
kadmin-listen-addrs = map (ip: "${ip}:749") cfg.bind-addresses;
|
||||
kpasswd-listen-addrs = map (ip: "${ip}:464") cfg.bind-addresses;
|
||||
|
||||
kdc-conf = generate-kdc-conf cfg.realm kerberos-database kdc-listen-addrs
|
||||
kadmin-listen-addrs kpasswd-listen-addrs acl-file cfg.kadmin-keytab
|
||||
cfg.master-key-file;
|
||||
|
||||
in {
|
||||
|
||||
options.fudo.auth.kdc = with types; {
|
||||
|
@ -112,7 +133,7 @@ in {
|
|||
acl = mkOption {
|
||||
type = attrsOf (submodule aclEntry);
|
||||
description = "Mapping of pricipals to a list of permissions.";
|
||||
default = { };
|
||||
default = { "*/admin" = [ "all" ]; };
|
||||
example = {
|
||||
"*/root" = [ "all" ];
|
||||
"admin-user" = [ "add" "list" "modify" ];
|
||||
|
@ -143,30 +164,6 @@ in {
|
|||
default = "/var/kerberos";
|
||||
};
|
||||
|
||||
kdc-pid-file = mkOption {
|
||||
type = str;
|
||||
description = "PID file for the KDC server.";
|
||||
default = "/var/run/kerberos-kdc.pid";
|
||||
};
|
||||
|
||||
kadmind-pid-file = mkOption {
|
||||
type = str;
|
||||
description = "PID file for the Kerberos admin server.";
|
||||
default = "/var/run/kerberos-kadmin.pid";
|
||||
};
|
||||
|
||||
kadmind-internal-port = mkOption {
|
||||
type = port;
|
||||
description = "Local port on which to run kadmind.";
|
||||
default = 7749;
|
||||
};
|
||||
|
||||
kdc-internal-port = mkOption {
|
||||
type = port;
|
||||
description = "Local port on which to run kdc.";
|
||||
default = 7088;
|
||||
};
|
||||
|
||||
master-key-file = mkOption {
|
||||
type = str;
|
||||
description = "File containing the master key for the realm.";
|
||||
|
@ -191,29 +188,27 @@ in {
|
|||
groups.${cfg.group} = { members = [ cfg.user ]; };
|
||||
};
|
||||
|
||||
krb5.libdefaults = { default_realm = mkForce cfg.realm; };
|
||||
krb5 = {
|
||||
libdefaults = { default_realm = mkDefault cfg.realm; };
|
||||
realms.${cfg.realm} = { key_stash_file = cfg.master-key-file; };
|
||||
extraConfig = mkAfter ''
|
||||
[dbmodules]
|
||||
${cfg.realm} = {
|
||||
database_name = ${kerberos-database}
|
||||
}
|
||||
|
||||
environment = { systemPackages = [ pkgs.kerberos ]; };
|
||||
[realm]
|
||||
${cfg.realm} = {
|
||||
kadmind_listen = ${concatStringsSep "," kadmin-listen-addrs}
|
||||
kpasswd_listen = ${concatStringsSep "," kpasswd-listen-addrs}
|
||||
acl_file = ${acl-file}
|
||||
admin_keytab = ${cfg.kadmin-keytab}
|
||||
key_stash_file = ${cfg.master-key-file}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
# services.xinitd = {
|
||||
# enable = true;
|
||||
# services = [
|
||||
# {
|
||||
# name = "kdc";
|
||||
# unlisted = true;
|
||||
# port = 88;
|
||||
# server = "/usr/bin/env";
|
||||
# extraConfig = "redirect = localhost ${cfg.kdc-internal-port}";
|
||||
# }
|
||||
# {
|
||||
# name = "kadmin";
|
||||
# unlisted = true;
|
||||
# port = 749;
|
||||
# server = "/usr/bin/env";
|
||||
# extraConfig = "redirect = localhost ${cfg.kadmin-internal-port}";
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
environment = { systemPackages = [ pkgs.kerberos pkgs.krb5 ]; };
|
||||
|
||||
fudo.system = {
|
||||
ensure-directories = {
|
||||
|
@ -222,40 +217,27 @@ in {
|
|||
group = cfg.group;
|
||||
perms = "0740";
|
||||
};
|
||||
};
|
||||
|
||||
internal-port-map = {
|
||||
kdc = {
|
||||
internal-port = cfg.kdc-internal-port;
|
||||
external-port = 88;
|
||||
"/run/mit-kdc" = {
|
||||
user = cfg.user;
|
||||
group = cfg.group;
|
||||
perms = "0744";
|
||||
};
|
||||
kadmin = {
|
||||
internal-port = cfg.kadmind-internal-port;
|
||||
external-port = 749;
|
||||
"/run/mit-kadmin" = {
|
||||
user = cfg.user;
|
||||
group = cfg.group;
|
||||
perms = "0744";
|
||||
};
|
||||
};
|
||||
|
||||
services = let
|
||||
kerberos-database = "${cfg.state-directory}/kerberos.db";
|
||||
acl-file = kdc-acl-file cfg.acl;
|
||||
kdc-listen-addrs = map (ip: "${ip}:${toString cfg.kdc-internal-port}") [
|
||||
"127.0.0.1"
|
||||
"::1"
|
||||
];
|
||||
|
||||
kdc-conf =
|
||||
generate-kdc-conf cfg.realm kerberos-database kdc-listen-addrs
|
||||
cfg.kadmind-internal-port acl-file cfg.kadmin-keytab
|
||||
cfg.master-key-file;
|
||||
|
||||
in {
|
||||
services = {
|
||||
mit-kdc = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
type = "forking";
|
||||
description = "MIT Kerberos Key Distribution Center (ticket server).";
|
||||
execStart =
|
||||
"${pkgs.krb5}/bin/krb5kdc -r ${cfg.realm} -d ${kerberos-database} -P ${cfg.kdc-pid-file} -M ${cfg.master-key-file}";
|
||||
"${pkgs.krb5}/bin/krb5kdc -r ${cfg.realm} -d ${kerberos-database} -P /run/mit-kdc/mit-kdc.pid";
|
||||
readWritePaths = [ "/run/mit-kdc" ];
|
||||
environment = {
|
||||
KRB5_CONFIG = "/etc/krb5.conf";
|
||||
KRB5_KDC_PROFILE = "${kdc-conf}";
|
||||
|
@ -263,9 +245,11 @@ in {
|
|||
user = cfg.user;
|
||||
group = cfg.group;
|
||||
workingDirectory = cfg.state-directory;
|
||||
preStart =
|
||||
"${initialize-db cfg.realm cfg.user cfg.group cfg.master-key-file
|
||||
kerberos-database}";
|
||||
preStart = "${initialize-db cfg.realm kdc-conf cfg.user cfg.group
|
||||
cfg.master-key-file kerberos-database}";
|
||||
privateNetwork = false;
|
||||
addressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
requiredCapabilities = [ "CAP_NET_BIND_SERVICE+ep" ];
|
||||
};
|
||||
|
||||
mit-kadmin = {
|
||||
|
@ -274,7 +258,8 @@ in {
|
|||
requires = [ "mit-kdc.service" ];
|
||||
description = "MIT Kerberos Remote Administration Server.";
|
||||
execStart =
|
||||
"${pkgs.kerberos}/bin/kadmind -r ${cfg.realm} -P ${cfg.kadmind-pid-file}";
|
||||
"${pkgs.krb5}/bin/kadmind -r ${cfg.realm} -P /run/mit-kadmin/mit-kadmin.pid";
|
||||
readWritePaths = [ "/run/mit-kadmin" ];
|
||||
environment = {
|
||||
KRB5_CONFIG = "/etc/krb5.conf";
|
||||
KRB5_KDC_PROFILE = "${kdc-conf}";
|
||||
|
@ -282,9 +267,12 @@ in {
|
|||
user = cfg.user;
|
||||
group = cfg.group;
|
||||
workingDirectory = cfg.state-directory;
|
||||
preStart =
|
||||
"${initialize-kadmin cfg.realm cfg.user cfg.group cfg.kadmin-keytab
|
||||
config.networking.hostName}";
|
||||
privateNetwork = false;
|
||||
# postStart =
|
||||
# "${initialize-kadmin cfg.realm kerberos-database cfg.user cfg.group
|
||||
# cfg.kadmin-keytab config.networking.hostName}";
|
||||
addressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
requiredCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||
};
|
||||
};
|
||||
};
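Review bot: The `[realm]` section name in the new `krb5.extraConfig` block (hunk `@@ -191,29 +188,27 @@`) is not one MIT Kerberos reads — both krb5.conf and kdc.conf use `[realms]` — so `kadmind_listen`, `kpasswd_listen`, `acl_file`, `admin_keytab` and `key_stash_file` set there are silently ignored, and the `[realm]` header that `generate-kdc-conf` emits (pre-existing context in `@@ -4,48 +4,54 @@`) has the same problem; change both to `[realms]`. In `initialize-kadmin` (same first hunk) the `# ${ concatStringsSep "\n" (map (add-host-principals realm db-name) hosts) }` lines are still interpolated by Nix — the `#` comments out only the first emitted line and every further `kadmin.local addprinc` line would run — so the block should be deleted or turned into a real Nix comment, even though `initialize-kadmin` looks unused now that its `preStart`/`postStart` calls are gone. The new `acl` default `{ "*/admin" = [ "all" ]; }` (hunk `@@ -112,7 +133,7 @@`) is a list where the declared `attrsOf (submodule aclEntry)` type expects `{ perms = [ "all" ]; }`, so an unconfigured `acl` should fail the type check (the `example` has the same shape). In `initialize-db`, `KRB5_CONFIG` and `KRB5_KDC_PROFILE` are assigned but not exported, so `kdb5_util` only sees them if the unit's `environment` already supplies them, and naming the generated master password `PWD` shadows the shell's working-directory variable — `MASTER_PW=$(...)` with `printf '%s\n%s\n%s\n' "$MASTER_PW" "$MASTER_PW" "$MASTER_PW"` is clearer and stops treating the password as a printf format string.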
|
||||
|
|
|
@ -155,7 +155,7 @@ let
|
|||
description = "Command to run to launch the service.";
|
||||
};
|
||||
protectSystem = mkOption {
|
||||
type = enum [ "true" "false" "full" "strict" ];
|
||||
type = enum [ "true" "false" "full" "strict" true false ];
|
||||
default = "full";
|
||||
description =
|
||||
"Level of protection to apply to the system for this service.";
|
||||
|
@ -230,6 +230,54 @@ let
|
|||
"Schedule on which the job should be invoked. See: man systemd.time(7).";
|
||||
default = null;
|
||||
};
|
||||
runtimeDirectory = mkOption {
|
||||
type = nullOr str;
|
||||
description =
|
||||
"Directory created at runtime with perms for the service to read/write.";
|
||||
default = null;
|
||||
};
|
||||
readWritePaths = mkOption {
|
||||
type = listOf str;
|
||||
description =
|
||||
"A list of paths to which the service will be allowed normal access, even if ProtectSystem=strict.";
|
||||
default = [ ];
|
||||
};
|
||||
stateDirectory = mkOption {
|
||||
type = nullOr str;
|
||||
description =
|
||||
"State directory for the service, available via STATE_DIRECTORY.";
|
||||
default = null;
|
||||
};
|
||||
cacheDirectory = mkOption {
|
||||
type = nullOr str;
|
||||
description =
|
||||
"Cache directory for the service, available via CACHE_DIRECTORY.";
|
||||
default = null;
|
||||
};
|
||||
inaccessiblePaths = mkOption {
|
||||
type = listOf str;
|
||||
description =
|
||||
"A list of paths which should be inaccessible to the service.";
|
||||
default = [ "/home" "/root" ];
|
||||
};
|
||||
noExecPaths = mkOption {
|
||||
type = listOf str;
|
||||
description =
|
||||
"A list of paths where the service will not be allowed to run executables.";
|
||||
default = [ "/home" "/root" "/tmp" "/var" ];
|
||||
};
|
||||
readOnlyPaths = mkOption {
|
||||
type = listOf str;
|
||||
description =
|
||||
"A list of paths to which will be read-only for the service.";
|
||||
default = [ ];
|
||||
};
|
||||
execPaths = mkOption {
|
||||
type = listOf str;
|
||||
description =
|
||||
"A list of paths where the service WILL be allowed to run executables.";
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -387,42 +435,44 @@ in {
|
|||
};
|
||||
|
||||
config = {
|
||||
# systemd.slices = mapAttrs (name: opts: {
|
||||
# sliceConfig = {
|
||||
# IpAddressAllow = opts.networkWhitelist;
|
||||
# IpAddressDeny = "any";
|
||||
# };
|
||||
# }) (filterAttrs (name: opts: opts.networkWhitelist != null) cfg.services);
|
||||
# boot.kernel.sysctl = mkIf (cfg.internal-port-map != { }) {
|
||||
# "net.ipv4.conf.all.route_localhost" = "1";
|
||||
# };
|
||||
|
||||
boot.kernel.sysctl = mkIf (cfg.internal-port-map != { }) {
|
||||
"net.ipv4.conf.all.route_localhost" = "1";
|
||||
};
|
||||
# networking.firewall = let
|
||||
# ip-forward-line = protocols: internal: external:
|
||||
# concatStringsSep "\n" (map (protocol:
|
||||
# "${pkgs.iptables}/bin/iptables -t nat -I PREROUTING -p ${protocol} --dport ${
|
||||
# toString external
|
||||
# } -j DNAT --to 127.0.0.1:${toString internal}") protocols);
|
||||
|
||||
networking.firewall = let
|
||||
ip-forward-line = protocols: internal: external:
|
||||
concatStringsSep "\n" (map (protocol:
|
||||
"${pkgs.iptables}/bin/iptables -t nat -I PREROUTING -p ${protocol} --dport ${
|
||||
toString external
|
||||
} -j DNAT --to 127.0.0.1:${toString internal}") protocols);
|
||||
# ip-unforward-line = protocols: internal: external:
|
||||
# concatStringsSep "\n" (map (protocol:
|
||||
# "${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -p ${protocol} --dport ${
|
||||
# toString external
|
||||
# } -j DNAT --to 127.0.0.1:${toString internal} || true") protocols);
|
||||
|
||||
ip-unforward-line = protocols: internal: external:
|
||||
concatStringsSep "\n" (map (protocol:
|
||||
"${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -p ${protocol} --dport ${
|
||||
toString external
|
||||
} -j DNAT --to 127.0.0.1:${toString internal} || true") protocols);
|
||||
# protocol-list = protocol:
|
||||
# if (protocol == null) then [ "tcp" "udp" ] else [ protocol ];
|
||||
# in {
|
||||
# extraCommands = concatStringsSep "\n" (mapAttrsToList (name: opts:
|
||||
# ip-forward-line (protocol-list opts.protocol) opts.internal-port
|
||||
# opts.external-port) cfg.internal-port-map);
|
||||
|
||||
protocol-list = protocol:
|
||||
if (protocol == null) then [ "tcp" "udp" ] else [ protocol ];
|
||||
in {
|
||||
extraCommands = mkAfter (concatStringsSep "\n" (mapAttrsToList
|
||||
(name: opts:
|
||||
ip-forward-line (protocol-list opts.protocol) opts.internal-port
|
||||
opts.external-port) cfg.internal-port-map));
|
||||
# extraStopCommands = concatStringsSep "\n" (mapAttrsToList (name: opts:
|
||||
# ip-unforward-line (protocol-list opts.protocol) opts.internal-port
|
||||
# opts.external-port) cfg.internal-port-map);
|
||||
# };
|
||||
|
||||
extraStopCommands = mkAfter (concatStringsSep "\n" (mapAttrsToList
|
||||
(name: opts:
|
||||
ip-unforward-line (protocol-list opts.protocol) opts.internal-port
|
||||
opts.external-port) cfg.internal-port-map));
|
||||
services.xinetd = {
|
||||
enable = true;
|
||||
services = mapAttrsToList (name: opts: {
|
||||
name = name;
|
||||
unlisted = true;
|
||||
port = opts.external-port;
|
||||
server = "${pkgs.coreutils}/bin/false";
|
||||
extraConfig = "redirect = localhost ${toString opts.internal-port}";
|
||||
}) cfg.internal-port-map;
|
||||
};
|
||||
|
||||
systemd.timers = mapAttrs (name: opts: {
|
||||
|
@ -473,9 +523,13 @@ in {
|
|||
ProtectKernelLogs = opts.protectKernelLogs;
|
||||
KeyringMode = opts.keyringMode;
|
||||
EnvironmentFile = opts.environment-file;
|
||||
|
||||
# This is more complicated than it looks...
|
||||
CapabilityBoundingSet = restrict-capabilities opts.requiredCapabilities;
|
||||
DynamicUser = opts.dynamicUser;
|
||||
Capabilities = opts.requiredCapabilities;
|
||||
SecureBits = mkIf ((length opts.requiredCapabilities) > 0) "keep-caps";
|
||||
|
||||
DynamicUser = mkIf (opts.user == null) opts.dynamicUser;
|
||||
Restart = opts.restartWhen;
|
||||
WorkingDirectory =
|
||||
mkIf (opts.workingDirectory != null) opts.workingDirectory;
|
||||
|
@ -493,12 +547,20 @@ in {
|
|||
MemoryDenyWriteExecute = opts.memoryDenyWriteExecute;
|
||||
SystemCallFilter = restrict-syscalls opts.allowedSyscalls;
|
||||
UMask = opts.maximumUmask;
|
||||
|
||||
IpAddressAllow =
|
||||
mkIf (opts.networkWhitelist != null) opts.networkWhitelist;
|
||||
IpAddressDeny = mkIf (opts.networkWhitelist != null) "any";
|
||||
LimitNOFILE = "49152";
|
||||
PermissionsStartOnly = opts.startOnlyPerms;
|
||||
RuntimeDirectory =
|
||||
mkIf (opts.runtimeDirectory != null) opts.runtimeDirectory;
|
||||
CacheDirectory = mkIf (opts.cacheDirectory != null) opts.cacheDirectory;
|
||||
StateDirectory = mkIf (opts.stateDirectory != null) opts.stateDirectory;
|
||||
ReadWritePaths = opts.readWritePaths;
|
||||
ReadOnlyPaths = opts.readOnlyPaths;
|
||||
InaccessiblePaths = opts.inaccessiblePaths;
|
||||
NoExecPaths = opts.noExecPaths;
|
||||
ExecPaths = opts.execPaths;
|
||||
};
|
||||
}) config.fudo.system.services;
|
||||
};
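Review bot: The sysctl key uncommented in hunk `@@ -387,42 +435,44 @@` is misspelled: the knob that lets DNAT'd packets reach 127.0.0.1 is `net.ipv4.conf.all.route_localnet`, not `route_localhost`, so systemd-sysctl will log an error at boot and the `--to 127.0.0.1:${toString internal}` PREROUTING rules will not deliver traffic; change the line to `"net.ipv4.conf.all.route_localnet" = "1";`. Enabling `route_localnet` is a host-wide relaxation of loopback routing, and the same hunk also configures an xinetd `redirect` for every `internal-port-map` entry, so TCP ports appear to get two forwarding mechanisms (xinetd redirect is TCP-only); one should go, with a comment naming the authoritative one. In hunk `@@ -473,9 +523,13 @@` the removed `Capabilities=`/`SecureBits=` pair is replaced by `CapabilityBoundingSet` alone, which can only restrict; a unit with a non-root `User=` (as mit-kdc and mit-kadmin in kdc.nix) also needs `AmbientCapabilities = opts.requiredCapabilities;` to actually hold `CAP_NET_BIND_SERVICE` for ports 88/749, and the `CAP_NET_BIND_SERVICE+ep` spelling in kdc.nix's mit-kdc unit is `cap_from_text` syntax accepted by the old `Capabilities=`, not by the bounding-set or ambient options. The `restrict-capabilities` helper is outside the hunk, so whether it strips such suffixes cannot be confirmed here.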
|
||||
|
|
|
@ -86,7 +86,13 @@ let
|
|||
home-directory = mkOption {
|
||||
type = with types; nullOr str;
|
||||
description = "Default home directory for the given user.";
|
||||
default = null;
|
||||
default = null;
|
||||
};
|
||||
|
||||
k5login = mkOption {
|
||||
type = listOf str;
|
||||
description = "List of Kerberos principals that map to this user.";
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -151,7 +157,8 @@ in {
|
|||
|
||||
host-user-list = config.fudo.hosts."${local-host}".local-users;
|
||||
domain-user-list = config.fudo.domains."${local-domain}".local-users;
|
||||
local-users = getAttrs (host-user-list ++ domain-user-list) config.fudo.users;
|
||||
local-users =
|
||||
getAttrs (host-user-list ++ domain-user-list) config.fudo.users;
|
||||
|
||||
host-admin-list = config.fudo.hosts."${local-host}".local-admins;
|
||||
domain-admin-list = config.fudo.domains."${local-domain}".local-admins;
|
||||
|
@ -161,12 +168,15 @@ in {
|
|||
host-group-list = config.fudo.hosts."${local-host}".local-groups;
|
||||
domain-group-list = config.fudo.domains."${local-domain}".local-groups;
|
||||
site-group-list = config.fudo.sites."${local-site}".local-groups;
|
||||
local-groups = getAttrs (host-group-list ++ domain-group-list ++ site-group-list) config.fudo.groups;
|
||||
local-groups =
|
||||
getAttrs (host-group-list ++ domain-group-list ++ site-group-list)
|
||||
config.fudo.groups;
|
||||
|
||||
in {
|
||||
fudo.auth.ldap-server = let
|
||||
ldapUsers = (filterAttrs
|
||||
(username: userOpts: userOpts.ldap-hashed-password != null)) config.fudo.users;
|
||||
(username: userOpts: userOpts.ldap-hashed-password != null))
|
||||
config.fudo.users;
|
||||
|
||||
in {
|
||||
users = mapAttrs (username: userOpts: {
|
||||
|
@ -195,7 +205,10 @@ in {
|
|||
createHome = true;
|
||||
description = userOpts.common-name;
|
||||
group = userOpts.primary-group;
|
||||
home = if (userOpts.home-directory != null) then userOpts.home-directory else "/home/${userOpts.primary-group}/${username}";
|
||||
home = if (userOpts.home-directory != null) then
|
||||
userOpts.home-directory
|
||||
else
|
||||
"/home/${userOpts.primary-group}/${username}";
|
||||
hashedPassword = userOpts.login-hashed-passwd;
|
||||
openssh.authorizedKeys.keys = userOpts.ssh-authorized-keys;
|
||||
}) local-users;
|
||||
|
@ -203,11 +216,8 @@ in {
|
|||
groups = (mapAttrs (groupname: groupOpts: {
|
||||
gid = groupOpts.gid;
|
||||
members = filterExistingUsers local-users groupOpts.members;
|
||||
}) local-groups) //
|
||||
{
|
||||
wheel = {
|
||||
members = local-admins;
|
||||
};
|
||||
}) local-groups) // {
|
||||
wheel = { members = local-admins; };
|
||||
};
|
||||
};
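Review bot: The new `k5login` option (hunk `@@ -86,7 +86,13 @@`) says only that principals "map to this user", but nothing in these hunks consumes it — no `~/.k5login` generation or `auth_to_local` rule is visible — so either that plumbing lives elsewhere or the option is currently inert; the description should name where it takes effect. It should also make the security meaning explicit, e.g. `description = "Kerberos principals permitted to log in as this user (each listed principal gets full access to the account, as in ~/.k5login).";`, since the host configs in this commit list several `*/root` and `*/admin` instances per user. The surrounding `let` and the `users = mapAttrs ...` block start and end outside these hunks.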
|
||||
|
||||
|
|
|
@ -66,9 +66,8 @@ in {
|
|||
buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
|
||||
});
|
||||
|
||||
gtk3-x11 = pkgs.gtk3.overrideAttrs (oldAttrs: rec {
|
||||
buildInputs = oldAttrs.buildInputs ++ [ pkgs.cmake ];
|
||||
});
|
||||
gtk3-x11 = pkgs.gtk3.overrideAttrs
|
||||
(oldAttrs: rec { buildInputs = oldAttrs.buildInputs ++ [ pkgs.cmake ]; });
|
||||
|
||||
hll2380dw-cups = import ./hll2380dw-cups.nix {
|
||||
inherit (pkgs)
|
||||
|
@ -157,8 +156,8 @@ in {
|
|||
|
||||
doom-emacs-config = pkgs.fetchgit {
|
||||
url = "https://git.fudo.org/niten/doom-emacs.git";
|
||||
rev = "bc8224ec110e8a69a40d1521665884c4b14bb2b9";
|
||||
sha256 = "09j3sfdcfn0qi34qspvcmm201klai543i21zx8rixx9qcc40xm7q";
|
||||
rev = "c57d6712e358a9941b1de3508b104ffd38099a3a";
|
||||
sha256 = "1b2aw06irmv3xha6rhqlw3lmy6qxv281j4w91c8af0qsvhcq9g1y";
|
||||
};
|
||||
|
||||
vanilla-forum = import ./vanilla-forum.nix { pkgs = pkgs; };
|
||||
|
|