diff --git a/config/hosts/clunk.nix b/config/hosts/clunk.nix index 3be32ea..1e1d12a 100644 --- a/config/hosts/clunk.nix +++ b/config/hosts/clunk.nix @@ -89,7 +89,7 @@ in { auth.kdc = { enable = true; realm = "RUS.SELBY.CA"; - bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ]; + bind-addresses = [ "10.0.0.1" "127.0.0.1" "[::1]" ]; acl = { "niten" = { perms = [ "all" ]; }; "*/root" = { perms = [ "password" "list" ]; }; diff --git a/config/profiles/common.nix b/config/profiles/common.nix index b3aec76..9c02ad6 100644 --- a/config/profiles/common.nix +++ b/config/profiles/common.nix @@ -23,6 +23,8 @@ in { system.autoUpgrade.enable = true; krb5 = { + enable = true; + libdefaults = { allow_weak_crypto = false; dns_lookup_kdc = true; diff --git a/config/users.nix b/config/users.nix index 53a24d2..f5e77c3 100644 --- a/config/users.nix +++ b/config/users.nix @@ -13,7 +13,16 @@ "ssh-rsa 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 openpgp:0x4EC95B64" ]; home-directory = "/home/niten"; - home-manager-config = import ../home-manager/niten.nix { inherit config lib pkgs; }; + home-manager-config = + import ../home-manager/niten.nix { inherit config lib pkgs; }; + k5login = [ + "niten@FUDO.ORG" + "niten/root@FUDO.ORG" + "niten/admin@FUDO.ORG" + "niten@INFORMIS.LAND" + "niten/root@INFORMIS.LAND" + "niten/admin@INFORMIS.LAND" + ]; }; andrew = { @@ -96,6 +105,8 @@ login-hashed-passwd = "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/"; home-directory = "/home/reaper"; + k5login = + [ "reaper@FUDO.ORG" "reaper/root@FUDO.ORG" "reaper/admin@FUDO.ORG" ]; }; slickoil = { 
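Review bot: The bracketed `"[::1]"` on the new bind-addresses line only works because lib/fudo/kdc.nix (hunk @@ -92,13 in this diff) appends `:88`/`:749`/`:464` to each address verbatim, so every host config now has to know the library's formatting rule, and an unbracketed IPv6 address would silently yield an unparseable `::1:88`. The bracketing belongs in the library: in kdc.nix build the listen strings with something like `fmt = port: ip: if hasInfix ":" ip then "[${ip}]:${toString port}" else "${ip}:${toString port}";` and keep plain `"::1"` here, so the host config stays a list of addresses. The `auth.kdc` set continues outside the hunk.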
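Review bot: The new `k5login` list maps the privileged instances `niten/root@…` and `niten/admin@…` onto the plain `niten` login, which removes the separation those instances normally provide: a ticket for the `/admin` instance (which the kdc.nix default ACL in this diff grants full KDC administration) would then also give a shell as niten. Unless that is intended, keep only `"niten@FUDO.ORG"` and `"niten@INFORMIS.LAND"` here and reserve the `/admin` instance for kadmin; the `reaper` entry in the following hunk (@@ -96,6) has the same pattern. The INFORMIS.LAND entries only take effect once a cross-realm trust with FUDO.ORG exists, which nothing in this diff sets up, so a comment on where that trust is configured would help the next reader. The `niten` attribute set continues outside the hunk.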
@@ -452,5 +463,16 @@
 common-name = "Selby Forum";
 ldap-hashed-passwd = "{SSHA}f7eDNuwFXRhvants5cJJ/FGtkCKheY2Q";
 };
+
+ viator = {
+ uid = 10115;
+ primary-group = "informis";
+ common-name = "Viator";
+ home-manager-config =
+ import ../home-manager/niten.nix { inherit config lib pkgs; };
+ ldap-hashed-passwd = "{SSHA}dF/5NGkafL8M1kpa3LYZKdh0Pc7a02gA";
+ login-hashed-passwd =
+ "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
+ };
 };
 }
diff --git a/lib/fudo/kdc.nix b/lib/fudo/kdc.nix
index b387ae3..b27bf57 100644
--- a/lib/fudo/kdc.nix
+++ b/lib/fudo/kdc.nix
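Review bot: The new `viator` account reuses byte-for-byte the `login-hashed-passwd` value that `reaper` carries in the earlier hunk of this file (@@ -96,6), so the two accounts share a password — most likely a copy-paste of that entry, as the `home-manager-config` importing `../home-manager/niten.nix` also suggests. Give viator its own hash (e.g. from `mkpasswd -m sha-512`) or omit `login-hashed-passwd` if local password login is not wanted, and point `home-manager-config` at a viator-specific file. The `users` attribute set continues outside the hunk.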
@@ -4,48 +4,54 @@ with lib; let cfg = config.fudo.auth.kdc; + kerberos-database = "${cfg.state-directory}/kerberos.db"; + get-domain-hosts = domain: mapAttrsToList (host: hostOpts: "${host}.${domain}") (filterAttrs (host: hostOpts: hostOpts.domain == domain) config.fudo.hosts); - add-host-principals = realm: host: '' - ${pkgs.kerberos}/bin/kadmin.local addprinc -randkey host/${host} -r ${realm} - ${pkgs.kerberos}/bin/kadmin.local addprinc -randkey ssh/${host} -r ${realm} + add-host-principals = realm: db-name: host: '' + ${pkgs.krb5}/bin/kadmin.local -d ${db-name} addprinc -randkey host/${host} -r ${realm} + ${pkgs.krb5}/bin/kadmin.local -d ${db-name} addprinc -randkey ssh/${host} -r ${realm} ''; - initialize-db = realm: user: group: key-file: db-file: - let - domain = toLower realm; - hosts = get-domain-hosts domain; - in pkgs.writeShellScript "initialize-kdc-db.sh" '' - if [ ! -e ${db-file} ]; then - PWD=$(${pkgs.pwgen}/bin/pwgen -n1 -y 40) - ${pkgs.krb5}/bin/kdb5_util -r ${realm} -sf ${key-file} -d ${db-file} -P $PWD -m create -s - ${pkgs.coreutils}/bin/chown -R ${user}:${group} $(dirname ${db-file}) - ${concatStringsSep "\n" (map (add-host-principals realm) hosts)} + initialize-db = realm: kdc-conf: user: group: key-file: db-name: + pkgs.writeShellScript "initialize-kdc-db.sh" '' + if [ ! -e ${db-name} ]; then + KRB5_CONFIG=/etc/krb5.conf + KRB5_KDC_PROFILE=${kdc-conf} + PWD=$(${pkgs.pwgen}/bin/pwgen 40 1) + printf "$PWD\n$PWD\n$PWD\n" | ${pkgs.krb5}/bin/kdb5_util -r ${realm} -sf ${key-file} -d ${db-name} -m create -s + ${pkgs.coreutils}/bin/chown -R ${user}:${group} $(dirname ${db-name}) fi ''; - initialize-kadmin = realm: user: group: kadmin-keytab: host: - let domain = toLower realm; + initialize-kadmin = realm: db-name: user: group: kadmin-keytab: host: + let + domain = toLower realm; + hosts = get-domain-hosts domain; in pkgs.writeShellScript "initialize-kadmin.sh" '' if [ ! 
-e ${kadmin-keytab} ]; then - ${pkgs.krb5}/bin/kadmin.local addprinc -randkey kadmin/${host}.${domain} - ${pkgs.krb5}/bin/kadmin.local ktadd -k ${kadmin-keytab} kadmin/${host}.${domain} + # ${pkgs.krb5}/bin/kadmin.local -d ${db-name} addprinc -randkey kadmin/${host}.${domain} + # ${pkgs.krb5}/bin/kadmin.local -d ${db-name} ktadd -k ${kadmin-keytab} kadmin/${host}.${domain} # TODO: extract kadmin keytab + # ${ + concatStringsSep "\n" (map (add-host-principals realm db-name) hosts) + } fi ''; generate-kdc-conf = - realm: database: kdc-listen-ips: kadmind-port: acl-file: kadmin-keytab: key-stash-file: + realm: database: kdc-listen-addrs: kadmin-listen-addrs: kpasswd-listen-addrs: acl-file: kadmin-keytab: key-stash-file: pkgs.writeText "kdc.conf" '' [kdcdefaults] - kdc_listen = ${concatStringsSep "," kdc-listen-ips} - kdc_tcp_listen = ${concatStringsSep "," kdc-listen-ips} + kdc_listen = ${concatStringsSep "," kdc-listen-addrs} + kdc_tcp_listen = ${concatStringsSep "," kdc-listen-addrs} [realm] ${realm} = { - kadmind_port = ${toString kadmind-port} + kadmind_listen = ${concatStringsSep "," kadmin-listen-addrs} + kpasswd_listen = ${concatStringsSep "," kpasswd-listen-addrs} max_life = 24h 0m 0s max_renewable_life = 14d 0h 0m 0s acl_file = ${acl-file} @@ -58,6 +64,11 @@ let database_name = ${database} db_library = db2 } + + [logging] + kdc = SYSLOG + admin_server = SYSLOG + default = SYSLOG ''; perm-map = { 
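Review bot: The new `kadmind_listen`/`kpasswd_listen` lines go under the `[realm]` heading, but MIT Kerberos reads per-realm settings from `[realms]`; the profile library ignores unknown sections, so `acl_file`, `admin_keytab`, `database_name` and the listen addresses in that block fall back to the built-in defaults — consistent with kadmind only finding the database once a `[dbmodules]` entry was added to krb5.conf in hunk @@ -191,29, whose new `[realm]` block has the same problem, so both headings should read `[realms]`. In `initialize-db`, the generated master password is used as the `printf` format string (latent today, since `pwgen` without `-y` emits only alphanumerics, but fragile), the name `PWD` shadows the shell's working-directory variable, the two `KRB5_*` lines are plain assignments rather than exports and so only work because the unit's `environment` already sets them, and there is no `set -e`, so a failed `kdb5_util` still lets `chown` run and preStart exit 0. The rewrite below keeps the same interface and command line. The `let` block continues past this hunk.
```nix
  initialize-db = realm: kdc-conf: user: group: key-file: db-name:
    pkgs.writeShellScript "initialize-kdc-db.sh" ''
      set -euo pipefail
      if [ ! -e ${db-name} ]; then
        export KRB5_CONFIG=/etc/krb5.conf
        export KRB5_KDC_PROFILE=${kdc-conf}
        MASTER_PW="$(${pkgs.pwgen}/bin/pwgen 40 1)"
        printf '%s\n' "$MASTER_PW" "$MASTER_PW" "$MASTER_PW" | ${pkgs.krb5}/bin/kdb5_util -r ${realm} -sf ${key-file} -d ${db-name} -m create -s
        ${pkgs.coreutils}/bin/chown -R ${user}:${group} $(dirname ${db-name})
      fi
    '';
```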
@@ -92,13 +103,23 @@ let }; }; - kdc-acl-file = acl-entries: + generate-acl-file = acl-entries: pkgs.writeText "kdc.acl" (concatStringsSep "\n" (mapAttrsToList (principal: opts: "${principal} ${perms-to-permstring opts.perms}${ optionalString (opts.target != null) " ${opts.target}" }") acl-entries)); + acl-file = generate-acl-file cfg.acl; + + kdc-listen-addrs = map (ip: "${ip}:88") cfg.bind-addresses; + kadmin-listen-addrs = map (ip: "${ip}:749") cfg.bind-addresses; + kpasswd-listen-addrs = map (ip: "${ip}:464") cfg.bind-addresses; + + kdc-conf = generate-kdc-conf cfg.realm kerberos-database kdc-listen-addrs + kadmin-listen-addrs kpasswd-listen-addrs acl-file cfg.kadmin-keytab + cfg.master-key-file; + in { options.fudo.auth.kdc = with types; { @@ -112,7 +133,7 @@ in { acl = mkOption { type = attrsOf (submodule aclEntry); description = "Mapping of pricipals to a list of permissions."; - default = { }; + default = { "*/admin" = [ "all" ]; }; example = { "*/root" = [ "all" ]; "admin-user" = [ "add" "list" "modify" ]; @@ -143,30 +164,6 @@ in { default = "/var/kerberos"; }; - kdc-pid-file = mkOption { - type = str; - description = "PID file for the KDC server."; - default = "/var/run/kerberos-kdc.pid"; - }; - - kadmind-pid-file = mkOption { - type = str; - description = "PID file for the Kerberos admin server."; - default = "/var/run/kerberos-kadmin.pid"; - }; - - kadmind-internal-port = mkOption { - type = port; - description = "Local port on which to run kadmind."; - default = 7749; - }; - - kdc-internal-port = mkOption { - type = port; - description = "Local port on which to run kdc."; - default = 7088; - }; - master-key-file = mkOption { type = str; description = "File containing the master key for the realm."; 
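Review bot: The new default `{ "*/admin" = [ "all" ]; }` does not match the option's type `attrsOf (submodule aclEntry)`: `generate-acl-file` in this file reads `opts.perms` and `opts.target` from each entry, and config/hosts/clunk.nix writes entries as `{ perms = [ … ]; }`, so a bare list fails the submodule check as soon as a host relies on the default. It should be `default = { "*/admin" = { perms = [ "all" ]; }; };`, and the `example` two lines below has the same list shape and is worth fixing alongside it. Granting every `*/admin` principal full rights by default mirrors the stock MIT kadm5.acl, so the intent itself is fine; the `options.fudo.auth.kdc` set continues outside the hunk.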
@@ -191,29 +188,27 @@ in { groups.${cfg.group} = { members = [ cfg.user ]; }; }; - krb5.libdefaults = { default_realm = mkForce cfg.realm; }; + krb5 = { + libdefaults = { default_realm = mkDefault cfg.realm; }; + realms.${cfg.realm} = { key_stash_file = cfg.master-key-file; }; + extraConfig = mkAfter '' + [dbmodules] + ${cfg.realm} = { + database_name = ${kerberos-database} + } - environment = { systemPackages = [ pkgs.kerberos ]; }; + [realm] + ${cfg.realm} = { + kadmind_listen = ${concatStringsSep "," kadmin-listen-addrs} + kpasswd_listen = ${concatStringsSep "," kpasswd-listen-addrs} + acl_file = ${acl-file} + admin_keytab = ${cfg.kadmin-keytab} + key_stash_file = ${cfg.master-key-file} + } + ''; + }; - # services.xinitd = { - # enable = true; - # services = [ - # { - # name = "kdc"; - # unlisted = true; - # port = 88; - # server = "/usr/bin/env"; - # extraConfig = "redirect = localhost ${cfg.kdc-internal-port}"; - # } - # { - # name = "kadmin"; - # unlisted = true; - # port = 749; - # server = "/usr/bin/env"; - # extraConfig = "redirect = localhost ${cfg.kadmin-internal-port}"; - # } - # ]; - # }; + environment = { systemPackages = [ pkgs.kerberos pkgs.krb5 ]; }; fudo.system = { ensure-directories = { 
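Review bot: The realm settings written into /etc/krb5.conf through `extraConfig` (`kadmind_listen`, `kpasswd_listen`, `acl_file`, `admin_keytab`, `key_stash_file`) duplicate what `generate-kdc-conf` already emits into kdc.conf, and `key_stash_file` is set twice within this hunk alone — once via `realms.${cfg.realm}` and once in the heredoc. Both units already point `KRB5_KDC_PROFILE` at that kdc.conf, so keeping the KDC-only keys there and leaving krb5.conf with `realms.${cfg.realm}.key_stash_file` plus the `[dbmodules]` block avoids two sources of truth for the same values (the section-name problem in this block is raised on the first kdc.nix hunk). The enclosing `config` block starts outside the hunk.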
@@ -222,40 +217,27 @@ in { group = cfg.group; perms = "0740"; }; - }; - - internal-port-map = { - kdc = { - internal-port = cfg.kdc-internal-port; - external-port = 88; + "/run/mit-kdc" = { + user = cfg.user; + group = cfg.group; + perms = "0744"; }; - kadmin = { - internal-port = cfg.kadmind-internal-port; - external-port = 749; + "/run/mit-kadmin" = { + user = cfg.user; + group = cfg.group; + perms = "0744"; }; }; - services = let - kerberos-database = "${cfg.state-directory}/kerberos.db"; - acl-file = kdc-acl-file cfg.acl; - kdc-listen-addrs = map (ip: "${ip}:${toString cfg.kdc-internal-port}") [ - "127.0.0.1" - "::1" - ]; - - kdc-conf = - generate-kdc-conf cfg.realm kerberos-database kdc-listen-addrs - cfg.kadmind-internal-port acl-file cfg.kadmin-keytab - cfg.master-key-file; - - in { + services = { mit-kdc = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; type = "forking"; description = "MIT Kerberos Key Distribution Center (ticket server)."; execStart = - "${pkgs.krb5}/bin/krb5kdc -r ${cfg.realm} -d ${kerberos-database} -P ${cfg.kdc-pid-file} -M ${cfg.master-key-file}"; + "${pkgs.krb5}/bin/krb5kdc -r ${cfg.realm} -d ${kerberos-database} -P /run/mit-kdc/mit-kdc.pid"; + readWritePaths = [ "/run/mit-kdc" ]; environment = { KRB5_CONFIG = "/etc/krb5.conf"; KRB5_KDC_PROFILE = "${kdc-conf}"; @@ -263,9 +245,11 @@ in { user = cfg.user; group = cfg.group; workingDirectory = cfg.state-directory; - preStart = - "${initialize-db cfg.realm cfg.user cfg.group cfg.master-key-file - kerberos-database}"; + preStart = "${initialize-db cfg.realm kdc-conf cfg.user cfg.group + cfg.master-key-file kerberos-database}"; + privateNetwork = false; + addressFamilies = [ "AF_INET" "AF_INET6" ]; + requiredCapabilities = [ "CAP_NET_BIND_SERVICE+ep" ]; }; mit-kadmin = { 
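Review bot: `/run/mit-kdc` is pre-created through `fudo.system.ensure-directories` with mode `0744` and then opened up again with `readWritePaths`, while this same diff adds a `runtimeDirectory` option to lib/fudo/system.nix that maps to systemd's `RuntimeDirectory=`. Setting `runtimeDirectory = "mit-kdc";` on the service lets systemd create `/run/mit-kdc` owned by `cfg.user`, remove it on stop and keep it writable under `ProtectSystem=strict` without a `ReadWritePaths` exception, so both `/run/mit-*` entries in `ensure-directories` and both `readWritePaths` lines can go (the kadmin unit in hunk @@ -274,7 has the same pattern). Note also that `0744` on a directory leaves the search bit off for group and others, which is harmless for the owner but probably not what was meant. The `fudo.system` block starts before this hunk.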
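Review bot: `requiredCapabilities = [ "CAP_NET_BIND_SERVICE+ep" ]` uses the cap_from_text flag suffix, whereas the kadmin unit in hunk @@ -282,9 passes the bare `"CAP_NET_BIND_SERVICE"`; lib/fudo/system.nix feeds this list to `CapabilityBoundingSet=` through `restrict-capabilities`, which expects plain capability names, so the `+ep` form is likely dropped or rejected there. Use the bare name here too — `requiredCapabilities = [ "CAP_NET_BIND_SERVICE" ];` — and keep the flag syntax out of the option entirely (how the capability is actually granted is raised on the system.nix hunk @@ -473,9). The `mit-kdc` service definition starts before this hunk.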
@@ -274,7 +258,8 @@ in { requires = [ "mit-kdc.service" ]; description = "MIT Kerberos Remote Administration Server."; execStart = - "${pkgs.kerberos}/bin/kadmind -r ${cfg.realm} -P ${cfg.kadmind-pid-file}"; + "${pkgs.krb5}/bin/kadmind -r ${cfg.realm} -P /run/mit-kadmin/mit-kadmin.pid"; + readWritePaths = [ "/run/mit-kadmin" ]; environment = { KRB5_CONFIG = "/etc/krb5.conf"; KRB5_KDC_PROFILE = "${kdc-conf}"; @@ -282,9 +267,12 @@ in { user = cfg.user; group = cfg.group; workingDirectory = cfg.state-directory; - preStart = - "${initialize-kadmin cfg.realm cfg.user cfg.group cfg.kadmin-keytab - config.networking.hostName}"; + privateNetwork = false; + # postStart = + # "${initialize-kadmin cfg.realm kerberos-database cfg.user cfg.group + # cfg.kadmin-keytab config.networking.hostName}"; + addressFamilies = [ "AF_INET" "AF_INET6" ]; + requiredCapabilities = [ "CAP_NET_BIND_SERVICE" ]; }; }; }; diff --git a/lib/fudo/system.nix b/lib/fudo/system.nix index 76d71a9..025a515 100644 --- a/lib/fudo/system.nix +++ b/lib/fudo/system.nix @@ -155,7 +155,7 @@ let description = "Command to run to launch the service."; }; protectSystem = mkOption { - type = enum [ "true" "false" "full" "strict" ]; + type = enum [ "true" "false" "full" "strict" true false ]; default = "full"; description = "Level of protection to apply to the system for this service."; 
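Review bot: Widening `protectSystem` to `enum [ "true" "false" "full" "strict" true false ]` mixes Nix booleans with their string spellings in one enum, so the option now accepts six values for four settings and the description gives no hint that both forms work. `type = either bool (enum [ "true" "false" "full" "strict" ]);` expresses the same thing with the type system doing the work, and the description could note that booleans render as `true`/`false` in the unit. The surrounding option block continues outside the hunk.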
@@ -230,6 +230,54 @@ let
 "Schedule on which the job should be invoked. See: man systemd.time(7).";
 default = null;
 };
+ runtimeDirectory = mkOption {
+ type = nullOr str;
+ description =
+ "Directory created at runtime with perms for the service to read/write.";
+ default = null;
+ };
+ readWritePaths = mkOption {
+ type = listOf str;
+ description =
+ "A list of paths to which the service will be allowed normal access, even if ProtectSystem=strict.";
+ default = [ ];
+ };
+ stateDirectory = mkOption {
+ type = nullOr str;
+ description =
+ "State directory for the service, available via STATE_DIRECTORY.";
+ default = null;
+ };
+ cacheDirectory = mkOption {
+ type = nullOr str;
+ description =
+ "Cache directory for the service, available via CACHE_DIRECTORY.";
+ default = null;
+ };
+ inaccessiblePaths = mkOption {
+ type = listOf str;
+ description =
+ "A list of paths which should be inaccessible to the service.";
+ default = [ "/home" "/root" ];
+ };
+ noExecPaths = mkOption {
+ type = listOf str;
+ description =
+ "A list of paths where the service will not be allowed to run executables.";
+ default = [ "/home" "/root" "/tmp" "/var" ];
+ };
+ readOnlyPaths = mkOption {
+ type = listOf str;
+ description =
+ "A list of paths to which will be read-only for the service.";
+ default = [ ];
+ };
+ execPaths = mkOption {
+ type = listOf str;
+ description =
+ "A list of paths where the service WILL be allowed to run executables.";
+ default = [ ];
+ };
 };
 };
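Review bot: The descriptions of the new `runtimeDirectory`, `stateDirectory` and `cacheDirectory` options read as if they take absolute paths, but their values are forwarded unchanged to systemd's `RuntimeDirectory=`, `StateDirectory=` and `CacheDirectory=` (hunk @@ -493,12 in this file), which take names relative to /run, /var/lib and /var/cache and reject absolute paths. Say so in each description, e.g. `"Name of a directory under /run (RuntimeDirectory=) that systemd creates for the service, owned by its user, and removes on stop."`, with the matching wording for the other two. The `inaccessiblePaths` and `noExecPaths` defaults (`/home`, `/root`, `/tmp`, `/var`) apply to every fudo service, including ones whose working directory lives under /var, so the descriptions should state that a service needing those trees must override the default, and that `NoExecPaths=`/`ExecPaths=` require a recent systemd (v247 or later, if I recall correctly). `readOnlyPaths` has a stray "to which" in its description (`"A list of paths which will be read-only for the service."`). The enclosing submodule continues outside the hunk.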
@@ -387,42 +435,44 @@ in { }; config = { - # systemd.slices = mapAttrs (name: opts: { - # sliceConfig = { - # IpAddressAllow = opts.networkWhitelist; - # IpAddressDeny = "any"; - # }; - # }) (filterAttrs (name: opts: opts.networkWhitelist != null) cfg.services); + # boot.kernel.sysctl = mkIf (cfg.internal-port-map != { }) { + # "net.ipv4.conf.all.route_localhost" = "1"; + # }; - boot.kernel.sysctl = mkIf (cfg.internal-port-map != { }) { - "net.ipv4.conf.all.route_localhost" = "1"; - }; + # networking.firewall = let + # ip-forward-line = protocols: internal: external: + # concatStringsSep "\n" (map (protocol: + # "${pkgs.iptables}/bin/iptables -t nat -I PREROUTING -p ${protocol} --dport ${ + # toString external + # } -j DNAT --to 127.0.0.1:${toString internal}") protocols); - networking.firewall = let - ip-forward-line = protocols: internal: external: - concatStringsSep "\n" (map (protocol: - "${pkgs.iptables}/bin/iptables -t nat -I PREROUTING -p ${protocol} --dport ${ - toString external - } -j DNAT --to 127.0.0.1:${toString internal}") protocols); + # ip-unforward-line = protocols: internal: external: + # concatStringsSep "\n" (map (protocol: + # "${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -p ${protocol} --dport ${ + # toString external + # } -j DNAT --to 127.0.0.1:${toString internal} || true") protocols); - ip-unforward-line = protocols: internal: external: - concatStringsSep "\n" (map (protocol: - "${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -p ${protocol} --dport ${ - toString external - } -j DNAT --to 127.0.0.1:${toString internal} || true") protocols); + # protocol-list = protocol: + # if (protocol == null) then [ "tcp" "udp" ] else [ protocol ]; + # in { + # extraCommands = concatStringsSep "\n" (mapAttrsToList (name: opts: + # ip-forward-line (protocol-list opts.protocol) opts.internal-port + # opts.external-port) cfg.internal-port-map); - protocol-list = protocol: - if (protocol == null) then [ "tcp" "udp" ] else [ protocol ]; - in { - 
extraCommands = mkAfter (concatStringsSep "\n" (mapAttrsToList - (name: opts: - ip-forward-line (protocol-list opts.protocol) opts.internal-port - opts.external-port) cfg.internal-port-map)); + # extraStopCommands = concatStringsSep "\n" (mapAttrsToList (name: opts: + # ip-unforward-line (protocol-list opts.protocol) opts.internal-port + # opts.external-port) cfg.internal-port-map); + # }; - extraStopCommands = mkAfter (concatStringsSep "\n" (mapAttrsToList - (name: opts: - ip-unforward-line (protocol-list opts.protocol) opts.internal-port - opts.external-port) cfg.internal-port-map)); + services.xinetd = { + enable = true; + services = mapAttrsToList (name: opts: { + name = name; + unlisted = true; + port = opts.external-port; + server = "${pkgs.coreutils}/bin/false"; + extraConfig = "redirect = localhost ${toString opts.internal-port}"; + }) cfg.internal-port-map; }; systemd.timers = mapAttrs (name: opts: { @@ -473,9 +523,13 @@ in { ProtectKernelLogs = opts.protectKernelLogs; KeyringMode = opts.keyringMode; EnvironmentFile = opts.environment-file; + # This is more complicated than it looks... CapabilityBoundingSet = restrict-capabilities opts.requiredCapabilities; - DynamicUser = opts.dynamicUser; + Capabilities = opts.requiredCapabilities; + SecureBits = mkIf ((length opts.requiredCapabilities) > 0) "keep-caps"; + + DynamicUser = mkIf (opts.user == null) opts.dynamicUser; Restart = opts.restartWhen; WorkingDirectory = mkIf (opts.workingDirectory != null) opts.workingDirectory; 
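Review bot: `services.xinetd.enable = true` is set unconditionally, so every host importing this module now runs xinetd even when `cfg.internal-port-map` is empty (the sysctl it replaces was guarded by `mkIf (cfg.internal-port-map != { })`); make it `enable = cfg.internal-port-map != { };`. The xinetd `redirect` directive only forwards TCP, whereas the replaced iptables rules honoured `opts.protocol` and defaulted to both tcp and udp, so any UDP entry in the map is silently no longer forwarded; either pass `protocol = opts.protocol` into the xinetd service where it is set and document that UDP is unsupported, or assert in the map's type that only TCP entries are allowed. The top-level `config` set continues outside the hunk.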
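Review bot: `Capabilities = opts.requiredCapabilities` together with `SecureBits = "keep-caps"` relies on the legacy `Capabilities=` service directive, which is no longer present in current systemd.exec(5) (removed some releases ago, as far as I recall); on such a systemd the key is ignored with a warning and a `User=` unit such as mit-kdc in this diff cannot bind port 88. The supported way to grant a capability to a non-root service is `AmbientCapabilities = opts.requiredCapabilities;` — bare capability names, which is also why the `+ep` suffix in kdc.nix hunk @@ -263,9 needs to go — and `SecureBits=` can be dropped with it. The comment `# This is more complicated than it looks...` would be more useful if it said what the complication is. The rendered `serviceConfig` set continues outside the hunk.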
@@ -493,12 +547,20 @@ in {
 MemoryDenyWriteExecute = opts.memoryDenyWriteExecute;
 SystemCallFilter = restrict-syscalls opts.allowedSyscalls;
 UMask = opts.maximumUmask;
- IpAddressAllow = mkIf (opts.networkWhitelist != null) opts.networkWhitelist;
 IpAddressDeny = mkIf (opts.networkWhitelist != null) "any";
 LimitNOFILE = "49152";
 PermissionsStartOnly = opts.startOnlyPerms;
+ RuntimeDirectory =
+ mkIf (opts.runtimeDirectory != null) opts.runtimeDirectory;
+ CacheDirectory = mkIf (opts.cacheDirectory != null) opts.cacheDirectory;
+ StateDirectory = mkIf (opts.stateDirectory != null) opts.stateDirectory;
+ ReadWritePaths = opts.readWritePaths;
+ ReadOnlyPaths = opts.readOnlyPaths;
+ InaccessiblePaths = opts.inaccessiblePaths;
+ NoExecPaths = opts.noExecPaths;
+ ExecPaths = opts.execPaths;
 };
 }) config.fudo.system.services;
 };
diff --git a/lib/fudo/users.nix b/lib/fudo/users.nix
index d12160d..92d23bc 100644
--- a/lib/fudo/users.nix
+++ b/lib/fudo/users.nix
@@ -86,7 +86,13 @@ let
 home-directory = mkOption {
 type = with types; nullOr str;
 description = "Default home directory for the given user.";
- default = null;
+ default = null;
+ };
+
+ k5login = mkOption {
+ type = listOf str;
+ description = "List of Kerberos principals that map to this user.";
+ default = [ ];
 };
 };
 };
@@ -151,7 +157,8 @@ in {
 host-user-list = config.fudo.hosts."${local-host}".local-users;
 domain-user-list = config.fudo.domains."${local-domain}".local-users;
- local-users = getAttrs (host-user-list ++ domain-user-list) config.fudo.users;
+ local-users =
+ getAttrs (host-user-list ++ domain-user-list) config.fudo.users;
 host-admin-list = config.fudo.hosts."${local-host}".local-admins;
 domain-admin-list = config.fudo.domains."${local-domain}".local-admins;
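Review bot: Removing the `IpAddressAllow` line while keeping `IpAddressDeny = mkIf (opts.networkWhitelist != null) "any"` turns `networkWhitelist` from an allow-list into a total block: a service that sets it now gets `IpAddressDeny=any` with no matching allow rule, so all of its socket traffic is refused (unless the allow list is applied somewhere this diff does not show, such as a slice). Restore `IpAddressAllow = mkIf (opts.networkWhitelist != null) opts.networkWhitelist;` next to the deny line, or move both settings together to wherever the allow list is meant to live. The `serviceConfig` set starts before this hunk.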
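Review bot: The new `k5login` option is declared but, as far as the hunks show, nothing consumes it — the remaining hunks of this file only reflow existing code, the `users.users` definitions in hunk @@ -195,7 do not read `userOpts.k5login`, and lib/fudo/kdc.nix does not either — so the lists added in config/users.nix (hunks @@ -13,7 and @@ -96,6) currently have no effect while a reader would assume a `~/.k5login` or `auth_to_local` mapping is in place. Until the consumer lands, mark it on the option, e.g. `# NOTE: not yet wired to ~/.k5login or krb5 auth_to_local; see TODO` after the description. When it is wired up, the generated `.k5login` must be owned by the user and not group/world-writable, since MIT refuses to honour it otherwise. The user submodule continues outside the hunk.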
@@ -161,12 +168,15 @@ in {
 host-group-list = config.fudo.hosts."${local-host}".local-groups;
 domain-group-list = config.fudo.domains."${local-domain}".local-groups;
 site-group-list = config.fudo.sites."${local-site}".local-groups;
- local-groups = getAttrs (host-group-list ++ domain-group-list ++ site-group-list) config.fudo.groups;
+ local-groups =
+ getAttrs (host-group-list ++ domain-group-list ++ site-group-list)
+ config.fudo.groups;
 in {
 fudo.auth.ldap-server = let
 ldapUsers = (filterAttrs
- (username: userOpts: userOpts.ldap-hashed-password != null)) config.fudo.users;
+ (username: userOpts: userOpts.ldap-hashed-password != null))
+ config.fudo.users;
 in {
 users = mapAttrs (username: userOpts: {
@@ -195,7 +205,10 @@ in {
 createHome = true;
 description = userOpts.common-name;
 group = userOpts.primary-group;
- home = if (userOpts.home-directory != null) then userOpts.home-directory else "/home/${userOpts.primary-group}/${username}";
+ home = if (userOpts.home-directory != null) then
+ userOpts.home-directory
+ else
+ "/home/${userOpts.primary-group}/${username}";
 hashedPassword = userOpts.login-hashed-passwd;
 openssh.authorizedKeys.keys = userOpts.ssh-authorized-keys;
 }) local-users;
@@ -203,11 +216,8 @@ in {
 groups = (mapAttrs (groupname: groupOpts: {
 gid = groupOpts.gid;
 members = filterExistingUsers local-users groupOpts.members;
- }) local-groups) //
- {
- wheel = {
- members = local-admins;
- };
+ }) local-groups) // {
+ wheel = { members = local-admins; };
 };
 };
diff --git a/packages/default.nix b/packages/default.nix
index a5af867..424e772 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -66,9 +66,8 @@ in {
 buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
 });
- gtk3-x11 = pkgs.gtk3.overrideAttrs (oldAttrs: rec {
- buildInputs = oldAttrs.buildInputs ++ [ pkgs.cmake ];
- });
+ gtk3-x11 = pkgs.gtk3.overrideAttrs
+ (oldAttrs: rec { buildInputs = oldAttrs.buildInputs ++ [ pkgs.cmake ]; });
 hll2380dw-cups = import ./hll2380dw-cups.nix {
 inherit (pkgs)
@@ -157,8 +156,8 @@ in {
 doom-emacs-config = pkgs.fetchgit {
 url = "https://git.fudo.org/niten/doom-emacs.git";
- rev = "bc8224ec110e8a69a40d1521665884c4b14bb2b9";
- sha256 = "09j3sfdcfn0qi34qspvcmm201klai543i21zx8rixx9qcc40xm7q";
+ rev = "c57d6712e358a9941b1de3508b104ffd38099a3a";
+ sha256 = "1b2aw06irmv3xha6rhqlw3lmy6qxv281j4w91c8af0qsvhcq9g1y";
 };
 vanilla-forum = import ./vanilla-forum.nix { pkgs = pkgs; };