ARG FUCKING MIT KPASSWD WAT

This commit is contained in:
Niten 2021-03-15 19:39:57 +00:00
parent 9f7ab64d09
commit 945312e94e
7 changed files with 233 additions and 150 deletions


@ -89,7 +89,7 @@ in {
auth.kdc = { auth.kdc = {
enable = true; enable = true;
realm = "RUS.SELBY.CA"; realm = "RUS.SELBY.CA";
bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ]; bind-addresses = [ "10.0.0.1" "127.0.0.1" "[::1]" ];
acl = { acl = {
"niten" = { perms = [ "all" ]; }; "niten" = { perms = [ "all" ]; };
"*/root" = { perms = [ "password" "list" ]; }; "*/root" = { perms = [ "password" "list" ]; };
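Review bot: Hand-bracketing `::1` as `"[::1]"` in `bind-addresses` works only because the kdc module appends `:88`, `:749` and `:464` to each entry verbatim, which makes an implicit contract of the option: IPv4 literals must be bare and IPv6 literals must already be bracketed. Either the module should add the brackets itself when an entry contains `:`, or the option description should say so, e.g. `description = "Addresses the KDC, kadmind and kpasswd listen on; IPv6 literals must be written as [addr].";`.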


@ -23,6 +23,8 @@ in {
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
krb5 = { krb5 = {
enable = true;
libdefaults = { libdefaults = {
allow_weak_crypto = false; allow_weak_crypto = false;
dns_lookup_kdc = true; dns_lookup_kdc = true;


@ -13,7 +13,16 @@
"ssh-rsa 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 openpgp:0x4EC95B64" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDoWkjyeIfgwm0b78weToVYOQSD0RQ0qbNzpsN5NokbIFv2/980kLtnYrQEgIJ/JwMLlT3uJYacbCT5/a6Fb8oLxNpj0AF1EKaWZ3Rrlg72Sq+9SEwJwWWmZizX83sovMwUBMaUp6jWLhAhPpzBW5pfc5YWoc89wxGbELSwzgt5EgHbSJgvDnaHSp3fVaY01wfDXbL/oO160iNe7wv2HLMZu/FkWBkIjz6HmoGJJzYM89bUpHbyYG28lmCHB/8UPog5/BsjOn3/qupgf4zh6mMdMsXLvbR2jVwVjxcEMj9N5nCvc+Y3oi7Mij6VNrWbhkaAJMEzeMhWYrF3/pFQxUqG37aK3d0gw9kp5tMDLIlAPX4y1lfA87pIzoa0+Alql0CJQA1IJvp9SFG7lBmSthWQLmZvwwfoGg/ZjF6rOgsVoZ8TizpQnydWJDr6NboU9LL9Oa64OM5Rs0AU3cR2UbOF4QIcWFJ/7oDe3dOnfZ8QYqx9eXJyxoAUpDanaaTHYBiAKkeOBwQU+MVLKCcONKw9FZclf/1TpDB5b3/JeUFANjHQTv0UXA4YYU7iCx6H7XB4qwwtU9O19CGQYYfCfULX12/fRpYJw6VJaQWyyU4Bn5dk/dcB2nGI36jwbLMfhbUTIApujioAnd/GQIMakHEZ1+syPhMx9BxMkZb99B0A1Q== openpgp:0x4EC95B64"
]; ];
home-directory = "/home/niten"; home-directory = "/home/niten";
home-manager-config = import ../home-manager/niten.nix { inherit config lib pkgs; }; home-manager-config =
import ../home-manager/niten.nix { inherit config lib pkgs; };
k5login = [
"niten@FUDO.ORG"
"niten/root@FUDO.ORG"
"niten/admin@FUDO.ORG"
"niten@INFORMIS.LAND"
"niten/root@INFORMIS.LAND"
"niten/admin@INFORMIS.LAND"
];
}; };
andrew = { andrew = {
@ -96,6 +105,8 @@
login-hashed-passwd = login-hashed-passwd =
"$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/"; "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
home-directory = "/home/reaper"; home-directory = "/home/reaper";
k5login =
[ "reaper@FUDO.ORG" "reaper/root@FUDO.ORG" "reaper/admin@FUDO.ORG" ];
}; };
slickoil = { slickoil = {
@ -452,5 +463,16 @@
common-name = "Selby Forum"; common-name = "Selby Forum";
ldap-hashed-passwd = "{SSHA}f7eDNuwFXRhvants5cJJ/FGtkCKheY2Q"; ldap-hashed-passwd = "{SSHA}f7eDNuwFXRhvants5cJJ/FGtkCKheY2Q";
}; };
viator = {
uid = 10115;
primary-group = "informis";
common-name = "Viator";
home-manager-config =
import ../home-manager/niten.nix { inherit config lib pkgs; };
ldap-hashed-passwd = "{SSHA}dF/5NGkafL8M1kpa3LYZKdh0Pc7a02gA";
login-hashed-passwd =
"$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
};
}; };
} }
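Review bot: The new `viator` user's `login-hashed-passwd` is byte-identical to `reaper`'s (the same `$6$a1q2Duoe35hd5$…` salt and hash appear at the `reaper` entry and in the new block), so the two accounts share one password and compromise of either credential is compromise of both; the duplication is also visible to anyone who can read this repository. `viator` should get its own independently generated hash. The `home-manager-config = import ../home-manager/niten.nix …` line under `viator` also looks like a copy-paste from `niten` rather than an intended shared profile; worth confirming before it lands.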


@ -4,48 +4,54 @@ with lib;
let let
cfg = config.fudo.auth.kdc; cfg = config.fudo.auth.kdc;
kerberos-database = "${cfg.state-directory}/kerberos.db";
get-domain-hosts = domain: get-domain-hosts = domain:
mapAttrsToList (host: hostOpts: "${host}.${domain}") mapAttrsToList (host: hostOpts: "${host}.${domain}")
(filterAttrs (host: hostOpts: hostOpts.domain == domain) config.fudo.hosts); (filterAttrs (host: hostOpts: hostOpts.domain == domain) config.fudo.hosts);
add-host-principals = realm: host: '' add-host-principals = realm: db-name: host: ''
${pkgs.kerberos}/bin/kadmin.local addprinc -randkey host/${host} -r ${realm} ${pkgs.krb5}/bin/kadmin.local -d ${db-name} addprinc -randkey host/${host} -r ${realm}
${pkgs.kerberos}/bin/kadmin.local addprinc -randkey ssh/${host} -r ${realm} ${pkgs.krb5}/bin/kadmin.local -d ${db-name} addprinc -randkey ssh/${host} -r ${realm}
''; '';
initialize-db = realm: user: group: key-file: db-file: initialize-db = realm: kdc-conf: user: group: key-file: db-name:
let pkgs.writeShellScript "initialize-kdc-db.sh" ''
domain = toLower realm; if [ ! -e ${db-name} ]; then
hosts = get-domain-hosts domain; KRB5_CONFIG=/etc/krb5.conf
in pkgs.writeShellScript "initialize-kdc-db.sh" '' KRB5_KDC_PROFILE=${kdc-conf}
if [ ! -e ${db-file} ]; then PWD=$(${pkgs.pwgen}/bin/pwgen 40 1)
PWD=$(${pkgs.pwgen}/bin/pwgen -n1 -y 40) printf "$PWD\n$PWD\n$PWD\n" | ${pkgs.krb5}/bin/kdb5_util -r ${realm} -sf ${key-file} -d ${db-name} -m create -s
${pkgs.krb5}/bin/kdb5_util -r ${realm} -sf ${key-file} -d ${db-file} -P $PWD -m create -s ${pkgs.coreutils}/bin/chown -R ${user}:${group} $(dirname ${db-name})
${pkgs.coreutils}/bin/chown -R ${user}:${group} $(dirname ${db-file})
${concatStringsSep "\n" (map (add-host-principals realm) hosts)}
fi fi
''; '';
initialize-kadmin = realm: user: group: kadmin-keytab: host: initialize-kadmin = realm: db-name: user: group: kadmin-keytab: host:
let domain = toLower realm; let
domain = toLower realm;
hosts = get-domain-hosts domain;
in pkgs.writeShellScript "initialize-kadmin.sh" '' in pkgs.writeShellScript "initialize-kadmin.sh" ''
if [ ! -e ${kadmin-keytab} ]; then if [ ! -e ${kadmin-keytab} ]; then
${pkgs.krb5}/bin/kadmin.local addprinc -randkey kadmin/${host}.${domain} # ${pkgs.krb5}/bin/kadmin.local -d ${db-name} addprinc -randkey kadmin/${host}.${domain}
${pkgs.krb5}/bin/kadmin.local ktadd -k ${kadmin-keytab} kadmin/${host}.${domain} # ${pkgs.krb5}/bin/kadmin.local -d ${db-name} ktadd -k ${kadmin-keytab} kadmin/${host}.${domain}
# TODO: extract kadmin keytab # TODO: extract kadmin keytab
# ${
concatStringsSep "\n" (map (add-host-principals realm db-name) hosts)
}
fi fi
''; '';
generate-kdc-conf = generate-kdc-conf =
realm: database: kdc-listen-ips: kadmind-port: acl-file: kadmin-keytab: key-stash-file: realm: database: kdc-listen-addrs: kadmin-listen-addrs: kpasswd-listen-addrs: acl-file: kadmin-keytab: key-stash-file:
pkgs.writeText "kdc.conf" '' pkgs.writeText "kdc.conf" ''
[kdcdefaults] [kdcdefaults]
kdc_listen = ${concatStringsSep "," kdc-listen-ips} kdc_listen = ${concatStringsSep "," kdc-listen-addrs}
kdc_tcp_listen = ${concatStringsSep "," kdc-listen-ips} kdc_tcp_listen = ${concatStringsSep "," kdc-listen-addrs}
[realm] [realm]
${realm} = { ${realm} = {
kadmind_port = ${toString kadmind-port} kadmind_listen = ${concatStringsSep "," kadmin-listen-addrs}
kpasswd_listen = ${concatStringsSep "," kpasswd-listen-addrs}
max_life = 24h 0m 0s max_life = 24h 0m 0s
max_renewable_life = 14d 0h 0m 0s max_renewable_life = 14d 0h 0m 0s
acl_file = ${acl-file} acl_file = ${acl-file}
@ -58,6 +64,11 @@ let
database_name = ${database} database_name = ${database}
db_library = db2 db_library = db2
} }
[logging]
kdc = SYSLOG
admin_server = SYSLOG
default = SYSLOG
''; '';
perm-map = { perm-map = {
@ -92,13 +103,23 @@ let
}; };
}; };
kdc-acl-file = acl-entries: generate-acl-file = acl-entries:
pkgs.writeText "kdc.acl" (concatStringsSep "\n" (mapAttrsToList pkgs.writeText "kdc.acl" (concatStringsSep "\n" (mapAttrsToList
(principal: opts: (principal: opts:
"${principal} ${perms-to-permstring opts.perms}${ "${principal} ${perms-to-permstring opts.perms}${
optionalString (opts.target != null) " ${opts.target}" optionalString (opts.target != null) " ${opts.target}"
}") acl-entries)); }") acl-entries));
acl-file = generate-acl-file cfg.acl;
kdc-listen-addrs = map (ip: "${ip}:88") cfg.bind-addresses;
kadmin-listen-addrs = map (ip: "${ip}:749") cfg.bind-addresses;
kpasswd-listen-addrs = map (ip: "${ip}:464") cfg.bind-addresses;
kdc-conf = generate-kdc-conf cfg.realm kerberos-database kdc-listen-addrs
kadmin-listen-addrs kpasswd-listen-addrs acl-file cfg.kadmin-keytab
cfg.master-key-file;
in { in {
options.fudo.auth.kdc = with types; { options.fudo.auth.kdc = with types; {
@ -112,7 +133,7 @@ in {
acl = mkOption { acl = mkOption {
type = attrsOf (submodule aclEntry); type = attrsOf (submodule aclEntry);
description = "Mapping of pricipals to a list of permissions."; description = "Mapping of pricipals to a list of permissions.";
default = { }; default = { "*/admin" = [ "all" ]; };
example = { example = {
"*/root" = [ "all" ]; "*/root" = [ "all" ];
"admin-user" = [ "add" "list" "modify" ]; "admin-user" = [ "add" "list" "modify" ];
@ -143,30 +164,6 @@ in {
default = "/var/kerberos"; default = "/var/kerberos";
}; };
kdc-pid-file = mkOption {
type = str;
description = "PID file for the KDC server.";
default = "/var/run/kerberos-kdc.pid";
};
kadmind-pid-file = mkOption {
type = str;
description = "PID file for the Kerberos admin server.";
default = "/var/run/kerberos-kadmin.pid";
};
kadmind-internal-port = mkOption {
type = port;
description = "Local port on which to run kadmind.";
default = 7749;
};
kdc-internal-port = mkOption {
type = port;
description = "Local port on which to run kdc.";
default = 7088;
};
master-key-file = mkOption { master-key-file = mkOption {
type = str; type = str;
description = "File containing the master key for the realm."; description = "File containing the master key for the realm.";
@ -191,29 +188,27 @@ in {
groups.${cfg.group} = { members = [ cfg.user ]; }; groups.${cfg.group} = { members = [ cfg.user ]; };
}; };
krb5.libdefaults = { default_realm = mkForce cfg.realm; }; krb5 = {
libdefaults = { default_realm = mkDefault cfg.realm; };
realms.${cfg.realm} = { key_stash_file = cfg.master-key-file; };
extraConfig = mkAfter ''
[dbmodules]
${cfg.realm} = {
database_name = ${kerberos-database}
}
environment = { systemPackages = [ pkgs.kerberos ]; }; [realm]
${cfg.realm} = {
kadmind_listen = ${concatStringsSep "," kadmin-listen-addrs}
kpasswd_listen = ${concatStringsSep "," kpasswd-listen-addrs}
acl_file = ${acl-file}
admin_keytab = ${cfg.kadmin-keytab}
key_stash_file = ${cfg.master-key-file}
}
'';
};
# services.xinitd = { environment = { systemPackages = [ pkgs.kerberos pkgs.krb5 ]; };
# enable = true;
# services = [
# {
# name = "kdc";
# unlisted = true;
# port = 88;
# server = "/usr/bin/env";
# extraConfig = "redirect = localhost ${cfg.kdc-internal-port}";
# }
# {
# name = "kadmin";
# unlisted = true;
# port = 749;
# server = "/usr/bin/env";
# extraConfig = "redirect = localhost ${cfg.kadmin-internal-port}";
# }
# ];
# };
fudo.system = { fudo.system = {
ensure-directories = { ensure-directories = {
@ -222,40 +217,27 @@ in {
group = cfg.group; group = cfg.group;
perms = "0740"; perms = "0740";
}; };
}; "/run/mit-kdc" = {
user = cfg.user;
internal-port-map = { group = cfg.group;
kdc = { perms = "0744";
internal-port = cfg.kdc-internal-port;
external-port = 88;
}; };
kadmin = { "/run/mit-kadmin" = {
internal-port = cfg.kadmind-internal-port; user = cfg.user;
external-port = 749; group = cfg.group;
perms = "0744";
}; };
}; };
services = let services = {
kerberos-database = "${cfg.state-directory}/kerberos.db";
acl-file = kdc-acl-file cfg.acl;
kdc-listen-addrs = map (ip: "${ip}:${toString cfg.kdc-internal-port}") [
"127.0.0.1"
"::1"
];
kdc-conf =
generate-kdc-conf cfg.realm kerberos-database kdc-listen-addrs
cfg.kadmind-internal-port acl-file cfg.kadmin-keytab
cfg.master-key-file;
in {
mit-kdc = { mit-kdc = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
type = "forking"; type = "forking";
description = "MIT Kerberos Key Distribution Center (ticket server)."; description = "MIT Kerberos Key Distribution Center (ticket server).";
execStart = execStart =
"${pkgs.krb5}/bin/krb5kdc -r ${cfg.realm} -d ${kerberos-database} -P ${cfg.kdc-pid-file} -M ${cfg.master-key-file}"; "${pkgs.krb5}/bin/krb5kdc -r ${cfg.realm} -d ${kerberos-database} -P /run/mit-kdc/mit-kdc.pid";
readWritePaths = [ "/run/mit-kdc" ];
environment = { environment = {
KRB5_CONFIG = "/etc/krb5.conf"; KRB5_CONFIG = "/etc/krb5.conf";
KRB5_KDC_PROFILE = "${kdc-conf}"; KRB5_KDC_PROFILE = "${kdc-conf}";
@ -263,9 +245,11 @@ in {
user = cfg.user; user = cfg.user;
group = cfg.group; group = cfg.group;
workingDirectory = cfg.state-directory; workingDirectory = cfg.state-directory;
preStart = preStart = "${initialize-db cfg.realm kdc-conf cfg.user cfg.group
"${initialize-db cfg.realm cfg.user cfg.group cfg.master-key-file cfg.master-key-file kerberos-database}";
kerberos-database}"; privateNetwork = false;
addressFamilies = [ "AF_INET" "AF_INET6" ];
requiredCapabilities = [ "CAP_NET_BIND_SERVICE+ep" ];
}; };
mit-kadmin = { mit-kadmin = {
@ -274,7 +258,8 @@ in {
requires = [ "mit-kdc.service" ]; requires = [ "mit-kdc.service" ];
description = "MIT Kerberos Remote Administration Server."; description = "MIT Kerberos Remote Administration Server.";
execStart = execStart =
"${pkgs.kerberos}/bin/kadmind -r ${cfg.realm} -P ${cfg.kadmind-pid-file}"; "${pkgs.krb5}/bin/kadmind -r ${cfg.realm} -P /run/mit-kadmin/mit-kadmin.pid";
readWritePaths = [ "/run/mit-kadmin" ];
environment = { environment = {
KRB5_CONFIG = "/etc/krb5.conf"; KRB5_CONFIG = "/etc/krb5.conf";
KRB5_KDC_PROFILE = "${kdc-conf}"; KRB5_KDC_PROFILE = "${kdc-conf}";
@ -282,9 +267,12 @@ in {
user = cfg.user; user = cfg.user;
group = cfg.group; group = cfg.group;
workingDirectory = cfg.state-directory; workingDirectory = cfg.state-directory;
preStart = privateNetwork = false;
"${initialize-kadmin cfg.realm cfg.user cfg.group cfg.kadmin-keytab # postStart =
config.networking.hostName}"; # "${initialize-kadmin cfg.realm kerberos-database cfg.user cfg.group
# cfg.kadmin-keytab config.networking.hostName}";
addressFamilies = [ "AF_INET" "AF_INET6" ];
requiredCapabilities = [ "CAP_NET_BIND_SERVICE" ];
}; };
}; };
}; };
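Review bot: The new default `{ "*/admin" = [ "all" ]; }` for `acl` does not fit the option's own type `attrsOf (submodule aclEntry)`: the host config writes entries as `{ perms = [ "all" ]; }` and `generate-acl-file` reads `opts.perms` and `opts.target`, so the default (like the pre-existing `example`) should be `default = { "*/admin" = { perms = [ "all" ]; }; };`. In the same file the new `krb5.extraConfig` block (and the existing kdc.conf template) uses a `[realm]` header where MIT krb5 documents `[realms]`, so the `kadmind_listen`/`kpasswd_listen`/`acl_file`/`admin_keytab` settings there are likely ignored. `requiredCapabilities` is `[ "CAP_NET_BIND_SERVICE+ep" ]` for mit-kdc but `[ "CAP_NET_BIND_SERVICE" ]` for mit-kadmin; since the generic module feeds that list into `CapabilityBoundingSet=`, the `+ep` suffix should be dropped. Finally, with the kadmin principal creation and the `initialize-kadmin` postStart both commented out, nothing now creates `cfg.kadmin-keytab` or the `host/` and `ssh/` principals that `initialize-db` used to add, and in `initialize-db` the `KRB5_CONFIG=` / `KRB5_KDC_PROFILE=` assignments are not exported (only the systemd `environment` block actually reaches `kdb5_util`), while `PWD=$(pwgen 40 1)` shadows the shell's working-directory variable and the generated master password is discarded, leaving the stash file as the sole copy of the master key.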


@ -155,7 +155,7 @@ let
description = "Command to run to launch the service."; description = "Command to run to launch the service.";
}; };
protectSystem = mkOption { protectSystem = mkOption {
type = enum [ "true" "false" "full" "strict" ]; type = enum [ "true" "false" "full" "strict" true false ];
default = "full"; default = "full";
description = description =
"Level of protection to apply to the system for this service."; "Level of protection to apply to the system for this service.";
@ -230,6 +230,54 @@ let
"Schedule on which the job should be invoked. See: man systemd.time(7)."; "Schedule on which the job should be invoked. See: man systemd.time(7).";
default = null; default = null;
}; };
runtimeDirectory = mkOption {
type = nullOr str;
description =
"Directory created at runtime with perms for the service to read/write.";
default = null;
};
readWritePaths = mkOption {
type = listOf str;
description =
"A list of paths to which the service will be allowed normal access, even if ProtectSystem=strict.";
default = [ ];
};
stateDirectory = mkOption {
type = nullOr str;
description =
"State directory for the service, available via STATE_DIRECTORY.";
default = null;
};
cacheDirectory = mkOption {
type = nullOr str;
description =
"Cache directory for the service, available via CACHE_DIRECTORY.";
default = null;
};
inaccessiblePaths = mkOption {
type = listOf str;
description =
"A list of paths which should be inaccessible to the service.";
default = [ "/home" "/root" ];
};
noExecPaths = mkOption {
type = listOf str;
description =
"A list of paths where the service will not be allowed to run executables.";
default = [ "/home" "/root" "/tmp" "/var" ];
};
readOnlyPaths = mkOption {
type = listOf str;
description =
"A list of paths to which will be read-only for the service.";
default = [ ];
};
execPaths = mkOption {
type = listOf str;
description =
"A list of paths where the service WILL be allowed to run executables.";
default = [ ];
};
}; };
}; };
@ -387,42 +435,44 @@ in {
}; };
config = { config = {
# systemd.slices = mapAttrs (name: opts: { # boot.kernel.sysctl = mkIf (cfg.internal-port-map != { }) {
# sliceConfig = { # "net.ipv4.conf.all.route_localhost" = "1";
# IpAddressAllow = opts.networkWhitelist; # };
# IpAddressDeny = "any";
# };
# }) (filterAttrs (name: opts: opts.networkWhitelist != null) cfg.services);
boot.kernel.sysctl = mkIf (cfg.internal-port-map != { }) { # networking.firewall = let
"net.ipv4.conf.all.route_localhost" = "1"; # ip-forward-line = protocols: internal: external:
}; # concatStringsSep "\n" (map (protocol:
# "${pkgs.iptables}/bin/iptables -t nat -I PREROUTING -p ${protocol} --dport ${
# toString external
# } -j DNAT --to 127.0.0.1:${toString internal}") protocols);
networking.firewall = let # ip-unforward-line = protocols: internal: external:
ip-forward-line = protocols: internal: external: # concatStringsSep "\n" (map (protocol:
concatStringsSep "\n" (map (protocol: # "${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -p ${protocol} --dport ${
"${pkgs.iptables}/bin/iptables -t nat -I PREROUTING -p ${protocol} --dport ${ # toString external
toString external # } -j DNAT --to 127.0.0.1:${toString internal} || true") protocols);
} -j DNAT --to 127.0.0.1:${toString internal}") protocols);
ip-unforward-line = protocols: internal: external: # protocol-list = protocol:
concatStringsSep "\n" (map (protocol: # if (protocol == null) then [ "tcp" "udp" ] else [ protocol ];
"${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -p ${protocol} --dport ${ # in {
toString external # extraCommands = concatStringsSep "\n" (mapAttrsToList (name: opts:
} -j DNAT --to 127.0.0.1:${toString internal} || true") protocols); # ip-forward-line (protocol-list opts.protocol) opts.internal-port
# opts.external-port) cfg.internal-port-map);
protocol-list = protocol: # extraStopCommands = concatStringsSep "\n" (mapAttrsToList (name: opts:
if (protocol == null) then [ "tcp" "udp" ] else [ protocol ]; # ip-unforward-line (protocol-list opts.protocol) opts.internal-port
in { # opts.external-port) cfg.internal-port-map);
extraCommands = mkAfter (concatStringsSep "\n" (mapAttrsToList # };
(name: opts:
ip-forward-line (protocol-list opts.protocol) opts.internal-port
opts.external-port) cfg.internal-port-map));
extraStopCommands = mkAfter (concatStringsSep "\n" (mapAttrsToList services.xinetd = {
(name: opts: enable = true;
ip-unforward-line (protocol-list opts.protocol) opts.internal-port services = mapAttrsToList (name: opts: {
opts.external-port) cfg.internal-port-map)); name = name;
unlisted = true;
port = opts.external-port;
server = "${pkgs.coreutils}/bin/false";
extraConfig = "redirect = localhost ${toString opts.internal-port}";
}) cfg.internal-port-map;
}; };
systemd.timers = mapAttrs (name: opts: { systemd.timers = mapAttrs (name: opts: {
@ -473,9 +523,13 @@ in {
ProtectKernelLogs = opts.protectKernelLogs; ProtectKernelLogs = opts.protectKernelLogs;
KeyringMode = opts.keyringMode; KeyringMode = opts.keyringMode;
EnvironmentFile = opts.environment-file; EnvironmentFile = opts.environment-file;
# This is more complicated than it looks... # This is more complicated than it looks...
CapabilityBoundingSet = restrict-capabilities opts.requiredCapabilities; CapabilityBoundingSet = restrict-capabilities opts.requiredCapabilities;
DynamicUser = opts.dynamicUser; Capabilities = opts.requiredCapabilities;
SecureBits = mkIf ((length opts.requiredCapabilities) > 0) "keep-caps";
DynamicUser = mkIf (opts.user == null) opts.dynamicUser;
Restart = opts.restartWhen; Restart = opts.restartWhen;
WorkingDirectory = WorkingDirectory =
mkIf (opts.workingDirectory != null) opts.workingDirectory; mkIf (opts.workingDirectory != null) opts.workingDirectory;
@ -493,12 +547,20 @@ in {
MemoryDenyWriteExecute = opts.memoryDenyWriteExecute; MemoryDenyWriteExecute = opts.memoryDenyWriteExecute;
SystemCallFilter = restrict-syscalls opts.allowedSyscalls; SystemCallFilter = restrict-syscalls opts.allowedSyscalls;
UMask = opts.maximumUmask; UMask = opts.maximumUmask;
IpAddressAllow = IpAddressAllow =
mkIf (opts.networkWhitelist != null) opts.networkWhitelist; mkIf (opts.networkWhitelist != null) opts.networkWhitelist;
IpAddressDeny = mkIf (opts.networkWhitelist != null) "any"; IpAddressDeny = mkIf (opts.networkWhitelist != null) "any";
LimitNOFILE = "49152"; LimitNOFILE = "49152";
PermissionsStartOnly = opts.startOnlyPerms; PermissionsStartOnly = opts.startOnlyPerms;
RuntimeDirectory =
mkIf (opts.runtimeDirectory != null) opts.runtimeDirectory;
CacheDirectory = mkIf (opts.cacheDirectory != null) opts.cacheDirectory;
StateDirectory = mkIf (opts.stateDirectory != null) opts.stateDirectory;
ReadWritePaths = opts.readWritePaths;
ReadOnlyPaths = opts.readOnlyPaths;
InaccessiblePaths = opts.inaccessiblePaths;
NoExecPaths = opts.noExecPaths;
ExecPaths = opts.execPaths;
}; };
}) config.fudo.system.services; }) config.fudo.system.services;
}; };
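Review bot: `Capabilities = opts.requiredCapabilities;` uses the legacy `Capabilities=` unit directive, which systemd deprecated and, on recent releases, no longer honours, so the capability set likely never reaches the non-root service and only `SecureBits=keep-caps` takes effect; the supported form is `AmbientCapabilities = opts.requiredCapabilities;`, which also makes the `SecureBits` line unnecessary. Because `CapabilityBoundingSet=` is built from the same list, callers must pass bare names such as `"CAP_NET_BIND_SERVICE"`, not `+ep`-suffixed strings, which the option description should state. The switch from iptables DNAT to `services.xinetd` also changes semantics silently: xinetd's `redirect` proxies TCP only, so the `protocol` field of `internal-port-map` that the removed rules honoured for UDP is no longer applied; a comment on the xinetd block, or an assertion that no entry requests UDP, would make that explicit. The new `ExecPaths=`/`NoExecPaths=` settings presumably need a systemd new enough to know them; worth confirming against the target release.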


@ -86,7 +86,13 @@ let
home-directory = mkOption { home-directory = mkOption {
type = with types; nullOr str; type = with types; nullOr str;
description = "Default home directory for the given user."; description = "Default home directory for the given user.";
default = null; default = null;
};
k5login = mkOption {
type = listOf str;
description = "List of Kerberos principals that map to this user.";
default = [ ];
}; };
}; };
}; };
@ -151,7 +157,8 @@ in {
host-user-list = config.fudo.hosts."${local-host}".local-users; host-user-list = config.fudo.hosts."${local-host}".local-users;
domain-user-list = config.fudo.domains."${local-domain}".local-users; domain-user-list = config.fudo.domains."${local-domain}".local-users;
local-users = getAttrs (host-user-list ++ domain-user-list) config.fudo.users; local-users =
getAttrs (host-user-list ++ domain-user-list) config.fudo.users;
host-admin-list = config.fudo.hosts."${local-host}".local-admins; host-admin-list = config.fudo.hosts."${local-host}".local-admins;
domain-admin-list = config.fudo.domains."${local-domain}".local-admins; domain-admin-list = config.fudo.domains."${local-domain}".local-admins;
@ -161,12 +168,15 @@ in {
host-group-list = config.fudo.hosts."${local-host}".local-groups; host-group-list = config.fudo.hosts."${local-host}".local-groups;
domain-group-list = config.fudo.domains."${local-domain}".local-groups; domain-group-list = config.fudo.domains."${local-domain}".local-groups;
site-group-list = config.fudo.sites."${local-site}".local-groups; site-group-list = config.fudo.sites."${local-site}".local-groups;
local-groups = getAttrs (host-group-list ++ domain-group-list ++ site-group-list) config.fudo.groups; local-groups =
getAttrs (host-group-list ++ domain-group-list ++ site-group-list)
config.fudo.groups;
in { in {
fudo.auth.ldap-server = let fudo.auth.ldap-server = let
ldapUsers = (filterAttrs ldapUsers = (filterAttrs
(username: userOpts: userOpts.ldap-hashed-password != null)) config.fudo.users; (username: userOpts: userOpts.ldap-hashed-password != null))
config.fudo.users;
in { in {
users = mapAttrs (username: userOpts: { users = mapAttrs (username: userOpts: {
@ -195,7 +205,10 @@ in {
createHome = true; createHome = true;
description = userOpts.common-name; description = userOpts.common-name;
group = userOpts.primary-group; group = userOpts.primary-group;
home = if (userOpts.home-directory != null) then userOpts.home-directory else "/home/${userOpts.primary-group}/${username}"; home = if (userOpts.home-directory != null) then
userOpts.home-directory
else
"/home/${userOpts.primary-group}/${username}";
hashedPassword = userOpts.login-hashed-passwd; hashedPassword = userOpts.login-hashed-passwd;
openssh.authorizedKeys.keys = userOpts.ssh-authorized-keys; openssh.authorizedKeys.keys = userOpts.ssh-authorized-keys;
}) local-users; }) local-users;
@ -203,11 +216,8 @@ in {
groups = (mapAttrs (groupname: groupOpts: { groups = (mapAttrs (groupname: groupOpts: {
gid = groupOpts.gid; gid = groupOpts.gid;
members = filterExistingUsers local-users groupOpts.members; members = filterExistingUsers local-users groupOpts.members;
}) local-groups) // }) local-groups) // {
{ wheel = { members = local-admins; };
wheel = {
members = local-admins;
};
}; };
}; };
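Review bot: The new `k5login` option is declared with `default = [ ]` but nothing in the shown hunks consumes it — the `users.users` mapping here sets `hashedPassword` and `openssh.authorizedKeys.keys` but writes no `.k5login` or equivalent — so unless another file reads `userOpts.k5login`, the principal lists added for `niten` and `reaper` have no effect yet. If it is wired up elsewhere, the description should name the artefact it produces, e.g. `description = "Kerberos principals permitted to log in as this user (written to the user's ~/.k5login).";`, since each entry is a login grant and reviewers of the user list should know what it controls.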


@ -66,9 +66,8 @@ in {
buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ]; buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
}); });
gtk3-x11 = pkgs.gtk3.overrideAttrs (oldAttrs: rec { gtk3-x11 = pkgs.gtk3.overrideAttrs
buildInputs = oldAttrs.buildInputs ++ [ pkgs.cmake ]; (oldAttrs: rec { buildInputs = oldAttrs.buildInputs ++ [ pkgs.cmake ]; });
});
hll2380dw-cups = import ./hll2380dw-cups.nix { hll2380dw-cups = import ./hll2380dw-cups.nix {
inherit (pkgs) inherit (pkgs)
@ -157,8 +156,8 @@ in {
doom-emacs-config = pkgs.fetchgit { doom-emacs-config = pkgs.fetchgit {
url = "https://git.fudo.org/niten/doom-emacs.git"; url = "https://git.fudo.org/niten/doom-emacs.git";
rev = "bc8224ec110e8a69a40d1521665884c4b14bb2b9"; rev = "c57d6712e358a9941b1de3508b104ffd38099a3a";
sha256 = "09j3sfdcfn0qi34qspvcmm201klai543i21zx8rixx9qcc40xm7q"; sha256 = "1b2aw06irmv3xha6rhqlw3lmy6qxv281j4w91c8af0qsvhcq9g1y";
}; };
vanilla-forum = import ./vanilla-forum.nix { pkgs = pkgs; }; vanilla-forum = import ./vanilla-forum.nix { pkgs = pkgs; };