diff --git a/.sops.yaml b/.sops.yaml index 353c8db..cbc754f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -20,6 +20,7 @@ keys: - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr + - &host_temmie age10avsdvqger25z0lyzlq8v7xfzcmypkmjsswswaxwqnpnl6x9wcjq0uv2n7 - &host_gluttony age12czfkvuw9pjk5qny5c6m2hjhd634cj9r4dsa3ss5zkux5h4vvc7s7k4urq creation_rules: @@ -121,6 +122,19 @@ creation_rules: pgp: - *user_oysteikt + - path_regex: secrets/temmie/[^/]+\.yaml$ + key_groups: + - age: + - *host_temmie + - *user_danio + - *user_felixalb + - *user_pederbs_sopp + - *user_pederbs_nord + - *user_pederbs_bjarte + - *user_vegardbm + pgp: + - *user_oysteikt + - path_regex: secrets/gluttony/[^/]+\.yaml$ key_groups: - age: diff --git a/flake.lock b/flake.lock index 82c4a9f..521f9df 100644 --- a/flake.lock +++ b/flake.lock @@ -309,6 +309,27 @@ "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz" } }, + "passwd2systemd-users": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1780062186, + "narHash": "sha256-FSkwKO/56i9RddwSydK804fSnIvbczBnFJgr2/m+F9U=", + "ref": "main", + "rev": "db2b19f144af046161b7f9ca69ddaf3f06fcceea", + "revCount": 13, + "type": "git", + "url": "https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git" + }, + "original": { + "ref": "main", + "type": "git", + "url": "https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git" + } + }, "pvv-calendar-bot": { "inputs": { "nixpkgs": [ @@ -387,6 +408,7 @@ "nix-topology": "nix-topology", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", + "passwd2systemd-users": "passwd2systemd-users", "pvv-calendar-bot": "pvv-calendar-bot", "pvv-nettsiden": "pvv-nettsiden", "qotd": "qotd", diff --git a/flake.nix b/flake.nix index 84285e3..c955044 100644 --- a/flake.nix +++ b/flake.nix 
@@ -50,6 +50,8 @@ bro.url = "git+https://git.pvv.ntnu.no/Projects/bro.git?ref=main"; bro.inputs.nixpkgs.follows = "nixpkgs"; + passwd2systemd-users.url = "git+https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git?ref=main"; + passwd2systemd-users.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { @@ -220,6 +222,7 @@ temmie = stableNixosConfig "temmie" { overlays = [ inputs.bro.overlays.default + inputs.passwd2systemd-users.overlays.default ]; modules = [ inputs.bro.nixosModules.default diff --git a/hosts/temmie/services/userweb/default.nix b/hosts/temmie/services/userweb/default.nix index 7885f36..9fe92ba 100644 --- a/hosts/temmie/services/userweb/default.nix +++ b/hosts/temmie/services/userweb/default.nix @@ -154,6 +154,11 @@ in ./mail.nix ]; + sops.secrets = { + "httpd/passwd-ssh-key" = { }; + "httpd/ssh-known-hosts" = { }; + }; + services.httpd = { enable = true; adminAddr = "drift@pvv.ntnu.no"; 
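Review bot: `httpd/ssh-known-hosts` is declared as a sops secret in the sops.secrets hunk, but a known_hosts file carries only public host keys, so encrypting it hides the one thing a reviewer wants to see — a change to the pinned key for smtp.pvv.ntnu.no; a plain `pkgs.writeText "httpd-known-hosts" "smtp.pvv.ntnu.no ssh-ed25519 AAAA..."` handed to LoadCredential would be diffable while `httpd/passwd-ssh-key` stays in sops as it is. With no `owner`/`mode` given, both secrets keep sops-nix's root-only default, which suits LoadCredential since the manager reads them before the service drops privileges. I cannot confirm from the encrypted blob that the known-hosts entry contains nothing sensitive; if it does, a short comment on the declaration saying why it is encrypted would stop the next reader from moving it.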
@@ -276,11 +281,49 @@ in serviceConfig = { Type = lib.mkForce "notify"; + ExecStartPre = let + rsyncCommand = ''${lib.getExe pkgs.rsync} -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey" -avz''; + in lib.mkForce [ + (lib.getExe (pkgs.writeShellApplication { + name = "http-exec-start-pre-remove-old-semaphores"; + text = '' + # Get rid of old semaphores. These tend to accumulate across + # server restarts, eventually preventing it from restarting + # successfully. + for i in $(${pkgs.util-linux}/bin/ipcs -s | grep ' ${cfg.user} ' | cut -f2 -d ' '); do + ${pkgs.util-linux}/bin/ipcrm -s "$i" + done + ''; + })) + "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/passwd /run/httpd/pamunix-sync/" + "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/group /run/httpd/pamunix-sync/" + # "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/shadow /run/httpd/pamunix-sync/" + (let + args = lib.cli.toCommandLineShellGNU { } { + passwd-file = "/run/httpd/pamunix-sync/passwd"; + group-file = "/run/httpd/pamunix-sync/group"; + shadow-file = pkgs.emptyFile; + email-domain = "pvv.ntnu.no"; + ignore-user-file = toString ./ignore_user_file.txt; + ignore-group-file = toString ./ignore_group_file.txt; + set-default-umask = "0077"; + set-default-mount-no-devices = "true"; + set-default-mount-no-suid = "true"; + set-default-mount-no-execute = "false"; + }; + in ''${lib.getExe pkgs.passwd2systemd-users} ${args}'') + "${lib.getExe' pkgs.coreutils "shred"} /run/httpd/pamunix-sync/passwd /run/httpd/pamunix-sync/group" + ]; ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start"; ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful"; ExecStop = lib.mkForce ""; KillMode = "mixed"; + LoadCredential=[ + "sshkey:${config.sops.secrets."httpd/passwd-ssh-key".path}" + "ssh-known-hosts:${config.sops.secrets."httpd/ssh-known-hosts".path}" + ]; + ConfigurationDirectory = [ "httpd" ]; LogsDirectory = [ "httpd" ]; 
LogsDirectoryMode = "0700"; @@ -318,7 +361,11 @@ in ]; UMask = "0077"; - RuntimeDirectory = [ "httpd/root-mnt" ]; + RuntimeDirectory = [ + "httpd/root-mnt" + "httpd/pamunix-sync" + "httpd/systemd-userdb" + ]; RootDirectory = "/run/httpd/root-mnt"; MountAPIVFS = true; BindReadOnlyPaths = [ diff --git a/hosts/temmie/services/userweb/ignore_group_file.txt b/hosts/temmie/services/userweb/ignore_group_file.txt new file mode 100644 index 0000000..57cc054 --- /dev/null +++ b/hosts/temmie/services/userweb/ignore_group_file.txt @@ -0,0 +1,91 @@ +Debian-exim +_cvsadmin +_ssh +adm +audio +avahi +backup +bin +cdrom +cl-builder +clamav +clock +colord +courier +crontab +daemon +debian-spamd +dialout +dip +dirmngr +disk +dovecot +fax +floppy +fuse +games +geoclue +gnats +input +irc +kmem +kvm +list +lock +lp +lpadmin +mail +man +messagebus +mlocate +munin +netdev +news +nogroup +ntp +ntpsec +oident +opendkim +operator +plocate +plugdev +polkitd +postdrop +postfix +postgres +prometheus +prometheus-exporter +proxy +rdma +root +# runit +salt +sambashare +saned +sasl +scanner +sgx +shadow +src +ssl-cert +staff +stunnel4 +sudo +sys +systemd-coredump +systemd-journal +systemd-network +systemd-resolve +systemd-timesync +tape +tcpdump +tty +users +utempter +utmp +uucp +uuidd +video +voice +winbindd_priv +www-data diff --git a/hosts/temmie/services/userweb/ignore_user_file.txt b/hosts/temmie/services/userweb/ignore_user_file.txt new file mode 100644 index 0000000..8a630b1 --- /dev/null +++ b/hosts/temmie/services/userweb/ignore_user_file.txt 
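Review bot: The ssh options in the `rsyncCommand` let-binding at the top of the ExecStartPre hunk pin the known-hosts file through LoadCredential but leave StrictHostKeyChecking at its default, so a host key missing from that credential is refused only because ssh's `ask` policy has no tty to prompt on, and the sandbox's `/etc/ssh/ssh_known_hosts`, if any, is still consulted; I would make the policy explicit with `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=%d/ssh-known-hosts -o IdentitiesOnly=yes -i %d/sshkey`. Since this key now gives temmie a standing credential to read files from smtp.pvv.ntnu.no as `pvv`, it is worth confirming — not visible in this diff — that the matching authorized_keys entry is limited with `restrict,command="..."` to the two paths rsync reads, and the commented-out `/etc/shadow` line deserves a `# deliberately not synced; hashes never leave the mail host` comment so nobody re-enables it. `lib.mkForce` on ExecStartPre also discards whatever ExecStartPre the upstream httpd module derives from its preStart (the semaphore loop reads like a copy of it), so a one-line comment such as `# mkForce drops the module's preStart; semaphore cleanup re-implemented below` would explain the duplication. The enclosing `serviceConfig` attribute set begins before this hunk and continues past it.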
@@ -0,0 +1,74 @@
+# System Users
+Debian-exim
+_apt
+_rpc
+avahi
+backup
+bin
+cl-builder
+clamav
+colord
+courier
+daemon
+debian-spamd
+debian-spamd
+dirmngr
+distccd
+dovecot
+dovenull
+driftsupport
+fetchmail
+games
+geoclue
+gitea
+gnats
+hplip
+irc
+list
+lp
+mail
+mail2news
+mailnews
+man
+messagebus
+munin
+news
+nobody
+noone
+ntp
+ntpsec
+oident
+opendkim
+polkitd
+postfix
+postgres
+prometheus
+prometheus-exporter
+proxy
+root
+rwhod
+salt
+saned
+spamd
+sshd
+statd
+stunnel4
+sync
+sys
+systemd-coredump
+systemd-network
+systemd-resolve
+systemd-timesync
+tcpdump
+uucp
+uuidd
+vaultwarden
+www-data
+
+# Misc
+nuccc04
+nuccc
+kybkokos
+kybkokos2
+testbruker2309
+testbruker2404
diff --git a/secrets/temmie/temmie.yaml b/secrets/temmie/temmie.yaml
new file mode 100644
index 0000000..b015178
--- /dev/null
+++ b/secrets/temmie/temmie.yaml
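Review bot: `debian-spamd` appears twice in the "System Users" section of ignore_user_file.txt; one of the two lines should go. More importantly the file is a denylist: every account in the synced /etc/passwd that is not named here becomes a user record on temmie, so a service account added on smtp.pvv.ntnu.no later is exposed to httpd by default — if passwd2systemd-users supports a UID-range or allowlist filter (not visible in this diff), restricting the import to regular-user UIDs would fail safe instead. A header comment recording the provenance, e.g. `# Accounts from smtp.pvv.ntnu.no:/etc/passwd that must not become users on temmie; revisit when system accounts change there`, would help keep the list in step with the source host.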
@@ -0,0 +1,93 @@ +httpd: + passwd-ssh-key: ENC[AES256_GCM,data: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,iv:1BE0moa2a4k2yqVBboS/EbNiFGLTu4Df/tnXBassls4=,tag:iPUOAEhqKbF9umsyBLaoJg==,type:str] + ssh-known-hosts: ENC[AES256_GCM,data:E2NiTUQokUDHzkfmTh5eECHZxt8v/Ug63ETA/CcO8358EpPeaFI1tAFt3q0o5rTCAUlB5cJ1ZOxX4mTeIH370wnwFN6emg+iAaK3VM+AL3Tp8Acb5EwErSOTKjAwrS5vwqb3oTYMzj42bKBk0b/qPWspGnoUfDI481+p99PS8eqpNCcGaNEDNk0BPwDvngwuur9o2RTmuWwxZO+s3wqlktQPkCguii8/FD3x3O8eow+v,iv:tJNxoY4UsRrB9k/fX9jLUc4hC3bioekpgKu4aa2o/4Q=,tag:DLj9rqse33D8PDLMxF/heQ==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMStZRlNCem0zRWgvMytj + b2tGR0M4SmF2Z1dYR2RBK1ZTUEx4c3NhMmlnCkVwcStqZ0RPRm1EK01lTWJpUmd2 + Qis2WlU2ZUpFcUVXZUdVaWVyQno4NFEKLS0tIGJZWmlSdEtaUnd1alZ6NURsSFY3 + VXJGank2UlBqY0hNZ1QvUGZUdVljaXMK9P4IVuSZ8uhDXDWMOkqABWImL4mu18AU + 7X+1t3nZVmPze3MOTBRWf483DBAM+69QDlio1uSzZjJQc1X0H6ePKQ== + -----END AGE ENCRYPTED FILE----- + recipient: age10avsdvqger25z0lyzlq8v7xfzcmypkmjsswswaxwqnpnl6x9wcjq0uv2n7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMGdHZ2xvdnVMbFAxYkhF + WHRPWjg3OE4vU1RhTWxPc0cxNm1RU1BPem40CnRHc0gyQVNxelBnZERMNlp2YnFk + U0xpbHN6RlVHZHdkZktnK0hCMFQ1aGcKLS0tIDVtODVvNzN0NFJ3UGFYdkpLTmZR + R0FvdzE5NDhUNFpWZTYreklCMmhCWmcKuD5nNqDSP4SK3E1AsnZtE4jzYgxfgHau + nmPKA2dgsPoA2rug/kGB9uXeUUA0oL26FyjlPi6NYDVvN4u1IHgPSw== + -----END AGE ENCRYPTED FILE----- + recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SUdGMUgwSEV2SUhkMEJm + MWJ5Y1VMdWsyK1NWYmxUK3N1cHoydWp5eUVrCllZK3hKZjNDYzMwQTFENTg2aFFi + dXpkWGZkT0hiWGRQdjltNXZ6ZkN2S1EKLS0tIFREeDFVZkZEV0phM3dRYUVRSSsx + UVpkZ3hTd0JuWm16WnFFREt4S0hxMjAKbihmtr3/d/BbX21zkZWNarCNa4cYCM9B + HGwcEfP4fnevWdM4LbXXBBmfoVUErKjK5tiMwocVZXZrsHBYI4amPA== + -----END AGE ENCRYPTED FILE----- + recipient: 
age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3d3g2aHUrT0d5Kzl1RmVk + MUh4eW8vTS9qbkZ3WHNYMjFHSlZLV2M1aVgwCllWTDFwZDV1QTFkQkVrUnN0bSto + aTlvVTVaOWVldDJjSHMyaFhLNXlBcUEKLS0tIHZ6d0ZZWlo5SVJ3a0VNbjRFYnkz + dDFFT1JVN2N1cjg2TW5xOUZKZDVzZkUKjtRmm87B4AECzS8mmL6rUyVfNYlsem1w + HDFw4p0Nt9JWFFWEWamnTQ+Bq2UPsueBW4Ei/WyDj5d4EyNptoJrDQ== + -----END AGE ENCRYPTED FILE----- + recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2aWs5V0xhTzJlMi9PNks0 + ZUNiOFB5TDZQUVBnVThRQjdzYTJ0Uml1blJzCjhUdTdpRURsVlIrUkxnUXVhM3Vn + cmJSL0x2Y29aMnltcWhiYmhLem1ldGsKLS0tIFpMa1lmZjZPQ0FvSUhTbUhzRlM5 + bHNqMm1xRGdMd2NOdVo0Y0xFLzJCbGcKnSMBn2kp/RGDr5NL+qMoWqqdCdSu4wFz + GjjUS43nW0++TVXusGIj60sDJtK623N4srpubykZtYfEO1c1cAURpg== + -----END AGE ENCRYPTED FILE----- + recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnU2d6bFRqMk5jZ3lDdzA5 + WFpsNVdLL2lXRGZ5ZjRIdGs5VjRVZ1JKdDJJCmxQeHZsZk9OQ1g4dG00MVNGeFF2 + OURQUndCOTM3eUh1SnRaOGFKMi80TjQKLS0tIEE2eE8vK1dnN0dnbGNqaWZqdzJx + WGhRM2R0VzV1SlpxeGVWOXNCeWlzcVUK/nD3DWVDjVbWJmP33OC4LSKA3qrjN0hb + kZV4U44y+8uLtBVm3WnkZd/cg5wqoD/1agG7aCc9DMmOmxHUfdfrJw== + -----END AGE ENCRYPTED FILE----- + recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtczYrL3NrM295NEd4N3V0 + WndPRXltZFhOUU1LdGVNM05LRzV5blhmU1JRClBpU0g2K0FJbFE0RVEyVW1ZRTJU + d2ZoeTM0QWx1NE9wSjc3c0tUa3Z3VlkKLS0tIEVrQStXSWRTUkJvK2paTU1EUkcy + ZWtMdDRhTWdLZnI2T2ZmS2VXdjFpZVkK1LAo54bl2QIx08rMJ0A8Q5bVXWcaoFPo + Y0/PSyL+vMa2Ab6b4vD6GNY5/KAE5XPlvBEKBrIe2oIAMJw38KUq8g== + -----END AGE ENCRYPTED FILE----- + recipient: 
age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune + lastmodified: "2026-05-29T13:54:14Z" + mac: ENC[AES256_GCM,data:g1PT225ggTfHuzU9qaNfNrhIVqtTWRCSm7iFDTlCZTDr4PPGbRtUH5fIJSY1F+2mu+H2XRM9ueenhqTyyyDJGsq+Oqp6Ae4E7vp2Uo4qH8O2d/u78EL2zNVestTvCnJGJ5lPWrN2i41pqOWbNx+dXt0O+sdgS890IQkj4i8VrRU=,iv:CjBKRSCMpAT+gWEFjvqb5OBy5u6ZsDelsCg5lGNOsN0=,tag:k1ia0wkw3YQfeFdv0GTX6g==,type:str] + pgp: + - created_at: "2026-05-29T13:54:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA0av/duuklWYARAAq4qDoGJmeum8aPwO6TGOO+iIKNE3rqIdCsUsTs+SF3VL + ejSW3yB9hw5ptg3CCUH0tZRuZyvQ3fkXFh08hSBfBhICSr9NS2vllXp4ILlhNG0P + gEIq67+daK2YyWBcV3Rh8OMz5niGYDKF6WZjzlkFxinUFcqVtQrVKw9pti+Crhs9 + QgZbTz5+Cph/ACSLufSUV2yyjv+zO+VhyMpHR4x/B/el/T921vAQAdGx9DprC1ed + cse2kg9ouhMQI+Aii5oSnDCAuVZGZQN23WXQBQp66l4gFmR3Av85miguEF5Gf8YW + 44GiixHyul5583NDsMQuoPu1gzE8CqUPMVFVGzp5BsXbb4HzmEslxkpi7obCs7wx + fCplc2L+mLa4hTBJXYcCcRbsbopjDnYLNLfl4nvYHW5utimNej4EBdzQQg3DNf8J + zdNXlwHXUBgU8ayAyOwThQIP4s+VDSh2ASSWwEmqNMr5nkocIl7UO3J9MzkLNuc1 + 0S4b8rM9om755SlQTeLrOy/4aloZwCMFxQOeIoJ0fxNlgap1BS1FQ68leA+uiCcc + vCFVMlYUOwMl2wqkQ84pY3SEL6z96o9wpOyRERk/yfjBWnGjqjANNz4uSXggo4B9 + LTLIqO+Li26+geyTATIMJU5SeMdP5s+Lvc2qzn0c4qr67hVo9H5Df2qzijsqIqrS + XgHQdNafa0JYSH07UKFvfmcDYU/sWRi7QrFD3/zn5HPUN2XNQj4P9OF93NV8tAqK + pFqgdJCybDSp4sQujjQOZkJ3tpVnlq/G/QjiAY2TpbYxzPUDWP0Pu0yGxVIrJ5Q= + =atHd + -----END PGP MESSAGE----- + fp: F7D37890228A907440E1FD4846B9228E814A2AAC + unencrypted_suffix: _unencrypted + version: 3.13.0