diff --git a/hosts/temmie/services/userweb/default.nix b/hosts/temmie/services/userweb/default.nix
index 9fe92ba..8199bab 100644
--- a/hosts/temmie/services/userweb/default.nix
+++ b/hosts/temmie/services/userweb/default.nix
@@ -130,6 +130,9 @@ let
 file
 findutils
 gawk
+ glibc.getent
+ strace
+ systemd
 gnugrep
 gnumake
 gnupg
@@ -284,7 +287,7 @@ in
 ExecStartPre = let
 rsyncCommand = ''${lib.getExe pkgs.rsync} -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey" -avz'';
 in lib.mkForce [
- (lib.getExe (pkgs.writeShellApplication {
+ "${lib.getExe (pkgs.writeShellApplication {
 name = "http-exec-start-pre-remove-old-semaphores";
 text = ''
 # Get rid of old semaphores. These tend to accumulate across
@@ -294,14 +297,20 @@ in
 ${pkgs.util-linux}/bin/ipcrm -s "$i"
 done
 '';
- }))
+ })}"
+ # "${pkgs.systemd}/bin/resolvectl query smtp.pvv.ntnu.no"
+ "${pkgs.strace}/bin/strace ${pkgs.glibc.getent}/bin/getent ahosts smtp.pvv.ntnu.no"
 "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/passwd /run/httpd/pamunix-sync/"
 "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/group /run/httpd/pamunix-sync/"
+ # "+|echo 'wwwrun:x:54:54:Apache httpd user:/var/empty:/run/current-system/sw/bin/nologin' >> /run/httpd/pamunix-sync/passwd"
+ # "+|echo 'root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash' >> /run/httpd/pamunix-sync/passwd"
+ # "+|echo 'wwwrun:x:54:' >> /run/httpd/pamunix-sync/group"
 # "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/shadow /run/httpd/pamunix-sync/"
 (let
 args = lib.cli.toCommandLineShellGNU { } {
 passwd-file = "/run/httpd/pamunix-sync/passwd";
 group-file = "/run/httpd/pamunix-sync/group";
+ output-dir = "/run/httpd/systemd-userdb";
 shadow-file = pkgs.emptyFile;
 email-domain = "pvv.ntnu.no";
 ignore-user-file = toString ./ignore_user_file.txt;
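Review bot: The `strace` wrapper around `getent ahosts smtp.pvv.ntnu.no` in the ExecStartPre hunk at -294 is debugging scaffolding that the commit leaves in the production unit, alongside the commented-out `resolvectl` line and three `+|echo ... >> /run/httpd/pamunix-sync/...` lines, one of which would append a `root:x:0:0` entry to the synced passwd file if ever uncommented. Tracing a child it spawned itself does not need an extra capability under the default Yama scope; the seccomp filter is the likely reason the sandbox is loosened elsewhere in this diff, so once name resolution is confirmed this line should become the plain `"${pkgs.glibc.getent}/bin/getent ahosts smtp.pvv.ntnu.no"` (or be dropped) and the commented lines removed. Note that strace exits with the tracee's status, so a failed lookup aborts the unit start — presumably a deliberate fail-fast before the rsync, but a one-line comment stating that would help. The ExecStartPre list continues outside the hunk.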
@@ -312,7 +321,7 @@ in
 set-default-mount-no-execute = "false";
 };
 in ''${lib.getExe pkgs.passwd2systemd-users} ${args}'')
- "${lib.getExe' pkgs.coreutils "shred"} /run/httpd/pamunix-sync/passwd /run/httpd/pamunix-sync/group"
+ "${lib.getExe' pkgs.coreutils "shred"} -u /run/httpd/pamunix-sync/passwd /run/httpd/pamunix-sync/group"
 ];
 ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
 ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
@@ -328,8 +337,9 @@ in
 LogsDirectory = [ "httpd" ];
 LogsDirectoryMode = "0700";
- CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
- LockPersonality = true;
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_PTRACE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_PTRACE" ];
+ # LockPersonality = true;
 PrivateDevices = true;
 PrivateTmp = true;
 # NOTE: this removes CAP_NET_BIND_SERVICE...
@@ -356,9 +366,9 @@ in
 "tcp:443"
 ];
 SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- ];
+ # SystemCallFilter = [
+ # "@system-service"
+ # ];
 UMask = "0077";
 RuntimeDirectory = [
@@ -371,9 +381,30 @@ in
 BindReadOnlyPaths = [
 builtins.storeDir
 "/etc"
+ "/dev/null"
 # NCSD socket
- "/var/run"
+ # "/var/run"
+ # "/var/run/systemd/resolve"
+ "/etc/resolv.conf"
 "/var/lib/acme"
+ "/run/httpd/systemd-userdb:/etc/userdb"
+ "${pkgs.writeText "userweb-fake-nsswitch.conf" ''
+ passwd: systemd files
+ group: systemd files
+ shadow: systemd files
+ sudoers: files
+ hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
+ networks: files
+ ethers: files
+ services: files
+ protocols: files
+ rpc: files
+ subuid: files
+ subgid: files
+ ''}:/etc/nsswitch.conf"
 "${fhsEnv}/bin:/bin"
 "${fhsEnv}/sbin:/sbin"
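Review bot: Adding CAP_SYS_PTRACE to both AmbientCapabilities and CapabilityBoundingSet while commenting out LockPersonality (hunk at -328) and the entire SystemCallFilter (hunk at -356) opens the httpd sandbox far beyond what a one-off strace of getent in ExecStartPre needs. Ambient capabilities survive execve into every process the unit runs, so httpd and anything it executes gain CAP_SYS_PTRACE, which lets a compromised worker inspect the memory of other processes in the unit; strace on its own child does not need that capability under the default Yama scope, and the seccomp filter is the more likely blocker. Keep the filter and admit only the tracing syscalls for the duration of the investigation, e.g. `SystemCallFilter = [ "@system-service" "@debug" ];`, restore `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` and `LockPersonality = true;`, and drop the AmbientCapabilities line. If the relaxation is meant to be temporary, a comment naming the condition for reverting it would help the next reader.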