-rw-r--r--nixos/doc/manual/release-notes/rl-1903.xml7
-rw-r--r--nixos/modules/config/ldap.nix89
-rw-r--r--nixos/tests/ldap.nix9
-rw-r--r--pkgs/development/python-modules/nevow/default.nix2
-rw-r--r--pkgs/development/r-modules/default.nix1
-rw-r--r--pkgs/development/tools/build-managers/scons/default.nix4
-rw-r--r--pkgs/servers/mail/dovecot/default.nix4
-rw-r--r--pkgs/tools/networking/p2p/tahoe-lafs/default.nix2
8 files changed, 64 insertions, 54 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index 7d40637df93..bbd3cf2e9db 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -516,6 +516,13 @@
      Graylog</link> for details.
     </para>
    </listitem>
+   <listitem>
+    <para>
+      The option <literal>users.ldap.bind.password</literal> was renamed to <literal>users.ldap.bind.passwordFile</literal>,
+      and needs to be readable by the <literal>nslcd</literal> user.
+      Same applies to the new <literal>users.ldap.daemon.rootpwmodpwFile</literal> option.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix
index f65a3fc50d5..e008497a2a6 100644
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -27,25 +27,29 @@ let
     '';
   };
 
-  nslcdConfig = {
-    target = "nslcd.conf";
-    source = writeText "nslcd.conf" ''
-      uid nslcd
-      gid nslcd
-      uri ${cfg.server}
-      base ${cfg.base}
-      timelimit ${toString cfg.timeLimit}
-      bind_timelimit ${toString cfg.bind.timeLimit}
-      ${optionalString (cfg.bind.distinguishedName != "")
-        "binddn ${cfg.bind.distinguishedName}" }
-      ${optionalString (cfg.daemon.rootpwmoddn != "")
-        "rootpwmoddn ${cfg.daemon.rootpwmoddn}" }
-      ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
-    '';
-  };
-
-  insertLdapPassword = !config.users.ldap.daemon.enable &&
-    config.users.ldap.bind.distinguishedName != "";
+  nslcdConfig = writeText "nslcd.conf" ''
+    uid nslcd
+    gid nslcd
+    uri ${cfg.server}
+    base ${cfg.base}
+    timelimit ${toString cfg.timeLimit}
+    bind_timelimit ${toString cfg.bind.timeLimit}
+    ${optionalString (cfg.bind.distinguishedName != "")
+      "binddn ${cfg.bind.distinguishedName}" }
+    ${optionalString (cfg.daemon.rootpwmoddn != "")
+      "rootpwmoddn ${cfg.daemon.rootpwmoddn}" }
+    ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
+  '';
+
+  # nslcd normally reads configuration from /etc/nslcd.conf.
+  # this file might contain secrets. We append those at runtime,
+  # so redirect its location to something more temporary.
+  nslcdWrapped = runCommandNoCC "nslcd-wrapped" { nativeBuildInputs = [ makeWrapper ]; } ''
+    mkdir -p $out/bin
+    makeWrapper ${nss_pam_ldapd}/sbin/nslcd $out/bin/nslcd \
+      --set LD_PRELOAD    "${pkgs.libredirect}/lib/libredirect.so" \
+      --set NIX_REDIRECTS "/etc/nslcd.conf=/run/nslcd/nslcd.conf"
+  '';
 
 in
 
@@ -139,13 +143,13 @@ in
           '';
         };
 
-        rootpwmodpw = mkOption {
+        rootpwmodpwFile = mkOption {
           default = "";
           example = "/run/keys/nslcd.rootpwmodpw";
           type = types.str;
           description = ''
-            The path to a file containing the credentials with which
-            to bind to the LDAP server if the root user tries to change a user's password
+            The path to a file containing the credentials with which to bind to
+            the LDAP server if the root user tries to change a user's password.
           '';
         };
       };
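Review bot: `rootpwmodpw` is renamed to `rootpwmodpwFile` here, but the `imports` list added at the end of this file only carries a `mkRenamedOptionModule` for `users.ldap.bind.password`, so a configuration that still sets `users.ldap.daemon.rootpwmodpw` fails evaluation with an undefined-option error instead of the rename warning the other option gets. Adding `(mkRenamedOptionModule [ "users" "ldap" "daemon" "rootpwmodpw" ] [ "users" "ldap" "daemon" "rootpwmodpwFile" ])` next to the existing entry keeps the two renames consistent. If the omission is deliberate, the option description should say so, since the release note in this commit presents rootpwmodpwFile as a new option.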
@@ -161,7 +165,7 @@ in
           '';
         };
 
-        password = mkOption {
+        passwordFile = mkOption {
           default = "/etc/ldap/bind.password";
           type = types.str;
           description = ''
@@ -220,14 +224,14 @@ in
 
   config = mkIf cfg.enable {
 
-    environment.etc = if cfg.daemon.enable then [nslcdConfig] else [ldapConfig];
+    environment.etc = optional (!cfg.daemon.enable) ldapConfig;
 
-    system.activationScripts = mkIf insertLdapPassword {
+    system.activationScripts = mkIf (!cfg.daemon.enable) {
       ldap = stringAfter [ "etc" "groups" "users" ] ''
-        if test -f "${cfg.bind.password}" ; then
+        if test -f "${cfg.bind.passwordFile}" ; then
           umask 0077
           conf="$(mktemp)"
-          printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" |
+          printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |
           cat ${ldapConfig.source} - >"$conf"
           mv -fT "$conf" /etc/ldap.conf
         fi
@@ -251,7 +255,6 @@ in
     };
 
     systemd.services = mkIf cfg.daemon.enable {
-
       nslcd = {
         wantedBy = [ "multi-user.target" ];
 
@@ -259,32 +262,32 @@ in
           umask 0077
           conf="$(mktemp)"
           {
-            cat ${nslcdConfig.source}
-            test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.password}' ||
-            printf 'bindpw %s\n' "$(cat '${cfg.bind.password}')"
-            test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpw}' ||
-            printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpw}')"
+            cat ${nslcdConfig}
+            test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' ||
+            printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')"
+            test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' ||
+            printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')"
           } >"$conf"
-          mv -fT "$conf" /etc/nslcd.conf
+          mv -fT "$conf" /run/nslcd/nslcd.conf
         '';
-
-        # NOTE: because one cannot pass a custom config path to `nslcd`
-        # (which is only able to use `/etc/nslcd.conf`)
-        # changes in `nslcdConfig` won't change `serviceConfig`,
-        # and thus won't restart `nslcd`.
-        # Therefore `restartTriggers` is used on `/etc/nslcd.conf`.
-        restartTriggers = [ nslcdConfig.source ];
+        restartTriggers = [ "/run/nslcd/nslcd.conf" ];
 
         serviceConfig = {
-          ExecStart = "${nss_pam_ldapd}/sbin/nslcd";
+          ExecStart = "${nslcdWrapped}/bin/nslcd";
           Type = "forking";
-          PIDFile = "/run/nslcd/nslcd.pid";
           Restart = "always";
+          User = "nslcd";
+          Group = "nslcd";
           RuntimeDirectory = [ "nslcd" ];
+          PIDFile = "/run/nslcd/nslcd.pid";
         };
       };
 
     };
 
   };
+
+  imports =
+    [ (mkRenamedOptionModule [ "users" "ldap" "bind" "password"] [ "users" "ldap" "bind" "passwordFile"])
+    ];
 }
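Review bot: With `User = "nslcd"` now set, preStart appears to run as the nslcd user as well, yet `test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' ||` only checks existence: a password file that exists but is readable by root only (the case the release note in this commit warns about) passes the test, the `cat` inside the substitution fails without aborting the script, and `bindpw ` with an empty value is written to /run/nslcd/nslcd.conf. Using `-r` instead of `-f` on that line and on the `rootpwmodpwFile` test two lines below makes an unreadable secret skip the directive like a missing one, and a comment `# files must be readable by the nslcd user: preStart runs unprivileged` above the block would record why. Separately, `restartTriggers = [ "/run/nslcd/nslcd.conf" ]` is a constant string and cannot change between generations; the restart on config change now comes from `${nslcdConfig}` being embedded in preStart, so either drop the entry or comment that it is intentionally inert.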
diff --git a/nixos/tests/ldap.nix b/nixos/tests/ldap.nix
index b3fd42e7588..fe859876ed2 100644
--- a/nixos/tests/ldap.nix
+++ b/nixos/tests/ldap.nix
@@ -28,20 +28,19 @@ let
       users.ldap.daemon = {
         enable = useDaemon;
         rootpwmoddn = "cn=admin,${dbSuffix}";
-        rootpwmodpw = "/etc/nslcd.rootpwmodpw";
+        rootpwmodpwFile = "/etc/nslcd.rootpwmodpw";
       };
-      # NOTE: password stored in clear in Nix's store, but this is a test.
-      environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd;
       users.ldap.loginPam = true;
       users.ldap.nsswitch = true;
       users.ldap.server = "ldap://server";
       users.ldap.base = "ou=posix,${dbSuffix}";
       users.ldap.bind = {
         distinguishedName = "cn=admin,${dbSuffix}";
-        password = "/etc/ldap/bind.password";
+        passwordFile = "/etc/ldap/bind.password";
       };
-      # NOTE: password stored in clear in Nix's store, but this is a test.
+      # NOTE: passwords stored in clear in Nix's store, but this is a test.
       environment.etc."ldap/bind.password".source = pkgs.writeText "password" dbAdminPwd;
+      environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd;
     };
 in
 
diff --git a/pkgs/development/python-modules/nevow/default.nix b/pkgs/development/python-modules/nevow/default.nix
index 1adfe13dd13..fa11ab3fb90 100644
--- a/pkgs/development/python-modules/nevow/default.nix
+++ b/pkgs/development/python-modules/nevow/default.nix
@@ -12,6 +12,8 @@ buildPythonPackage rec {
 
   propagatedBuildInputs = [ twisted ];
 
+  checkInputs = [ twisted ];
+
   checkPhase = ''
     trial formless nevow
   '';
diff --git a/pkgs/development/r-modules/default.nix b/pkgs/development/r-modules/default.nix
index 2b2d17eb2e8..5d8d7d56225 100644
--- a/pkgs/development/r-modules/default.nix
+++ b/pkgs/development/r-modules/default.nix
@@ -424,7 +424,6 @@ let
     showtext = [ pkgs.pkgconfig ];
     spate = [ pkgs.pkgconfig ];
     stringi = [ pkgs.pkgconfig ];
-    sys = [ pkgs.libapparmor ];
     sysfonts = [ pkgs.pkgconfig ];
     tesseract = [ pkgs.pkgconfig ];
     Cairo = [ pkgs.pkgconfig ];
diff --git a/pkgs/development/tools/build-managers/scons/default.nix b/pkgs/development/tools/build-managers/scons/default.nix
index 2d0bf244370..ce15de8678d 100644
--- a/pkgs/development/tools/build-managers/scons/default.nix
+++ b/pkgs/development/tools/build-managers/scons/default.nix
@@ -8,7 +8,7 @@ in {
     sha256 = "0wzid419mlwqw9llrg8gsx4nkzhqy16m4m40r0xnh6cwscw5wir4";
   };
   scons_latest = mkScons {
-    version = "3.0.4";
-    sha256 = "06lv3pmdz5l23rx3kqsi1k712bdl36i942hgbjh209s94mpb7f72";
+    version = "3.0.5";
+    sha256 = "0gn7fgxvx94bjm4cim29cdz91ar1rmfxk2f39wwgljvdvhinyryz";
   };
 }
diff --git a/pkgs/servers/mail/dovecot/default.nix b/pkgs/servers/mail/dovecot/default.nix
index 7528c4c8c03..802c6698df6 100644
--- a/pkgs/servers/mail/dovecot/default.nix
+++ b/pkgs/servers/mail/dovecot/default.nix
@@ -9,7 +9,7 @@
 }:
 
 stdenv.mkDerivation rec {
-  name = "dovecot-2.3.5";
+  name = "dovecot-2.3.5.1";
 
   nativeBuildInputs = [ perl pkgconfig ];
   buildInputs =
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://dovecot.org/releases/2.3/${name}.tar.gz";
-    sha256 = "1zxa9banams9nmk99sf1rqahr11cdqxhwi7hyz3ddxqidpn15qdz";
+    sha256 = "0gy3qzwbp6zsyn44pcfq8iiv9iy9q7z6py30h60alb1vkr3rv3yp";
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/tools/networking/p2p/tahoe-lafs/default.nix b/pkgs/tools/networking/p2p/tahoe-lafs/default.nix
index 6d4c77d5198..3e9d1f9f5f7 100644
--- a/pkgs/tools/networking/p2p/tahoe-lafs/default.nix
+++ b/pkgs/tools/networking/p2p/tahoe-lafs/default.nix
@@ -59,7 +59,7 @@ pythonPackages.buildPythonApplication rec {
     service-identity pyyaml magic-wormhole treq
   ];
 
-  checkInputs = with pythonPackages; [ hypothesis ];
+  checkInputs = with pythonPackages; [ hypothesis twisted ];
 
   # Install the documentation.
   postInstall = ''