-rw-r--r-- | cokiki.hs | 16 | ||||
-rw-r--r-- | lib/Kiki.hs | 9 |
2 files changed, 23 insertions, 2 deletions
@@ -132,17 +132,29 @@ sshServer uid root cmn = whenRoot uid root cmn $ do | |||
132 | Kiki.importAndRefresh root cmn | 132 | Kiki.importAndRefresh root cmn |
133 | 133 | ||
134 | strongswan uid root cmn = whenRoot uid root cmn $ do | 134 | strongswan uid root cmn = whenRoot uid root cmn $ do |
135 | -- (1) /etc/ipsec.conf <-- 'include /var/cache/kiki/config/ipsec.conf' | ||
135 | -- Parsing as if ssh config, that's not right, but good enough for now. | 136 | -- Parsing as if ssh config, that's not right, but good enough for now. |
136 | ipsecconf <- parseSshConfig . fromMaybe "" <$> maybeReadFile (root "/etc/ipsec.conf") | 137 | ipsecconf <- parseSshConfig . fromMaybe "" <$> maybeReadFile (root "/etc/ipsec.conf") |
137 | let p:gs = groupBy (\_ d -> not $ sshIsDirective "include" d) $ ["#"]:ipsecconf | 138 | let p:gs = groupBy (\_ d -> not $ sshIsDirective "include" d) $ ["#"]:ipsecconf |
138 | got = filter (\(d:ds) -> elem "/var/cache/kiki/config/ipsec.conf" d) gs | 139 | got = filter (\(d:ds) -> elem "/var/cache/kiki/config/ipsec.conf" d) gs |
139 | case got of | 140 | case got of |
140 | _:_ -> do hPutStrLn stderr "ipsec already configured." | 141 | _:_ -> do hPutStrLn stderr "ipsec.conf already configured." |
141 | [] -> do let ipsecconf' = drop 1 $ ipsecconf ++ [stmt] | 142 | [] -> do let ipsecconf' = drop 1 $ ipsecconf ++ [stmt] |
142 | stmt = ["include", " ", "/var/cache/kiki/config/ipsec.conf"] | 143 | stmt = ["include", " ", "/var/cache/kiki/config/ipsec.conf"] |
143 | hPutStrLn stderr "adding include directive" | 144 | hPutStrLn stderr "adding include directive" |
144 | myWriteFile (root "/etc/ipsec.conf") $ unparseSshConfig ipsecconf' | 145 | myWriteFile (root "/etc/ipsec.conf") $ unparseSshConfig ipsecconf' |
145 | -- etc/ipsec.conf <-- 'include /var/cache/kiki/ipsec.conf' | 146 | |
147 | -- (2) /etc/ipsec.secrets/ <- include /var/cache/kiki/config/ipsec.secrets | ||
148 | -- Parsing as if ssh config, that's not right, but good enough for now. | ||
149 | ipsecconf <- parseSshConfig . fromMaybe "" <$> maybeReadFile (root "/etc/ipsec.secrets") | ||
150 | let p:gs = groupBy (\_ d -> not $ sshIsDirective "include" d) $ ["#"]:ipsecconf | ||
151 | got = filter (\(d:ds) -> elem "/var/cache/kiki/config/ipsec.secrets" d) gs | ||
152 | case got of | ||
153 | _:_ -> do hPutStrLn stderr "ipsec.secrets already configured." | ||
154 | [] -> do let ipsecconf' = drop 1 $ ipsecconf ++ [stmt] | ||
155 | stmt = ["include", " ", "/var/cache/kiki/config/ipsec.secrets"] | ||
156 | hPutStrLn stderr "adding include directive" | ||
157 | myWriteFile (root "/etc/ipsec.secrets") $ unparseSshConfig ipsecconf' | ||
146 | Kiki.importAndRefresh root cmn | 158 | Kiki.importAndRefresh root cmn |
147 | 159 | ||
148 | configureTor uid root cmn = whenRoot uid root cmn $ do | 160 | configureTor uid root cmn = whenRoot uid root cmn $ do |
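--- a/lib/Kiki.hs
+++ b/lib/Kiki.hs
@@ -271,6 +271,10 @@ refreshCache rt rootdir = do
 wr f bs
 write = write' writeFile
 writeL = write' L.writeFile
+writeL077 f bs = do
+old_umask <- setFileCreationMask 0o077
+writeL f bs
+setFileCreationMask old_umask
 
 let names = do wk <- rtWorkingKey rt
 -- XXX unnecessary signature check
@@ -313,6 +317,11 @@ refreshCache rt rootdir = do
 (mkpath "ipsec.d/private/" ++ Char8.unpack oname++".pem")
 "missing ipsec key?"
 
+-- TODO: probably we should add multiple entries for the case that there
+-- are multiple secret master-keys each with distinct tor and ipsec keys.
+writeL077 (mkpath "ipsec.secrets")
+$ ": RSA /var/cache/kiki/config/ipsec.d/private/" <> oname <> ".pem"
+
 writeSecret "ssh-client"
 (mkpath "root/.ssh/id_rsa")
 "missing ssh-client key?"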
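Review bot: writeL077 in the first hunk (new lines 274–277) restores the umask only on the success path; if writeL throws, the process keeps umask 0o077 for every later file creation in refreshCache and anything after it. Writing it as `writeL077 f bs = bracket (setFileCreationMask 0o077) setFileCreationMask (\_ -> writeL f bs)` (bracket from Control.Exception, if not already imported) restores it on exceptions too; the umask is process-wide, so any concurrent thread creating files during the write is narrowed as well. Note also that umask only applies when the file is created: if the ipsec.secrets written in the second hunk (new lines 320–323) already exists with a wider mode from an earlier run, writeL presumably truncates it in place and its mode is unchanged, so an explicit `setFileMode f 0o600` after the write, or a comment stating that the cache directory itself is expected to be 0700, would close that gap. refreshCache begins before the first hunk and continues after the second.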