DGNum/infrastructure
9
5
Fork 3
Code Issues 31 Pull requests 30 Projects 1 Releases Packages Wiki Activity Actions

fix(ntfy/patch): use upstreamed HashedPassword
Some checks failed
Run pre-commit on all files / pre-commit (push) Successful in 33s
Details
Run pre-commit on all files / pre-commit (pull_request) Successful in 33s
Details
Check meta / check_dns (pull_request) Successful in 19s
Details
Check meta / check_meta (pull_request) Successful in 17s
Details
Check workflows / check_workflows (pull_request) Successful in 21s
Details
Build all the nodes / Jaccess01 (pull_request) Successful in 30s
Details
Build all the nodes / Jaccess04 (pull_request) Successful in 30s
Details
Build all the nodes / ap01 (pull_request) Successful in 57s
Details
Build all the nodes / bridge01 (pull_request) Successful in 1m23s
Details
Build all the nodes / cof02 (pull_request) Successful in 1m39s
Details
Build all the nodes / build01 (pull_request) Successful in 1m50s
Details
Build all the nodes / netcore01 (pull_request) Successful in 28s
Details
Build all the nodes / hypervisor02 (pull_request) Successful in 1m35s
Details
Build all the nodes / hypervisor01 (pull_request) Successful in 1m39s
Details
Build all the nodes / geo01 (pull_request) Successful in 1m46s
Details
Build all the nodes / geo02 (pull_request) Successful in 1m45s
Details
Build all the nodes / hypervisor03 (pull_request) Successful in 1m38s
Details
Build all the nodes / netcore02 (pull_request) Successful in 31s
Details
Build all the nodes / iso (pull_request) Successful in 1m50s
Details
Build all the nodes / compute01 (pull_request) Successful in 2m13s
Details
Build all the nodes / lab-router01 (pull_request) Successful in 1m15s
Details
Build the shell / build-shell (pull_request) Successful in 30s
Details
Build all the nodes / tower01 (pull_request) Successful in 1m11s
Details
Build all the nodes / krz01 (pull_request) Successful in 2m29s
Details
Build all the nodes / web02 (pull_request) Successful in 1m19s
Details
Build all the nodes / web01 (pull_request) Failing after 1m26s
Details
Build all the nodes / zulip01 (pull_request) Successful in 1m9s
Details
Build all the nodes / vault01 (pull_request) Successful in 1m32s
Details
Build all the nodes / rescue01 (pull_request) Successful in 1m44s
Details
Build all the nodes / web03 (pull_request) Successful in 1m14s
Details
Build all the nodes / storage01 (pull_request) Successful in 2m42s
Details

Browse source
This commit is contained in:
catvayor 2025-06-06 15:30:35 +02:00
parent 125c59b7f8
commit 43243b07c5
Signed by: lbailly
GPG key ID: CE3E645251AC63F3
5 changed files with 9 additions and 133 deletions
Download patch file Download diff file Expand all files Collapse all files

6
REUSE.toml generated
View file

@ -41,12 +41,6 @@ SPDX-License-Identifier = "EUPL-1.2"
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "patches/nixpkgs/02-action-validator.patch", "machines/nixos/vault01/k-radius/packages/04-request-dgsi-vlan.patch"] path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "patches/nixpkgs/02-action-validator.patch", "machines/nixos/vault01/k-radius/packages/04-request-dgsi-vlan.patch"]
precedence = "closest" precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2025 Lubin Bailly <lubin.bailly@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/web01/ntfy-sh/hash-mgmt.patch"]
precedence = "closest"
[[annotations]] [[annotations]]
SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2025 Lubin Bailly <lubin.bailly@dgnum.eu>"] SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2025 Lubin Bailly <lubin.bailly@dgnum.eu>"]
SPDX-License-Identifier = "EUPL-1.2" SPDX-License-Identifier = "EUPL-1.2"

6
default.nix
View file

@ -151,12 +151,6 @@ let
]; ];
copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>"; copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
} }
{
path = [
"machines/nixos/web01/ntfy-sh/hash-mgmt.patch"
];
copyright = "2025 Lubin Bailly <lubin.bailly@dgnum.eu>";
}
{ {
path = [ path = [
"patches/nixpkgs/09-rename-autocreate-to-verify_bucket_exists.patch" "patches/nixpkgs/09-rename-autocreate-to-verify_bucket_exists.patch"

6
machines/nixos/web01/ntfy-sh/default.nix
View file

@ -32,7 +32,11 @@ in
nixpkgs.overlays = [ nixpkgs.overlays = [
(_: super: { (_: super: {
ntfy-sh = super.ntfy-sh.overrideAttrs (o: { ntfy-sh = super.ntfy-sh.overrideAttrs (o: {
patches = o.patches or [ ] ++ [ ./hash-mgmt.patch ]; patches = o.patches or [ ] ++ [
(super.fetchurl {
url = "https://github.com/binwiederhier/ntfy/pull/1340.patch";
})
];
}); });
}) })
]; ];

109
machines/nixos/web01/ntfy-sh/hash-mgmt.patch
View file

@ -1,109 +0,0 @@
From a14edcbb0f746baecd983c2bea06248ddeffe1d2 Mon Sep 17 00:00:00 2001
From: catvayor <catvayor@katvayor.net>
Date: Fri, 16 May 2025 18:18:19 +0200
Subject: [PATCH] feat(auth): allow to manage hashed password directly
---
cmd/user.go | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
user/manager.go | 13 +++++++++----
2 files changed, 57 insertions(+), 4 deletions(-)
diff --git a/cmd/user.go b/cmd/user.go
index af3afe54..8618fdc0 100644
--- a/cmd/user.go
+++ b/cmd/user.go
@@ -93,6 +93,26 @@ Example:
You may set the NTFY_PASSWORD environment variable to pass the new password. This is
useful if you are updating users via scripts.
+`,
+ },
+ {
+ Name: "change-pass-hash",
+ Aliases: []string{"chph"},
+ Usage: "Changes a user's password hash",
+ UsageText: "ntfy user change-pass USERNAME\nNTFY_PASSWORD=... ntfy user change-pass USERNAME",
+ Action: execUserChangePassHashed,
+ Description: `Change the password hash for the given user.
+
+The new password hash will be read from STDIN, and it'll be confirmed by typing
+it twice.
+
+Example:
+ ntfy user change-pass phil
+ NTFY_PASSWORD=.. ntfy user change-pass phil
+
+You may set the NTFY_PASSWORD environment variable to pass the new password hash. This is
+useful if you are updating users via scripts.
+
`,
},
{
@@ -256,6 +276,34 @@ func execUserChangePass(c *cli.Context) error {
return nil
}
+func execUserChangePassHashed(c *cli.Context) error {
+ username := c.Args().Get(0)
+ password := os.Getenv("NTFY_PASSWORD")
+ if username == "" {
+ return errors.New("username expected, type 'ntfy user change-pass --help' for help")
+ } else if username == userEveryone || username == user.Everyone {
+ return errors.New("username not allowed")
+ }
+ manager, err := createUserManager(c)
+ if err != nil {
+ return err
+ }
+ if _, err := manager.User(username); err == user.ErrUserNotFound {
+ return fmt.Errorf("user %s does not exist", username)
+ }
+ if password == "" {
+ password, err = readPasswordAndConfirm(c)
+ if err != nil {
+ return err
+ }
+ }
+ if err := manager.ChangePasswordHashed(username, []byte(password)); err != nil {
+ return err
+ }
+ fmt.Fprintf(c.App.ErrWriter, "changed password for user %s\n", username)
+ return nil
+}
+
func execUserChangeRole(c *cli.Context) error {
username := c.Args().Get(0)
role := user.Role(c.Args().Get(1))
diff --git a/user/manager.go b/user/manager.go
index 9f54625f..19f7be40 100644
--- a/user/manager.go
+++ b/user/manager.go
@@ -1191,16 +1191,21 @@ func (a *Manager) ReservationOwner(topic string) (string, error) {
return ownerUserID, nil
}
+// ChangePassword changes a user's password
+func (a *Manager) ChangePasswordHashed(username string, hash []byte) error {
+ if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {
+ return err
+ }
+ return nil
+}
+
// ChangePassword changes a user's password
func (a *Manager) ChangePassword(username, password string) error {
hash, err := bcrypt.GenerateFromPassword([]byte(password), a.bcryptCost)
if err != nil {
return err
}
- if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {
- return err
- }
- return nil
+ return a.ChangePasswordHashed(username, hash)
}
// ChangeRole changes a user's role. When a role is changed from RoleUser to RoleAdmin,
--
2.49.0

15
modules/nixos/ntfy-sh/ntfy-acl.py
View file

@ -17,27 +17,20 @@ def create_user(u: str, role: str, passwordFile: str, hashedPassword: str):
if passwordFile != None: if passwordFile != None:
with open(passwordFile) as pwd_fp: with open(passwordFile) as pwd_fp:
env = {"NTFY_PASSWORD": pwd_fp.read().strip()} env = {"NTFY_PASSWORD": pwd_fp.read().strip()}
ntfy("user", "add", f"--role={role}", u, env=env)
else: else:
env = {"NTFY_PASSWORD": hashedPassword} env = {"NTFY_PASSWORD_HASH": hashedPassword}
ntfy("user", "add", f"--role={role}", u, env=env) ntfy("user", "add", f"--role={role}", u, env=env)
# HACK: add does not supports hashedPassword entry
ntfy("user", "change-pass-hash", u, env=env)
def update_user(u: str, role: str, passwordFile: str, hashedPassword: str): def update_user(u: str, role: str, passwordFile: str, hashedPassword: str):
# Update the user with the required role and password # Update the user with the required role and password
if passwordFile != None: if passwordFile != None:
with open(passwordFile) as pwd_fp: with open(passwordFile) as pwd_fp:
env = {"NTFY_PASSWORD": pwd_fp.read().strip()} env = {"NTFY_PASSWORD": pwd_fp.read().strip()}
ntfy("user", "change-pass", u, env=env)
else: else:
env = {"NTFY_PASSWORD": hashedPassword} env = {"NTFY_PASSWORD_HASH": hashedPassword}
ntfy("user", "change-pass-hash", u, env=env)
ntfy("user", "change-pass", u, env=env)
ntfy("user", "change-role", u, role) ntfy("user", "change-role", u, role)