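# NixOS module: sshd public-key lookup from LDAP via AuthorizedKeysCommand.
#
# Consumers append entries to `myServices.ssh.modules`; each entry is a shell
# snippet (plus the packages it needs on PATH) that is spliced into
# ./ldap_authorized_keys.sh at build time.  The rendered script is installed
# under /etc/ssh and sshd runs it as `AuthorizedKeysCommandUser`.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.ssh;
in
{
  options.myServices.ssh = let
    # One lookup snippet together with the packages it must find on PATH.
    module = lib.types.submodule {
      options = {
        snippet = lib.mkOption {
          type = lib.types.lines;
          description = ''
            Snippet to use
          '';
        };
        dependencies = lib.mkOption {
          type = lib.types.listOf lib.types.package;
          default = [];
          description = ''
            Dependencies of the package
          '';
        };
      };
    };
  in {
    predefinedModules = lib.mkOption {
      type = lib.types.attrsOf module;
      default = {
        regular = {
          snippet = builtins.readFile ./ldap_regular.sh;
        };
      };
      readOnly = true;
      description = ''
        Predefined modules
      '';
    };
    modules = lib.mkOption {
      type = lib.types.listOf module;
      default = [];
      description = ''
        List of modules to enable
      '';
    };
  };

  # Do not combine a plain attrset with `lib.mkIf` using `//`: mkIf yields
  # `{ _type = "if"; condition; content; }` and the module system then only
  # reads `content`, so a sibling key such as the firewall rule below is
  # silently dropped.  mkMerge keeps both parts.
  config = lib.mkMerge [
    {
      networking.firewall.allowedTCPPorts = [ 22 ];
    }
    (lib.mkIf (builtins.length cfg.modules > 0) {
      # sshd calls the helper as an unprivileged user for every login attempt.
      services.openssh.extraConfig = ''
        AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
        AuthorizedKeysCommandUser nobody
      '';

      # LDAP bind password, placed outside the nix store by the secrets module.
      # NOTE(review): `nobody` is shared with any other unprivileged daemon on
      # the host, and each of them can read this 0400 file.  A dedicated
      # system user (used for both the file owner and AuthorizedKeysCommandUser)
      # would confine the password — confirm nothing else runs as nobody before
      # keeping this.
      secrets.keys = [{
        dest = "ssh-ldap";
        user = "nobody";
        group = "nogroup";
        permissions = "0400";
        text = config.myEnv.sshd.ldap.password;
      }];
      # Copy the secret to the fixed path the script reads; ordered after the
      # "secrets" activation step so /var/secrets/ssh-ldap already exists.
      system.activationScripts.sshd = {
        deps = [ "secrets" ];
        text = ''
          install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
        '';
      };
      # ssh is strict about parent directory having correct rights, don't
      # move it in the nix store.
      environment.etc."ssh/ldap_authorized_keys" = let
        # Tools the template itself calls, plus whatever each snippet declares.
        deps = lib.lists.unique (
          [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
          ++ lib.flatten (map (v: v.dependencies) cfg.modules)
        );
        # Splice the enabled snippets into the template: substituteAll replaces
        # `@snippets@` with the `snippets` environment variable set here.
        fullScript = pkgs.runCommand "ldap_authorized_keys" {
          snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
        } ''
          substituteAll ${./ldap_authorized_keys.sh} $out
          chmod a+x $out
        '';
        # Wrap the script with `deps` on PATH so it does not depend on the
        # environment sshd happens to run it in.
        ldap_authorized_keys =
          pkgs.mylibs.wrap {
            name = "ldap_authorized_keys";
            file = fullScript;
            paths = deps;
          };
      in {
        enable = true;
        # root-owned and not writable by anyone else, as sshd requires for
        # an AuthorizedKeysCommand.
        mode = "0755";
        user = "root";
        source = ldap_authorized_keys;
      };
    })
  ];
}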