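{ lib, pkgs, config, ... }:
# SSH module: opens the SSH port and, when at least one module is enabled,
# installs an AuthorizedKeysCommand that looks public keys up in LDAP.
#
# Security notes (review):
# - The AuthorizedKeysCommand runs as `nobody`, and the LDAP bind password is
#   installed at /etc/ssh/ldap_password readable only by `nobody`.  `nobody`
#   is a shared account, so any other process running as `nobody` can read
#   that password.  OpenSSH recommends a dedicated user with no other role on
#   the host for AuthorizedKeysCommandUser; consider switching to one (the
#   secret owner, the `install -o/-g` below and the sshd_config line must then
#   all change together).
# - The password value comes from config.myEnv.sshd.ldap.password and is
#   handed to the `secrets` module; confirm that module keeps it out of the
#   world-readable Nix store.
let
  cfg = config.myServices.ssh;
in
{
  options.myServices.ssh = let
    # One "module" is a shell snippet appended to ldap_authorized_keys.sh,
    # plus the packages that snippet needs on PATH.
    module = lib.types.submodule {
      options = {
        snippet = lib.mkOption {
          type = lib.types.lines;
          description = ''
            Shell snippet appended to the LDAP authorized-keys script.
          '';
        };
        dependencies = lib.mkOption {
          type = lib.types.listOf lib.types.package;
          default = [];
          description = ''
            Packages the snippet needs; their bin/ directories are put on
            PATH when the script runs.
          '';
        };
      };
    };
  in {
    predefinedModules = lib.mkOption {
      type = lib.types.attrsOf module;
      default = {
        regular = {
          snippet = builtins.readFile ./ldap_regular.sh;
        };
      };
      readOnly = true;
      description = ''
        Predefined modules, to be referenced from `modules`.
      '';
    };
    modules = lib.mkOption {
      type = lib.types.listOf module;
      default = [];
      description = ''
        List of modules to enable. When empty, only the firewall rule is
        applied and no AuthorizedKeysCommand is configured.
      '';
    };
  };

  # The conditional part is combined with lib.mkMerge.  Merging a plain
  # attrset into the result of lib.mkIf with `//` produces an attrset whose
  # `_type = "if"`; the module system then only reads its `condition` and
  # `content` and silently drops every other attribute (here the firewall
  # rule), so the previous `{ ... } // (lib.mkIf ...)` form did not open the
  # port.
  config = lib.mkMerge [
    {
      # NOTE(review): hard-coded; keep in sync with services.openssh.ports
      # (or use services.openssh.openFirewall where available).
      networking.firewall.allowedTCPPorts = [ 22 ];
    }
    (lib.mkIf (builtins.length cfg.modules > 0) {
      # sshd requires the command to be owned by root and not writable by
      # group/others; see the environment.etc entry below for how the file
      # is installed.
      services.openssh.extraConfig = ''
        AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
        AuthorizedKeysCommandUser nobody
      '';

      # LDAP bind password, readable only by the AuthorizedKeysCommand user.
      secrets.keys."ssh-ldap" = {
        user = "nobody";
        group = "nogroup";
        permissions = "0400";
        text = config.myEnv.sshd.ldap.password;
      };

      # Copy the deployed secret to the fixed path the script reads.
      # Ordered after the "secrets" activation script so the source exists.
      system.activationScripts.sshd = {
        deps = [ "secrets" ];
        text = ''
          install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
        '';
      };

      # sshd is strict about the command's parent directory permissions, so
      # the wrapper is installed into /etc/ssh as a real root-owned file
      # (an explicit `mode` makes environment.etc copy rather than symlink)
      # instead of pointing into the nix store.
      environment.etc."ssh/ldap_authorized_keys" = let
        # Tools the base script needs, plus whatever the enabled modules ask for.
        deps = lib.lists.unique (
          [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
          ++ lib.flatten (map (v: v.dependencies) cfg.modules)
        );
        # Base script with the enabled snippets substituted in by
        # substituteAll (exposed to it as the `snippets` variable).
        fullScript = pkgs.runCommand "ldap_authorized_keys" {
          snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
        } ''
          substituteAll ${./ldap_authorized_keys.sh} $out
          chmod a+x $out
        '';
        # Wrapper that prepends `deps` to PATH before running the script.
        ldap_authorized_keys = pkgs.runCommand "ldap_authorized_keys" {
          buildInputs = [ pkgs.makeWrapper ];
        } ''
          makeWrapper "${fullScript}" "$out" --prefix PATH : ${lib.makeBinPath deps}
        '';
      in {
        enable = true;
        mode = "0755";
        user = "root";
        source = ldap_authorized_keys;
      };
    })
  ];
}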