{ lib, pkgs, config, mylibs, myconfig, ... }:
let
  # The key-lookup script, wrapped with the tools it calls.
  # NOTE(review): mylibs.wrap presumably exposes `paths` on the script's
  # PATH so it never depends on sshd's environment — verify in mylibs.
  ldapAuthorizedKeys = mylibs.wrap {
    name = "ldap_authorized_keys";
    file = ./ldap_authorized_keys.sh;
    paths = [
      pkgs.which
      pkgs.gitolite
      pkgs.openldap
      pkgs.stdenv.shellPackage
      pkgs.gnugrep
      pkgs.gnused
      pkgs.coreutils
    ];
  };
in
{
  config = {
    networking.firewall.allowedTCPPorts = [ 22 ];

    # sshd asks the LDAP lookup command for a user's public keys; the
    # command itself runs under the unprivileged `nobody` account.
    services.openssh.extraConfig = ''
      AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
      AuthorizedKeysCommandUser nobody
    '';

    # LDAP bind password handed to the mySecrets machinery, readable only
    # by the account the lookup command runs as.
    # NOTE(review): `nobody` is a shared account, so every other process
    # running as nobody can read this password as well; a dedicated system
    # user for the lookup command would narrow that — confirm before changing.
    mySecrets.keys = [{
      dest = "ssh-ldap";
      user = "nobody";
      group = "nogroup";
      permissions = "0400";
      text = myconfig.env.sshd.ldap.password;
    }];

    # Place the deployed secret where the lookup script expects it, with
    # the same owner/mode as above. Ordered after the "secrets" activation
    # step so the source file exists (presumably mySecrets writes it under
    # /var/secrets/<dest> — verify against the mySecrets implementation).
    system.activationScripts.sshd = {
      deps = [ "secrets" ];
      text = ''
        install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
      '';
    };

    # ssh is strict about parent directory having correct rights, don't
    # move it in the nix store. Setting an explicit mode/user makes NixOS
    # copy the file into /etc instead of symlinking it to the store.
    environment.etc."ssh/ldap_authorized_keys" = {
      enable = true;
      user = "root";
      mode = "0755";
      source = ldapAuthorizedKeys;
    };
  };
}