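# NixOS module: LDAP-backed public-key lookup for sshd.
#
# `modules` is a list of shell snippets (plus the packages they need on
# PATH) that are assembled into one AuthorizedKeysCommand script;
# `predefinedModules` is a read-only catalogue of ready-made snippets.
# Everything inside the mkIf is only emitted when at least one module is
# enabled.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.ssh;
in
{
  options.myServices.ssh = let
    # One module = a shell snippet plus the packages it needs on PATH.
    module = lib.types.submodule {
      options = {
        snippet = lib.mkOption {
          type = lib.types.lines;
          description = ''
            Snippet to use
          '';
        };
        dependencies = lib.mkOption {
          type = lib.types.listOf lib.types.package;
          default = [];
          description = ''
            Dependencies of the package
          '';
        };
      };
    };
  in {
    predefinedModules = lib.mkOption {
      type = lib.types.attrsOf module;
      default = {
        regular = {
          snippet = builtins.readFile ./ldap_regular.sh;
        };
      };
      readOnly = true;
      description = ''
        Predefined modules
      '';
    };
    modules = lib.mkOption {
      type = lib.types.listOf module;
      default = [];
      description = ''
        List of modules to enable
      '';
    };
  };

  # lib.mkIf returns a tagged attribute set ({ _type = "if"; condition; content }).
  # Merging it with `//` hoists those tags to the top of `config`, so the
  # module system treats the whole set as conditional and the unconditional
  # firewall entry beside it is silently discarded.  mkMerge keeps both parts.
  config = lib.mkMerge [
    {
      networking.firewall.allowedTCPPorts = [ 22 ];
    }
    (lib.mkIf (cfg.modules != []) {
      # sshd runs the lookup command as `nobody`, so the bind password below
      # has to be readable by that account.  `nobody` is a shared unprivileged
      # account: any other process running as it can read /etc/ssh/ldap_password.
      # A dedicated AuthorizedKeysCommandUser would narrow that exposure.
      services.openssh.extraConfig = ''
        AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
        AuthorizedKeysCommandUser nobody
      '';

      # LDAP bind password, provisioned through the project's `secrets`
      # module (presumably written outside the nix store — verify against
      # that module, since anything in the store is world-readable).
      secrets.keys."ssh-ldap" = {
        user = "nobody";
        group = "nogroup";
        permissions = "0400";
        text = config.myEnv.sshd.ldap.password;
      };
      # Copy the materialised secret to the fixed path the lookup script is
      # expected to read; runs after the "secrets" activation step so the
      # source exists.  Owner/mode mirror the secret's own permissions.
      system.activationScripts.sshd = {
        deps = [ "secrets" ];
        text = ''
          install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
        '';
      };
      # ssh is strict about parent directory having correct rights, don't
      # move it in the nix store.
      # (sshd refuses an AuthorizedKeysCommand that is not root-owned or is
      # group/world-writable; the root-owned 0755 copy under /etc satisfies
      # that.)
      environment.etc."ssh/ldap_authorized_keys" = let
        # Base tools the script needs plus whatever the enabled modules ask for,
        # deduplicated before building the PATH prefix.
        deps = lib.lists.unique (
          [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
          ++ lib.flatten (map (v: v.dependencies) cfg.modules)
        );
        # Snippets are substituted into a store path, which is world-readable:
        # keep credentials out of snippets and read them from the secret file
        # at run time instead.
        fullScript = pkgs.runCommand "ldap_authorized_keys" {
          snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
        } ''
          substituteAll ${./ldap_authorized_keys.sh} $out
          chmod a+x $out
        '';
        # Wrapper pinning PATH so the script does not depend on sshd's
        # environment to find its tools.
        ldap_authorized_keys = pkgs.runCommand "ldap_authorized_keys" {
          buildInputs = [ pkgs.makeWrapper ];
        } ''
          makeWrapper "${fullScript}" "$out" --prefix PATH : ${lib.makeBinPath deps}
        '';
      in {
        enable = true;
        mode = "0755";
        user = "root";
        source = ldap_authorized_keys;
      };
    })
  ];
}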