1 { lib, pkgs, config, ... }:
3 cfg = config.myServices.ssh;
6 options.myServices.ssh = let
7 module = lib.types.submodule {
9 snippet = lib.mkOption {
10 type = lib.types.lines;
15 dependencies = lib.mkOption {
16 type = lib.types.listOf lib.types.package;
19 Dependencies of the package
25 predefinedModules = lib.mkOption {
26 type = lib.types.attrsOf module;
29 snippet = builtins.readFile ./ldap_regular.sh;
37 modules = lib.mkOption {
38 type = lib.types.listOf module;
41 List of modules to enable
46 networking.firewall.allowedTCPPorts = [ 22 ];
47 } // (lib.mkIf (builtins.length cfg.modules > 0) {
49 services.openssh.extraConfig = ''
50 AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
51 AuthorizedKeysCommandUser nobody
54 secrets.keys."ssh-ldap" = {
58 text = config.myEnv.sshd.ldap.password;
60 system.activationScripts.sshd = {
63 install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
66 # ssh is strict about the parent directory having the correct permissions;
67 # don't move this file into the nix store.
68 environment.etc."ssh/ldap_authorized_keys" = let
69 deps = lib.lists.unique (
70 [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
71 ++ lib.flatten (map (v: v.dependencies) cfg.modules)
73 fullScript = pkgs.runCommand "ldap_authorized_keys" {
74 snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
76 substituteAll ${./ldap_authorized_keys.sh} $out
79 ldap_authorized_keys = pkgs.runCommand "ldap_authorized_keys" {
80 buildInputs = [ pkgs.makeWrapper ];
82 makeWrapper "${fullScript}" "$out" --prefix PATH : ${lib.makeBinPath deps}
88 source = ldap_authorized_keys;