1 { lib, pkgs, config, mylibs, myconfig, ... }:
4 networking.firewall.allowedTCPPorts = [ 22 ];
6 services.openssh.extraConfig = ''
7 AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
8 AuthorizedKeysCommandUser nobody
16 text = myconfig.env.sshd.ldap.password;
19 system.activationScripts.sshd = ''
20 install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password
22 # sshd is strict about the parent directory of the AuthorizedKeysCommand
23 # having the correct ownership and permissions, so don't move this script into the Nix store.
24 environment.etc."ssh/ldap_authorized_keys" = let
25 ldap_authorized_keys =
27 name = "ldap_authorized_keys";
28 file = ./ldap_authorized_keys.sh;
29 paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
35 source = ldap_authorized_keys;