-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
+let
+ cfg = config.myServices.ssh;
+in
{
+ options.myServices.ssh = let
+ module = lib.types.submodule {
+ options = {
+ snippet = lib.mkOption {
+ type = lib.types.lines;
+ description = ''
+ Snippet to use
+ '';
+ };
+ dependencies = lib.mkOption {
+ type = lib.types.listOf lib.types.package;
+ default = [];
+ description = ''
+ Dependencies of the package
+ '';
+ };
+ };
+ };
+ in {
+ predefinedModules = lib.mkOption {
+ type = lib.types.attrsOf module;
+ default = {
+ regular = {
+ snippet = builtins.readFile ./ldap_regular.sh;
+ };
+ };
+ readOnly = true;
+ description = ''
+ Predefined modules
+ '';
+ };
+ modules = lib.mkOption {
+ type = lib.types.listOf module;
+ default = [];
+ description = ''
+ List of modules to enable
+ '';
+ };
+ };
config = {
networking.firewall.allowedTCPPorts = [ 22 ];
+ } // (lib.mkIf (builtins.length cfg.modules > 0) {
services.openssh.extraConfig = ''
AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
user = "nobody";
group = "nogroup";
permissions = "0400";
- text = myconfig.env.sshd.ldap.password;
+ text = config.myEnv.sshd.ldap.password;
}];
system.activationScripts.sshd = {
deps = [ "secrets" ];
# ssh is strict about parent directory having correct rights, don't
# move it in the nix store.
environment.etc."ssh/ldap_authorized_keys" = let
+ deps = lib.lists.unique (
+ [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
+ ++ lib.flatten (map (v: v.dependencies) cfg.modules)
+ );
+ fullScript = pkgs.runCommand "ldap_authorized_keys" {
+ snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
+ } ''
+ substituteAll ${./ldap_authorized_keys.sh} $out
+ chmod a+x $out
+ '';
ldap_authorized_keys =
pkgs.mylibs.wrap {
name = "ldap_authorized_keys";
- file = ./ldap_authorized_keys.sh;
- paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+ file = fullScript;
+ paths = deps;
};
in {
enable = true;
user = "root";
source = ldap_authorized_keys;
};
- };
+ });
}
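Review bot: The closing `});` at L86 pairs with `} // (lib.mkIf (builtins.length cfg.modules > 0) {` at L48, and joining a plain attribute set to a `lib.mkIf` result with `//` yields an attrset that itself carries `_type = "if"`, so the module system treats the entire `config` value as the conditional and only keeps what is under `content` — `networking.firewall.allowedTCPPorts = [ 22 ];` is silently dropped whether or not any module is enabled. The fix is to use a merge instead of `//`: change the opening `config = {` (in an earlier hunk) to `config = lib.mkMerge [ {`, L48 to `} (lib.mkIf (builtins.length cfg.modules > 0) {`, and L86 to `}) ];`. Separately, the new `deps` list at L63 no longer contains `pkgs.gitolite`, which the old `paths` at L76 had, and the default `regular` predefined module declares no `dependencies`; if ldap_regular.sh or ldap_authorized_keys.sh still calls gitolite it will be missing from the wrapped PATH and should be declared as `dependencies = [ pkgs.gitolite ];` on that module.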