]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - nixops/modules/ssh/ldap_authorized_keys.sh
projects / perso / Immae / Config / Nix.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Move rest of the modules outside of nixops
[perso/Immae/Config/Nix.git] / nixops / modules / ssh / ldap_authorized_keys.sh
diff --git a/nixops/modules/ssh/ldap_authorized_keys.sh b/nixops/modules/ssh/ldap_authorized_keys.sh
deleted file mode 100755 (executable)
index d556452..0000000
--- a/nixops/modules/ssh/ldap_authorized_keys.sh
+++ /dev/null
@@ -1,152 +0,0 @@
-#!/usr/bin/env bash
-
-LDAPSEARCH=ldapsearch
-KEY="immaeSshKey"
-LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
-LDAP_PASS=$(cat /etc/ssh/ldap_password)
-LDAP_HOST="ldap.immae.eu"
-LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
-LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
-LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
-LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
-LDAP_BASE="dc=immae,dc=eu"
-GITOLITE_SHELL=$(which gitolite-shell)
-ECHO=$(which echo)
-
-suitable_for() {
-  type_for="$1"
-  key="$2"
-
-  if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
-    echo "$key"
-  else
-    key_type=$(cut -d " " -f 1 <<< "$key")
-
-    if grep -q "\b-$type_for\b" <<< "$key_type"; then
-      echo ""
-    elif grep -q "\b$type_for\b" <<< "$key_type"; then
-      echo $(sed -e "s/^[^ ]* //g" <<< "$key")
-    else
-      echo ""
-    fi
-  fi
-}
-
-clean_key_line() {
-  type_for="$1"
-  line="$2"
-
-  if [[ "$line" == $KEY::* ]]; then
-    # base64 keys should't happen, unless wrong copy-pasting
-    key=""
-  else
-    key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line")
-  fi
-
-  suitable_for "$type_for" "$key"
-}
-
-ldap_search() {
-  $LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@"
-}
-
-ldap_keys() {
-  user=$1;
-  if [[ $user == gitolite ]]; then
-    ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \
-      while read line ;
-      do
-        if [ ! -z "$line" ]; then
-          if [[ $line == dn* ]]; then
-            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
-            if [ -n "$user" ]; then
-              if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then
-                # Capitalize first letter (backward compatibility)
-                user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user")
-              fi
-            else
-              # Service fake user
-              user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line")
-            fi
-          elif [[ $line == $KEY* ]]; then
-            key=$(clean_key_line git "$line")
-            if [ ! -z "$key" ]; then
-              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
-                echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
-                echo $key
-              fi
-            fi
-          fi
-        fi
-      done
-    exit 0
-  elif [[ $user == pub ]]; then
-    ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \
-      while read line ;
-      do
-        if [ ! -z "$line" ]; then
-          if [[ $line == dn* ]]; then
-            echo ""
-            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
-            echo "# $user"
-          elif [[ $line == $KEY* ]]; then
-            key=$(clean_key_line pub "$line")
-            key_forward=$(clean_key_line forward "$line")
-            if [ ! -z "$key" ]; then
-              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
-                echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
-                echo $key
-              fi
-            elif [ ! -z "$key_forward" ]; then
-              if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then
-                echo "# forward only"
-                echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
-                echo $key_forward
-              fi
-            fi
-          fi
-        fi
-      done
-
-    echo ""
-    ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \
-      while read line ;
-      do
-        if [ ! -z "$line" ]; then
-          if [[ $line == dn* ]]; then
-            echo ""
-            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
-            echo "# $user"
-          elif [[ $line == $KEY* ]]; then
-            key=$(clean_key_line forward "$line")
-            if [ ! -z "$key" ]; then
-              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
-                echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
-                echo $key
-              fi
-            fi
-          fi
-        fi
-      done
-    exit 0
-  else
-    ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \
-      while read line ;
-      do
-        if [ ! -z "$line" ]; then
-          if [[ $line == dn* ]]; then
-            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
-          elif [[ $line == $KEY* ]]; then
-            key=$(clean_key_line ssh "$line")
-            if [ ! -z "$key" ]; then
-              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
-                echo $key
-              fi
-            fi
-          fi
-        fi
-      done
-  fi
-}
-
-ldap_keys $@
My infrastructure configuration