X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;ds=sidebyside;f=nixops%2Fmodules%2Fssh%2Fdefault.nix;h=e8d606348bd41c41bf07c544ce730d3deba1d3ef;hb=1a7188052f235fb632700478fad0108e4306107d;hp=924f86e213427d18f9e16cc9298ebab2a1002c7f;hpb=ea7bf00c5af841b6f3980cb8d957daec5e609422;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix
index 924f86e..e8d6063 100644
--- a/nixops/modules/ssh/default.nix
+++ b/nixops/modules/ssh/default.nix
@@ -8,17 +8,19 @@
 AuthorizedKeysCommandUser nobody
 '';
- deployment.keys = {
- ssh-ldap = {
- user = "nobody";
- group = "nobody";
- permissions = "0400";
- text = myconfig.env.sshd.ldap.password;
- };
- };
- system.activationScripts.sshd = ''
- install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password
+ secrets.keys = [{
+ dest = "ssh-ldap";
+ user = "nobody";
+ group = "nogroup";
+ permissions = "0400";
+ text = myconfig.env.sshd.ldap.password;
+ }];
+ system.activationScripts.sshd = {
+ deps = [ "secrets" ];
+ text = ''
+ install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
 '';
+ };
 # ssh is strict about parent directory having correct rights, don't
 # move it in the nix store.
 environment.etc."ssh/ldap_authorized_keys" = let
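Review bot: The LDAP bind password is still owned by and readable to `nobody` (`user = "nobody";` in `secrets.keys` and `-o nobody -g nogroup` in the activation script), an account that unrelated daemons commonly share, so any process running as `nobody` can read the credential. sshd_config(5) recommends a dedicated, single-purpose account for `AuthorizedKeysCommandUser`; consider creating one and using it in all three places, e.g. `user = "<dedicated-user>";` (placeholder name). The activation script also leaves a second copy of the secret at `/etc/ssh/ldap_password`; if the lookup command can read `/var/secrets/ssh-ldap` directly the copy could be dropped, though that script lies outside this hunk. The source moved from `/run/keys` to `/var/secrets`, and whether that path is on persistent storage (so the password now rests on disk across reboots) is not visible here and worth confirming.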