X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fssh%2Fdefault.nix;fp=modules%2Fprivate%2Fssh%2Fdefault.nix;h=beedaff594fd46550e857699f79da676af12d426;hb=8d213e2b1c934f6861f76aad5eb7c11097fa97de;hp=0000000000000000000000000000000000000000;hpb=a1a8649a2be768685eb04c246c114fce36b8096f;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix
new file mode 100644
index 0000000..beedaff
--- /dev/null
+++ b/modules/private/ssh/default.nix
@@ -0,0 +1,40 @@
+{ lib, pkgs, config, myconfig, ... }:
+{
+ config = {
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ services.openssh.extraConfig = ''
+ AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
+ AuthorizedKeysCommandUser nobody
+ '';
+
+ secrets.keys = [{
+ dest = "ssh-ldap";
+ user = "nobody";
+ group = "nogroup";
+ permissions = "0400";
+ text = myconfig.env.sshd.ldap.password;
+ }];
+ system.activationScripts.sshd = {
+ deps = [ "secrets" ];
+ text = ''
+ install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+ '';
+ };
+ # ssh is strict about parent directory having correct rights, don't
+ # move it in the nix store.
+ environment.etc."ssh/ldap_authorized_keys" = let
+ ldap_authorized_keys =
+ pkgs.mylibs.wrap {
+ name = "ldap_authorized_keys";
+ file = ./ldap_authorized_keys.sh;
+ paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+ };
+ in {
+ enable = true;
+ mode = "0755";
+ user = "root";
+ source = ldap_authorized_keys;
+ };
+ };
+}
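Review bot: The LDAP bind password is installed as `/etc/ssh/ldap_password` owned by `nobody` with mode 0400, and `AuthorizedKeysCommandUser nobody` runs the lookup as that same account; `nobody` is a shared account used by other unprivileged services, so any of them that is compromised can read the bind secret. OpenSSH's own guidance for AuthorizedKeysCommandUser is a dedicated user with no other role, so I would declare one via `users.users` and use it in the three places that currently name `nobody`/`nogroup` (the sshd_config line, the `secrets.keys` entry, and the `install -o … -g …` in the activation script). The script `ldap_authorized_keys.sh` is not in this hunk, so I am inferring from the matching owner that it reads `/etc/ssh/ldap_password`; if so, the owner of that file has to change in step with the sshd option. The `environment.etc` entry being root-owned and 0755 is correct for what sshd requires of the command path, so no change there.
```nix
    services.openssh.extraConfig = ''
      AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
      AuthorizedKeysCommandUser sshd-ldap
    '';
    # Dedicated account for the key lookup only ("sshd-ldap" is an
    # example name); nothing else should run as it.
    users.users.sshd-ldap = { isSystemUser = true; group = "sshd-ldap"; };
    users.groups.sshd-ldap = { };

    secrets.keys = [{
      dest = "ssh-ldap";
      user = "sshd-ldap";
      group = "sshd-ldap";
      permissions = "0400";
      text = myconfig.env.sshd.ldap.password;
    }];
    # … unchanged: system.activationScripts.sshd, except the install line …
        install -Dm400 -o sshd-ldap -g sshd-ldap -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
```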