X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fssh%2Fdefault.nix;h=ee5dda5c4eb32072ca03ca1df421dd918c223777;hb=fa25ffd4583cc362075cd5e1b4130f33306103f0;hp=beedaff594fd46550e857699f79da676af12d426;hpb=8d213e2b1c934f6861f76aad5eb7c11097fa97de;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix
index beedaff..ee5dda5 100644
--- a/modules/private/ssh/default.nix
+++ b/modules/private/ssh/default.nix
@@ -1,40 +1,91 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
+let
+ cfg = config.myServices.ssh;
+in {
+ options.myServices.ssh = let
+ module = lib.types.submodule {
+ options = {
+ snippet = lib.mkOption {
+ type = lib.types.lines;
+ description = ''
+ Snippet to use
+ '';
+ };
+ dependencies = lib.mkOption {
+ type = lib.types.listOf lib.types.package;
+ default = [];
+ description = ''
+ Dependencies of the package
+ '';
+ };
+ };
+ };
+ in {
+ predefinedModules = lib.mkOption {
+ type = lib.types.attrsOf module;
+ default = {
+ regular = {
+ snippet = builtins.readFile ./ldap_regular.sh;
+ };
+ };
+ readOnly = true;
+ description = ''
+ Predefined modules
+ '';
+ };
+ modules = lib.mkOption {
+ type = lib.types.listOf module;
+ default = [];
+ description = ''
+ List of modules to enable
+ '';
+ };
+ };
 config = {
 networking.firewall.allowedTCPPorts = [ 22 ];
+ } // (lib.mkIf (builtins.length cfg.modules > 0) {
 services.openssh.extraConfig = ''
 AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
 AuthorizedKeysCommandUser nobody
 '';
- secrets.keys = [{
- dest = "ssh-ldap";
+ secrets.keys."ssh-ldap" = {
 user = "nobody";
 group = "nogroup";
 permissions = "0400";
- text = myconfig.env.sshd.ldap.password;
- }];
+ text = config.myEnv.sshd.ldap.password;
+ };
 system.activationScripts.sshd = {
 deps = [ "secrets" ];
 text = ''
- install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+ install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
 '';
 };
 # ssh is strict about parent directory having correct rights, don't
 # move it in the nix store.
 environment.etc."ssh/ldap_authorized_keys" = let
- ldap_authorized_keys =
- pkgs.mylibs.wrap {
- name = "ldap_authorized_keys";
- file = ./ldap_authorized_keys.sh;
- paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
- };
+ deps = lib.lists.unique (
+ [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
+ ++ lib.flatten (map (v: v.dependencies) cfg.modules)
+ );
+ fullScript = pkgs.runCommand "ldap_authorized_keys" {
+ snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
+ } ''
+ substituteAll ${./ldap_authorized_keys.sh} $out
+ chmod a+x $out
+ '';
+ ldap_authorized_keys = pkgs.runCommand "ldap_authorized_keys" {
+ buildInputs = [ pkgs.makeWrapper ];
+ } ''
+ makeWrapper "${fullScript}" "$out" --prefix PATH : ${lib.makeBinPath deps}
+ '';
 in {
 enable = true;
 mode = "0755";
 user = "root";
 source = ldap_authorized_keys;
 };
- };
+ });
 }
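Review bot: The new `config = { networking.firewall.allowedTCPPorts = [ 22 ]; } // (lib.mkIf (builtins.length cfg.modules > 0) { … })` combines a `mkIf` value with `//`, and because `lib.mkIf` yields an attrset carrying `_type = "if"`, the module system most likely reads the merged `config` as one conditional property and keeps only its `content`, so the port-22 firewall entry is silently lost rather than producing an evaluation error. The usual form is `config = lib.mkMerge [ { networking.firewall.allowedTCPPorts = [ 22 ]; } (lib.mkIf (builtins.length cfg.modules > 0) { … }) ];`, with the closing `});` at the end of the hunk becoming `}) ];`. Separately, each module's `snippet` is baked into `fullScript` through `substituteAll`, so it ends up in the world-readable Nix store; a comment on the `snippet` option such as `# Rendered into a store path: keep credentials in secrets.keys, never in a snippet` would make that constraint explicit for module authors, whereas the LDAP password itself correctly stays out of the store via `secrets.keys` and the 0400 install step.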