X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fssh%2Fdefault.nix;h=4dc0d65501cb236c39ae306af931c1758abc0751;hb=fffbbb5623649ca7c7b32b74558a26ec5cf11abb;hp=b28f6cac6242cce8105529b19e81edb25b3f8dc2;hpb=7e6f1fb434797b4ffaf7eefa4a69825ce884fd20;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix
index b28f6ca..4dc0d65 100644
--- a/nixops/modules/ssh/default.nix
+++ b/nixops/modules/ssh/default.nix
@@ -8,17 +8,27 @@
 AuthorizedKeysCommandUser nobody
 '';
+ mySecrets.keys = [{
+ dest = "ssh-ldap";
+ user = "nobody";
+ group = "nogroup";
+ permissions = "0400";
+ text = myconfig.env.sshd.ldap.password;
+ }];
+ system.activationScripts.sshd = {
+ deps = [ "secrets" ];
+ text = ''
+ install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+ '';
+ };
+ # ssh is strict about parent directory having correct rights, don't
+ # move it in the nix store.
 environment.etc."ssh/ldap_authorized_keys" = let
 ldap_authorized_keys = mylibs.wrap {
 name = "ldap_authorized_keys";
 file = ./ldap_authorized_keys.sh;
- vars = {
- LDAP_PASS = myconfig.env.sshd.ldap.password;
- GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
- ECHO = "${pkgs.coreutils}/bin/echo";
- };
- paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+ paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
 };
 in {
 enable = true;
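Review bot: The LDAP bind password is now installed with `user = "nobody"` and `install -Dm400 -o nobody`, but `nobody` is the account shared by every other unprivileged daemon on the host, so any of them can read `/etc/ssh/ldap_password`; the context line `AuthorizedKeysCommandUser nobody` is what forces that owner. A dedicated system user for the AuthorizedKeysCommand — declared with `users.users.<name>.isSystemUser = true;`, used as `AuthorizedKeysCommandUser` and as the owner in both the `mySecrets.keys` entry and the activation script — would keep the secret out of reach of unrelated services. The activation script also keeps a second copy of the secret outside `/var/secrets` without saying why sshd cannot read it in place; a one-line comment above the `install` stating the reason would help, since I cannot tell it from this hunk. The script `ldap_authorized_keys.sh`, which must now read the file instead of the removed `LDAP_PASS`, `GITOLITE_SHELL` and `ECHO` variables, is outside this hunk, so the matching change cannot be checked here.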