[perso/Immae/Config/Nix.git] / modules / private / ssh / default.nix

{ lib, pkgs, config, myconfig, ... }:
{
  config = {
    networking.firewall.allowedTCPPorts = [ 22 ];

    services.openssh.extraConfig = ''
      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
      AuthorizedKeysCommandUser nobody
      '';

    secrets.keys = [{
      dest = "ssh-ldap";
      user = "nobody";
      group = "nogroup";
      permissions = "0400";
      text = myconfig.env.sshd.ldap.password;
    }];
    system.activationScripts.sshd = {
      deps = [ "secrets" ];
      text = ''
      install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
      '';
    };
    # ssh is strict about parent directory having correct rights, don't
    # move it in the nix store.
    environment.etc."ssh/ldap_authorized_keys" = let
      ldap_authorized_keys =
        pkgs.mylibs.wrap {
          name = "ldap_authorized_keys";
          file = ./ldap_authorized_keys.sh;
          paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
        };
    in {
      enable = true;
      mode = "0755";
      user = "root";
      source = ldap_authorized_keys;
    };
  };
}
Commit	Line	Data
a1a8649a	1	{ lib, pkgs, config, myconfig, ... }:
7e6f1fb4 IB	2	{
	3	config = {
	4	networking.firewall.allowedTCPPorts = [ 22 ];
	5
	6	services.openssh.extraConfig = ''
	7	AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
	8	AuthorizedKeysCommandUser nobody
	9	'';
	10
1a718805	11	secrets.keys = [{
742697c9 IB	12	dest = "ssh-ldap";
742697c9 IB	13	user = "nobody";
362d300e	14	group = "nogroup";
742697c9 IB	15	permissions = "0400";
	16	text = myconfig.env.sshd.ldap.password;
	17	}];
3a1461cf IB	18	system.activationScripts.sshd = {
	19	deps = [ "secrets" ];
	20	text = ''
362d300e	21	install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
ea7bf00c	22	'';
3a1461cf	23	};
ea7bf00c IB	24	# ssh is strict about parent directory having correct rights, don't
ea7bf00c IB	25	# move it in the nix store.
7e6f1fb4 IB	26	environment.etc."ssh/ldap_authorized_keys" = let
7e6f1fb4 IB	27	ldap_authorized_keys =
a1a8649a	28	pkgs.mylibs.wrap {
7e6f1fb4 IB	29	name = "ldap_authorized_keys";
7e6f1fb4 IB	30	file = ./ldap_authorized_keys.sh;
ea7bf00c	31	paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
7e6f1fb4 IB	32	};
	33	in {
	34	enable = true;
	35	mode = "0755";
	36	user = "root";
	37	source = ldap_authorized_keys;
	38	};
	39	};
	40	}