[perso/Immae/Config/Nix.git] / modules / private / ssh / default.nix

{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.ssh;
in
{
  options.myServices.ssh = let
    module = lib.types.submodule {
      options = {
        snippet = lib.mkOption {
          type = lib.types.lines;
          description = ''
              Snippet to use
          '';
        };
        dependencies = lib.mkOption {
          type = lib.types.listOf lib.types.package;
          default = [];
          description = ''
              Dependencies of the package
          '';
        };
      };
    };
  in {
    predefinedModules = lib.mkOption {
      type = lib.types.attrsOf module;
      default = {
        regular = {
          snippet = builtins.readFile ./ldap_regular.sh;
        };
      };
      readOnly = true;
      description = ''
        Predefined modules
        '';
    };
    modules = lib.mkOption {
      type = lib.types.listOf module;
      default = [];
      description = ''
        List of modules to enable
        '';
    };
  };
  config = {
    networking.firewall.allowedTCPPorts = [ 22 ];
  } // (lib.mkIf (builtins.length cfg.modules > 0) {

    services.openssh.extraConfig = ''
      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
      AuthorizedKeysCommandUser nobody
      '';

    secrets.keys = [{
      dest = "ssh-ldap";
      user = "nobody";
      group = "nogroup";
      permissions = "0400";
      text = config.myEnv.sshd.ldap.password;
    }];
    system.activationScripts.sshd = {
      deps = [ "secrets" ];
      text = ''
      install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
      '';
    };
    # ssh is strict about parent directory having correct rights, don't
    # move it in the nix store.
    environment.etc."ssh/ldap_authorized_keys" = let
      deps = lib.lists.unique (
        [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
        ++ lib.flatten (map (v: v.dependencies) cfg.modules)
        );
      fullScript = pkgs.runCommand "ldap_authorized_keys" {
        snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
      } ''
        substituteAll ${./ldap_authorized_keys.sh} $out
        chmod a+x $out
        '';
      ldap_authorized_keys =
        pkgs.mylibs.wrap {
          name = "ldap_authorized_keys";
          file = fullScript;
          paths = deps;
        };
    in {
      enable = true;
      mode = "0755";
      user = "root";
      source = ldap_authorized_keys;
    };
  });
}
Commit	Line	Data
ab8f306d	1	{ lib, pkgs, config, ... }:
1b9150a5 IB	2	let
	3	cfg = config.myServices.ssh;
	4	in
7e6f1fb4	5	{
1b9150a5 IB	6	options.myServices.ssh = let
	7	module = lib.types.submodule {
	8	options = {
	9	snippet = lib.mkOption {
	10	type = lib.types.lines;
	11	description = ''
	12	Snippet to use
	13	'';
	14	};
	15	dependencies = lib.mkOption {
	16	type = lib.types.listOf lib.types.package;
	17	default = [];
	18	description = ''
	19	Dependencies of the package
	20	'';
	21	};
	22	};
	23	};
	24	in {
	25	predefinedModules = lib.mkOption {
	26	type = lib.types.attrsOf module;
	27	default = {
	28	regular = {
	29	snippet = builtins.readFile ./ldap_regular.sh;
	30	};
	31	};
	32	readOnly = true;
	33	description = ''
	34	Predefined modules
	35	'';
	36	};
	37	modules = lib.mkOption {
	38	type = lib.types.listOf module;
	39	default = [];
	40	description = ''
	41	List of modules to enable
	42	'';
	43	};
	44	};
7e6f1fb4 IB	45	config = {
7e6f1fb4 IB	46	networking.firewall.allowedTCPPorts = [ 22 ];
1b9150a5	47	} // (lib.mkIf (builtins.length cfg.modules > 0) {
7e6f1fb4 IB	48
	49	services.openssh.extraConfig = ''
	50	AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
	51	AuthorizedKeysCommandUser nobody
	52	'';
	53
1a718805	54	secrets.keys = [{
742697c9 IB	55	dest = "ssh-ldap";
742697c9 IB	56	user = "nobody";
362d300e	57	group = "nogroup";
742697c9	58	permissions = "0400";
ab8f306d	59	text = config.myEnv.sshd.ldap.password;
742697c9	60	}];
3a1461cf IB	61	system.activationScripts.sshd = {
	62	deps = [ "secrets" ];
	63	text = ''
362d300e	64	install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
ea7bf00c	65	'';
3a1461cf	66	};
ea7bf00c IB	67	# ssh is strict about parent directory having correct rights, don't
ea7bf00c IB	68	# move it in the nix store.
7e6f1fb4	69	environment.etc."ssh/ldap_authorized_keys" = let
1b9150a5 IB	70	deps = lib.lists.unique (
	71	[ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
	72	++ lib.flatten (map (v: v.dependencies) cfg.modules)
	73	);
	74	fullScript = pkgs.runCommand "ldap_authorized_keys" {
	75	snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
	76	} ''
	77	substituteAll ${./ldap_authorized_keys.sh} $out
	78	chmod a+x $out
	79	'';
7e6f1fb4	80	ldap_authorized_keys =
a1a8649a	81	pkgs.mylibs.wrap {
7e6f1fb4	82	name = "ldap_authorized_keys";
1b9150a5 IB	83	file = fullScript;
1b9150a5 IB	84	paths = deps;
7e6f1fb4 IB	85	};
	86	in {
	87	enable = true;
	88	mode = "0755";
	89	user = "root";
	90	source = ldap_authorized_keys;
	91	};
1b9150a5	92	});
7e6f1fb4	93	}