{
  inputs.environment.url = "path:../environment";
  inputs.secrets.url = "path:../../secrets";

  outputs = { self, environment, secrets }: {
    nixosModule = self.nixosModules.ssh;

    # NixOS module: assembles /etc/ssh/ldap_authorized_keys (used as sshd's
    # AuthorizedKeysCommand) from per-module shell snippets, and stages the
    # LDAP / PostgreSQL credentials the script reads at runtime.
    nixosModules.ssh = { lib, pkgs, config, ... }:
      let
        cfg = config.myServices.ssh;

        # Shape of one entry in myServices.ssh.modules.
        moduleType = lib.types.submodule {
          options = {
            # Substituted into the script as @<module>_<name>@. Everything listed
            # here ends up inside a Nix store derivation (see `script` below), i.e.
            # world-readable: put credentials in secrets.keys, never here.
            vars = lib.mkOption {
              type = lib.types.attrsOf lib.types.lines;
              default = {};
              description = ''
                variables to interpolate in the script. A `name_` prefix will be prepended
              '';
            };
            # Shell fragment spliced into the script via the @snippets@ variable.
            snippet = lib.mkOption {
              type = lib.types.lines;
              description = ''
                Snippet to use
              '';
            };
            # Packages whose bin/ directories are prepended to the script's PATH.
            dependencies = lib.mkOption {
              type = lib.types.listOf lib.types.package;
              default = [];
              description = ''
                Dependencies of the package
              '';
            };
          };
        };

        # A secret file readable only by the account sshd runs the
        # AuthorizedKeysCommand as (AuthorizedKeysCommandUser nobody, below).
        # NOTE(review): `nobody` is a shared account, so any other process running
        # as nobody on this host can read these files as well; a dedicated
        # service user would confine them. Kept as-is here.
        nobodyKey = text: {
          user = "nobody";
          group = "nogroup";
          permissions = "0400";
          inherit text;
        };

        enabledModules = builtins.attrValues cfg.modules;
      in
      {
        imports = [
          environment.nixosModule
          secrets.nixosModule
        ];

        options.myServices.ssh.modules = lib.mkOption {
          type = lib.types.attrsOf moduleType;
          default = {};
          description = ''
            List of modules to enable
          '';
        };

        # Nothing is wired up unless at least one module is declared.
        config = lib.mkIf (cfg.modules != {}) {
          services.openssh.extraConfig = ''
            AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
            AuthorizedKeysCommandUser nobody
          '';

          secrets.keys."ssh-ldap" = nobodyKey config.myEnv.sshd.ldap.password;
          secrets.keys."ssh-psql" = nobodyKey config.myEnv.sshd.psql.password;

          # Copy the staged secrets to the fixed paths the script expects, 0400 and
          # owned by the command user. Runs after the "secrets" activation step so
          # the source files exist.
          system.activationScripts.sshd = {
            deps = [ "secrets" ];
            text = ''
              install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
              install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-psql"} /etc/ssh/psql_password
            '';
          };

          # ssh is strict about the parent directory of AuthorizedKeysCommand having
          # correct rights, so the entry point lives under /etc/ssh rather than
          # being pointed at the Nix store directly.
          environment.etc."ssh/ldap_authorized_keys" =
            let
              # Tools the generated script may call, plus whatever each module asks for.
              runtimeDeps = lib.unique (
                [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.postgresql ]
                ++ lib.concatMap (m: m.dependencies) enabledModules
              );

              # { "<module>_<var>" = value; } across all modules; a later module
              # wins on a (module, var) collision, which cannot happen by construction.
              prefixedVars = lib.foldl' (acc: m: acc // m) {} (lib.mapAttrsToList
                (modName: m: lib.mapAttrs' (varName: value: {
                  name = "${modName}_${varName}";
                  inherit value;
                }) m.vars)
                cfg.modules);

              # First pass fills the template's placeholders (including @snippets@);
              # the second pass substitutes placeholders that the spliced-in
              # snippets themselves presumably carry.
              script = pkgs.runCommand "ldap_authorized_keys" (prefixedVars // {
                snippets = lib.concatMapStringsSep "\n" (m: m.snippet) enabledModules;
              }) ''
                substituteAll ${./ldap_authorized_keys.sh} $out
                substituteAllInPlace $out
                chmod a+x $out
              '';

              # Wrapper pinning PATH so the script only sees the declared tools.
              wrapped = pkgs.runCommand "ldap_authorized_keys" {
                buildInputs = [ pkgs.makeWrapper ];
              } ''
                makeWrapper "${script}" "$out" --prefix PATH : ${lib.makeBinPath runtimeDeps}
              '';
            in
            {
              enable = true;
              mode = "0755";
              user = "root";
              source = wrapped;
            };
        };
      };
  };
}