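{ lib, pkgs, config, mylibs, myconfig, ... }:
let
  # Account sshd switches to while running the AuthorizedKeysCommand.
  # A dedicated account instead of `nobody` keeps the LDAP bind password
  # readable by this lookup only: `nobody` is a shared catch-all account that
  # other services may also run as, and anything running as it could read a
  # 0400 file owned by it.
  keysUser = "ssh-ldap";
  keysGroup = "ssh-ldap";

  # Key-lookup script, wrapped so the tools it calls are on its PATH.
  ldap_authorized_keys = mylibs.wrap {
    name = "ldap_authorized_keys";
    file = ./ldap_authorized_keys.sh;
    paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
  };
in
{
  config = {
    networking.firewall.allowedTCPPorts = [ 22 ];

    # sshd invokes the command as keysUser with the login name as argument
    # (no %-tokens are given, so sshd's default argument applies).
    services.openssh.extraConfig = ''
      AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
      AuthorizedKeysCommandUser ${keysUser}
    '';

    users.groups.${keysGroup} = {};
    users.users.${keysUser} = {
      isSystemUser = true;
      group = keysGroup;
      description = "sshd AuthorizedKeysCommand (LDAP lookup) user";
    };

    # Staging copy of the bind password, placed by mySecrets under
    # /var/secrets. It is root-owned so deployment does not depend on the
    # dedicated user already existing; the activation script below hands a
    # copy to that user.
    # NOTE(review): assumes ldap_authorized_keys.sh reads
    # /etc/ssh/ldap_password rather than /var/secrets/ssh-ldap directly —
    # confirm in the script.
    mySecrets.keys = [{
      dest = "ssh-ldap";
      user = "root";
      group = "root";
      permissions = "0400";
      text = myconfig.env.sshd.ldap.password;
    }];

    # Ordered after the `users` activation script so the chown to the
    # dedicated user cannot fail on a host where it is created in this
    # same activation.
    system.activationScripts.sshd = {
      deps = [ "users" ];
      text = ''
        install -Dm400 -o ${keysUser} -g ${keysGroup} -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
      '';
    };

    # sshd refuses an AuthorizedKeysCommand unless the file and every parent
    # directory are root-owned and not group/world-writable; the nix store
    # does not satisfy that, so a real root-owned copy is placed under
    # /etc/ssh (an explicit mode makes environment.etc copy instead of symlink).
    environment.etc."ssh/ldap_authorized_keys" = {
      enable = true;
      mode = "0755";
      user = "root";
      source = ldap_authorized_keys;
    };
  };
}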