nixops/modules/ssh/default.nix

   1 { lib, pkgs, config, mylibs, myconfig, ... }:
   2 {
   3   config = {
   4     networking.firewall.allowedTCPPorts = [ 22 ];
   5
   6     services.openssh.extraConfig = ''
   7       AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
   8       AuthorizedKeysCommandUser nobody
   9       '';
  10
  11     environment.etc."ssh/ldap_authorized_keys" = let
  12       ldap_authorized_keys =
  13         mylibs.wrap {
  14           name = "ldap_authorized_keys";
  15           file = ./ldap_authorized_keys.sh;
  16           vars = {
  17             LDAP_PASS = myconfig.env.sshd.ldap.password;
  18             GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
  19             ECHO = "${pkgs.coreutils}/bin/echo";
  20           };
  21           paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
  22         };
  23     in {
  24       enable = true;
  25       mode = "0755";
  26       user = "root";
  27       source = ldap_authorized_keys;
  28     };
  29   };
  30 }