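# NixOS module: LDAP-backed SSH `AuthorizedKeysCommand`.
#
# `myServices.ssh.modules` is a list of shell snippets (each with the packages
# it expects on PATH).  When at least one module is configured, the snippets
# are spliced into ./ldap_authorized_keys.sh, the result is wrapped with a
# PATH containing every declared dependency, and the wrapper is installed as
# /etc/ssh/ldap_authorized_keys.  The LDAP bind password comes from
# `config.myEnv.sshd.ldap.password` via the `secrets.keys` mechanism and is
# copied to /etc/ssh/ldap_password during activation.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.ssh;
in
{
  options.myServices.ssh =
    let
      # One "module": a shell snippet spliced into the authorized-keys script,
      # plus the packages that snippet needs on PATH at run time.
      module = lib.types.submodule {
        options = {
          snippet = lib.mkOption {
            type = lib.types.lines;
            description = ''
              Snippet to use
            '';
          };
          dependencies = lib.mkOption {
            type = lib.types.listOf lib.types.package;
            default = [];
            description = ''
              Dependencies of the package
            '';
          };
        };
      };
    in
    {
      # Read-only catalogue of ready-made modules; presumably consumers pass
      # entries of this set into `modules` (e.g. `predefinedModules.regular`).
      predefinedModules = lib.mkOption {
        type = lib.types.attrsOf module;
        default = {
          regular = {
            snippet = builtins.readFile ./ldap_regular.sh;
          };
        };
        readOnly = true;
        description = ''
          Predefined modules
        '';
      };
      modules = lib.mkOption {
        type = lib.types.listOf module;
        default = [];
        description = ''
          List of modules to enable
        '';
      };
    };

  # `mkMerge` rather than `//`: `lib.mkIf` returns an attrset tagged
  # `_type = "if"`, and `{ ... } // (lib.mkIf ...)` yields a set that the
  # module system treats as a single mkIf, silently discarding every key
  # (here the firewall rule) that was not inside the mkIf.
  config = lib.mkMerge [
    { networking.firewall.allowedTCPPorts = [ 22 ]; }

    # Everything LDAP-related is only wired up once at least one module is
    # enabled, so a host with `modules = []` keeps plain sshd behaviour.
    (lib.mkIf (builtins.length cfg.modules > 0) {
      services.openssh.extraConfig = ''
        AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
        AuthorizedKeysCommandUser nobody
      '';

      # NOTE(review): `nobody` is a shared, generic account; anything else
      # running as that user can read /var/secrets/ssh-ldap and
      # /etc/ssh/ldap_password.  A dedicated user for the lookup command
      # (and for `AuthorizedKeysCommandUser`) would narrow that exposure.
      secrets.keys = [{
        dest = "ssh-ldap";
        user = "nobody";
        group = "nogroup";
        permissions = "0400";
        text = config.myEnv.sshd.ldap.password;
      }];

      # Runs after the secrets are in place and copies the bind password
      # (mode 0400, owned by the lookup user) to where the script reads it.
      system.activationScripts.sshd = {
        deps = [ "secrets" ];
        text = ''
          install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
        '';
      };

      # ssh is strict about parent directory having correct rights, don't
      # move it in the nix store.  sshd refuses an AuthorizedKeysCommand whose
      # path (every parent directory included) is not root-owned and free of
      # group/world write bits, which a store path does not satisfy; hence a
      # root-owned 0755 copy under /etc instead of a symlink into the store.
      environment.etc."ssh/ldap_authorized_keys" =
        let
          # Baseline tools the generated script relies on, plus whatever each
          # enabled module declares; duplicates are collapsed.
          deps = lib.lists.unique (
            [
              pkgs.which
              pkgs.openldap
              pkgs.stdenv.shellPackage
              pkgs.gnugrep
              pkgs.gnused
              pkgs.coreutils
            ] ++ lib.flatten (map (v: v.dependencies) cfg.modules)
          );

          # The template ./ldap_authorized_keys.sh has its @snippets@
          # placeholder replaced with the concatenated module snippets.
          fullScript = pkgs.runCommand "ldap_authorized_keys" {
            snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
          } ''
            substituteAll ${./ldap_authorized_keys.sh} $out
            chmod a+x $out
          '';

          # Wrapper that prepends the dependency bin dirs to PATH, so the
          # script does not depend on whatever PATH sshd hands it.
          ldap_authorized_keys = pkgs.runCommand "ldap_authorized_keys" {
            buildInputs = [ pkgs.makeWrapper ];
          } ''
            makeWrapper "${fullScript}" "$out" --prefix PATH : ${lib.makeBinPath deps}
          '';
        in
        {
          enable = true;
          mode = "0755";
          user = "root";
          source = ldap_authorized_keys;
        };
    })
  ];
}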