Squash changes containing private information

[perso/Immae/Config/Nix.git] / modules / private / ssh / default.nix

diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix
deleted file mode 100644 (file)
index ee5dda5..0000000
--- a/modules/private/ssh/default.nix
+++ /dev/null
@@ -1,91 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
-  cfg = config.myServices.ssh;
-in
-{
-  options.myServices.ssh = let
-    module = lib.types.submodule {
-      options = {
-        snippet = lib.mkOption {
-          type = lib.types.lines;
-          description = ''
-              Snippet to use
-          '';
-        };
-        dependencies = lib.mkOption {
-          type = lib.types.listOf lib.types.package;
-          default = [];
-          description = ''
-              Dependencies of the package
-          '';
-        };
-      };
-    };
-  in {
-    predefinedModules = lib.mkOption {
-      type = lib.types.attrsOf module;
-      default = {
-        regular = {
-          snippet = builtins.readFile ./ldap_regular.sh;
-        };
-      };
-      readOnly = true;
-      description = ''
-        Predefined modules
-        '';
-    };
-    modules = lib.mkOption {
-      type = lib.types.listOf module;
-      default = [];
-      description = ''
-        List of modules to enable
-        '';
-    };
-  };
-  config = {
-    networking.firewall.allowedTCPPorts = [ 22 ];
-  } // (lib.mkIf (builtins.length cfg.modules > 0) {
-
-    services.openssh.extraConfig = ''
-      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
-      AuthorizedKeysCommandUser nobody
-      '';
-
-    secrets.keys."ssh-ldap" = {
-      user = "nobody";
-      group = "nogroup";
-      permissions = "0400";
-      text = config.myEnv.sshd.ldap.password;
-    };
-    system.activationScripts.sshd = {
-      deps = [ "secrets" ];
-      text = ''
-      install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
-      '';
-    };
-    # ssh is strict about parent directory having correct rights, don't
-    # move it in the nix store.
-    environment.etc."ssh/ldap_authorized_keys" = let
-      deps = lib.lists.unique (
-        [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
-        ++ lib.flatten (map (v: v.dependencies) cfg.modules)
-        );
-      fullScript = pkgs.runCommand "ldap_authorized_keys" {
-        snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
-      } ''
-        substituteAll ${./ldap_authorized_keys.sh} $out
-        chmod a+x $out
-        '';
-      ldap_authorized_keys = pkgs.runCommand "ldap_authorized_keys" {
-        buildInputs = [ pkgs.makeWrapper ];
-      } ''
-        makeWrapper "${fullScript}" "$out" --prefix PATH : ${lib.makeBinPath deps}
-        '';
-    in {
-      enable = true;
-      mode = "0755";
-      user = "root";
-      source = ldap_authorized_keys;
-    };
-  });
-}