+++ /dev/null
-{ lib, pkgs, config, ... }:
-let
- cfg = config.myServices.ssh;
-in
-{
- options.myServices.ssh = let
- module = lib.types.submodule {
- options = {
- snippet = lib.mkOption {
- type = lib.types.lines;
- description = ''
- Snippet to use
- '';
- };
- dependencies = lib.mkOption {
- type = lib.types.listOf lib.types.package;
- default = [];
- description = ''
- Dependencies of the package
- '';
- };
- };
- };
- in {
- predefinedModules = lib.mkOption {
- type = lib.types.attrsOf module;
- default = {
- regular = {
- snippet = builtins.readFile ./ldap_regular.sh;
- };
- };
- readOnly = true;
- description = ''
- Predefined modules
- '';
- };
- modules = lib.mkOption {
- type = lib.types.listOf module;
- default = [];
- description = ''
- List of modules to enable
- '';
- };
- };
- config = {
- networking.firewall.allowedTCPPorts = [ 22 ];
- } // (lib.mkIf (builtins.length cfg.modules > 0) {
-
- services.openssh.extraConfig = ''
- AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
- AuthorizedKeysCommandUser nobody
- '';
-
- secrets.keys."ssh-ldap" = {
- user = "nobody";
- group = "nogroup";
- permissions = "0400";
- text = config.myEnv.sshd.ldap.password;
- };
- system.activationScripts.sshd = {
- deps = [ "secrets" ];
- text = ''
- install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
- '';
- };
- # ssh is strict about parent directory having correct rights, don't
- # move it in the nix store.
- environment.etc."ssh/ldap_authorized_keys" = let
- deps = lib.lists.unique (
- [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
- ++ lib.flatten (map (v: v.dependencies) cfg.modules)
- );
- fullScript = pkgs.runCommand "ldap_authorized_keys" {
- snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
- } ''
- substituteAll ${./ldap_authorized_keys.sh} $out
- chmod a+x $out
- '';
- ldap_authorized_keys = pkgs.runCommand "ldap_authorized_keys" {
- buildInputs = [ pkgs.makeWrapper ];
- } ''
- makeWrapper "${fullScript}" "$out" --prefix PATH : ${lib.makeBinPath deps}
- '';
- in {
- enable = true;
- mode = "0755";
- user = "root";
- source = ldap_authorized_keys;
- };
- });
-}