--- /dev/null
+{ lib, pkgs, config, myconfig, ... }:
+{
+ config = {
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ services.openssh.extraConfig = ''
+ AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
+ AuthorizedKeysCommandUser nobody
+ '';
+
+ secrets.keys = [{
+ dest = "ssh-ldap";
+ user = "nobody";
+ group = "nogroup";
+ permissions = "0400";
+ text = myconfig.env.sshd.ldap.password;
+ }];
+ system.activationScripts.sshd = {
+ deps = [ "secrets" ];
+ text = ''
+ install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+ '';
+ };
+ # ssh is strict about parent directory having correct rights, don't
+ # move it in the nix store.
+ environment.etc."ssh/ldap_authorized_keys" = let
+ ldap_authorized_keys =
+ pkgs.mylibs.wrap {
+ name = "ldap_authorized_keys";
+ file = ./ldap_authorized_keys.sh;
+ paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+ };
+ in {
+ enable = true;
+ mode = "0755";
+ user = "root";
+ source = ldap_authorized_keys;
+ };
+ };
+}
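Review bot: The LDAP bind password is installed readable by `nobody` (lines 14–15 and the `install -o nobody -g nogroup` on line 22) and the key lookup itself runs as `nobody` (line 9), but `nobody` is a shared catch-all account, so any other unprivileged service on the host that runs as it can read `/etc/ssh/ldap_password` and invoke the lookup with the bind credentials. A dedicated system user and group for the AuthorizedKeysCommand confines the secret to sshd's lookup alone, which is also what the sshd_config manual recommends for `AuthorizedKeysCommandUser`; the `secrets.keys` entry and the `install` line must then use the same owner and group so the activation script and the lookup agree. The account name below is a placeholder to be chosen for the deployment, and if the `install` runs before the account has been created, the activation script presumably also needs NixOS's user-creation step listed in `deps` — worth confirming on a fresh host. The whole module fits inside this hunk, so the user declaration can sit in the same `config` block.
```nix
users.users.ssh-ldap = { isSystemUser = true; group = "ssh-ldap"; };  # placeholder name
users.groups.ssh-ldap = { };

services.openssh.extraConfig = ''
  AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
  AuthorizedKeysCommandUser ssh-ldap
'';

secrets.keys = [{
  dest = "ssh-ldap";
  user = "ssh-ldap";
  group = "ssh-ldap";
  # … unchanged: permissions, text …
}];
system.activationScripts.sshd = {
  deps = [ "secrets" "users" ];  # "users" only if the account must exist first — confirm
  text = ''
    install -Dm400 -o ssh-ldap -g ssh-ldap -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
  '';
};
# … unchanged: environment.etc."ssh/ldap_authorized_keys" wrapper …
```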