Add specification for the private config file as a module.

[perso/Immae/Config/Nix.git] / modules / private / ssh / default.nix

diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix
index beedaff594fd46550e857699f79da676af12d426..1699104a370f914a8885374dfff39983b3a1a4a4 100644 (file)
--- a/modules/private/ssh/default.nix
+++ b/modules/private/ssh/default.nix
@@ -1,7 +1,50 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
+let
+  cfg = config.myServices.ssh;
+in
 {
+  options.myServices.ssh = let
+    module = lib.types.submodule {
+      options = {
+        snippet = lib.mkOption {
+          type = lib.types.lines;
+          description = ''
+              Snippet to use
+          '';
+        };
+        dependencies = lib.mkOption {
+          type = lib.types.listOf lib.types.package;
+          default = [];
+          description = ''
+              Dependencies of the package
+          '';
+        };
+      };
+    };
+  in {
+    predefinedModules = lib.mkOption {
+      type = lib.types.attrsOf module;
+      default = {
+        regular = {
+          snippet = builtins.readFile ./ldap_regular.sh;
+        };
+      };
+      readOnly = true;
+      description = ''
+        Predefined modules
+        '';
+    };
+    modules = lib.mkOption {
+      type = lib.types.listOf module;
+      default = [];
+      description = ''
+        List of modules to enable
+        '';
+    };
+  };
   config = {
     networking.firewall.allowedTCPPorts = [ 22 ];
+  } // (lib.mkIf (builtins.length cfg.modules > 0) {
 
     services.openssh.extraConfig = ''
       AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
@@ -13,7 +56,7 @@
       user = "nobody";
       group = "nogroup";
       permissions = "0400";
-      text = myconfig.env.sshd.ldap.password;
+      text = config.myEnv.sshd.ldap.password;
     }];
     system.activationScripts.sshd = {
       deps = [ "secrets" ];
@@ -24,11 +67,21 @@
     # ssh is strict about parent directory having correct rights, don't
     # move it in the nix store.
     environment.etc."ssh/ldap_authorized_keys" = let
+      deps = lib.lists.unique (
+        [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
+        ++ lib.flatten (map (v: v.dependencies) cfg.modules)
+        );
+      fullScript = pkgs.runCommand "ldap_authorized_keys" {
+        snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
+      } ''
+        substituteAll ${./ldap_authorized_keys.sh} $out
+        chmod a+x $out
+        '';
       ldap_authorized_keys =
         pkgs.mylibs.wrap {
           name = "ldap_authorized_keys";
-          file = ./ldap_authorized_keys.sh;
-          paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+          file = fullScript;
+          paths = deps;
         };
     in {
       enable = true;
@@ -36,5 +89,5 @@
       user = "root";
       source = ldap_authorized_keys;
     };
-  };
+  });
 }