AuthorizedKeysCommandUser nobody
'';
- secrets.keys = [{
- dest = "ssh-ldap";
+ secrets.keys."ssh-ldap" = {
user = "nobody";
group = "nogroup";
permissions = "0400";
text = config.myEnv.sshd.ldap.password;
- }];
+ };
system.activationScripts.sshd = {
deps = [ "secrets" ];
text = ''
- install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+ install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
'';
};
# ssh is strict about parent directory having correct rights, don't
substituteAll ${./ldap_authorized_keys.sh} $out
chmod a+x $out
'';
- ldap_authorized_keys =
- pkgs.mylibs.wrap {
- name = "ldap_authorized_keys";
- file = fullScript;
- paths = deps;
- };
+ ldap_authorized_keys = pkgs.runCommand "ldap_authorized_keys" {
+ buildInputs = [ pkgs.makeWrapper ];
+ } ''
+ makeWrapper "${fullScript}" "$out" --prefix PATH : ${lib.makeBinPath deps}
+ '';
in {
enable = true;
mode = "0755";
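Review bot: The new wrapper on the `makeWrapper` line uses `--prefix PATH :`, which leaves whatever PATH sshd passes to the AuthorizedKeysCommand as a fallback, so a tool the script needs that is missing from `deps` would be resolved from the caller's environment instead of failing loudly; for an authentication hook that runs as `nobody` a fixed lookup path is the safer default, e.g. `makeWrapper "${fullScript}" "$out" --set PATH ${lib.makeBinPath deps}`. Whether the replaced `pkgs.mylibs.wrap` pinned PATH or merely prefixed it is not visible here, so this may or may not change behavior relative to the old helper and is worth confirming before switching. The `let` that defines `fullScript` and `deps` begins before this hunk and the attribute set opened by `in {` continues past it, so the surrounding definition is only partly in view.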