-{ lib, pkgs, config, mylibs, myconfig, ... }:
+{ lib, pkgs, config, myconfig, ... }:
{
config = {
networking.firewall.allowedTCPPorts = [ 22 ];
AuthorizedKeysCommandUser nobody
'';
- mySecrets.keys = [{
+ secrets.keys = [{
dest = "ssh-ldap";
user = "nobody";
- group = "nobody";
+ group = "nogroup";
permissions = "0400";
text = myconfig.env.sshd.ldap.password;
}];
- system.activationScripts.sshd = ''
- install -Dm400 -o nobody -g nobody -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+ system.activationScripts.sshd = {
+ deps = [ "secrets" ];
+ text = ''
+ install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
'';
+ };
# ssh is strict about parent directory having correct rights, don't
# move it in the nix store.
environment.etc."ssh/ldap_authorized_keys" = let
ldap_authorized_keys =
- mylibs.wrap {
+ pkgs.mylibs.wrap {
name = "ldap_authorized_keys";
file = ./ldap_authorized_keys.sh;
paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
projects / perso / Immae / Config / Nix.git / blobdiff