AuthorizedKeysCommandUser nobody
'';
- deployment.keys = {
- ssh-ldap = {
- user = "nobody";
- group = "nobody";
- permissions = "0400";
- text = myconfig.env.sshd.ldap.password;
- };
- };
- system.activationScripts.sshd = ''
- install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password
+ secrets.keys = [{
+ dest = "ssh-ldap";
+ user = "nobody";
+ group = "nogroup";
+ permissions = "0400";
+ text = myconfig.env.sshd.ldap.password;
+ }];
+ system.activationScripts.sshd = {
+ deps = [ "secrets" ];
+ text = ''
+ install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
'';
+ };
# ssh is strict about parent directory having correct rights, don't
# move it in the nix store.
environment.etc."ssh/ldap_authorized_keys" = let