# };
};
+ services.openssh.extraConfig = ''
+ AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
+ AuthorizedKeysCommandUser nobody
+ '';
+
+ # FIXME: after initial install, need to
+ # (1) copy rc file (adjust gitolite_ldap_groups.sh)
+ # (2) (mark old readonly and) sync repos except gitolite-admin
+ # rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
+ # chown -R gitolite:gitolite /var/lib/gitolite
+ # (3) push force the gitolite-admin to new location (from external point)
+ # Don't use an existing key, it will take precedence over
+ # gitolite-admin
+ # (4) su -u gitolite gitolite setup
+ services.gitolite = {
+ enable = true;
+ # FIXME: key from ./ssh
+ adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
+ };
+
services.ympd = mypkgs.ympd.config // { enable = true; };
services.phpfpm = {
mkdir -p /run/redis
chown redis /run/redis
'';
+ gitolite =
+ assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+ let
+ gitolite_ldap_groups = mylibs.wrap {
+ name = "gitolite_ldap_groups.sh";
+ file = ./packages/gitolite_ldap_groups.sh;
+ vars = {
+ LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+ };
+ paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
+ };
+ in {
+ deps = [ "users" ];
+ text = ''
+ if [ -d /var/lib/gitolite ]; then
+ ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
+ fi
+ '';
+ };
+ };
+
+ environment.etc."ssh/ldap_authorized_keys" = let
+ ldap_authorized_keys =
+ assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+ mylibs.wrap {
+ name = "ldap_authorized_keys";
+ file = ./ldap_authorized_keys.sh;
+ vars = {
+ LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+ GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
+ ECHO = "${pkgs.coreutils}/bin/echo";
+ };
+ paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+ };
+ in {
+ enable = true;
+ mode = "0755";
+ user = "root";
+ source = ldap_authorized_keys;
};
services.httpd = let
--- /dev/null
+#!/usr/bin/env bash
+
+LDAPSEARCH=ldapsearch
+KEY="immaeSshKey"
+LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
+#LDAP_PASS="password taken from environment"
+LDAP_HOST="ldap.immae.eu"
+LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
+LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
+LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
+LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
+LDAP_BASE="dc=immae,dc=eu"
+
+suitable_for() {
+ type_for="$1"
+ key="$2"
+
+ if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+ echo "$key"
+ else
+ key_type=$(cut -d " " -f 1 <<< "$key")
+
+ if grep -q "\b-$type_for\b" <<< "$key_type"; then
+ echo ""
+ elif grep -q "\b$type_for\b" <<< "$key_type"; then
+ echo $(sed -e "s/^[^ ]* //g" <<< "$key")
+ else
+ echo ""
+ fi
+ fi
+}
+
+clean_key_line() {
+ type_for="$1"
+ line="$2"
+
+ if [[ "$line" == $KEY::* ]]; then
+ # base64 keys should't happen, unless wrong copy-pasting
+ key=""
+ else
+ key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line")
+ fi
+
+ suitable_for "$type_for" "$key"
+}
+
+ldap_search() {
+ $LDAPSEARCH -h $LDAP_HOST -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@"
+}
+
+ldap_keys() {
+ user=$1;
+ if [[ $user == gitolite ]]; then
+ ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \
+ while read line ;
+ do
+ if [ ! -z "$line" ]; then
+ if [[ $line == dn* ]]; then
+ user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+ if [ -n "$user" ]; then
+ if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then
+ # Capitalize first letter (backward compatibility)
+ user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user")
+ fi
+ else
+ # Service fake user
+ user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line")
+ fi
+ elif [[ $line == $KEY* ]]; then
+ key=$(clean_key_line git "$line")
+ if [ ! -z "$key" ]; then
+ if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+ echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
+ echo $key
+ fi
+ fi
+ fi
+ fi
+ done
+ exit 0
+ elif [[ $user == pub ]]; then
+ ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \
+ while read line ;
+ do
+ if [ ! -z "$line" ]; then
+ if [[ $line == dn* ]]; then
+ echo ""
+ user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+ echo "# $user"
+ elif [[ $line == $KEY* ]]; then
+ key=$(clean_key_line pub "$line")
+ key_forward=$(clean_key_line forward "$line")
+ if [ ! -z "$key" ]; then
+ if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+ echo -n 'command="$HOME/bin/restrict '$user'" '
+ echo $key
+ fi
+ elif [ ! -z "$key_forward" ]; then
+ if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then
+ echo "# forward only"
+ echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+ echo $key_forward
+ fi
+ fi
+ fi
+ fi
+ done
+
+ echo ""
+ ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \
+ while read line ;
+ do
+ if [ ! -z "$line" ]; then
+ if [[ $line == dn* ]]; then
+ echo ""
+ user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+ echo "# $user"
+ elif [[ $line == $KEY* ]]; then
+ key=$(clean_key_line forward "$line")
+ if [ ! -z "$key" ]; then
+ if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+ echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+ echo $key
+ fi
+ fi
+ fi
+ fi
+ done
+ exit 0
+ else
+ ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \
+ while read line ;
+ do
+ if [ ! -z "$line" ]; then
+ if [[ $line == dn* ]]; then
+ user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+ elif [[ $line == $KEY* ]]; then
+ key=$(clean_key_line ssh "$line")
+ if [ ! -z "$key" ]; then
+ if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+ echo $key
+ fi
+ fi
+ fi
+ fi
+ done
+ fi
+}
+
+ldap_keys $@