};
eldiron = { config, pkgs, mylibs, myconfig, ... }:
- with mylibs;
{
_module.args = {
pkgsNext = import <nixpkgsNext> {};
};
imports = [
+ ./modules/ssh
./modules/certificates.nix
./modules/gitolite
./modules/databases
MaxLevelStore="warning"
MaxRetentionSec="1year"
'';
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [ 22 ];
- };
- };
+ networking.firewall.enable = true;
deployment = {
targetEnv = "hetzner";
pkgs.vim
];
- services.openssh.extraConfig = ''
- AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
- AuthorizedKeysCommandUser nobody
- '';
-
- environment.etc."ssh/ldap_authorized_keys" = let
- ldap_authorized_keys =
- wrap {
- name = "ldap_authorized_keys";
- file = ./ldap_authorized_keys.sh;
- vars = {
- LDAP_PASS = myconfig.env.sshd.ldap.password;
- GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
- ECHO = "${pkgs.coreutils}/bin/echo";
- };
- paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
- };
- in {
- enable = true;
- mode = "0755";
- user = "root";
- source = ldap_authorized_keys;
- };
-
services.cron = {
enable = true;
systemCronJobs = [
--- /dev/null
+{ lib, pkgs, config, mylibs, myconfig, ... }:
+{
+ config = {
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ services.openssh.extraConfig = ''
+ AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
+ AuthorizedKeysCommandUser nobody
+ '';
+
+ environment.etc."ssh/ldap_authorized_keys" = let
+ ldap_authorized_keys =
+ mylibs.wrap {
+ name = "ldap_authorized_keys";
+ file = ./ldap_authorized_keys.sh;
+ vars = {
+ LDAP_PASS = myconfig.env.sshd.ldap.password;
+ GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
+ ECHO = "${pkgs.coreutils}/bin/echo";
+ };
+ paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+ };
+ in {
+ enable = true;
+ mode = "0755";
+ user = "root";
+ source = ldap_authorized_keys;
+ };
+ };
+}