Move ssh ldap password to a secure location
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 20 Apr 2019 16:06:28 +0000 (18:06 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 20 Apr 2019 16:06:28 +0000 (18:06 +0200)
Related issue: https://git.immae.eu/mantisbt/view.php?id=122

nixops/modules/ssh/default.nix
nixops/modules/ssh/ldap_authorized_keys.sh

index b28f6cac6242cce8105529b19e81edb25b3f8dc2..924f86e213427d18f9e16cc9298ebab2a1002c7f 100644 (file)
@@ -8,17 +8,25 @@
       AuthorizedKeysCommandUser nobody
       '';
 
+    deployment.keys = {
+      ssh-ldap = {
+        user = "nobody";
+        group = "nobody";
+        permissions = "0400";
+        text = myconfig.env.sshd.ldap.password;
+      };
+    };
+    system.activationScripts.sshd = ''
+      install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password
+      '';
+    # ssh is strict about parent directory having correct rights, don't
+    # move it in the nix store.
     environment.etc."ssh/ldap_authorized_keys" = let
       ldap_authorized_keys =
         mylibs.wrap {
           name = "ldap_authorized_keys";
           file = ./ldap_authorized_keys.sh;
-          vars = {
-            LDAP_PASS = myconfig.env.sshd.ldap.password;
-            GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
-            ECHO = "${pkgs.coreutils}/bin/echo";
-          };
-          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+          paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
         };
     in {
       enable = true;
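Review bot: The activation script at lines 25–27 copies the key from `/run/keys/ssh-ldap` into the persistent `/etc/ssh/ldap_password` unconditionally, so on any activation where the source is absent (as I recall NixOps keeps `/run/keys` on a non-persistent filesystem that is only refilled by a deploy) `install` fails and activation reports an error each time, while the previously copied file silently stays in use. It also moves a secret that NixOps holds in memory onto disk, which deserves a comment next to the script given the commit's goal. Consider guarding the copy, `if [ -r /run/keys/ssh-ldap ]; then install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password; fi`, and add a comment stating why the key is copied rather than read in place (presumably because the `nobody` user cannot traverse the key directory). The comment on lines 28–29 about parent-directory rights now sits between the key handling and the `environment.etc` entry it describes; moving it directly above `ldap_authorized_keys =` would make its subject clearer.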
index d869d74a063b9dcb076ef0af8e53a04eea0d5234..d556452d86d44d6690376551ce94d7158a9eee23 100755 (executable)
@@ -3,13 +3,15 @@
 LDAPSEARCH=ldapsearch
 KEY="immaeSshKey"
 LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
-#LDAP_PASS="password taken from environment"
+LDAP_PASS=$(cat /etc/ssh/ldap_password)
 LDAP_HOST="ldap.immae.eu"
 LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
 LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
 LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
 LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
 LDAP_BASE="dc=immae,dc=eu"
+GITOLITE_SHELL=$(which gitolite-shell)
+ECHO=$(which echo)
 
 suitable_for() {
   type_for="$1"
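Review bot: `LDAP_PASS=$(cat /etc/ssh/ldap_password)` on line 51 yields an empty value when the file is missing or not readable by the `AuthorizedKeysCommandUser`, and the script then presumably continues to the LDAP bind with an empty password instead of failing; the `which` lookups on lines 58–59 have the same shape, leaving `GITOLITE_SHELL` and `ECHO` empty if the wrapper's PATH does not contain them, where the old version used fixed store paths. Fail fast instead, e.g. `LDAP_PASS=$(cat /etc/ssh/ldap_password) || { echo "cannot read /etc/ssh/ldap_password" >&2; exit 1; }`, and likewise `GITOLITE_SHELL=$(which gitolite-shell) || exit 1`. A one-line comment above line 51 noting that the file is installed by the NixOS activation script and must be readable by the key-command user would also help the next reader.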