From ea7bf00c5af841b6f3980cb8d957daec5e609422 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Sat, 20 Apr 2019 18:06:28 +0200
Subject: [PATCH] Move ssh ldap password to a secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 nixops/modules/ssh/default.nix             | 20 ++++++++++++++------
 nixops/modules/ssh/ldap_authorized_keys.sh |  4 +++-
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix
index b28f6ca..924f86e 100644
--- a/nixops/modules/ssh/default.nix
+++ b/nixops/modules/ssh/default.nix
@@ -8,17 +8,25 @@
       AuthorizedKeysCommandUser nobody
       '';
 
+    deployment.keys = {
+      ssh-ldap = {
+        user = "nobody";
+        group = "nobody";
+        permissions = "0400";
+        text = myconfig.env.sshd.ldap.password;
+      };
+    };
+    system.activationScripts.sshd = ''
+      install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password
+      '';
+    # ssh is strict about parent directory having correct rights, don't
+    # move it in the nix store.
     environment.etc."ssh/ldap_authorized_keys" = let
       ldap_authorized_keys =
         mylibs.wrap {
           name = "ldap_authorized_keys";
           file = ./ldap_authorized_keys.sh;
-          vars = {
-            LDAP_PASS = myconfig.env.sshd.ldap.password;
-            GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
-            ECHO = "${pkgs.coreutils}/bin/echo";
-          };
-          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+          paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
         };
     in {
       enable = true;
diff --git a/nixops/modules/ssh/ldap_authorized_keys.sh b/nixops/modules/ssh/ldap_authorized_keys.sh
index d869d74..d556452 100755
--- a/nixops/modules/ssh/ldap_authorized_keys.sh
+++ b/nixops/modules/ssh/ldap_authorized_keys.sh
@@ -3,13 +3,15 @@
 LDAPSEARCH=ldapsearch
 KEY="immaeSshKey"
 LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
-#LDAP_PASS="password taken from environment"
+LDAP_PASS=$(cat /etc/ssh/ldap_password)
 LDAP_HOST="ldap.immae.eu"
 LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
 LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
 LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
 LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
 LDAP_BASE="dc=immae,dc=eu"
+GITOLITE_SHELL=$(which gitolite-shell)
+ECHO=$(which echo)
 
 suitable_for() {
   type_for="$1"
-- 
2.41.0