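{ lib, pkgs, config, ... }:
# NixOS module: optional LDAP-backed AuthorizedKeysCommand for sshd.
#
# Each enabled "module" contributes a shell snippet (and the packages that
# snippet needs on PATH). The snippets are concatenated into one lookup
# script, installed as /etc/ssh/ldap_authorized_keys and executed by sshd
# as `nobody` for every public-key login attempt.
let
  cfg = config.myServices.ssh;
in
{
  options.myServices.ssh = let
    # One lookup snippet plus the packages it needs at runtime.
    module = lib.types.submodule {
      options = {
        snippet = lib.mkOption {
          type = lib.types.lines;
          description = ''
            Snippet to use
          '';
        };
        dependencies = lib.mkOption {
          type = lib.types.listOf lib.types.package;
          default = [];
          description = ''
            Dependencies of the package
          '';
        };
      };
    };
  in {
    # Catalogue of ready-made snippets; users pick from it via `modules`.
    predefinedModules = lib.mkOption {
      type = lib.types.attrsOf module;
      default = {
        regular = {
          snippet = builtins.readFile ./ldap_regular.sh;
        };
      };
      readOnly = true;
      description = ''
        Predefined modules
      '';
    };
    # Nothing below the firewall rule is generated unless this is non-empty.
    modules = lib.mkOption {
      type = lib.types.listOf module;
      default = [];
      description = ''
        List of modules to enable
      '';
    };
  };

  # lib.mkMerge, not `//`: `attrs // (lib.mkIf cond attrs')` yields an
  # attrset whose top-level `_type = "if"` makes the module system treat the
  # whole value as the mkIf, so the unconditional firewall entry merged next
  # to it would be silently dropped.
  config = lib.mkMerge [
    {
      networking.firewall.allowedTCPPorts = [ 22 ];
    }
    (lib.mkIf (builtins.length cfg.modules > 0) {
      # sshd runs the command as `nobody`; the LDAP password below is owned
      # by that account so the script can read it.
      services.openssh.extraConfig = ''
        AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
        AuthorizedKeysCommandUser nobody
      '';

      # LDAP bind password, materialised by the `secrets` machinery.
      # NOTE(review): `nobody` is a shared system account, so every process
      # running as it can read this file; a dedicated user would narrow the
      # exposure.
      secrets.keys = [{
        dest = "ssh-ldap";
        user = "nobody";
        group = "nogroup";
        permissions = "0400";
        text = config.myEnv.sshd.ldap.password;
      }];

      # Copy the secret to the path the lookup script expects; depends on
      # `secrets` so the source exists when this runs.
      system.activationScripts.sshd = {
        deps = [ "secrets" ];
        text = ''
          install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
        '';
      };

      # ssh is strict about parent directory having correct rights, don't
      # move it in the nix store. sshd also rejects an AuthorizedKeysCommand
      # that is not owned by root or is group/world-writable, hence
      # mode 0755 / user root below.
      environment.etc."ssh/ldap_authorized_keys" = let
        # Base tools every snippet may rely on, plus per-module extras.
        deps = lib.lists.unique (
          [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]
          ++ lib.flatten (map (v: v.dependencies) cfg.modules)
        );
        # substituteAll splices the concatenated snippets into the template
        # (via the `snippets` environment variable).
        fullScript = pkgs.runCommand "ldap_authorized_keys" {
          snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules);
        } ''
          substituteAll ${./ldap_authorized_keys.sh} $out
          chmod a+x $out
        '';
        # Wrapper that puts `deps` on PATH before running the script.
        ldap_authorized_keys =
          pkgs.mylibs.wrap {
            name = "ldap_authorized_keys";
            file = fullScript;
            paths = deps;
          };
      in {
        enable = true;
        mode = "0755";
        user = "root";
        source = ldap_authorized_keys;
      };
    })
  ];
}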