Move ssh to its own module

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-03 10:21:20 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-03 10:28:10 +0200
commit: 7e6f1fb434797b4ffaf7eefa4a69825ce884fd20 (patch)
tree: 893278685ae318b918efbe474bd470a79df5d5af
parent: 33aa7e5c92daffce2f09639eb57cb995754fbd6b (diff)
download: Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.tar.gz
Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.tar.zst
Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.zip
3 files changed, 32 insertions, 31 deletions
diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index 752ef0a..9d32bb3 100644
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -6,7 +6,6 @@
  };
  eldiron = { config, pkgs, mylibs, myconfig, ... }:
-    with mylibs;
  {
    _module.args = {
      pkgsNext = import <nixpkgsNext> {};
@@ -25,6 +24,7 @@
    };
    imports = [
+      ./modules/ssh
      ./modules/certificates.nix
      ./modules/gitolite
      ./modules/databases
@@ -52,12 +52,7 @@
      MaxLevelStore="warning"
      MaxRetentionSec="1year"
      '';
-    networking = {
+    networking.firewall.enable = true;
-      firewall = {
-        enable = true;
-        allowedTCPPorts = [ 22 ];
-      };
-    };
    deployment = {
      targetEnv = "hetzner";
@@ -85,30 +80,6 @@
      pkgs.vim
    ];
-    services.openssh.extraConfig = ''
-      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
-      AuthorizedKeysCommandUser nobody
-      '';
-    environment.etc."ssh/ldap_authorized_keys" = let
-      ldap_authorized_keys =
-        wrap {
-          name = "ldap_authorized_keys";
-          file = ./ldap_authorized_keys.sh;
-          vars = {
-            LDAP_PASS = myconfig.env.sshd.ldap.password;
-            GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
-            ECHO = "${pkgs.coreutils}/bin/echo";
-          };
-          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
-        };
-    in {
-      enable = true;
-      mode = "0755";
-      user = "root";
-      source = ldap_authorized_keys;
-    };
    services.cron = {
      enable = true;
      systemCronJobs = [
diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix
new file mode 100644
index 0000000..b28f6ca
--- /dev/null
+++ b/nixops/modules/ssh/default.nix
@@ -0,0 +1,30 @@
+{ lib, pkgs, config, mylibs, myconfig, ... }:
+{
+  config = {
+    networking.firewall.allowedTCPPorts = [ 22 ];
+    services.openssh.extraConfig = ''
+      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
+      AuthorizedKeysCommandUser nobody
+      '';
+    environment.etc."ssh/ldap_authorized_keys" = let
+      ldap_authorized_keys =
+        mylibs.wrap {
+          name = "ldap_authorized_keys";
+          file = ./ldap_authorized_keys.sh;
+          vars = {
+            LDAP_PASS = myconfig.env.sshd.ldap.password;
+            GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
+            ECHO = "${pkgs.coreutils}/bin/echo";
+          };
+          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+        };
+    in {
+      enable = true;
+      mode = "0755";
+      user = "root";
+      source = ldap_authorized_keys;
+    };
+  };
+}
diff --git a/nixops/ldap_authorized_keys.sh b/nixops/modules/ssh/ldap_authorized_keys.sh
index d869d74..d869d74 100755
--- a/nixops/ldap_authorized_keys.sh
+++ b/nixops/modules/ssh/ldap_authorized_keys.sh
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-03 10:21:20 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-03 10:28:10 +0200
commit	7e6f1fb434797b4ffaf7eefa4a69825ce884fd20 (patch)
tree	893278685ae318b918efbe474bd470a79df5d5af
parent	33aa7e5c92daffce2f09639eb57cb995754fbd6b (diff)
download	Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.tar.gz Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.tar.zst Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.zip