author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 18:06:28 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 18:06:28 +0200 |
commit | ea7bf00c5af841b6f3980cb8d957daec5e609422 (patch) | |
tree | b59da1526fba49ccd56221f0c544ac90855e1379 | |
parent | 926a4007ae464c08363c75aa177d978d803366a6 (diff) | |
download | Nix-ea7bf00c5af841b6f3980cb8d957daec5e609422.tar.gz Nix-ea7bf00c5af841b6f3980cb8d957daec5e609422.tar.zst Nix-ea7bf00c5af841b6f3980cb8d957daec5e609422.zip |
Move ssh ldap password to a secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
-rw-r--r-- | nixops/modules/ssh/default.nix | 20 | ||||
-rwxr-xr-x | nixops/modules/ssh/ldap_authorized_keys.sh | 4 |
2 files changed, 17 insertions, 7 deletions
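--- a/nixops/modules/ssh/default.nix
+++ b/nixops/modules/ssh/default.nix
@@ -8,17 +8,25 @@
 AuthorizedKeysCommandUser nobody
 '';
 
+deployment.keys = {
+ssh-ldap = {
+user = "nobody";
+group = "nobody";
+permissions = "0400";
+text = myconfig.env.sshd.ldap.password;
+};
+};
+system.activationScripts.sshd = ''
+install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password
+'';
+# ssh is strict about parent directory having correct rights, don't
+# move it in the nix store.
 environment.etc."ssh/ldap_authorized_keys" = let
 ldap_authorized_keys =
 mylibs.wrap {
 name = "ldap_authorized_keys";
 file = ./ldap_authorized_keys.sh;
-vars = {
-LDAP_PASS = myconfig.env.sshd.ldap.password;
-GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
-ECHO = "${pkgs.coreutils}/bin/echo";
-};
-paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
 };
 in {
 enable = true;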
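Review bot: The LDAP bind password is installed with `-o nobody -g nobody` (new lines 13-14 and 20) while `AuthorizedKeysCommandUser` is also `nobody`, so every process that runs under that shared account can read the secret, not only the authorized-keys lookup; a dedicated user for both the key owner and `AuthorizedKeysCommandUser` would narrow that. The activation script on new line 20 also copies the key out of `/run/keys` into `/etc/ssh/ldap_password` without checking that the source exists or that `install` succeeded, so an activation that runs before the key has been delivered presumably leaves a missing or stale password file with no diagnostic. A minimal guard would be `install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password || echo "ssh-ldap key not available, /etc/ssh/ldap_password not updated" >&2`. A short comment above `system.activationScripts.sshd` saying why the script cannot read `/run/keys/ssh-ldap` directly (it already carries the same owner and 0400 mode) would help the next reader.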
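--- a/nixops/modules/ssh/ldap_authorized_keys.sh
+++ b/nixops/modules/ssh/ldap_authorized_keys.sh
@@ -3,13 +3,15 @@
 LDAPSEARCH=ldapsearch
 KEY="immaeSshKey"
 LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
-#LDAP_PASS="password taken from environment"
+LDAP_PASS=$(cat /etc/ssh/ldap_password)
 LDAP_HOST="ldap.immae.eu"
 LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
 LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
 LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
 LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
 LDAP_BASE="dc=immae,dc=eu"
+GITOLITE_SHELL=$(which gitolite-shell)
+ECHO=$(which echo)
 
 suitable_for() {
 type_for="$1"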
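Review bot: `LDAP_PASS=$(cat /etc/ssh/ldap_password)` (new line 6) does not check that the read succeeded, so when the file is missing or unreadable the variable is silently empty and the script carries on; with a simple bind an empty password is normally treated as an anonymous bind, which could change what the later search returns without any error being raised. Fail closed instead: `LDAP_PASS=$(cat /etc/ssh/ldap_password) || exit 1` followed by `[ -n "$LDAP_PASS" ] || exit 1`. The new `GITOLITE_SHELL=$(which gitolite-shell)` and `ECHO=$(which echo)` (new lines 13-14) resolve through PATH at run time rather than the fixed store paths the removed wrapper `vars` supplied, so they rely on the wrapper's `paths` list staying complete; a one-line comment such as `# resolved via the wrapper's PATH (see default.nix paths)` would record that dependency. The hunk ends inside `suitable_for`, whose body continues outside it.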