diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 01:35:06 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 02:11:48 +0200 |
commit | 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch) | |
tree | 1b9df4838f894577a09b9b260151756272efeb53 /modules/private/ssh | |
parent | fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff) | |
download | Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip |
Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them
contained personnal information about users. All thos changes got
stashed into a single commit (history is kept in a different place) and
private information was moved in a separate private repository
Diffstat (limited to 'modules/private/ssh')
-rw-r--r-- | modules/private/ssh/default.nix | 91 | ||||
-rwxr-xr-x | modules/private/ssh/ldap_authorized_keys.sh | 52 | ||||
-rw-r--r-- | modules/private/ssh/ldap_regular.sh | 19 |
3 files changed, 0 insertions, 162 deletions
diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix deleted file mode 100644 index ee5dda5..0000000 --- a/modules/private/ssh/default.nix +++ /dev/null | |||
@@ -1,91 +0,0 @@ | |||
1 | { lib, pkgs, config, ... }: | ||
2 | let | ||
3 | cfg = config.myServices.ssh; | ||
4 | in | ||
5 | { | ||
6 | options.myServices.ssh = let | ||
7 | module = lib.types.submodule { | ||
8 | options = { | ||
9 | snippet = lib.mkOption { | ||
10 | type = lib.types.lines; | ||
11 | description = '' | ||
12 | Snippet to use | ||
13 | ''; | ||
14 | }; | ||
15 | dependencies = lib.mkOption { | ||
16 | type = lib.types.listOf lib.types.package; | ||
17 | default = []; | ||
18 | description = '' | ||
19 | Dependencies of the package | ||
20 | ''; | ||
21 | }; | ||
22 | }; | ||
23 | }; | ||
24 | in { | ||
25 | predefinedModules = lib.mkOption { | ||
26 | type = lib.types.attrsOf module; | ||
27 | default = { | ||
28 | regular = { | ||
29 | snippet = builtins.readFile ./ldap_regular.sh; | ||
30 | }; | ||
31 | }; | ||
32 | readOnly = true; | ||
33 | description = '' | ||
34 | Predefined modules | ||
35 | ''; | ||
36 | }; | ||
37 | modules = lib.mkOption { | ||
38 | type = lib.types.listOf module; | ||
39 | default = []; | ||
40 | description = '' | ||
41 | List of modules to enable | ||
42 | ''; | ||
43 | }; | ||
44 | }; | ||
45 | config = { | ||
46 | networking.firewall.allowedTCPPorts = [ 22 ]; | ||
47 | } // (lib.mkIf (builtins.length cfg.modules > 0) { | ||
48 | |||
49 | services.openssh.extraConfig = '' | ||
50 | AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys | ||
51 | AuthorizedKeysCommandUser nobody | ||
52 | ''; | ||
53 | |||
54 | secrets.keys."ssh-ldap" = { | ||
55 | user = "nobody"; | ||
56 | group = "nogroup"; | ||
57 | permissions = "0400"; | ||
58 | text = config.myEnv.sshd.ldap.password; | ||
59 | }; | ||
60 | system.activationScripts.sshd = { | ||
61 | deps = [ "secrets" ]; | ||
62 | text = '' | ||
63 | install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password | ||
64 | ''; | ||
65 | }; | ||
66 | # ssh is strict about parent directory having correct rights, don't | ||
67 | # move it in the nix store. | ||
68 | environment.etc."ssh/ldap_authorized_keys" = let | ||
69 | deps = lib.lists.unique ( | ||
70 | [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ] | ||
71 | ++ lib.flatten (map (v: v.dependencies) cfg.modules) | ||
72 | ); | ||
73 | fullScript = pkgs.runCommand "ldap_authorized_keys" { | ||
74 | snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) cfg.modules); | ||
75 | } '' | ||
76 | substituteAll ${./ldap_authorized_keys.sh} $out | ||
77 | chmod a+x $out | ||
78 | ''; | ||
79 | ldap_authorized_keys = pkgs.runCommand "ldap_authorized_keys" { | ||
80 | buildInputs = [ pkgs.makeWrapper ]; | ||
81 | } '' | ||
82 | makeWrapper "${fullScript}" "$out" --prefix PATH : ${lib.makeBinPath deps} | ||
83 | ''; | ||
84 | in { | ||
85 | enable = true; | ||
86 | mode = "0755"; | ||
87 | user = "root"; | ||
88 | source = ldap_authorized_keys; | ||
89 | }; | ||
90 | }); | ||
91 | } | ||
diff --git a/modules/private/ssh/ldap_authorized_keys.sh b/modules/private/ssh/ldap_authorized_keys.sh deleted file mode 100755 index 402f283..0000000 --- a/modules/private/ssh/ldap_authorized_keys.sh +++ /dev/null | |||
@@ -1,52 +0,0 @@ | |||
1 | #!/usr/bin/env bash | ||
2 | |||
3 | LDAPSEARCH=ldapsearch | ||
4 | KEY="immaeSshKey" | ||
5 | LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" | ||
6 | LDAP_PASS=$(cat /etc/ssh/ldap_password) | ||
7 | LDAP_HOST="ldap.immae.eu" | ||
8 | LDAP_BASE="dc=immae,dc=eu" | ||
9 | |||
10 | suitable_for() { | ||
11 | type_for="$1" | ||
12 | key="$2" | ||
13 | |||
14 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
15 | echo "$key" | ||
16 | else | ||
17 | key_type=$(cut -d " " -f 1 <<< "$key") | ||
18 | |||
19 | if grep -q "\b-$type_for\b" <<< "$key_type"; then | ||
20 | echo "" | ||
21 | elif grep -q "\b$type_for\b" <<< "$key_type"; then | ||
22 | echo $(sed -e "s/^[^ ]* //g" <<< "$key") | ||
23 | else | ||
24 | echo "" | ||
25 | fi | ||
26 | fi | ||
27 | } | ||
28 | |||
29 | clean_key_line() { | ||
30 | type_for="$1" | ||
31 | line="$2" | ||
32 | |||
33 | if [[ "$line" == $KEY::* ]]; then | ||
34 | # base64 keys should't happen, unless wrong copy-pasting | ||
35 | key="" | ||
36 | else | ||
37 | key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line") | ||
38 | fi | ||
39 | |||
40 | suitable_for "$type_for" "$key" | ||
41 | } | ||
42 | |||
43 | ldap_search() { | ||
44 | $LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@" | ||
45 | } | ||
46 | |||
47 | ldap_keys() { | ||
48 | user=$1; | ||
49 | @snippets@ | ||
50 | } | ||
51 | |||
52 | ldap_keys $@ | ||
diff --git a/modules/private/ssh/ldap_regular.sh b/modules/private/ssh/ldap_regular.sh deleted file mode 100644 index 4c2f47e..0000000 --- a/modules/private/ssh/ldap_regular.sh +++ /dev/null | |||
@@ -1,19 +0,0 @@ | |||
1 | ### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh | ||
2 | LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu" | ||
3 | |||
4 | ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \ | ||
5 | while read line ; | ||
6 | do | ||
7 | if [ ! -z "$line" ]; then | ||
8 | if [[ $line == dn* ]]; then | ||
9 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | ||
10 | elif [[ $line == $KEY* ]]; then | ||
11 | key=$(clean_key_line ssh "$line") | ||
12 | if [ ! -z "$key" ]; then | ||
13 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
14 | echo $key | ||
15 | fi | ||
16 | fi | ||
17 | fi | ||
18 | fi | ||
19 | done | ||