Move rest of the modules outside of nixops

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-22 20:55:28 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-22 20:55:28 +0200
commit: 8d213e2b1c934f6861f76aad5eb7c11097fa97de (patch)
tree: 23f8a2d5692deaeffffa1ab5f098b2d24b9e2217 /modules/private/ssh
parent: a1a8649a2be768685eb04c246c114fce36b8096f (diff)
download: Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.tar.gz
Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.tar.zst
Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.zip
2 files changed, 192 insertions, 0 deletions
diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix
new file mode 100644
index 0000000..beedaff
--- /dev/null
+++ b/modules/private/ssh/default.nix
@@ -0,0 +1,40 @@
+{ lib, pkgs, config, myconfig, ... }:
+{
+  config = {
+    networking.firewall.allowedTCPPorts = [ 22 ];
+    services.openssh.extraConfig = ''
+      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
+      AuthorizedKeysCommandUser nobody
+      '';
+    secrets.keys = [{
+      dest = "ssh-ldap";
+      user = "nobody";
+      group = "nogroup";
+      permissions = "0400";
+      text = myconfig.env.sshd.ldap.password;
+    }];
+    system.activationScripts.sshd = {
+      deps = [ "secrets" ];
+      text = ''
+      install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+      '';
+    };
+    # ssh is strict about parent directory having correct rights, don't
+    # move it in the nix store.
+    environment.etc."ssh/ldap_authorized_keys" = let
+      ldap_authorized_keys =
+        pkgs.mylibs.wrap {
+          name = "ldap_authorized_keys";
+          file = ./ldap_authorized_keys.sh;
+          paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+        };
+    in {
+      enable = true;
+      mode = "0755";
+      user = "root";
+      source = ldap_authorized_keys;
+    };
+  };
+}
diff --git a/modules/private/ssh/ldap_authorized_keys.sh b/modules/private/ssh/ldap_authorized_keys.sh
new file mode 100755
index 0000000..d556452
--- /dev/null
+++ b/modules/private/ssh/ldap_authorized_keys.sh
@@ -0,0 +1,152 @@
+#!/usr/bin/env bash
+LDAPSEARCH=ldapsearch
+KEY="immaeSshKey"
+LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
+LDAP_PASS=$(cat /etc/ssh/ldap_password)
+LDAP_HOST="ldap.immae.eu"
+LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
+LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
+LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
+LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
+LDAP_BASE="dc=immae,dc=eu"
+GITOLITE_SHELL=$(which gitolite-shell)
+ECHO=$(which echo)
+suitable_for() {
+  type_for="$1"
+  key="$2"
+  if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+    echo "$key"
+  else
+    key_type=$(cut -d " " -f 1 <<< "$key")
+    if grep -q "\b-$type_for\b" <<< "$key_type"; then
+      echo ""
+    elif grep -q "\b$type_for\b" <<< "$key_type"; then
+      echo $(sed -e "s/^[^ ]* //g" <<< "$key")
+    else
+      echo ""
+    fi
+  fi
+}
+clean_key_line() {
+  type_for="$1"
+  line="$2"
+  if [[ "$line" == $KEY::* ]]; then
+    # base64 keys should't happen, unless wrong copy-pasting
+    key=""
+  else
+    key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line")
+  fi
+  suitable_for "$type_for" "$key"
+}
+ldap_search() {
+  $LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@"
+}
+ldap_keys() {
+  user=$1;
+  if [[ $user == gitolite ]]; then
+    ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+            if [ -n "$user" ]; then
+              if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then
+                # Capitalize first letter (backward compatibility)
+                user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user")
+              fi
+            else
+              # Service fake user
+              user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line")
+            fi
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line git "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
+                echo $key
+              fi
+            fi
+          fi
+        fi
+      done
+    exit 0
+  elif [[ $user == pub ]]; then
+    ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            echo ""
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+            echo "# $user"
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line pub "$line")
+            key_forward=$(clean_key_line forward "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
+                echo $key
+              fi
+            elif [ ! -z "$key_forward" ]; then
+              if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then
+                echo "# forward only"
+                echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+                echo $key_forward
+              fi
+            fi
+          fi
+        fi
+      done
+    echo ""
+    ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            echo ""
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+            echo "# $user"
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line forward "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+                echo $key
+              fi
+            fi
+          fi
+        fi
+      done
+    exit 0
+  else
+    ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line ssh "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo $key
+              fi
+            fi
+          fi
+        fi
+      done
+  fi
+}
+ldap_keys $@
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-22 20:55:28 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-22 20:55:28 +0200
commit	8d213e2b1c934f6861f76aad5eb7c11097fa97de (patch)
tree	23f8a2d5692deaeffffa1ab5f098b2d24b9e2217 /modules/private/ssh
parent	a1a8649a2be768685eb04c246c114fce36b8096f (diff)
download	Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.tar.gz Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.tar.zst Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.zip

diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix new file mode 100644 index 0000000..beedaff --- /dev/null +++ b/modules/private/ssh/default.nix
@@ -0,0 +1,40 @@
	1	{ lib, pkgs, config, myconfig, ... }:
	2	{
	3	config = {
	4	networking.firewall.allowedTCPPorts = [ 22 ];
	5
	6	services.openssh.extraConfig = ''
	7	AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
	8	AuthorizedKeysCommandUser nobody
	9	'';
	10
	11	secrets.keys = [{
	12	dest = "ssh-ldap";
	13	user = "nobody";
	14	group = "nogroup";
	15	permissions = "0400";
	16	text = myconfig.env.sshd.ldap.password;
	17	}];
	18	system.activationScripts.sshd = {
	19	deps = [ "secrets" ];
	20	text = ''
	21	install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
	22	'';
	23	};
	24	# ssh is strict about parent directory having correct rights, don't
	25	# move it in the nix store.
	26	environment.etc."ssh/ldap_authorized_keys" = let
	27	ldap_authorized_keys =
	28	pkgs.mylibs.wrap {
	29	name = "ldap_authorized_keys";
	30	file = ./ldap_authorized_keys.sh;
	31	paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
	32	};
	33	in {
	34	enable = true;
	35	mode = "0755";
	36	user = "root";
	37	source = ldap_authorized_keys;
	38	};
	39	};
	40	}


diff --git a/modules/private/ssh/ldap_authorized_keys.sh b/modules/private/ssh/ldap_authorized_keys.sh new file mode 100755 index 0000000..d556452 --- /dev/null +++ b/modules/private/ssh/ldap_authorized_keys.sh
@@ -0,0 +1,152 @@
	1	#!/usr/bin/env bash
	2
	3	LDAPSEARCH=ldapsearch
	4	KEY="immaeSshKey"
	5	LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
	6	LDAP_PASS=$(cat /etc/ssh/ldap_password)
	7	LDAP_HOST="ldap.immae.eu"
	8	LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
	9	LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
	10	LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
	11	LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
	12	LDAP_BASE="dc=immae,dc=eu"
	13	GITOLITE_SHELL=$(which gitolite-shell)
	14	ECHO=$(which echo)
	15
	16	suitable_for() {
	17	type_for="$1"
	18	key="$2"
	19
	20	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
	21	echo "$key"
	22	else
	23	key_type=$(cut -d " " -f 1 <<< "$key")
	24
	25	if grep -q "\b-$type_for\b" <<< "$key_type"; then
	26	echo ""
	27	elif grep -q "\b$type_for\b" <<< "$key_type"; then
	28	echo $(sed -e "s/^[^ ]* //g" <<< "$key")
	29	else
	30	echo ""
	31	fi
	32	fi
	33	}
	34
	35	clean_key_line() {
	36	type_for="$1"
	37	line="$2"
	38
	39	if [[ "$line" == $KEY::* ]]; then
	40	# base64 keys should't happen, unless wrong copy-pasting
	41	key=""
	42	else
	43	key=$(sed -e "s/^$KEY: //" -e "s/ $//" <<< "$line")
	44	fi
	45
	46	suitable_for "$type_for" "$key"
	47	}
	48
	49	ldap_search() {
	50	$LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@"
	51	}
	52
	53	ldap_keys() {
	54	user=$1;
	55	if [[ $user == gitolite ]]; then
	56	ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY \| \
	57	while read line ;
	58	do
	59	if [ ! -z "$line" ]; then
	60	if [[ $line == dn* ]]; then
	61	user=$(sed -n 's/.uid=\([^,]\).*/\1/p' <<< "$line")
	62	if [ -n "$user" ]; then
	63	if [[ $user == "immae" ]] \|\| [[ $user == "denise" ]]; then
	64	# Capitalize first letter (backward compatibility)
	65	user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user")
	66	fi
	67	else
	68	# Service fake user
	69	user=$(sed -n 's/.cn=\([^,]\).*/\1/p' <<< "$line")
	70	fi
	71	elif [[ $line == $KEY* ]]; then
	72	key=$(clean_key_line git "$line")
	73	if [ ! -z "$key" ]; then
	74	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
	75	echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
	76	echo $key
	77	fi
	78	fi
	79	fi
	80	fi
	81	done
	82	exit 0
	83	elif [[ $user == pub ]]; then
	84	ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY \| \
	85	while read line ;
	86	do
	87	if [ ! -z "$line" ]; then
	88	if [[ $line == dn* ]]; then
	89	echo ""
	90	user=$(sed -n 's/.uid=\([^,]\).*/\1/p' <<< "$line")
	91	echo "# $user"
	92	elif [[ $line == $KEY* ]]; then
	93	key=$(clean_key_line pub "$line")
	94	key_forward=$(clean_key_line forward "$line")
	95	if [ ! -z "$key" ]; then
	96	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
	97	echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
	98	echo $key
	99	fi
	100	elif [ ! -z "$key_forward" ]; then
	101	if [[ $key_forward != $'\n' ]] && [[ $key_forward == ssh-* ]]; then
	102	echo "# forward only"
	103	echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
	104	echo $key_forward
	105	fi
	106	fi
	107	fi
	108	fi
	109	done
	110
	111	echo ""
	112	ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY \| \
	113	while read line ;
	114	do
	115	if [ ! -z "$line" ]; then
	116	if [[ $line == dn* ]]; then
	117	echo ""
	118	user=$(sed -n 's/.uid=\([^,]\).*/\1/p' <<< "$line")
	119	echo "# $user"
	120	elif [[ $line == $KEY* ]]; then
	121	key=$(clean_key_line forward "$line")
	122	if [ ! -z "$key" ]; then
	123	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
	124	echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
	125	echo $key
	126	fi
	127	fi
	128	fi
	129	fi
	130	done
	131	exit 0
	132	else
	133	ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY \| \
	134	while read line ;
	135	do
	136	if [ ! -z "$line" ]; then
	137	if [[ $line == dn* ]]; then
	138	user=$(sed -n 's/.uid=\([^,]\).*/\1/p' <<< "$line")
	139	elif [[ $line == $KEY* ]]; then
	140	key=$(clean_key_line ssh "$line")
	141	if [ ! -z "$key" ]; then
	142	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
	143	echo $key
	144	fi
	145	fi
	146	fi
	147	fi
	148	done
	149	fi
	150	}
	151
	152	ldap_keys $@