Move ssh to its own module

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-03 10:21:20 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-03 10:28:10 +0200
commit: 7e6f1fb434797b4ffaf7eefa4a69825ce884fd20 (patch)
tree: 893278685ae318b918efbe474bd470a79df5d5af /nixops/modules/ssh/default.nix
parent: 33aa7e5c92daffce2f09639eb57cb995754fbd6b (diff)
download: Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.tar.gz
Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.tar.zst
Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.zip
1 files changed, 30 insertions, 0 deletions
diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix
new file mode 100644
index 0000000..b28f6ca
--- /dev/null
+++ b/nixops/modules/ssh/default.nix
@@ -0,0 +1,30 @@
+{ lib, pkgs, config, mylibs, myconfig, ... }:
+{
+  config = {
+    networking.firewall.allowedTCPPorts = [ 22 ];
+    services.openssh.extraConfig = ''
+      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
+      AuthorizedKeysCommandUser nobody
+      '';
+    environment.etc."ssh/ldap_authorized_keys" = let
+      ldap_authorized_keys =
+        mylibs.wrap {
+          name = "ldap_authorized_keys";
+          file = ./ldap_authorized_keys.sh;
+          vars = {
+            LDAP_PASS = myconfig.env.sshd.ldap.password;
+            GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
+            ECHO = "${pkgs.coreutils}/bin/echo";
+          };
+          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+        };
+    in {
+      enable = true;
+      mode = "0755";
+      user = "root";
+      source = ldap_authorized_keys;
+    };
+  };
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-03 10:21:20 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-03 10:28:10 +0200
commit	7e6f1fb434797b4ffaf7eefa4a69825ce884fd20 (patch)
tree	893278685ae318b918efbe474bd470a79df5d5af /nixops/modules/ssh/default.nix
parent	33aa7e5c92daffce2f09639eb57cb995754fbd6b (diff)
download	Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.tar.gz Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.tar.zst Nix-7e6f1fb434797b4ffaf7eefa4a69825ce884fd20.zip

diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix new file mode 100644 index 0000000..b28f6ca --- /dev/null +++ b/nixops/modules/ssh/default.nix
@@ -0,0 +1,30 @@
	1	{ lib, pkgs, config, mylibs, myconfig, ... }:
	2	{
	3	config = {
	4	networking.firewall.allowedTCPPorts = [ 22 ];
	5
	6	services.openssh.extraConfig = ''
	7	AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
	8	AuthorizedKeysCommandUser nobody
	9	'';
	10
	11	environment.etc."ssh/ldap_authorized_keys" = let
	12	ldap_authorized_keys =
	13	mylibs.wrap {
	14	name = "ldap_authorized_keys";
	15	file = ./ldap_authorized_keys.sh;
	16	vars = {
	17	LDAP_PASS = myconfig.env.sshd.ldap.password;
	18	GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
	19	ECHO = "${pkgs.coreutils}/bin/echo";
	20	};
	21	paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
	22	};
	23	in {
	24	enable = true;
	25	mode = "0755";
	26	user = "root";
	27	source = ldap_authorized_keys;
	28	};
	29	};
	30	}