diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 18:06:28 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 18:06:28 +0200 |
commit | ea7bf00c5af841b6f3980cb8d957daec5e609422 (patch) | |
tree | b59da1526fba49ccd56221f0c544ac90855e1379 /nixops/modules/ssh/default.nix | |
parent | 926a4007ae464c08363c75aa177d978d803366a6 (diff) | |
download | Nix-ea7bf00c5af841b6f3980cb8d957daec5e609422.tar.gz Nix-ea7bf00c5af841b6f3980cb8d957daec5e609422.tar.zst Nix-ea7bf00c5af841b6f3980cb8d957daec5e609422.zip |
Move ssh ldap password to a secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules/ssh/default.nix')
-rw-r--r-- | nixops/modules/ssh/default.nix | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix index b28f6ca..924f86e 100644 --- a/nixops/modules/ssh/default.nix +++ b/nixops/modules/ssh/default.nix | |||
@@ -8,17 +8,25 @@ | |||
8 | AuthorizedKeysCommandUser nobody | 8 | AuthorizedKeysCommandUser nobody |
9 | ''; | 9 | ''; |
10 | 10 | ||
11 | deployment.keys = { | ||
12 | ssh-ldap = { | ||
13 | user = "nobody"; | ||
14 | group = "nobody"; | ||
15 | permissions = "0400"; | ||
16 | text = myconfig.env.sshd.ldap.password; | ||
17 | }; | ||
18 | }; | ||
19 | system.activationScripts.sshd = '' | ||
20 | install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password | ||
21 | ''; | ||
22 | # ssh is strict about parent directory having correct rights, don't | ||
23 | # move it in the nix store. | ||
11 | environment.etc."ssh/ldap_authorized_keys" = let | 24 | environment.etc."ssh/ldap_authorized_keys" = let |
12 | ldap_authorized_keys = | 25 | ldap_authorized_keys = |
13 | mylibs.wrap { | 26 | mylibs.wrap { |
14 | name = "ldap_authorized_keys"; | 27 | name = "ldap_authorized_keys"; |
15 | file = ./ldap_authorized_keys.sh; | 28 | file = ./ldap_authorized_keys.sh; |
16 | vars = { | 29 | paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; |
17 | LDAP_PASS = myconfig.env.sshd.ldap.password; | ||
18 | GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell"; | ||
19 | ECHO = "${pkgs.coreutils}/bin/echo"; | ||
20 | }; | ||
21 | paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; | ||
22 | }; | 30 | }; |
23 | in { | 31 | in { |
24 | enable = true; | 32 | enable = true; |