diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 18:06:28 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 18:06:28 +0200 |
| commit | ea7bf00c5af841b6f3980cb8d957daec5e609422 (patch) | |
| tree | b59da1526fba49ccd56221f0c544ac90855e1379 /nixops | |
| parent | 926a4007ae464c08363c75aa177d978d803366a6 (diff) | |
| download | Nix-ea7bf00c5af841b6f3980cb8d957daec5e609422.tar.gz Nix-ea7bf00c5af841b6f3980cb8d957daec5e609422.tar.zst Nix-ea7bf00c5af841b6f3980cb8d957daec5e609422.zip | |
Move ssh ldap password to a secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
| -rw-r--r-- | nixops/modules/ssh/default.nix | 20 | ||||
| -rwxr-xr-x | nixops/modules/ssh/ldap_authorized_keys.sh | 4 |
2 files changed, 17 insertions, 7 deletions
diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix index b28f6ca..924f86e 100644 --- a/nixops/modules/ssh/default.nix +++ b/nixops/modules/ssh/default.nix | |||
| @@ -8,17 +8,25 @@ | |||
| 8 | AuthorizedKeysCommandUser nobody | 8 | AuthorizedKeysCommandUser nobody |
| 9 | ''; | 9 | ''; |
| 10 | 10 | ||
| 11 | deployment.keys = { | ||
| 12 | ssh-ldap = { | ||
| 13 | user = "nobody"; | ||
| 14 | group = "nobody"; | ||
| 15 | permissions = "0400"; | ||
| 16 | text = myconfig.env.sshd.ldap.password; | ||
| 17 | }; | ||
| 18 | }; | ||
| 19 | system.activationScripts.sshd = '' | ||
| 20 | install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password | ||
| 21 | ''; | ||
| 22 | # ssh is strict about parent directory having correct rights, don't | ||
| 23 | # move it in the nix store. | ||
| 11 | environment.etc."ssh/ldap_authorized_keys" = let | 24 | environment.etc."ssh/ldap_authorized_keys" = let |
| 12 | ldap_authorized_keys = | 25 | ldap_authorized_keys = |
| 13 | mylibs.wrap { | 26 | mylibs.wrap { |
| 14 | name = "ldap_authorized_keys"; | 27 | name = "ldap_authorized_keys"; |
| 15 | file = ./ldap_authorized_keys.sh; | 28 | file = ./ldap_authorized_keys.sh; |
| 16 | vars = { | 29 | paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; |
| 17 | LDAP_PASS = myconfig.env.sshd.ldap.password; | ||
| 18 | GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell"; | ||
| 19 | ECHO = "${pkgs.coreutils}/bin/echo"; | ||
| 20 | }; | ||
| 21 | paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; | ||
| 22 | }; | 30 | }; |
| 23 | in { | 31 | in { |
| 24 | enable = true; | 32 | enable = true; |
diff --git a/nixops/modules/ssh/ldap_authorized_keys.sh b/nixops/modules/ssh/ldap_authorized_keys.sh index d869d74..d556452 100755 --- a/nixops/modules/ssh/ldap_authorized_keys.sh +++ b/nixops/modules/ssh/ldap_authorized_keys.sh | |||
| @@ -3,13 +3,15 @@ | |||
| 3 | LDAPSEARCH=ldapsearch | 3 | LDAPSEARCH=ldapsearch |
| 4 | KEY="immaeSshKey" | 4 | KEY="immaeSshKey" |
| 5 | LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" | 5 | LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" |
| 6 | #LDAP_PASS="password taken from environment" | 6 | LDAP_PASS=$(cat /etc/ssh/ldap_password) |
| 7 | LDAP_HOST="ldap.immae.eu" | 7 | LDAP_HOST="ldap.immae.eu" |
| 8 | LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu" | 8 | LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu" |
| 9 | LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu" | 9 | LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu" |
| 10 | LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu" | 10 | LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu" |
| 11 | LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu" | 11 | LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu" |
| 12 | LDAP_BASE="dc=immae,dc=eu" | 12 | LDAP_BASE="dc=immae,dc=eu" |
| 13 | GITOLITE_SHELL=$(which gitolite-shell) | ||
| 14 | ECHO=$(which echo) | ||
| 13 | 15 | ||
| 14 | suitable_for() { | 16 | suitable_for() { |
| 15 | type_for="$1" | 17 | type_for="$1" |