Diffstat (limited to 'virtual/eldiron.nix')
-rw-r--r-- | virtual/eldiron.nix | 59 |
1 files changed, 59 insertions, 0 deletions
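--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -86,6 +86,26 @@
 # };
 };
 
+services.openssh.extraConfig = ''
+AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
+AuthorizedKeysCommandUser nobody
+'';
+
+# FIXME: after initial install, need to
+# (1) copy rc file (adjust gitolite_ldap_groups.sh)
+# (2) (mark old readonly and) sync repos except gitolite-admin
+# rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
+# chown -R gitolite:gitolite /var/lib/gitolite
+# (3) push force the gitolite-admin to new location (from external point)
+# Don't use an existing key, it will take precedence over
+# gitolite-admin
+# (4) su -u gitolite gitolite setup
+services.gitolite = {
+enable = true;
+# FIXME: key from ./ssh
+adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
+};
+
 services.ympd = mypkgs.ympd.config // { enable = true; };
 
 services.phpfpm = {
@@ -118,6 +138,45 @@
 mkdir -p /run/redis
 chown redis /run/redis
 '';
+gitolite =
+assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+let
+gitolite_ldap_groups = mylibs.wrap {
+name = "gitolite_ldap_groups.sh";
+file = ./packages/gitolite_ldap_groups.sh;
+vars = {
+LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+};
+paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
+};
+in {
+deps = [ "users" ];
+text = ''
+if [ -d /var/lib/gitolite ]; then
+ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
+fi
+'';
+};
+};
+
+environment.etc."ssh/ldap_authorized_keys" = let
+ldap_authorized_keys =
+assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+mylibs.wrap {
+name = "ldap_authorized_keys";
+file = ./ldap_authorized_keys.sh;
+vars = {
+LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
+ECHO = "${pkgs.coreutils}/bin/echo";
+};
+paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+};
+in {
+enable = true;
+mode = "0755";
+user = "root";
+source = ldap_authorized_keys;
 };
 
 services.httpd = let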
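Review bot: The LDAP bind password is passed into the wrapper scripts as `LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD"` and `LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD"` in the second hunk, so if `mylibs.wrap` (not shown in this diff) bakes `vars` into the generated script, the password ends up in a world-readable Nix store path, and for the sshd helper also in `/etc/ssh/ldap_authorized_keys`, which is installed with `mode = "0755"` and must be readable by the `AuthorizedKeysCommandUser nobody` account configured in the first hunk; any local account could then read the bind credentials. A safer shape is to have both scripts read the password at runtime from a file outside the store (for example `/run/keys/<placeholder>` with mode 0400) owned by a dedicated account used as `AuthorizedKeysCommandUser` instead of `nobody`, and to bind with an LDAP account restricted to reading the attributes these lookups need. Minor: the setup note `# (4) su -u gitolite gitolite setup` in the first hunk will not work as written because `su` has no `-u` option; `su - gitolite -c 'gitolite setup'` or `sudo -u gitolite gitolite setup` is what is meant.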