aboutsummaryrefslogtreecommitdiff
path: root/flakes/private/ssh/flake.nix
blob: 0ca6d67b91d99926e09f92b87773987eef2fc417 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
{
  inputs.environment.url = "path:../environment";
  inputs.secrets.url = "path:../../secrets";
  outputs = { self, environment, secrets }: {
    nixosModule = self.nixosModules.ssh;
    nixosModules.ssh = { lib, pkgs, config, ... }:
      let
        cfg = config.myServices.ssh;
      in
      {
        imports = [
          environment.nixosModule
          secrets.nixosModule
        ];
        options.myServices.ssh = let
          module = lib.types.submodule {
            options = {
              vars = lib.mkOption {
                type = lib.types.attrsOf lib.types.lines;
                default = {};
                description = ''
                  variables to interpolate in the script. A `name_` prefix will be prepended
                '';
              };
              snippet = lib.mkOption {
                type = lib.types.lines;
                description = ''
                    Snippet to use
                '';
              };
              dependencies = lib.mkOption {
                type = lib.types.listOf lib.types.package;
                default = [];
                description = ''
                    Dependencies of the package
                '';
              };
            };
          };
        in {
          modules = lib.mkOption {
            type = lib.types.attrsOf module;
            default = {};
            description = ''
              List of modules to enable
              '';
          };
        };
        config = lib.mkIf (builtins.length (builtins.attrValues cfg.modules) > 0) {

          services.openssh.extraConfig = ''
            AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
            AuthorizedKeysCommandUser nobody
            '';

          secrets.keys."ssh-ldap" = {
            user = "nobody";
            group = "nogroup";
            permissions = "0400";
            text = config.myEnv.sshd.ldap.password;
          };
          secrets.keys."ssh-psql" = {
            user = "nobody";
            group = "nogroup";
            permissions = "0400";
            text = config.myEnv.sshd.psql.password;
          };
          system.activationScripts.sshd = {
            deps = [ "secrets" ];
            text = ''
            install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
            install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-psql"} /etc/ssh/psql_password
            '';
          };
          # ssh is strict about parent directory having correct rights, don't
          # move it in the nix store.
          environment.etc."ssh/ldap_authorized_keys" = let
            deps = lib.lists.unique (
              [ pkgs.which pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.postgresql ]
              ++ lib.flatten (map (v: v.dependencies) (builtins.attrValues cfg.modules))
              );
            vars = lib.concatMapAttrs (n: v: (
              lib.mapAttrs' (n': lib.nameValuePair "${n}_${n'}") v.vars
            )) cfg.modules;
            fullScript = pkgs.runCommand "ldap_authorized_keys" (vars // {
              snippets = builtins.concatStringsSep "\n" (map (v: v.snippet) (builtins.attrValues cfg.modules));
            }) ''
              substituteAll ${./ldap_authorized_keys.sh} $out
              # Second call for the included snippets
              substituteAllInPlace $out
              chmod a+x $out
              '';
            ldap_authorized_keys = pkgs.runCommand "ldap_authorized_keys" {
              buildInputs = [ pkgs.makeWrapper ];
            } ''
              makeWrapper "${fullScript}" "$out" --prefix PATH : ${lib.makeBinPath deps}
              '';
          in {
            enable = true;
            mode = "0755";
            user = "root";
            source = ldap_authorized_keys;
          };
        };
      };
  };
}