blob: e8d606348bd41c41bf07c544ce730d3deba1d3ef (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
{ lib, pkgs, config, mylibs, myconfig, ... }:
{
config = {
networking.firewall.allowedTCPPorts = [ 22 ];
services.openssh.extraConfig = ''
AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
AuthorizedKeysCommandUser nobody
'';
secrets.keys = [{
dest = "ssh-ldap";
user = "nobody";
group = "nogroup";
permissions = "0400";
text = myconfig.env.sshd.ldap.password;
}];
system.activationScripts.sshd = {
deps = [ "secrets" ];
text = ''
install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
'';
};
# ssh is strict about parent directory having correct rights, don't
# move it in the nix store.
environment.etc."ssh/ldap_authorized_keys" = let
ldap_authorized_keys =
mylibs.wrap {
name = "ldap_authorized_keys";
file = ./ldap_authorized_keys.sh;
paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
};
in {
enable = true;
mode = "0755";
user = "root";
source = ldap_authorized_keys;
};
};
}
|