Diffstat (limited to 'modules/private/ssh/default.nix')
-rw-r--r-- | modules/private/ssh/default.nix | 40 |
1 files changed, 40 insertions, 0 deletions
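diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix
new file mode 100644
index 00000000..beedaff5
--- /dev/null
+++ b/modules/private/ssh/default.nix
@@ -0,0 +1,40 @@
+{ lib, pkgs, config, myconfig, ... }:
+{
+config = {
+networking.firewall.allowedTCPPorts = [ 22 ];
+
+services.openssh.extraConfig = ''
+AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
+AuthorizedKeysCommandUser nobody
+'';
+
+secrets.keys = [{
+dest = "ssh-ldap";
+user = "nobody";
+group = "nogroup";
+permissions = "0400";
+text = myconfig.env.sshd.ldap.password;
+}];
+system.activationScripts.sshd = {
+deps = [ "secrets" ];
+text = ''
+install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+'';
+};
+# ssh is strict about parent directory having correct rights, don't
+# move it in the nix store.
+environment.etc."ssh/ldap_authorized_keys" = let
+ldap_authorized_keys =
+pkgs.mylibs.wrap {
+name = "ldap_authorized_keys";
+file = ./ldap_authorized_keys.sh;
+paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+};
+in {
+enable = true;
+mode = "0755";
+user = "root";
+source = ldap_authorized_keys;
+};
+};
+}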
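Review bot: The LDAP credential written to `/etc/ssh/ldap_password` is owned by `nobody` (the `secrets.keys` entry and the `install -o nobody -g nogroup` line), and `AuthorizedKeysCommandUser nobody` runs the key-lookup script as that same account; `nobody` is a shared catch-all uid, so any other process on the host that runs as `nobody` can read what is presumably the LDAP bind password. A dedicated system user for the command — the name `ssh-ldap` below is a constructed example — confines the file and the script to one principal, which is also what the sshd_config documentation recommends for `AuthorizedKeysCommandUser`. The same substitution applies in the three places the module names `nobody`/`nogroup`. It may also be worth a comment on the `environment.etc` block stating that `mode = "0755"; user = "root";` exists because sshd refuses an `AuthorizedKeysCommand` that is not root-owned and non-writable by others, extending the existing note about the nix store.
```nix
users.users.ssh-ldap = { isSystemUser = true; group = "ssh-ldap"; };
users.groups.ssh-ldap = {};

services.openssh.extraConfig = ''
AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
AuthorizedKeysCommandUser ssh-ldap
'';

secrets.keys = [{
dest = "ssh-ldap";
user = "ssh-ldap";
group = "ssh-ldap";
# … unchanged: permissions, text …
}];
# … unchanged: activation script, with -o ssh-ldap -g ssh-ldap on the install line …
```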