module: use security.wrappers for authkeys command

+18 -10
+18 -10
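--- a/module.nix
+++ b/module.nix
@@ -154,16 +154,6 @@
 
 users.groups.${cfg.gitUser} = { };
 
-services.openssh = {
-enable = true;
-extraConfig = ''
-Match User ${cfg.gitUser}
-AuthorizedKeysCommand ${lib.getExe' wrapped-packages "keyfetch"}
-AuthorizedKeysCommandUser nobody
-${cfg.extraSshdConfig}
-'';
-};
-
 systemd.services.knotserver = {
 description = "knotserver service";
 after = [
@@ -193,6 +183,24 @@
 KNOT_SERVER_LISTEN_ADDR = cfg.server.listenAddr;
 KNOT_SERVER_HOSTNAME = cfg.server.hostname;
 } // cfg.extraConfig;
+};
+
+services.openssh = {
+enable = true;
+extraConfig = ''
+Match User ${cfg.gitUser}
+AuthorizedKeysCommand ${config.security.wrapperDir}/keyfetch
+AuthorizedKeysCommandUser nobody
+${cfg.extraSshdConfig}
+'';
+};
+
+# get around openssh restrictions
+security.wrappers.keyfetch = {
+owner = "root";
+group = config.users.groups.${cfg.gitUser}.name;
+permissions = "u+rx,go+x";
+source = lib.getExe' wrapped-packages "keyfetch";
 };
 };
 }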
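Review bot: The comment `# get around openssh restrictions` above `security.wrappers.keyfetch` does not name the restriction, so a later reader cannot tell whether the wrapper is still needed or what it must guarantee. sshd only runs an AuthorizedKeysCommand that is root-owned and not writable by group or others, and it appears to apply the same check to the directories on the path; presumably the store path failed that check, which is worth stating, e.g. `# sshd rejects an AuthorizedKeysCommand whose file or parent directories are not root-owned or are group/other-writable; the wrapper dir passes that check`. The same comment should record that the wrapper sets no setuid, setgid or capabilities and must stay that way, since the command is executed as `nobody` on every login attempt for the git user. The `group` line looks like it has no effect, because `go+x` gives group and others the same mode; either drop it or say why it is there.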