554ae9908b
be able to find the LDAP NSS module, which is normally installed in Glibc's prefix (under /lib/libnss_ldap...). Of course, we can't do that; it wouldn't be pure. As a workaround, we simply add nss_ldap to the LD_LIBRARY_PATH of the nscd daemon, which every other program uses for lookups. So we don't have to put nss_ldap in the LD_LIBRARY_PATH of every program. svn path=/nixos/trunk/; revision=7684
57 lines
1.1 KiB
Nix
57 lines
1.1 KiB
Nix
{ writeText, openssh, glibc, pwdutils, xauth
|
|
, nssModulesPath
|
|
, forwardX11, allowSFTP
|
|
}:
|
|
|
|
let
|
|
|
|
sshdConfig = writeText "sshd_config" "
|
|
UsePAM yes
|
|
|
|
${if forwardX11 then "
|
|
X11Forwarding yes
|
|
XAuthLocation ${xauth}/bin/xauth
|
|
" else "
|
|
X11Forwarding no
|
|
"}
|
|
|
|
${if allowSFTP then "
|
|
Subsystem sftp ${openssh}/libexec/sftp-server
|
|
" else "
|
|
"}
|
|
|
|
";
|
|
|
|
in
|
|
|
|
{
|
|
name = "sshd";
|
|
|
|
job = "
|
|
description \"SSH server\"
|
|
|
|
start on network-interfaces/started
|
|
stop on network-interfaces/stop
|
|
|
|
env LD_LIBRARY_PATH=${nssModulesPath}
|
|
|
|
start script
|
|
mkdir -m 0555 -p /var/empty
|
|
|
|
mkdir -m 0755 -p /etc/ssh
|
|
|
|
if ! test -f /etc/ssh/ssh_host_dsa_key; then
|
|
${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
|
|
fi
|
|
|
|
if ! ${glibc}/bin/getent passwd sshd > /dev/null; then
|
|
${pwdutils}/sbin/useradd -g nogroup -d /var/empty -s /noshell \\
|
|
-c 'SSH privilege separation user' sshd
|
|
fi
|
|
end script
|
|
|
|
respawn ${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}
|
|
";
|
|
|
|
}
|