Don't launch if it's not enabled

2024-06-01 09:18:28 -07:00 · 2024-06-01 09:18:28 -07:00 · e9e7d25ba8
parent d387167dec
commit e9e7d25ba8
1 changed files with 54 additions and 35 deletions
--- a/paris-container.nix
+++ b/paris-container.nix
@ -25,6 +25,12 @@ in {
      default = [ ];
    };

+    ssh-keys = mkOption {
+      type = listOf str;
+      description = "List of SSH keys to use.";
+      default = [ ];
+    };
+
    ldap = {
      image = mkOption {
        type = str;
@ -126,7 +132,7 @@ in {
    };
  };

-  config = {
+  config = mkIf cfg.enable {
    systemd.tmpfiles.rules =
      [ "d ${cfg.state-directory}/home 0700 root root - -" ];

@ -168,7 +174,18 @@ in {

        environment.systemPackages = packages;

-        services.sssd = {
+        services = {
+          opensssh = {
+            enable = true;
+            startWhenNeeded = true;
+            hostKeys = FIXME;
+            settings = {
+              UseDns = true;
+              PermitRootLogin = "no";
+            };
+          };
+
+          sssd = {
            enable = true;
            kcm = true;
            environmentFile = hostSecrets.parisSssdEnv.target-file;
@ -201,7 +218,8 @@ in {

                ldap_search_base = cfg.ldap.base;
                ldap_user_search_base = "${cfg.ldap.user-ou},${cfg.ldap.base}";
-              ldap_group_search_base = "${cfg.ldap.group-ou},${cfg.ldap.base}";
+                ldap_group_search_base =
+                  "${cfg.ldap.group-ou},${cfg.ldap.base}";

                ladp_user_object_class = "user";
                ldap_user_cn = "cn";
@ -213,6 +231,7 @@ in {
              };
            };
          };
+        };

        networking = {
          defaultGateway = {