feat(netconf): use meta for access control

hive.nix

@@ -129,11 +129,17 @@ in
       evalConfig = nixpkgs.nixos.unstable.lib.evalModules;
 
       defaults =
-        { nodeMeta, nodePath, ... }:
+        {
+          name,
+          nodeMeta,
+          nodePath,
+          ...
+        }:
         {
           _module.args = {
             pkgs = nixpkgs.nixos.unstable;
           };
+
           # Import the default modules
           imports = [
             # Import the base configuration for each node
@@ -143,6 +149,8 @@ in
             "${sources.nixpkgs}/nixos/modules/misc/assertions.nix"
           ];
 
+          system.host-name = name;
+
           inherit (nodeMeta) deployment;
         };
     };

machines/netconf/netcore02.nix

@@ -26,20 +26,8 @@ let
     };
   };
 in
-{ name, ... }:
 {
   vlans = vlansPlan;
-  system = {
-    # TODO: use meta, in default
-    host-name = name;
-    services.ssh.root-login = "deny-password";
-    root-authentication = {
-      hashedPasswd = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";
-      ssh-keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
-      ];
-    };
-  };
   dgn-hardware.model = "EX2300-48P";
   dgn-interfaces = {
     # "ge-0/0/0" = AP-staging;

meta/nodes/netconf.nix

@@ -4,7 +4,7 @@
 
     hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";
 
-    stateVersion = "24.05"; # FIXME: meaningless
+    stateVersion = null;
 
     adminGroups = [ "fai" ];
 
@@ -26,7 +26,7 @@
   #
   #    hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";
   #
-  #    stateVersion = "24.05"; # FIXME: meaningless
+  #    stateVersion = null;
   #
   #    adminGroups = [ "fai" ];
   #

modules/netconf/default.nix

@@ -3,5 +3,6 @@
     # List of modules to import
     ./dgn-hardware
     ./dgn-interfaces.nix
+    ./dgn-access-control.nix
   ];
 }

modules/netconf/dgn-access-control.nix

@@ -0,0 +1,64 @@
+# Copyright :
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  config,
+  lib,
+  dgn-keys,
+  meta,
+  nodeMeta,
+  ...
+}:
+
+let
+  inherit (lib)
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkOption
+
+    types
+    ;
+
+  admins =
+    meta.organization.groups.root
+    ++ nodeMeta.admins
+    ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
+
+  cfg = config.dgn-access-control;
+in
+
+{
+  options.dgn-access-control = {
+    enable = mkEnableOption "DGNum access control." // {
+      default = true;
+    };
+
+    root = mkOption {
+      type = with types; listOf str;
+      default = [ ];
+      description = ''
+        List describing which member has access to root user on the node.
+        Members must be declared in `meta/members.nix`.
+      '';
+      example = ''
+        [ "member1" "member2" ]
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Admins have root access to the node
+    dgn-access-control.root = mkDefault admins;
+    system = {
+      root-authentication = {
+        ssh-keys = dgn-keys.getKeys cfg.root;
+        hashedPasswd = nodeMeta.hashedPassword;
+      };
+      services.ssh.root-login = mkDefault "deny-password";
+    };
+  };
+}