From 567b153c314df6408dd127b11cdac8a5d760b8eb Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sat, 25 Jan 2025 21:43:02 +0100
Subject: [PATCH] feat(kanidm): Add groups for service admins

---
 machines/nixos/compute01/kanidm/default.nix | 18 +++++++++++++++++-
 meta/organization.nix | 11 ++++++++++-
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/machines/nixos/compute01/kanidm/default.nix b/machines/nixos/compute01/kanidm/default.nix
index 5e0129e..77df495 100644
--- a/machines/nixos/compute01/kanidm/default.nix
+++ b/machines/nixos/compute01/kanidm/default.nix
@@ -14,10 +14,12 @@ let
 inherit (lib)
 attrValues
 catAttrs
+ concatLists
 escapeRegex
 concatStringsSep
 mapAttrs'
 nameValuePair
+ unique
 ;

 domain = "sso.dgnum.eu";
@@ -86,7 +88,21 @@ in
 }
 // (mapAttrs' (
 name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
- ) meta.organization.groups);
+ ) meta.organization.groups)
+ // (mapAttrs' (
+ name:
+ {
+ admins ? [ ],
+ adminGroups ? [ ],
+ }:
+ nameValuePair "grp-admin_${name}" {
+ members = unique (
+ builtins.map usernameFor (
+ admins ++ (concatLists (builtins.map (group: meta.organization.groups.${group}) adminGroups))
+ )
+ );
+ }
+ ) meta.organization.services);

 # INFO: The authentication resources declared here can only be for internal services,
 # as regular members cannot be statically known.
diff --git a/meta/organization.nix b/meta/organization.nix
index 2376252..0633ba2 100644
--- a/meta/organization.nix
+++ b/meta/organization.nix
@@ -122,6 +122,13 @@
 };

 services = {
+ # DG·SI
+ dgsi.admins = [
+ "mdebray"
+ "raito"
+ "thubrecht"
+ ];
+
 # Démarches Normaliennes
 ds-fr.admins = [
 "thubrecht"
@@ -130,8 +137,10 @@

 # Cloud DGNum
 nextcloud.admins = [
- "thubrecht"
+ "jemagius"
+ "mdebray"
 "raito"
+ "thubrecht"
 ];

 # Netbox DGNum
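Review bot: The destructuring pattern `{ admins ? [ ], adminGroups ? [ ], }:` on the new mapAttrs' over `meta.organization.services` is closed, so any service entry that later gains a key other than `admins` or `adminGroups` aborts evaluation of the whole Kanidm configuration instead of being ignored; the organization.nix hunks below only set `admins`, so it passes today. If that strictness is meant as schema enforcement, say so with a comment such as `# Closed pattern on purpose: an unknown service key is an evaluation error, not silently dropped` — otherwise add `...` to the pattern. A second comment should state that `adminGroups` expands exactly one level (the members of the named organization group at evaluation time) and that a misspelled group name fails with a bare attribute-missing error that does not point at the offending service. Because these `grp-admin_*` groups are now derived from `meta.organization.groups`, editing an organization group silently changes who administers every service that lists it, which is worth noting next to the new block; `usernameFor` is defined outside this hunk.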
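Review bot: The `services` attrset now has an undocumented schema: the Kanidm module in this commit reads `admins` and the new `adminGroups` from each entry, but nothing in organization.nix tells an editor that `adminGroups` exists or what it means. A comment above `services = {`, along the lines of `# <service>.admins: usernames placed in grp-admin_<service>; <service>.adminGroups: organization group names whose members are placed there too`, would keep the data file in step with the module that consumes it. The new `dgsi` entry also grants three users membership of the resulting `grp-admin_dgsi` group, a privilege assignment the subject line ("Add groups for service admins") does not mention; I would list in the description which services gain which admins.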
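Review bot: The addition of `jemagius` and `mdebray` to `nextcloud.admins` is a privilege grant — with the new Kanidm mapping they become members of `grp-admin_nextcloud` — bundled into a feature commit without being called out anywhere. I would either move the membership changes into their own commit or state them in the description so the grant can be reviewed on its own. The list is now alphabetically ordered; if that is the intended convention for admin lists, a one-line `# keep sorted` comment above `nextcloud.admins = [` would make it stick.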