feat(meta): Use the module system to directly create the admin list from the groups

This commit is contained in:
Tom Hubrecht 2025-02-06 13:40:36 +01:00
parent 0433a00636
commit 7eef4e2661
Signed by: thubrecht
SSH key fingerprint: SHA256:CYNvFo44Ar9qCNnWNnvJVhs0QXO9AZjOLlPeWcSij3Q
6 changed files with 40 additions and 53 deletions


@ -28,11 +28,7 @@ rec {
rootKeys = getMemberKeys meta.organization.groups.root;
# All admins for a node
getNodeAdmins =
node:
meta.organization.groups.root
++ meta.nodes.${node}.admins
++ (builtins.concatMap (g: meta.organization.groups.${g}) meta.nodes.${node}.adminGroups);
getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;
# All keys needed for secret encryption
getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
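Review bot: The comment `# All admins for a node` above getNodeAdmins no longer says where the group expansion happens, so a reader will look for the adminGroups handling in this function and not find it. Extending it to `# All admins for a node: root plus the node's admins (the meta module already folds adminGroups into admins and deduplicates it)` would record the dependency. The list returned here can still contain a member twice when a root group member is also listed as a node admin; getSecretKeys applies unique, but any other caller of getNodeAdmins has to do so itself. This also assumes meta.nodes is the module-evaluated config rather than the raw node definitions, which the hunk does not show.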


@ -14,12 +14,10 @@ let
inherit (lib)
attrValues
catAttrs
concatLists
escapeRegex
concatStringsSep
mapAttrs'
nameValuePair
unique
;
domain = "sso.dgnum.eu";
@ -91,18 +89,7 @@ in
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups)
// (mapAttrs' (
name:
{
admins ? [ ],
adminGroups ? [ ],
}:
nameValuePair "grp-admin_${name}" {
members = unique (
builtins.map usernameFor (
admins ++ (concatLists (builtins.map (group: meta.organization.groups.${group}) adminGroups))
)
);
}
name: srv: nameValuePair "grp-admin_${name}" { members = builtins.map usernameFor srv.admins; }
) meta.organization.services);
# INFO: The authentication resources declared here can only be for internal services,
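Review bot: The `grp-admin_${name}` membership at `name: srv: nameValuePair ...` now depends on the meta module having expanded adminGroups into srv.admins and deduplicated it, but nothing in this file says so, and a reader comparing it with the `grp_${name}` line above cannot tell why unique and concatLists were dropped. A one-line comment above the second mapAttrs' call, `# srv.admins already contains the members of srv.adminGroups and is deduplicated by the meta module`, would make the dependency explicit. Because SSO group membership is what grants service administrator rights, a later change to the meta option (for example dropping apply = unique or the derived config) would silently change these groups, so a check in check_meta that a service with adminGroups yields the expected admins would be worth adding. The enclosing mapAttrs' expression starts before the hunk.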


@ -8,11 +8,13 @@
let
inherit (lib)
concatMap
mkEnableOption
mkDefault
mkIf
mkOption
optionalAttrs
unique
;
inherit (lib.types)
@ -98,6 +100,7 @@ in
sshKeys = lib.mkOption {
type = listOf singleLineStr;
default = [ ];
description = ''
A list of verbatim OpenSSH public keys that should be added to the
authorized keys of the root user for the nodes where the member has
@ -148,25 +151,35 @@ in
};
services = mkOption {
type = attrsOf (submodule {
options = {
admins = mkOption {
type = listOf str;
default = [ ];
description = ''
List of administrators of the service.
'';
};
type = attrsOf (
submodule (
{ config, ... }:
{
options = {
admins = mkOption {
type = listOf str;
default = [ ];
description = ''
List of administrators of the service.
'';
apply = unique;
};
adminGroups = mkOption {
type = listOf str;
default = [ ];
description = ''
List of administrator groups of the service.
'';
};
};
});
adminGroups = mkOption {
type = listOf str;
default = [ ];
description = ''
List of administrator groups of the service.
'';
};
};
config = {
admins = concatMap (group: org.groups.${group}) config.adminGroups;
};
}
)
);
description = ''
Administrator access of the different DGNum services,
it is mainly indicative as most services cannot configure this statically.
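Review bot: The description of the services `admins` option, `List of administrators of the service.`, is now incomplete: with the `config.admins = concatMap ...` definition below it, the evaluated value also contains every member of the groups named in adminGroups, and `apply = unique` deduplicates the merged list. Since this option is what downstream modules now read as the effective administrator list, the description should say so, e.g. `List of administrators of the service. Members of the groups in adminGroups are added automatically and the result is deduplicated.`; the same applies to the node `admins` option in the `@ -243` hunk, whose description still reads `List of members to be given root access to this node.` with no mention of adminGroups. The `adminGroups` description could likewise note that a group name missing from org.groups fails evaluation rather than being ignored, which is the safe direction but surprising on a typo. In the `@ -268` hunk the submodule header is outside the hunk, so it is not visible that `config` there is the node submodule's own argument; the passing builds suggest it is.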
@ -243,6 +256,7 @@ in
description = ''
List of members to be given root access to this node.
'';
apply = unique;
};
adminGroups = mkOption {
@ -268,6 +282,8 @@ in
};
config = {
admins = concatMap (group: org.groups.${group}) config.adminGroups;
deployment =
{
tags = [


@ -23,10 +23,7 @@ let
types
;
admins =
meta.organization.groups.root
++ nodeMeta.admins
++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
admins = meta.organization.groups.root ++ nodeMeta.admins;
cfg = config.dgn-access-control;
in
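Review bot: `admins = meta.organization.groups.root ++ nodeMeta.admins;` now silently relies on nodeMeta.admins being the module-evaluated value that already includes the node's adminGroups; a maintainer reading this access-control module alone cannot see that, and the same applies to the identical line in the `@ -24` hunk of the next file and to the emails list in the `@ -13` hunk of the dgn-notify file. A comment such as `# nodeMeta.admins already includes the members of nodeMeta.adminGroups (expanded by the meta module)` on each would make the dependency explicit. As before this change, the list may contain a member twice when someone is both in the root group and a node admin; whether that matters depends on how cfg consumes it, which is outside the hunk. The let binding continues outside the hunk.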


@ -24,10 +24,7 @@ let
types
;
admins =
meta.organization.groups.root
++ nodeMeta.admins
++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
admins = meta.organization.groups.root ++ nodeMeta.admins;
cfg = config.dgn-access-control;
in


@ -13,19 +13,13 @@
let
inherit (lib)
concatStringsSep
concatMapStringsSep
mkEnableOption
mkForce
mkIf
;
emails = concatStringsSep ", " (
builtins.map (name: meta.organization.members.${name}.email) (
builtins.foldl' (
admins: group: admins ++ meta.organization.groups.${group}
) nodeMeta.admins nodeMeta.adminGroups
)
);
emails = concatMapStringsSep ", " (name: meta.organization.members.${name}.email) nodeMeta.admins;
cfg = config.dgn-notify;
in