From 7eef4e2661f6a9430b489e7506a5f369f0c94c64 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Thu, 6 Feb 2025 13:40:36 +0100 Subject: [PATCH] feat(meta): Use the module system to directly create the admin list from the groups --- lib/keys/default.nix | 6 +-- machines/nixos/compute01/kanidm/default.nix | 15 +----- meta/options.nix | 52 ++++++++++++++------- modules/liminix/dgn-access-control.nix | 5 +- modules/netconf/dgn-access-control.nix | 5 +- modules/nixos/dgn-notify/default.nix | 10 +--- 6 files changed, 40 insertions(+), 53 deletions(-) diff --git a/lib/keys/default.nix b/lib/keys/default.nix index 4d845a8..cace4d0 100644 --- a/lib/keys/default.nix +++ b/lib/keys/default.nix @@ -28,11 +28,7 @@ rec { rootKeys = getMemberKeys meta.organization.groups.root; # All admins for a node - getNodeAdmins = - node: - meta.organization.groups.root - ++ meta.nodes.${node}.admins - ++ (builtins.concatMap (g: meta.organization.groups.${g}) meta.nodes.${node}.adminGroups); + getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins; # All keys needed for secret encryption getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]); diff --git a/machines/nixos/compute01/kanidm/default.nix b/machines/nixos/compute01/kanidm/default.nix index d27cc28..bcde7aa 100644 --- a/machines/nixos/compute01/kanidm/default.nix +++ b/machines/nixos/compute01/kanidm/default.nix @@ -14,12 +14,10 @@ let inherit (lib) attrValues catAttrs - concatLists escapeRegex concatStringsSep mapAttrs' nameValuePair - unique ; domain = "sso.dgnum.eu"; 
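Review bot: `getNodeAdmins` now depends on `meta.nodes.${node}.admins` already containing the members of `adminGroups`, which only holds if the `meta` handed to this library is the evaluated module config from meta/options.nix (where the new `config.admins = concatMap …` definition and `apply = unique` run) rather than the raw attribute set; if it were ever the raw set, group admins would silently drop out of `getSecretKeys` and of root access instead of failing loudly. That invariant should be recorded next to the function, e.g. `# All admins for a node; members of adminGroups are already merged into .admins by meta/options.nix`. The enclosing `rec { … }` attribute set continues outside the hunk.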
@@ -91,18 +89,7 @@ in name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; } ) meta.organization.groups) // (mapAttrs' ( - name: - { - admins ? [ ], - adminGroups ? [ ], - }: - nameValuePair "grp-admin_${name}" { - members = unique ( - builtins.map usernameFor ( - admins ++ (concatLists (builtins.map (group: meta.organization.groups.${group}) adminGroups)) - ) - ); - } + name: srv: nameValuePair "grp-admin_${name}" { members = builtins.map usernameFor srv.admins; } ) meta.organization.services); # INFO: The authentication resources declared here can only be for internal services, diff --git a/meta/options.nix b/meta/options.nix index 29a03c8..9d4b9d3 100644 --- a/meta/options.nix +++ b/meta/options.nix @@ -8,11 +8,13 @@ let inherit (lib) + concatMap mkEnableOption mkDefault mkIf mkOption optionalAttrs + unique ; inherit (lib.types) @@ -98,6 +100,7 @@ in sshKeys = lib.mkOption { type = listOf singleLineStr; + default = [ ]; description = '' A list of verbatim OpenSSH public keys that should be added to the authorized keys of the root user for the nodes where the member has 
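Review bot: With `default = [ ];` a member that declares no `sshKeys` now evaluates cleanly, so a member listed in `groups.root` or in a node's `admins` without keys silently receives neither root access nor a share of that node's secrets (`getSecretKeys` in lib/keys/default.nix builds its recipient set from `getMemberKeys (getNodeAdmins node)`); before this change that presumably surfaced as an evaluation error. That is the fail-closed direction, but the option text should say so: append to the description `Defaults to no keys; such a member gets no root access and is not a secret recipient even when listed as an admin.` If the intent is that every admin must hold a key, an assertion over the admin lists would be the stronger check. The description continues outside the hunk.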
@@ -148,25 +151,35 @@ in }; services = mkOption { - type = attrsOf (submodule { - options = { - admins = mkOption { - type = listOf str; - default = [ ]; - description = '' - List of administrators of the service. - ''; - }; + type = attrsOf ( + submodule ( + { config, ... }: + { + options = { + admins = mkOption { + type = listOf str; + default = [ ]; + description = '' + List of administrators of the service. + ''; + apply = unique; + }; - adminGroups = mkOption { - type = listOf str; - default = [ ]; - description = '' - List of administrator groups of the service. - ''; - }; - }; - }); + adminGroups = mkOption { + type = listOf str; + default = [ ]; + description = '' + List of administrator groups of the service. + ''; + }; + }; + + config = { + admins = concatMap (group: org.groups.${group}) config.adminGroups; + }; + } + ) + ); description = '' Administrator access of the different DGNum services, it is mainly indicative as most services cannot configure this statically. @@ -243,6 +256,7 @@ in description = '' List of members to be given root access to this node. ''; + apply = unique; }; adminGroups = mkOption { @@ -268,6 +282,8 @@ in }; config = { + admins = concatMap (group: org.groups.${group}) config.adminGroups; + deployment = { tags = [ diff --git a/modules/liminix/dgn-access-control.nix b/modules/liminix/dgn-access-control.nix index 0c74f6e..f68ca3d 100644 --- a/modules/liminix/dgn-access-control.nix +++ b/modules/liminix/dgn-access-control.nix @@ -23,10 +23,7 @@ let types ; - admins = - meta.organization.groups.root - ++ nodeMeta.admins - ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups); + admins = meta.organization.groups.root ++ nodeMeta.admins; cfg = config.dgn-access-control; in diff --git a/modules/netconf/dgn-access-control.nix b/modules/netconf/dgn-access-control.nix index b8b381a..5e98023 100644 --- a/modules/netconf/dgn-access-control.nix +++ b/modules/netconf/dgn-access-control.nix 
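Review bot: The new `config.admins = concatMap (group: org.groups.${group}) config.adminGroups;` turns a misspelled group name into a bare `attribute 'x' missing` error, and the same expression is repeated verbatim in the node submodule later in this diff; a small helper such as `lookupGroup = g: org.groups.${g} or (throw "unknown admin group '${g}'");` used from both places would keep the failure closed while naming the offending group. The `admins` description still reads `List of administrators of the service.`; it should state that members of `adminGroups` are merged in automatically and the result is deduplicated, e.g. `List of administrators of the service; members of adminGroups are added automatically and the list is deduplicated.` Where `org` is bound is not visible in the hunk, so I assume it is the organization config from the enclosing `let`.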
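Review bot: The added `admins = concatMap (group: org.groups.${group}) config.adminGroups;` is merged with whatever the node file sets in `admins`, so a node can no longer declare an admin list that excludes its groups' members, and both the liminix and netconf `dgn-access-control` modules in this diff grant root from `meta.organization.groups.root ++ nodeMeta.admins` using that merged value; that is the intended semantics but it is now implicit. Record it in the `admins` description of the preceding hunk, currently `List of members to be given root access to this node.`, e.g. by appending `Members of adminGroups are merged in automatically and the list is deduplicated.` The enclosing `config = { … }` block of the node submodule continues outside the hunk.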
@@ -24,10 +24,7 @@ let types ; - admins = - meta.organization.groups.root - ++ nodeMeta.admins - ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups); + admins = meta.organization.groups.root ++ nodeMeta.admins; cfg = config.dgn-access-control; in diff --git a/modules/nixos/dgn-notify/default.nix b/modules/nixos/dgn-notify/default.nix index 3149907..dcc3fe3 100644 --- a/modules/nixos/dgn-notify/default.nix +++ b/modules/nixos/dgn-notify/default.nix @@ -13,19 +13,13 @@ let inherit (lib) - concatStringsSep + concatMapStringsSep mkEnableOption mkForce mkIf ; - emails = concatStringsSep ", " ( - builtins.map (name: meta.organization.members.${name}.email) ( - builtins.foldl' ( - admins: group: admins ++ meta.organization.groups.${group} - ) nodeMeta.admins nodeMeta.adminGroups - ) - ); + emails = concatMapStringsSep ", " (name: meta.organization.members.${name}.email) nodeMeta.admins; cfg = config.dgn-notify; in
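Review bot: The new `emails` expression derives recipients from `nodeMeta.admins` only, while the `dgn-access-control` hunks in the same commit grant root on the node to `meta.organization.groups.root ++ nodeMeta.admins`; if notifications are meant to reach everyone who holds root on the node, members of `groups.root` are missed (the gap predates this commit, the rewrite merely preserves it). When `nodeMeta.admins` is empty, `emails` is the empty string, which deserves a guard or assertion wherever `cfg` consumes it — that consumer is outside the hunk. If root members should be included: `emails = concatMapStringsSep ", " (name: meta.organization.members.${name}.email) (lib.unique (meta.organization.groups.root ++ nodeMeta.admins));`.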