feat(meta): Use the module system to directly create the admin list from the groups

This commit is contained in:
Tom Hubrecht 2025-02-06 13:40:36 +01:00
parent 0433a00636
commit 7eef4e2661
Signed by: thubrecht
SSH key fingerprint: SHA256:CYNvFo44Ar9qCNnWNnvJVhs0QXO9AZjOLlPeWcSij3Q
6 changed files with 40 additions and 53 deletions


@ -28,11 +28,7 @@ rec {
rootKeys = getMemberKeys meta.organization.groups.root; rootKeys = getMemberKeys meta.organization.groups.root;
# All admins for a node # All admins for a node
getNodeAdmins = getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;
node:
meta.organization.groups.root
++ meta.nodes.${node}.admins
++ (builtins.concatMap (g: meta.organization.groups.${g}) meta.nodes.${node}.adminGroups);
# All keys needed for secret encryption # All keys needed for secret encryption
getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]); getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
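Review bot: getNodeAdmins now depends on `meta.nodes.${node}.admins` already carrying the expansion of `adminGroups` (done by the meta module's `config.admins` elsewhere in this commit), and nothing in this file says so; a reader who remembers the old definition will assume group members were dropped. A one-line comment above the binding would pin the contract: `# adminGroups are already folded into nodes.<name>.admins by the meta module; only the root group is added here`. The result itself is not deduplicated — getSecretKeys wraps it in unique, so any other consumer of getNodeAdmins should do the same if duplicates matter there. The enclosing `rec { … }` continues outside the hunk.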


@ -14,12 +14,10 @@ let
inherit (lib) inherit (lib)
attrValues attrValues
catAttrs catAttrs
concatLists
escapeRegex escapeRegex
concatStringsSep concatStringsSep
mapAttrs' mapAttrs'
nameValuePair nameValuePair
unique
; ;
domain = "sso.dgnum.eu"; domain = "sso.dgnum.eu";
@ -91,18 +89,7 @@ in
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; } name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups) ) meta.organization.groups)
// (mapAttrs' ( // (mapAttrs' (
name: name: srv: nameValuePair "grp-admin_${name}" { members = builtins.map usernameFor srv.admins; }
{
admins ? [ ],
adminGroups ? [ ],
}:
nameValuePair "grp-admin_${name}" {
members = unique (
builtins.map usernameFor (
admins ++ (concatLists (builtins.map (group: meta.organization.groups.${group}) adminGroups))
)
);
}
) meta.organization.services); ) meta.organization.services);
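Review bot: Deduplication moved from this expression to the option's `apply = unique`, which now runs before `usernameFor` rather than after it; if `usernameFor` can map two distinct member names to the same username, the `grp-admin_*` group would receive duplicate members where it previously did not. `usernameFor` is defined outside the hunk, so this may well be a non-issue; if it is not injective, keep `unique` in the `inherit (lib)` list and write `members = unique (builtins.map usernameFor srv.admins);`. The surrounding `mapAttrs'` expression starts before the hunk.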
# INFO: The authentication resources declared here can only be for internal services, # INFO: The authentication resources declared here can only be for internal services,


@ -8,11 +8,13 @@
let let
inherit (lib) inherit (lib)
concatMap
mkEnableOption mkEnableOption
mkDefault mkDefault
mkIf mkIf
mkOption mkOption
optionalAttrs optionalAttrs
unique
; ;
inherit (lib.types) inherit (lib.types)
@ -98,6 +100,7 @@ in
sshKeys = lib.mkOption { sshKeys = lib.mkOption {
type = listOf singleLineStr; type = listOf singleLineStr;
default = [ ];
description = '' description = ''
A list of verbatim OpenSSH public keys that should be added to the A list of verbatim OpenSSH public keys that should be added to the
authorized keys of the root user for the nodes where the member has authorized keys of the root user for the nodes where the member has
@ -148,7 +151,10 @@ in
}; };
services = mkOption { services = mkOption {
type = attrsOf (submodule { type = attrsOf (
submodule (
{ config, ... }:
{
options = { options = {
admins = mkOption { admins = mkOption {
type = listOf str; type = listOf str;
@ -156,6 +162,7 @@ in
description = '' description = ''
List of administrators of the service. List of administrators of the service.
''; '';
apply = unique;
}; };
adminGroups = mkOption { adminGroups = mkOption {
@ -166,7 +173,13 @@ in
''; '';
}; };
}; };
});
config = {
admins = concatMap (group: org.groups.${group}) config.adminGroups;
};
}
)
);
description = '' description = ''
Administrator access of the different DGNum services, Administrator access of the different DGNum services,
it is mainly indicative as most services cannot configure this statically. it is mainly indicative as most services cannot configure this statically.
@ -243,6 +256,7 @@ in
description = '' description = ''
List of members to be given root access to this node. List of members to be given root access to this node.
''; '';
apply = unique;
}; };
adminGroups = mkOption { adminGroups = mkOption {
@ -268,6 +282,8 @@ in
}; };
config = { config = {
admins = concatMap (group: org.groups.${group}) config.adminGroups;
deployment = deployment =
{ {
tags = [ tags = [
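Review bot: The new `default = [ ];` on `sshKeys` turns what, as far as the hunk shows, was a hard evaluation failure into a silent one: a member listed in a node's `admins` with no keys now evaluates cleanly, presumably contributes nothing through getMemberKeys, and simply cannot log in or decrypt secrets, with no signal at build time. If an empty key list is meant to be valid (members who only exist for group or notification purposes), say so in the option description; otherwise an assertion that every member reachable from some node's `admins` or `adminGroups` has at least one key would catch the mistake the old behaviour caught. Separately, the two `config.admins = concatMap (group: org.groups.${group}) config.adminGroups;` definitions rely on list-option merging to combine the user-supplied `admins` with the group expansion, which deserves a comment since a reader may take the `config` block as overriding the option; `org` is bound outside the hunk. The services submodule and the node `config` block both continue outside the hunk.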


@ -23,10 +23,7 @@ let
types types
; ;
admins = admins = meta.organization.groups.root ++ nodeMeta.admins;
meta.organization.groups.root
++ nodeMeta.admins
++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
cfg = config.dgn-access-control; cfg = config.dgn-access-control;
in in
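Review bot: `admins` is only correct here if `nodeMeta` is the module-evaluated node config, where `config.admins` has already appended the members of `adminGroups`; if any caller still passes the raw meta attribute set, every group-based administrator silently loses root access on the node — fail-closed, but a lockout nobody is warned about. A short comment would make the dependency explicit: `# nodeMeta.admins already contains the adminGroups expansion (see config.admins in the meta module)`. The identical change in the next file section has the same dependency. The `let` binding list starts before the hunk.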


@ -24,10 +24,7 @@ let
types types
; ;
admins = admins = meta.organization.groups.root ++ nodeMeta.admins;
meta.organization.groups.root
++ nodeMeta.admins
++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
cfg = config.dgn-access-control; cfg = config.dgn-access-control;
in in


@ -13,19 +13,13 @@
let let
inherit (lib) inherit (lib)
concatStringsSep concatMapStringsSep
mkEnableOption mkEnableOption
mkForce mkForce
mkIf mkIf
; ;
emails = concatStringsSep ", " ( emails = concatMapStringsSep ", " (name: meta.organization.members.${name}.email) nodeMeta.admins;
builtins.map (name: meta.organization.members.${name}.email) (
builtins.foldl' (
admins: group: admins ++ meta.organization.groups.${group}
) nodeMeta.admins nodeMeta.adminGroups
)
);
cfg = config.dgn-notify; cfg = config.dgn-notify;
in in
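Review bot: The notification recipients are `nodeMeta.admins` alone, while the access-control modules on this page grant root to `meta.organization.groups.root ++ nodeMeta.admins`, so root-group members get access but no mail unless they are also listed as explicit admins or through an admin group. That was already the case before this change, but with the group expansion now hidden in the module it is easy to misread, so a comment such as `# root-group members are only notified if they also appear in admins/adminGroups` would help; if the omission is unintended, prepend `meta.organization.groups.root` and dedupe the list. Whether `email` is defined for every member is decided outside the hunk.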