feat(meta): Use the module system to directly create the admin list from the groups

2025-02-06 13:40:36 +01:00 · 2025-02-06 13:40:36 +01:00 · 7eef4e2661
commit 7eef4e2661
parent 0433a00636
6 changed files with 40 additions and 53 deletions
--- a/lib/keys/default.nix
+++ b/lib/keys/default.nix
@ -28,11 +28,7 @@ rec {
  rootKeys = getMemberKeys meta.organization.groups.root;

  # All admins for a node
-  getNodeAdmins =
-    node:
-    meta.organization.groups.root
-    ++ meta.nodes.${node}.admins
-    ++ (builtins.concatMap (g: meta.organization.groups.${g}) meta.nodes.${node}.adminGroups);
+  getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;

  # All keys needed for secret encryption
  getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
--- a/machines/nixos/compute01/kanidm/default.nix
+++ b/machines/nixos/compute01/kanidm/default.nix
@ -14,12 +14,10 @@ let
  inherit (lib)
    attrValues
    catAttrs
-    concatLists
    escapeRegex
    concatStringsSep
    mapAttrs'
    nameValuePair
-    unique
    ;

  domain = "sso.dgnum.eu";
@ -91,18 +89,7 @@ in
          name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
        ) meta.organization.groups)
        // (mapAttrs' (
-          name:
-          {
-            admins ? [ ],
-            adminGroups ? [ ],
-          }:
-          nameValuePair "grp-admin_${name}" {
-            members = unique (
-              builtins.map usernameFor (
-                admins ++ (concatLists (builtins.map (group: meta.organization.groups.${group}) adminGroups))
-              )
-            );
-          }
+          name: srv: nameValuePair "grp-admin_${name}" { members = builtins.map usernameFor srv.admins; }
        ) meta.organization.services);

      # INFO: The authentication resources declared here can only be for internal services,
--- a/meta/options.nix
+++ b/meta/options.nix
@ -8,11 +8,13 @@

 let
  inherit (lib)
+    concatMap
    mkEnableOption
    mkDefault
    mkIf
    mkOption
    optionalAttrs
+    unique
    ;

  inherit (lib.types)
@ -98,6 +100,7 @@ in

                sshKeys = lib.mkOption {
                  type = listOf singleLineStr;
+                  default = [ ];
                  description = ''
                    A list of verbatim OpenSSH public keys that should be added to the
                    authorized keys of the root user for the nodes where the member has
@ -148,25 +151,35 @@ in
      };

      services = mkOption {
-        type = attrsOf (submodule {
-          options = {
-            admins = mkOption {
-              type = listOf str;
-              default = [ ];
-              description = ''
-                List of administrators of the service.
-              '';
-            };
+        type = attrsOf (
+          submodule (
+            { config, ... }:
+            {
+              options = {
+                admins = mkOption {
+                  type = listOf str;
+                  default = [ ];
+                  description = ''
+                    List of administrators of the service.
+                  '';
+                  apply = unique;
+                };

-            adminGroups = mkOption {
-              type = listOf str;
-              default = [ ];
-              description = ''
-                List of administrator groups of the service.
-              '';
-            };
-          };
-        });
+                adminGroups = mkOption {
+                  type = listOf str;
+                  default = [ ];
+                  description = ''
+                    List of administrator groups of the service.
+                  '';
+                };
+              };
+
+              config = {
+                admins = concatMap (group: org.groups.${group}) config.adminGroups;
+              };
+            }
+          )
+        );
        description = ''
          Administrator access of the different DGNum services,
          it is mainly indicative as most services cannot configure this statically.
@ -243,6 +256,7 @@ in
                description = ''
                  List of members to be given root access to this node.
                '';
+                apply = unique;
              };

              adminGroups = mkOption {
@ -268,6 +282,8 @@ in
            };

            config = {
+              admins = concatMap (group: org.groups.${group}) config.adminGroups;
+
              deployment =
                {
                  tags = [
--- a/modules/liminix/dgn-access-control.nix
+++ b/modules/liminix/dgn-access-control.nix
@ -23,10 +23,7 @@ let
    types
    ;

-  admins =
-    meta.organization.groups.root
-    ++ nodeMeta.admins
-    ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
+  admins = meta.organization.groups.root ++ nodeMeta.admins;

  cfg = config.dgn-access-control;
 in
--- a/modules/netconf/dgn-access-control.nix
+++ b/modules/netconf/dgn-access-control.nix
@ -24,10 +24,7 @@ let
    types
    ;

-  admins =
-    meta.organization.groups.root
-    ++ nodeMeta.admins
-    ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
+  admins = meta.organization.groups.root ++ nodeMeta.admins;

  cfg = config.dgn-access-control;
 in
--- a/modules/nixos/dgn-notify/default.nix
+++ b/modules/nixos/dgn-notify/default.nix
@ -13,19 +13,13 @@

 let
  inherit (lib)
-    concatStringsSep
+    concatMapStringsSep
    mkEnableOption
    mkForce
    mkIf
    ;

-  emails = concatStringsSep ", " (
-    builtins.map (name: meta.organization.members.${name}.email) (
-      builtins.foldl' (
-        admins: group: admins ++ meta.organization.groups.${group}
-      ) nodeMeta.admins nodeMeta.adminGroups
-    )
-  );
+  emails = concatMapStringsSep ", " (name: meta.organization.members.${name}.email) nodeMeta.admins;

  cfg = config.dgn-notify;
 in