DGNum/infrastructure
13
6
Fork 3
Code Issues 20 Pull requests 8 Projects 1 Releases Packages Wiki Activity Actions

feat: add access control for APs via our custom modules
Some checks failed
Check meta / check_meta (push) Failing after 17s
Details
Check meta / check_meta (pull_request) Failing after 18s
Details
lint / check (push) Successful in 24s
Details
build configuration / build_compute01 (pull_request) Failing after 38s
Details
build configuration / build_storage01 (pull_request) Failing after 35s
Details
Check meta / check_dns (push) Failing after 1m9s
Details
Check meta / check_dns (pull_request) Failing after 59s
Details
build configuration / build_vault01 (pull_request) Failing after 36s
Details
build configuration / build_web01 (pull_request) Failing after 35s
Details
build configuration / build_web02 (pull_request) Failing after 40s
Details
build configuration / build_rescue01 (pull_request) Failing after 33s
Details
build configuration / push_to_cache (pull_request) Has been skipped
Details

Browse source 
It works!

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
This commit is contained in:
Ryan Lahfa 2024-08-22 18:45:40 +02:00
parent 3ed6ecba31
commit 8b66b2b7c3
4 changed files with 33 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
machines/ap01/_configuration.nix
View file

@ -14,11 +14,11 @@ let
# inherit (pkgs) writeText;
svc = config.system.service;
secrets-1 = {
ssid = "Zyxel 2G (N)";
ssid = "DGNum 2G prototype (N)";
wpa_passphrase = "diamond dogs";
};
secrets-2 = {
ssid = "Zyxel 5G (AX)";
ssid = "DGNum 5G prototype (AX)";
wpa_passphrase = "diamond dogs";
};
baseParams = {
@ -72,19 +72,20 @@ rec {
"${modulesPath}/ntp"
"${modulesPath}/vlan"
"${modulesPath}/bridge"
../../modules/dgn-access-control.nix
# TODO: god that's so a fucking hack.
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
];
hostname = "zyxel";
hostname = "ap01-prototype";
# SSH keys are handled by the access control module.
dgn-access-control.enable = true;
users.root = {
# EDIT: choose a root password and then use
# "mkpasswd -m sha512crypt" to determine the hash.
# It should start wirh $6$.
passwd = "$y$j9T$f8GhLiqYmr3lc58eKhgyD0$z7P/7S9u.kq/cANZExxhS98bze/6i7aBxU6tbl7RMi.";
openssh.authorizedKeys.keys = [
# EDIT: you can add your ssh pubkey here
# "ssh-rsa AAAAB3NzaC1....H6hKd user@example.com";
];
passwd = "$6$jVXFFOp8HBYmgINR$lutB4kvw.W1jlXRby9ZYAgBitQ32RxQdYAGN.s2x4ris8J07vM6tzlRBQoeLELOIEMClDzbciQV0itfHQnTqd1";
};
services.int = svc.bridge.primary.build { ifname = "int"; };

1
meta/nodes.nix
View file

@ -90,6 +90,7 @@
# Access points definition
ap01 = {
site = "unknown";
adminGroups = [ "fai" ];
system = "zyxel-nwa50ax";
};

6
meta/organization.nix
View file

@ -87,6 +87,12 @@
"fai"
];
# AP administration DGNum
ap.adminGroups = [
"root"
"fai"
];
# Videos DGNum
peertube.admins = [ "thubrecht" ];
};

25
modules/dgn-access-control.nix
View file

@ -44,6 +44,7 @@ let
mkDefault
mkEnableOption
mkIf
mkMerge
mkOption
types
@ -78,12 +79,20 @@ in
};
};
config = mkIf cfg.enable {
# Admins have root access to the node
dgn-access-control.users.root = mkDefault admins;
users.users = builtins.mapAttrs (_: members: {
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
}) cfg.users;
};
config = mkIf cfg.enable (mkMerge [
{
# Admins have root access to the node
dgn-access-control.users.root = mkDefault admins;
}
(mkIf (nodeMeta.system == "nixos") {
users.users = builtins.mapAttrs (_: members: {
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
}) cfg.users;
})
(mkIf (nodeMeta.system == "zyxel-nwa50ax") {
users = builtins.mapAttrs (_: members: {
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
}) cfg.users;
})
]);
}