feat: add access control for APs via our custom modules

It works!

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
This commit is contained in:
Ryan Lahfa 2024-08-22 18:45:40 +02:00
parent 3ed6ecba31
commit 8b66b2b7c3
4 changed files with 33 additions and 16 deletions


@ -14,11 +14,11 @@ let
# inherit (pkgs) writeText; # inherit (pkgs) writeText;
svc = config.system.service; svc = config.system.service;
secrets-1 = { secrets-1 = {
ssid = "Zyxel 2G (N)"; ssid = "DGNum 2G prototype (N)";
wpa_passphrase = "diamond dogs"; wpa_passphrase = "diamond dogs";
}; };
secrets-2 = { secrets-2 = {
ssid = "Zyxel 5G (AX)"; ssid = "DGNum 5G prototype (AX)";
wpa_passphrase = "diamond dogs"; wpa_passphrase = "diamond dogs";
}; };
baseParams = { baseParams = {
@ -72,19 +72,20 @@ rec {
"${modulesPath}/ntp" "${modulesPath}/ntp"
"${modulesPath}/vlan" "${modulesPath}/vlan"
"${modulesPath}/bridge" "${modulesPath}/bridge"
../../modules/dgn-access-control.nix
# TODO: god that's so a fucking hack.
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
]; ];
hostname = "zyxel"; hostname = "ap01-prototype";
# SSH keys are handled by the access control module.
dgn-access-control.enable = true;
users.root = { users.root = {
# EDIT: choose a root password and then use # EDIT: choose a root password and then use
# "mkpasswd -m sha512crypt" to determine the hash. # "mkpasswd -m sha512crypt" to determine the hash.
# It should start wirh $6$. # It should start wirh $6$.
passwd = "$y$j9T$f8GhLiqYmr3lc58eKhgyD0$z7P/7S9u.kq/cANZExxhS98bze/6i7aBxU6tbl7RMi."; passwd = "$6$jVXFFOp8HBYmgINR$lutB4kvw.W1jlXRby9ZYAgBitQ32RxQdYAGN.s2x4ris8J07vM6tzlRBQoeLELOIEMClDzbciQV0itfHQnTqd1";
openssh.authorizedKeys.keys = [
# EDIT: you can add your ssh pubkey here
# "ssh-rsa AAAAB3NzaC1....H6hKd user@example.com";
];
}; };
services.int = svc.bridge.primary.build { ifname = "int"; }; services.int = svc.bridge.primary.build { ifname = "int"; };
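Review bot: The new `$6$` root `passwd` hash under `users.root` is committed in plain text in the node configuration, as are the `wpa_passphrase` values in `secrets-1`/`secrets-2` (pre-existing), so everyone with read access to this repository holds the hash and the Wi-Fi passphrase. With SSH keys now supplied by `dgn-access-control`, the password is presumably only a console fallback; consider sourcing it from whatever secret mechanism the other nodes use, or at least state the intent above the line, e.g. `# Console-only fallback; SSH access is key-based via dgn-access-control.`. The `# TODO: god that's so a fucking hack.` comment should name the hack and its replacement, e.g. `# TODO: the device module is reached through modulesPath/../devices; expose it properly and drop this import.`. The enclosing `rec { … }` starts and ends outside this hunk.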


@ -90,6 +90,7 @@
# Access points definition # Access points definition
ap01 = { ap01 = {
site = "unknown"; site = "unknown";
adminGroups = [ "fai" ];
system = "zyxel-nwa50ax"; system = "zyxel-nwa50ax";
}; };
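Review bot: `adminGroups = [ "fai" ]` on `ap01` here and the new `ap.adminGroups = [ "root" "fai" ]` in the groups file (the next section) are two differently-valued declarations of who administers the APs, and nothing in the diff shows which one `dgn-access-control` reads to build `admins`. If both are consumed the effective set is their union; if only one is, the other is dead data that a future maintainer will edit in vain. A one-line comment at each site naming the consumer would settle it, e.g. `# Per-node override read by dgn-access-control through nodeMeta; see ap.adminGroups for the default` — hedged, since the lookup itself is not visible in this commit. `site = "unknown"` is pre-existing but is still a placeholder on a node that now grants a group root access.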


@ -87,6 +87,12 @@
"fai" "fai"
]; ];
# AP administration DGNum
ap.adminGroups = [
"root"
"fai"
];
# Videos DGNum # Videos DGNum
peertube.admins = [ "thubrecht" ]; peertube.admins = [ "thubrecht" ];
}; };


@ -44,6 +44,7 @@ let
mkDefault mkDefault
mkEnableOption mkEnableOption
mkIf mkIf
mkMerge
mkOption mkOption
types types
@ -78,12 +79,20 @@ in
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable (mkMerge [
{
# Admins have root access to the node # Admins have root access to the node
dgn-access-control.users.root = mkDefault admins; dgn-access-control.users.root = mkDefault admins;
}
(mkIf (nodeMeta.system == "nixos") {
users.users = builtins.mapAttrs (_: members: { users.users = builtins.mapAttrs (_: members: {
openssh.authorizedKeys.keys = lib.extra.getAllKeys members; openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
}) cfg.users; }) cfg.users;
}; })
(mkIf (nodeMeta.system == "zyxel-nwa50ax") {
users = builtins.mapAttrs (_: members: {
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
}) cfg.users;
})
]);
} }
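Review bot: A node whose `nodeMeta.system` is neither `"nixos"` nor `"zyxel-nwa50ax"` now silently gets no `authorizedKeys` at all, so `dgn-access-control.users.root = mkDefault admins` has no effect and the admins lose access with no evaluation error; failing closed is the right direction, but it should be explicit, e.g. by wrapping the `mkMerge` in `lib.throwIfNot (builtins.elem nodeMeta.system [ "nixos" "zyxel-nwa50ax" ]) "…"`. The two `builtins.mapAttrs (_: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; }) cfg.users` bodies are identical and differ only in the target path (`users.users` vs `users`); hoisting them into one binding in the `let` block (which lies outside this hunk), `keysByUser = builtins.mapAttrs (_: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; }) cfg.users;`, keeps the two systems from drifting. On the zyxel branch, `users = …` is merged with the device config's `users.root = { passwd = …; }`; whether that merge is deep or one definition shadows the other depends on the type of the device module's `users` option, which is not visible here, so it is worth confirming on a real build since it decides whether root ends up with both a password and keys.
```nix
config = mkIf cfg.enable (
  # Refuse to evaluate for systems without a key-deployment branch instead of
  # silently deploying no keys.
  lib.throwIfNot (builtins.elem nodeMeta.system [ "nixos" "zyxel-nwa50ax" ])
    "dgn-access-control: no SSH key deployment implemented for system '${nodeMeta.system}'"
    (mkMerge [
      {
        # Admins have root access to the node
        dgn-access-control.users.root = mkDefault admins;
      }
      (mkIf (nodeMeta.system == "nixos") { users.users = keysByUser; })
      (mkIf (nodeMeta.system == "zyxel-nwa50ax") { users = keysByUser; })
    ])
);
```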