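# Per-node SSH access control.
#
# Maps each user account on the node to the list of members (declared in
# `meta/members.nix`) whose SSH keys may log in as that user, and turns that
# mapping into `users.users.<name>.openssh.authorizedKeys.keys`.
#
# Arguments: the usual NixOS module arguments plus the project-specific
# `meta` (node/member metadata) and `name` (the node being evaluated).
{ config, lib, meta, name, ... }:
let
  inherit (lib)
    literalExpression
    mkDefault
    mkEnableOption
    mkIf
    mkOption
    types;

  # Metadata of the node currently being evaluated.
  nodeMeta = meta.nodes.${name};

  # Members with administrative rights on this node; they get root by default.
  inherit (nodeMeta) admins;

  cfg = config.krz-access-control;
in
{
  options.krz-access-control = {
    # Enabled by default: a node only loses access control by opting out.
    enable = mkEnableOption "DGNum access control." // { default = true; };

    users = mkOption {
      type = with types; attrsOf (listOf str);
      default = { };
      description = ''
        Attribute set describing which member has access to which user on the node.

        Members must be declared in `meta/members.nix`.
      '';
      # literalExpression renders the example as Nix code in the generated
      # option documentation instead of as a quoted string literal.
      example = literalExpression ''
        {
          user1 = [ "member1" "member2" ];
        }
      '';
    };
  };

  config = mkIf cfg.enable {
    # Admins have root access to the node. mkDefault keeps this overridable,
    # so a node can narrow (or empty) the root member list without mkForce.
    krz-access-control.users.root = mkDefault admins;

    # Turn each user's member list into that user's authorized SSH keys.
    # Only `openssh.authorizedKeys.keys` is set here: this module grants
    # access to an account, it does not declare the account itself.
    # NOTE(review): `lib.extra.getAllKeys` is a project extension of lib;
    # how it resolves members to keys is not visible from this file.
    users.users = builtins.mapAttrs
      (u: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; })
      cfg.users;
  };
}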