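# Access-control module: for each local account listed in
# `krz-access-control.users`, authorise the SSH keys of the named members.
#
# Arguments used here:
#   meta    - provides `meta.nodes.<name>.admins`, the admin list of this node
#   name    - the node's name, used as the key into `meta.nodes`
#   nix-lib - project helper library; only `getAllKeys` is used
{
  config,
  lib,
  nix-lib,
  meta,
  name,
  ...
}:

let
  inherit (lib)
    literalExpression
    mkDefault
    mkEnableOption
    mkIf
    mkOption
    types
    ;

  nodeMeta = meta.nodes.${name};
  inherit (nodeMeta) admins;

  cfg = config.krz-access-control;
in

{
  options.krz-access-control = {
    # mkEnableOption already renders "Whether to enable <text>.", so the text
    # carries no trailing period of its own (it used to render as "..").
    # Enabled by default: a node has to opt out explicitly.
    enable = mkEnableOption "DGNum access control" // {
      default = true;
    };

    users = mkOption {
      type = with types; attrsOf (listOf str);
      default = { };
      description = ''
        Attribute set describing which member has access to which user on the node.
        Members must be declared in `meta/members.nix`.
      '';
      # literalExpression makes the generated docs show this as Nix code
      # instead of as a quoted string.
      example = literalExpression ''
        {
          user1 = [ "member1" "member2" ];
        }
      '';
    };
  };

  # Everything below is dropped when the module is disabled, including the
  # admins' root keys.
  config = mkIf cfg.enable {
    # Admins have root access to the node.
    # NOTE(review): this is only a mkDefault. A plain definition of
    # `krz-access-control.users.root` elsewhere replaces the admin list rather
    # than extending it, so such a definition must list the admins again if
    # they are meant to keep root access.
    krz-access-control.users.root = mkDefault admins;

    # Only `openssh.authorizedKeys.keys` is set here; the accounts themselves
    # are not otherwise configured by this module.
    # NOTE(review): `authorizedKeys.keys` is a list option, so keys defined for
    # the same account elsewhere are merged with these. This module grants
    # access; it is not the exclusive source of authorised keys - confirm that
    # nothing else adds keys if this list is meant to be authoritative.
    # `getAllKeys` is defined outside this file; presumably it resolves member
    # names to their SSH public keys - verify how it treats unknown members.
    users.users = builtins.mapAttrs (u: members: {
      openssh.authorizedKeys.keys = nix-lib.getAllKeys members;
    }) cfg.users;
  };
}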