infrastructure/modules/liminix/dgn-access-control.nix

# Copyright :
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2

{
  config,
  lib,
  dgn-keys,
  meta,
  nodeMeta,
  ...
}:

let
  inherit (lib)
    mkDefault
    mkEnableOption
    mkIf
    mkOption

    types
    ;

  admins =
    meta.organization.groups.root
    ++ nodeMeta.admins
    ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);

  cfg = config.dgn-access-control;
in

{
  options.dgn-access-control = {
    enable = mkEnableOption "DGNum access control." // {
      default = true;
    };

    users = mkOption {
      type = with types; attrsOf (listOf str);
      default = { };
      description = ''
        Attribute set describing which member has access to which user on the node.
        Members must be declared in `meta/members.nix`.
      '';
      example = ''
        {
          user1 = [ "member1" "member2" ];
        }
      '';
    };
  };

  config = mkIf cfg.enable {
    # Admins have root access to the node
    dgn-access-control.users.root = mkDefault admins;
    users = builtins.mapAttrs (_: members: {
      openssh.authorizedKeys.keys = dgn-keys.getKeys members;
    }) cfg.users;
  };
}
chore: Add license and copyright information Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel. 2024-12-12 14:41:43 +01:00			`# Copyright :`
			`# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>`
			`# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>`
chore: Apply the abstraction to ap01 2024-12-08 15:41:24 +01:00			`#`
chore: Add license and copyright information Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel. 2024-12-12 14:41:43 +01:00			`# SPDX-License-Identifier: EUPL-1.2`
chore: Apply the abstraction to ap01 2024-12-08 15:41:24 +01:00
			`{`
			`config,`
			`lib,`
			`dgn-keys,`
			`meta,`
			`nodeMeta,`
			`...`
			`}:`

			`let`
			`inherit (lib)`
			`mkDefault`
			`mkEnableOption`
			`mkIf`
			`mkOption`

			`types`
			`;`

			`admins =`
			`meta.organization.groups.root`
			`++ nodeMeta.admins`
			`++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);`

			`cfg = config.dgn-access-control;`
			`in`

			`{`
			`options.dgn-access-control = {`
			`enable = mkEnableOption "DGNum access control." // {`
			`default = true;`
			`};`

			`users = mkOption {`
			`type = with types; attrsOf (listOf str);`
			`default = { };`
			`description = ''`
			`Attribute set describing which member has access to which user on the node.`
			Members must be declared in `meta/members.nix`.
			`'';`
			`example = ''`
			`{`
			`user1 = [ "member1" "member2" ];`
			`}`
			`'';`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`# Admins have root access to the node`
			`dgn-access-control.users.root = mkDefault admins;`
			`users = builtins.mapAttrs (_: members: {`
			`openssh.authorizedKeys.keys = dgn-keys.getKeys members;`
			`}) cfg.users;`
			`};`
			`}`