infrastructure/modules/netconf/dgn-access-control.nix

66 lines
1.3 KiB
Nix
Raw Normal View History

# Copyright :
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
dgn-keys,
meta,
nodeMeta,
...
}:
let
inherit (lib)
mkDefault
mkEnableOption
mkIf
mkOption
types
;
admins =
meta.organization.groups.root
++ nodeMeta.admins
++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
cfg = config.dgn-access-control;
in
{
options.dgn-access-control = {
enable = mkEnableOption "DGNum access control." // {
default = true;
};
root = mkOption {
type = with types; listOf str;
default = [ ];
description = ''
List describing which member has access to root user on the node.
Members must be declared in `meta/members.nix`.
'';
example = ''
[ "member1" "member2" ]
'';
};
};
config = mkIf cfg.enable {
# Admins have root access to the node
dgn-access-control.root = mkDefault admins;
system = {
root-authentication = {
ssh-keys = dgn-keys.getKeys cfg.root;
hashedPasswd = nodeMeta.hashedPassword;
};
services.ssh.root-login = mkDefault "deny-password";
};
};
}