2024-12-15 21:00:08 +01:00
|
|
|
# Copyright :
|
2024-12-16 09:34:15 +01:00
|
|
|
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
|
2024-12-15 21:00:08 +01:00
|
|
|
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
|
|
|
|
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
|
|
|
|
#
|
|
|
|
# SPDX-License-Identifier: EUPL-1.2
|
|
|
|
|
|
|
|
{
|
|
|
|
config,
|
|
|
|
lib,
|
|
|
|
dgn-keys,
|
|
|
|
meta,
|
|
|
|
nodeMeta,
|
|
|
|
...
|
|
|
|
}:
|
|
|
|
|
|
|
|
let
|
|
|
|
inherit (lib)
|
|
|
|
mkDefault
|
|
|
|
mkEnableOption
|
|
|
|
mkIf
|
|
|
|
mkOption
|
|
|
|
|
|
|
|
types
|
|
|
|
;
|
|
|
|
|
|
|
|
admins =
|
|
|
|
meta.organization.groups.root
|
|
|
|
++ nodeMeta.admins
|
|
|
|
++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
|
|
|
|
|
|
|
|
cfg = config.dgn-access-control;
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
options.dgn-access-control = {
|
|
|
|
enable = mkEnableOption "DGNum access control." // {
|
|
|
|
default = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
root = mkOption {
|
|
|
|
type = with types; listOf str;
|
|
|
|
default = [ ];
|
|
|
|
description = ''
|
|
|
|
List describing which member has access to root user on the node.
|
|
|
|
Members must be declared in `meta/members.nix`.
|
|
|
|
'';
|
|
|
|
example = ''
|
|
|
|
[ "member1" "member2" ]
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
# Admins have root access to the node
|
|
|
|
dgn-access-control.root = mkDefault admins;
|
|
|
|
system = {
|
|
|
|
root-authentication = {
|
|
|
|
ssh-keys = dgn-keys.getKeys cfg.root;
|
|
|
|
hashedPasswd = nodeMeta.hashedPassword;
|
|
|
|
};
|
|
|
|
services.ssh.root-login = mkDefault "deny-password";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|