infrastructure/modules/nixos/dgn-access-control.nix

# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2

{
  config,
  lib,
  dgn-keys,
  meta,
  nodeMeta,
  ...
}:

let
  inherit (lib)
    mkDefault
    mkEnableOption
    mkIf
    mkOption
    optionalAttrs

    types
    ;

  admins =
    meta.organization.groups.root
    ++ nodeMeta.admins
    ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);

  cfg = config.dgn-access-control;
in

{
  options.dgn-access-control = {
    enable = mkEnableOption "DGNum access control." // {
      default = true;
    };

    users = mkOption {
      type = with types; attrsOf (listOf str);
      default = { };
      description = ''
        Attribute set describing which member has access to which user on the node.
        Members must be declared in `meta/members.nix`.
      '';
      example = ''
        {
          user1 = [ "member1" "member2" ];
        }
      '';
    };
  };

  config = mkIf cfg.enable {
    # Admins have root access to the node
    dgn-access-control.users.root = mkDefault admins;
    users.mutableUsers = false;
    users.users = builtins.mapAttrs (
      username: members:
      {
        openssh.authorizedKeys.keys = dgn-keys.getKeys members;
      }
      // optionalAttrs (username == "root") { inherit (nodeMeta) hashedPassword; }
    ) cfg.users;
  };
}
chore: Add license and copyright information Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel. 2024-12-12 14:41:43 +01:00			`# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>`
modules/dgn-access-control: Add license 2023-06-30 18:39:38 +02:00			`#`
chore: Add license and copyright information Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel. 2024-12-12 14:41:43 +01:00			`# SPDX-License-Identifier: EUPL-1.2`
modules/dgn-access-control: Add license 2023-06-30 18:39:38 +02:00
feat(shell): Add pre-commit hooks and reformat the repo 2024-02-02 10:51:31 +01:00			`{`
			`config,`
			`lib,`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00			`dgn-keys,`
feat(shell): Add pre-commit hooks and reformat the repo 2024-02-02 10:51:31 +01:00			`meta,`
feat(infra): Add nodeMeta argument 2024-04-18 15:53:20 +02:00			`nodeMeta,`
feat(shell): Add pre-commit hooks and reformat the repo 2024-02-02 10:51:31 +01:00			`...`
			`}:`
modules: Init with access control 2023-05-22 15:07:03 +02:00
			`let`
modules: Use inherit instead of with 2023-07-18 17:00:51 +02:00			`inherit (lib)`
			`mkDefault`
			`mkEnableOption`
			`mkIf`
			`mkOption`
feat(modules/dgn-access-control): support Liminix systems Liminix are not totally aligned with their implementation of users. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu> 2024-12-07 16:19:59 +01:00			`optionalAttrs`
modules: Use inherit instead of with 2023-07-18 17:00:51 +02:00
feat(shell): Add pre-commit hooks and reformat the repo 2024-02-02 10:51:31 +01:00			`types`
			`;`
modules: Use inherit instead of with 2023-07-18 17:00:51 +02:00
feat(shell): Add pre-commit hooks and reformat the repo 2024-02-02 10:51:31 +01:00			`admins =`
feat(meta): Rework and use a module 2024-02-23 10:50:50 +01:00			`meta.organization.groups.root`
feat(shell): Add pre-commit hooks and reformat the repo 2024-02-02 10:51:31 +01:00			`++ nodeMeta.admins`
feat(meta): Rework and use a module 2024-02-23 10:50:50 +01:00			`++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);`
modules: Init with access control 2023-05-22 15:07:03 +02:00
			`cfg = config.dgn-access-control;`
			`in`

			`{`
			`options.dgn-access-control = {`
feat(shell): Add pre-commit hooks and reformat the repo 2024-02-02 10:51:31 +01:00			`enable = mkEnableOption "DGNum access control." // {`
			`default = true;`
			`};`
modules: Init with access control 2023-05-22 15:07:03 +02:00
			`users = mkOption {`
			`type = with types; attrsOf (listOf str);`
			`default = { };`
			`description = ''`
			`Attribute set describing which member has access to which user on the node.`
document access control 2023-05-22 17:24:42 +02:00			Members must be declared in `meta/members.nix`.
			`'';`
			`example = ''`
			`{`
			`user1 = [ "member1" "member2" ];`
			`}`
modules: Init with access control 2023-05-22 15:07:03 +02:00			`'';`
			`};`
			`};`

chore: Apply the abstraction to ap01 2024-12-08 15:41:24 +01:00			`config = mkIf cfg.enable {`
			`# Admins have root access to the node`
			`dgn-access-control.users.root = mkDefault admins;`
			`users.mutableUsers = false;`
			`users.users = builtins.mapAttrs (`
			`username: members:`
			`{`
feat(users): Add root passwords and deactivate mutableUsers 2024-10-10 09:23:09 +02:00			`openssh.authorizedKeys.keys = dgn-keys.getKeys members;`
chore: Apply the abstraction to ap01 2024-12-08 15:41:24 +01:00			`}`
			`// optionalAttrs (username == "root") { inherit (nodeMeta) hashedPassword; }`
			`) cfg.users;`
			`};`
modules: Init with access control 2023-05-22 15:07:03 +02:00			`}`