feat(netconf): use meta for access control

2024-12-15 21:00:08 +01:00 · 2024-12-15 21:00:08 +01:00 · 3c9bf80f24
commit 3c9bf80f24
parent e8cdd06706
5 changed files with 76 additions and 15 deletions
--- a/hive.nix
+++ b/hive.nix
@ -129,11 +129,17 @@ in
      evalConfig = nixpkgs.nixos.unstable.lib.evalModules;

      defaults =
-        { nodeMeta, nodePath, ... }:
+        {
+          name,
+          nodeMeta,
+          nodePath,
+          ...
+        }:
        {
          _module.args = {
            pkgs = nixpkgs.nixos.unstable;
          };
+
          # Import the default modules
          imports = [
            # Import the base configuration for each node
@ -143,6 +149,8 @@ in
            "${sources.nixpkgs}/nixos/modules/misc/assertions.nix"
          ];

+          system.host-name = name;
+
          inherit (nodeMeta) deployment;
        };
    };
--- a/machines/netconf/netcore02.nix
+++ b/machines/netconf/netcore02.nix
@ -26,20 +26,8 @@ let
    };
  };
 in
-{ name, ... }:
 {
  vlans = vlansPlan;
-  system = {
-    # TODO: use meta, in default
-    host-name = name;
-    services.ssh.root-login = "deny-password";
-    root-authentication = {
-      hashedPasswd = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";
-      ssh-keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
-      ];
-    };
-  };
  dgn-hardware.model = "EX2300-48P";
  dgn-interfaces = {
    # "ge-0/0/0" = AP-staging;
--- a/meta/nodes/netconf.nix
+++ b/meta/nodes/netconf.nix
@ -4,7 +4,7 @@

    hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";

-    stateVersion = "24.05"; # FIXME: meaningless
+    stateVersion = null;

    adminGroups = [ "fai" ];

@ -26,7 +26,7 @@
  #
  #    hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";
  #
-  #    stateVersion = "24.05"; # FIXME: meaningless
+  #    stateVersion = null;
  #
  #    adminGroups = [ "fai" ];
  #
--- a/modules/netconf/default.nix
+++ b/modules/netconf/default.nix
@ -3,5 +3,6 @@
    # List of modules to import
    ./dgn-hardware
    ./dgn-interfaces.nix
+    ./dgn-access-control.nix
  ];
 }
--- a/modules/netconf/dgn-access-control.nix
+++ b/modules/netconf/dgn-access-control.nix
@ -0,0 +1,64 @@
+# Copyright :
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  config,
+  lib,
+  dgn-keys,
+  meta,
+  nodeMeta,
+  ...
+}:
+
+let
+  inherit (lib)
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkOption
+
+    types
+    ;
+
+  admins =
+    meta.organization.groups.root
+    ++ nodeMeta.admins
+    ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
+
+  cfg = config.dgn-access-control;
+in
+
+{
+  options.dgn-access-control = {
+    enable = mkEnableOption "DGNum access control." // {
+      default = true;
+    };
+
+    root = mkOption {
+      type = with types; listOf str;
+      default = [ ];
+      description = ''
+        List describing which member has access to root user on the node.
+        Members must be declared in `meta/members.nix`.
+      '';
+      example = ''
+        [ "member1" "member2" ]
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Admins have root access to the node
+    dgn-access-control.root = mkDefault admins;
+    system = {
+      root-authentication = {
+        ssh-keys = dgn-keys.getKeys cfg.root;
+        hashedPasswd = nodeMeta.hashedPassword;
+      };
+      services.ssh.root-login = mkDefault "deny-password";
+    };
+  };
+}