From 5bc379c1d1a0f015dabddbd98b5ebdc260d96d49 Mon Sep 17 00:00:00 2001
From: sinavir
Date: Mon, 22 May 2023 17:24:42 +0200
Subject: [PATCH] document access control

---
 meta/default.nix | 4 ++++
 meta/members.nix | 6 ++++++
 meta/nodes.nix | 12 ++++++++++++
 modules/dgn-access-control.nix | 6 ++++++
 4 files changed, 28 insertions(+)

diff --git a/meta/default.nix b/meta/default.nix
index 54f88a0..d6e1690 100644
--- a/meta/default.nix
+++ b/meta/default.nix
@@ -1,3 +1,7 @@
+/*
+Metadata for the nodes. You can add custom attributes, they are
+accessible through the specialArg meta in the config.
+*/
 let
 members = import ./members.nix;
 nodes = import ./nodes.nix;
diff --git a/meta/members.nix b/meta/members.nix
index c3a94e9..7097ee7 100644
--- a/meta/members.nix
+++ b/meta/members.nix
@@ -1,3 +1,7 @@
+/*
+To add a new member add an attribute to `members`
+Then add the key to the required groups.
+*/
 let
 members = {
 mdebray = {
@@ -17,8 +21,10 @@ let
 };
 groups = {
+ # members of this group are root on all nodes
 root = [ "thubrecht" ];
+ # members of this group are root on web nodes
 web = [ "mdebray" "raito" ];
 };
 in
diff --git a/meta/nodes.nix b/meta/nodes.nix
index 6eb18fe..2fb1949 100644
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
@@ -1,3 +1,15 @@
+/* File specifying all the deployement options for the nodes administrated by the dgnum.
+
+Node metadata template is:
+
+NODE_NAME = {
+ adminGroups = []; # List of groups that have root access
+ admins = []; # List of individuals that have root access
+ deployment = {}; # Colmena deployment options
+ nixpkgs = "unstable" or "22.11"; # nixpkgs version
+}
+*/
+
 {
 web-01 = {
 adminGroups = [ "web" ];
diff --git a/modules/dgn-access-control.nix b/modules/dgn-access-control.nix
index d99b8e5..dd9296f 100644
--- a/modules/dgn-access-control.nix
+++ b/modules/dgn-access-control.nix
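Review bot: The new comments on `root` and `web` in the second meta/members.nix hunk assert what privilege each group confers ("root on all nodes", "root on web nodes"), but nothing in this file grants that; the meta/nodes.nix hunk in the same commit shows root access being assigned per node through `adminGroups`, so these comments will drift the moment a node lists a group differently. Word them as cross-references to the source of truth instead, e.g. `# members get root on every node whose adminGroups lists "root" (see meta/nodes.nix)` and `# members get root on nodes whose adminGroups lists "web" (web-01 does in meta/nodes.nix)`. Whether `root` is additionally special-cased to every node is not visible in this diff; if it is, the comment should name the module that does it. The enclosing `let` block starts and ends outside this hunk.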
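Review bot: The template comment added to meta/nodes.nix documents that `admins` and `adminGroups` grant root without saying where those names must come from, while the modules/dgn-access-control.nix hunk of this same commit states that members must be declared in `meta/members.nix`; the template should say the same so the two files agree, e.g. `admins = []; # members (declared in meta/members.nix) that have root access` and `adminGroups = []; # groups (declared in meta/members.nix) whose members have root access`. The line `nixpkgs = "unstable" or "22.11"; # nixpkgs version` reads as Nix syntax but is prose, and a reader may copy it literally; `nixpkgs = "unstable"; # or "22.11"` avoids that. Two typos in the first line: "deployement" and "administrated" should be "deployment" and "administered".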
@@ -19,6 +19,12 @@ with lib;
 default = { };
 description = ''
 Attribute set describing which member has access to which user on the node.
+ Members must be declared in `meta/members.nix`.
+ '';
+ example = ''
+ {
+ user1 = [ "member1" "member2" ];
+ }
 '';
 };
 };
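Review bot: The added sentence "Members must be declared in `meta/members.nix`" states a requirement without saying how it is enforced; from this hunk it is not visible whether a member name that is not declared fails evaluation or is silently ignored, and for an option that hands out user access the difference matters, since a typo would then drop access quietly instead of failing loudly. If an assertion exists elsewhere in the module, say so in the description, e.g. `Referencing a member not declared in meta/members.nix is an evaluation error.`; if none exists, adding one alongside this documentation is the more useful change. The option declaration this hunk sits in (`with lib;`, the surrounding attribute set) begins outside the hunk.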