feat(meta): Use the module system to directly create the admin list from the groups

This commit is contained in:
Tom Hubrecht 2025-02-06 13:40:36 +01:00
parent 0433a00636
commit 7eef4e2661
Signed by: thubrecht
SSH key fingerprint: SHA256:CYNvFo44Ar9qCNnWNnvJVhs0QXO9AZjOLlPeWcSij3Q
6 changed files with 40 additions and 53 deletions


@ -28,11 +28,7 @@ rec {
rootKeys = getMemberKeys meta.organization.groups.root; rootKeys = getMemberKeys meta.organization.groups.root;
# All admins for a node # All admins for a node
getNodeAdmins = getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;
node:
meta.organization.groups.root
++ meta.nodes.${node}.admins
++ (builtins.concatMap (g: meta.organization.groups.${g}) meta.nodes.${node}.adminGroups);
# All keys needed for secret encryption # All keys needed for secret encryption
getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]); getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
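Review bot: `getNodeAdmins` now depends on `meta.nodes.${node}.admins` already containing the members of every group in `adminGroups`, but that expansion happens in the meta module's `config.admins`, not here, so a reader of this file cannot see that group members are still granted node admin access. A one-line comment would make the contract explicit: `# adminGroups are already folded into .admins by the meta module (config.admins)`. The same implicit dependency appears in the two later hunks that define `admins = meta.organization.groups.root ++ nodeMeta.admins;` and in the `emails` hunk of the notification module. Note also that `groups.root ++ admins` is not deduplicated in this function; `getSecretKeys` applies `unique` afterwards, but any other caller of `getNodeAdmins` would see a root member listed twice when they are also named in `admins`.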


@ -14,12 +14,10 @@ let
inherit (lib) inherit (lib)
attrValues attrValues
catAttrs catAttrs
concatLists
escapeRegex escapeRegex
concatStringsSep concatStringsSep
mapAttrs' mapAttrs'
nameValuePair nameValuePair
unique
; ;
domain = "sso.dgnum.eu"; domain = "sso.dgnum.eu";
@ -91,18 +89,7 @@ in
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; } name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups) ) meta.organization.groups)
// (mapAttrs' ( // (mapAttrs' (
name: name: srv: nameValuePair "grp-admin_${name}" { members = builtins.map usernameFor srv.admins; }
{
admins ? [ ],
adminGroups ? [ ],
}:
nameValuePair "grp-admin_${name}" {
members = unique (
builtins.map usernameFor (
admins ++ (concatLists (builtins.map (group: meta.organization.groups.${group}) adminGroups))
)
);
}
) meta.organization.services); ) meta.organization.services);
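Review bot: Deduplication of the `grp-admin_${name}` members moved from this expression to the option's `apply = unique` in the meta module, which changes where it happens: the old code applied `unique` to the result of `builtins.map usernameFor (...)`, the new line `members = builtins.map usernameFor srv.admins;` maps after the option has already been deduplicated. If `usernameFor` can map two distinct member names to the same username (for example by normalising case), the Kanidm group would now receive a duplicate entry; if it is injective this is harmless, but that property is not visible from the hunk. Keeping the post-map dedup, `members = unique (builtins.map usernameFor srv.admins);`, would preserve the previous guarantee at no cost. This hunk also removes `unique` from the `inherit (lib)` list in the first hunk of this file, so that change would need `unique` re-added there; the enclosing `mapAttrs'` expression starts outside the hunk.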
# INFO: The authentication resources declared here can only be for internal services, # INFO: The authentication resources declared here can only be for internal services,


@ -8,11 +8,13 @@
let let
inherit (lib) inherit (lib)
concatMap
mkEnableOption mkEnableOption
mkDefault mkDefault
mkIf mkIf
mkOption mkOption
optionalAttrs optionalAttrs
unique
; ;
inherit (lib.types) inherit (lib.types)
@ -98,6 +100,7 @@ in
sshKeys = lib.mkOption { sshKeys = lib.mkOption {
type = listOf singleLineStr; type = listOf singleLineStr;
default = [ ];
description = '' description = ''
A list of verbatim OpenSSH public keys that should be added to the A list of verbatim OpenSSH public keys that should be added to the
authorized keys of the root user for the nodes where the member has authorized keys of the root user for the nodes where the member has
@ -148,7 +151,10 @@ in
}; };
services = mkOption { services = mkOption {
type = attrsOf (submodule { type = attrsOf (
submodule (
{ config, ... }:
{
options = { options = {
admins = mkOption { admins = mkOption {
type = listOf str; type = listOf str;
@ -156,6 +162,7 @@ in
description = '' description = ''
List of administrators of the service. List of administrators of the service.
''; '';
apply = unique;
}; };
adminGroups = mkOption { adminGroups = mkOption {
@ -166,7 +173,13 @@ in
''; '';
}; };
}; };
});
config = {
admins = concatMap (group: org.groups.${group}) config.adminGroups;
};
}
)
);
description = '' description = ''
Administrator access of the different DGNum services, Administrator access of the different DGNum services,
it is mainly indicative as most services cannot configure this statically. it is mainly indicative as most services cannot configure this statically.
@ -243,6 +256,7 @@ in
description = '' description = ''
List of members to be given root access to this node. List of members to be given root access to this node.
''; '';
apply = unique;
}; };
adminGroups = mkOption { adminGroups = mkOption {
@ -268,6 +282,8 @@ in
}; };
config = { config = {
admins = concatMap (group: org.groups.${group}) config.adminGroups;
deployment = deployment =
{ {
tags = [ tags = [
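Review bot: The `admins` option descriptions for services and for nodes still say "List of administrators of the service." / "List of members to be given root access to this node." although, after `config = { admins = concatMap (group: org.groups.${group}) config.adminGroups; };`, the value read by consumers is the declared list merged with the expanded `adminGroups` and passed through `apply = unique`. Consumers of `admins` elsewhere (Kanidm groups, the access-control modules, secret keys) now take that merged value as the full set of principals, so the description should say so, e.g. appending `The final value also contains every member of the groups listed in adminGroups, deduplicated.` to both descriptions. It is also worth stating in the `adminGroups` description that a group name absent from `organization.groups` makes `org.groups.${group}` fail evaluation rather than silently granting nothing, which is the desirable behaviour here but is easy to mistake for a bug when it first happens. The `apply = unique` in the node `admins` option is at the same hunk positions as the service one; the enclosing `mkOption` blocks begin outside the hunks shown.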


@ -23,10 +23,7 @@ let
types types
; ;
admins = admins = meta.organization.groups.root ++ nodeMeta.admins;
meta.organization.groups.root
++ nodeMeta.admins
++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
cfg = config.dgn-access-control; cfg = config.dgn-access-control;
in in


@ -24,10 +24,7 @@ let
types types
; ;
admins = admins = meta.organization.groups.root ++ nodeMeta.admins;
meta.organization.groups.root
++ nodeMeta.admins
++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);
cfg = config.dgn-access-control; cfg = config.dgn-access-control;
in in


@ -13,19 +13,13 @@
let let
inherit (lib) inherit (lib)
concatStringsSep concatMapStringsSep
mkEnableOption mkEnableOption
mkForce mkForce
mkIf mkIf
; ;
emails = concatStringsSep ", " ( emails = concatMapStringsSep ", " (name: meta.organization.members.${name}.email) nodeMeta.admins;
builtins.map (name: meta.organization.members.${name}.email) (
builtins.foldl' (
admins: group: admins ++ meta.organization.groups.${group}
) nodeMeta.admins nodeMeta.adminGroups
)
);
cfg = config.dgn-notify; cfg = config.dgn-notify;
in in