forked from DGNum/infrastructure
feat: add access control for APs via our custom modules
It works! Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
This commit is contained in:
parent
3ed6ecba31
commit
8b66b2b7c3
4 changed files with 33 additions and 16 deletions
|
@ -14,11 +14,11 @@ let
|
||||||
# inherit (pkgs) writeText;
|
# inherit (pkgs) writeText;
|
||||||
svc = config.system.service;
|
svc = config.system.service;
|
||||||
secrets-1 = {
|
secrets-1 = {
|
||||||
ssid = "Zyxel 2G (N)";
|
ssid = "DGNum 2G prototype (N)";
|
||||||
wpa_passphrase = "diamond dogs";
|
wpa_passphrase = "diamond dogs";
|
||||||
};
|
};
|
||||||
secrets-2 = {
|
secrets-2 = {
|
||||||
ssid = "Zyxel 5G (AX)";
|
ssid = "DGNum 5G prototype (AX)";
|
||||||
wpa_passphrase = "diamond dogs";
|
wpa_passphrase = "diamond dogs";
|
||||||
};
|
};
|
||||||
baseParams = {
|
baseParams = {
|
||||||
|
@ -72,19 +72,20 @@ rec {
|
||||||
"${modulesPath}/ntp"
|
"${modulesPath}/ntp"
|
||||||
"${modulesPath}/vlan"
|
"${modulesPath}/vlan"
|
||||||
"${modulesPath}/bridge"
|
"${modulesPath}/bridge"
|
||||||
|
../../modules/dgn-access-control.nix
|
||||||
|
# TODO: god that's so a fucking hack.
|
||||||
|
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
|
||||||
];
|
];
|
||||||
|
|
||||||
hostname = "zyxel";
|
hostname = "ap01-prototype";
|
||||||
|
|
||||||
|
# SSH keys are handled by the access control module.
|
||||||
|
dgn-access-control.enable = true;
|
||||||
users.root = {
|
users.root = {
|
||||||
# EDIT: choose a root password and then use
|
# EDIT: choose a root password and then use
|
||||||
# "mkpasswd -m sha512crypt" to determine the hash.
|
# "mkpasswd -m sha512crypt" to determine the hash.
|
||||||
# It should start wirh $6$.
|
# It should start wirh $6$.
|
||||||
passwd = "$y$j9T$f8GhLiqYmr3lc58eKhgyD0$z7P/7S9u.kq/cANZExxhS98bze/6i7aBxU6tbl7RMi.";
|
passwd = "$6$jVXFFOp8HBYmgINR$lutB4kvw.W1jlXRby9ZYAgBitQ32RxQdYAGN.s2x4ris8J07vM6tzlRBQoeLELOIEMClDzbciQV0itfHQnTqd1";
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
# EDIT: you can add your ssh pubkey here
|
|
||||||
# "ssh-rsa AAAAB3NzaC1....H6hKd user@example.com";
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.int = svc.bridge.primary.build { ifname = "int"; };
|
services.int = svc.bridge.primary.build { ifname = "int"; };
|
||||||
|
|
|
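Review bot: The new root `passwd` for `ap01-prototype` is a sha512crypt (`$6$`) hash replacing the previous yescrypt (`$y$`) one, and it sits next to the plaintext `wpa_passphrase` values of `secrets-1`/`secrets-2`, all committed as literals in a repository whose history is forked and shared, where a password hash is exposed to offline guessing whatever its algorithm. If the device's login only accepts `$6$` hashes (the template comment above it hints at a format constraint but does not say why), replace the generic `# EDIT: …` lines with the actual reason, e.g. `# This device's login accepts sha512crypt ($6$) hashes only — yescrypt ($y$) was rejected; confirm when changing`, and fix the `wirh` typo while there. Consider moving the hash and the passphrases into the repository's secrets handling (the `secrets-1`/`secrets-2` names read as if that were intended) and rotating the root password, since its earlier hash remains in git history. Separately, `dgn-access-control.enable = true;` makes the module also define `users.root.openssh.authorizedKeys.keys` (last file section), so `users.root` is now set from two places; that is only correct if the `users` option merges attribute sets rather than conflicting — worth confirming against the device module.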
@ -90,6 +90,7 @@
|
||||||
# Access points definition
|
# Access points definition
|
||||||
ap01 = {
|
ap01 = {
|
||||||
site = "unknown";
|
site = "unknown";
|
||||||
|
adminGroups = [ "fai" ];
|
||||||
|
|
||||||
system = "zyxel-nwa50ax";
|
system = "zyxel-nwa50ax";
|
||||||
};
|
};
|
||||||
|
|
|
@ -87,6 +87,12 @@
|
||||||
"fai"
|
"fai"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
# AP administration DGNum
|
||||||
|
ap.adminGroups = [
|
||||||
|
"root"
|
||||||
|
"fai"
|
||||||
|
];
|
||||||
|
|
||||||
# Videos DGNum
|
# Videos DGNum
|
||||||
peertube.admins = [ "thubrecht" ];
|
peertube.admins = [ "thubrecht" ];
|
||||||
};
|
};
|
||||||
|
|
|
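Review bot: Nothing in this diff consumes the new `ap.adminGroups = [ "root" "fai" ];`; the grant the access-control module actually acts on appears to come from the per-node `adminGroups = [ "fai" ]` set on `ap01` in the previous file section, so this entry reads like an access grant without visibly being one. If another file reads `ap.adminGroups`, a pointer in the comment would help, e.g. `# AP administration DGNum — consumed by <path-to-consumer>` (placeholder); if nothing does, it should be wired in or dropped, and the two lists should agree on whether `root` belongs among the admin groups. The enclosing attribute set starts outside the hunk.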
@ -44,6 +44,7 @@ let
|
||||||
mkDefault
|
mkDefault
|
||||||
mkEnableOption
|
mkEnableOption
|
||||||
mkIf
|
mkIf
|
||||||
|
mkMerge
|
||||||
mkOption
|
mkOption
|
||||||
|
|
||||||
types
|
types
|
||||||
|
@ -78,12 +79,20 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable (mkMerge [
|
||||||
|
{
|
||||||
# Admins have root access to the node
|
# Admins have root access to the node
|
||||||
dgn-access-control.users.root = mkDefault admins;
|
dgn-access-control.users.root = mkDefault admins;
|
||||||
|
}
|
||||||
|
(mkIf (nodeMeta.system == "nixos") {
|
||||||
users.users = builtins.mapAttrs (_: members: {
|
users.users = builtins.mapAttrs (_: members: {
|
||||||
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
|
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
|
||||||
}) cfg.users;
|
}) cfg.users;
|
||||||
};
|
})
|
||||||
|
(mkIf (nodeMeta.system == "zyxel-nwa50ax") {
|
||||||
|
users = builtins.mapAttrs (_: members: {
|
||||||
|
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
|
||||||
|
}) cfg.users;
|
||||||
|
})
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
|
|
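Review bot: The new `zyxel-nwa50ax` branch of `config` duplicates the `nixos` branch's `mapAttrs` body verbatim, differing only in the target attribute (`users` vs `users.users`), and for any other `nodeMeta.system` the module is a silent no-op: `enable = true` deploys no keys and reports nothing. Binding the mapping once and failing on an unhandled system keeps the two branches from drifting and makes the unsupported case loud rather than quietly leaving a node without the intended keys; `lib.assertMsg` is used below on the assumption that `lib` here is nixpkgs' lib extended with `extra`, otherwise a plain `throw` does the same. `mkMerge` is newly inherited for this in the `@ -44,6 +44,7 @@` hunk of the same file.

```nix
config = mkIf cfg.enable (
  let
    authorizedKeysFor = builtins.mapAttrs (_: members: {
      openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
    }) cfg.users;
  in
  # Fail loudly instead of silently deploying no keys on an unknown system.
  assert lib.assertMsg (builtins.elem nodeMeta.system [ "nixos" "zyxel-nwa50ax" ])
    "dgn-access-control: unsupported system ${nodeMeta.system}";
  mkMerge [
    # … unchanged: root admins default …
    (mkIf (nodeMeta.system == "nixos") { users.users = authorizedKeysFor; })
    (mkIf (nodeMeta.system == "zyxel-nwa50ax") { users = authorizedKeysFor; })
  ]
);
```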