modules: Init with access control
This commit is contained in:
parent
fa3bb51477
commit
24500ed369
2 changed files with 42 additions and 0 deletions
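--- a/modules/default.nix
+++ b/modules/default.nix
@@ -0,0 +1,7 @@
+{ dgn-lib, ... }:
+
+{
+  imports = dgn-lib.mkImports ./. [
+    "dgn-access-control"
+  ];
+}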
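--- a/modules/dgn-access-control.nix
+++ b/modules/dgn-access-control.nix
@@ -0,0 +1,35 @@
+{ config, lib, dgn-lib, meta, name, ... }:
+
+let
+  nodeMeta = meta.nodes.${name};
+  admins = meta.members.groups.root ++ nodeMeta.admins
+    ++ (builtins.concatMap (g: meta.members.groups.${g}) nodeMeta.adminGroups);
+
+  cfg = config.dgn-access-control;
+in
+
+with lib;
+
+{
+  options.dgn-access-control = {
+    enable = mkEnableOption "DGNum access control." // { default = true; };
+
+    users = mkOption {
+      type = with types; attrsOf (listOf str);
+      default = { };
+      description = ''
+        Attribute set describing which member has access to which user on the node.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Admins have root access to the node
+    dgn-access-control.users.root = mkDefault admins;
+
+    users.users = builtins.mapAttrs
+      (u: members: { openssh.authorizedKeys.keys = dgn-lib.getKeyFiles members; })
+      cfg.users;
+
+  };
+}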
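Review bot: `dgn-access-control.users.root = mkDefault admins;` is replaced, not extended, by any other assignment to `dgn-access-control.users.root`, because `mkDefault` only lowers the definition's priority — a node that declares its own root key list silently drops the `meta.members.groups.root` admins from root's authorized keys, and nothing in the `users` option description says so. I would state it in the description, e.g. `Root defaults to the node admins; defining root explicitly replaces that default rather than adding to it.`, or accumulate the admins unconditionally (`users.users.root.openssh.authorizedKeys.keys = dgn-lib.getKeyFiles admins;`) so a per-node override cannot remove them. The `users.users` mapping sets only `openssh.authorizedKeys.keys`; for a non-root name in `cfg.users` that no other module declares, NixOS appears to create the account without `isNormalUser`/`isSystemUser`, which recent releases reject at evaluation — worth a comment or an assertion. Lastly, `mkEnableOption` appends its own period to the text, so `"DGNum access control."` renders as `Whether to enable DGNum access control..`; drop the trailing dot.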