modules: Init with access control

This commit is contained in:
Tom Hubrecht 2023-05-22 15:07:03 +02:00
parent fa3bb51477
commit 24500ed369
2 changed files with 42 additions and 0 deletions

7
modules/default.nix Normal file

@ -0,0 +1,7 @@
{ dgn-lib, ... }:
{
imports = dgn-lib.mkImports ./. [
"dgn-access-control"
];
}


@ -0,0 +1,35 @@
{ config, lib, dgn-lib, meta, name, ... }:
let
nodeMeta = meta.nodes.${name};
admins = meta.members.groups.root ++ nodeMeta.admins
++ (builtins.concatMap (g: meta.members.groups.${g}) nodeMeta.adminGroups);
cfg = config.dgn-access-control;
in
with lib;
{
options.dgn-access-control = {
enable = mkEnableOption "DGNum access control." // { default = true; };
users = mkOption {
type = with types; attrsOf (listOf str);
default = { };
description = ''
Attribute set describing which member has access to which user on the node.
'';
};
};
config = mkIf cfg.enable {
# Admins have root access to the node
dgn-access-control.users.root = mkDefault admins;
users.users = builtins.mapAttrs
(u: members: { openssh.authorizedKeys.keys = dgn-lib.getKeyFiles members; })
cfg.users;
};
}
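Review bot: `dgn-access-control.users.root = mkDefault admins;` makes the whole admin list a low-priority default, so a node that defines `dgn-access-control.users.root = [ "someone" ];` replaces the global root group and the node admins instead of adding to them, which is easy to do by accident given that the option is declared as `attrsOf (listOf str)` and lists defined at equal priority would otherwise concatenate. If replacement is intended, say so in the `users` option description, e.g. `Root defaults to meta.members.groups.root plus the node's admins and adminGroups; defining users.root on a node replaces that default rather than extending it.`; if extension is intended, drop the `mkDefault`. The `admins` list is also built with `++` and `concatMap` without deduplication, so a member present in several groups is passed to `dgn-lib.getKeyFiles` more than once — harmless if that helper deduplicates, otherwise `lib.unique` would make the authorized_keys content deterministic in size. Whether these keys actually grant root login additionally depends on the sshd PermitRootLogin setting, which this module does not touch; a one-line comment near the `users.users` mapping stating that assumption would help the next reader. Minor: `mkEnableOption "DGNum access control."` already appends a period in the generated description, giving a doubled one.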