modules: Init with access control

2023-05-22 15:07:03 +02:00 · 2023-05-22 15:07:03 +02:00 · 24500ed369
commit 24500ed369
parent fa3bb51477
2 changed files with 42 additions and 0 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -0,0 +1,7 @@
+{ dgn-lib, ... }:
+
+{
+  imports = dgn-lib.mkImports ./. [
+    "dgn-access-control"
+  ];
+}
--- a/modules/dgn-access-control.nix
+++ b/modules/dgn-access-control.nix
@ -0,0 +1,35 @@
+{ config, lib, dgn-lib, meta, name, ... }:
+
+let
+  nodeMeta = meta.nodes.${name};
+  admins = meta.members.groups.root ++ nodeMeta.admins
+    ++ (builtins.concatMap (g: meta.members.groups.${g}) nodeMeta.adminGroups);
+
+  cfg = config.dgn-access-control;
+in
+
+with lib;
+
+{
+  options.dgn-access-control = {
+    enable = mkEnableOption "DGNum access control." // { default = true; };
+
+    users = mkOption {
+      type = with types; attrsOf (listOf str);
+      default = { };
+      description = ''
+        Attribute set describing which member has access to which user on the node.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Admins have root access to the node
+    dgn-access-control.users.root = mkDefault admins;
+
+    users.users = builtins.mapAttrs
+      (u: members: { openssh.authorizedKeys.keys = dgn-lib.getKeyFiles members; })
+      cfg.users;
+
+  };
+}