From 3c9bf80f245a19bf83b29d417554d8d453b5f1f2 Mon Sep 17 00:00:00 2001 From: catvayor Date: Sun, 15 Dec 2024 21:00:08 +0100 Subject: [PATCH] feat(netconf): use meta for access control --- hive.nix | 10 +++- machines/netconf/netcore02.nix | 12 ----- meta/nodes/netconf.nix | 4 +- modules/netconf/default.nix | 1 + modules/netconf/dgn-access-control.nix | 64 ++++++++++++++++++++++++++ 5 files changed, 76 insertions(+), 15 deletions(-) create mode 100644 modules/netconf/dgn-access-control.nix diff --git a/hive.nix b/hive.nix index 707fcd5..63db5c0 100644 --- a/hive.nix +++ b/hive.nix @@ -129,11 +129,17 @@ in evalConfig = nixpkgs.nixos.unstable.lib.evalModules; defaults = - { nodeMeta, nodePath, ... }: + { + name, + nodeMeta, + nodePath, + ... + }: { _module.args = { pkgs = nixpkgs.nixos.unstable; }; + # Import the default modules imports = [ # Import the base configuration for each node @@ -143,6 +149,8 @@ in "${sources.nixpkgs}/nixos/modules/misc/assertions.nix" ]; + system.host-name = name; + inherit (nodeMeta) deployment; }; }; diff --git a/machines/netconf/netcore02.nix b/machines/netconf/netcore02.nix index b104fbf..0eae2b9 100644 --- a/machines/netconf/netcore02.nix +++ b/machines/netconf/netcore02.nix @@ -26,20 +26,8 @@ let }; }; in -{ name, ... }: { vlans = vlansPlan; - system = { - # TODO: use meta, in default - host-name = name; - services.ssh.root-login = "deny-password"; - root-authentication = { - hashedPasswd = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0"; - ssh-keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor" - ]; - }; - }; dgn-hardware.model = "EX2300-48P"; dgn-interfaces = { # "ge-0/0/0" = AP-staging; diff --git a/meta/nodes/netconf.nix b/meta/nodes/netconf.nix index f867126..eb1a07b 100644 --- a/meta/nodes/netconf.nix +++ b/meta/nodes/netconf.nix 
@@ -4,7 +4,7 @@ hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0"; - stateVersion = "24.05"; # FIXME: meaningless + stateVersion = null; adminGroups = [ "fai" ]; @@ -26,7 +26,7 @@ # # hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0"; # - # stateVersion = "24.05"; # FIXME: meaningless + # stateVersion = null; # # adminGroups = [ "fai" ]; # diff --git a/modules/netconf/default.nix b/modules/netconf/default.nix index adb5dc0..bdd3266 100644 --- a/modules/netconf/default.nix +++ b/modules/netconf/default.nix @@ -3,5 +3,6 @@ # List of modules to import ./dgn-hardware ./dgn-interfaces.nix + ./dgn-access-control.nix ]; } diff --git a/modules/netconf/dgn-access-control.nix b/modules/netconf/dgn-access-control.nix new file mode 100644 index 0000000..4145400 --- /dev/null +++ b/modules/netconf/dgn-access-control.nix 
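Review bot: The root password hash `$6$BKetIIfT$…` stays in cleartext in `meta/nodes/netconf.nix` as the context line just above `stateVersion = null;`, and a second copy sits in the commented-out node template touched by the second hunk, so this commit centralises the credential (it is now read via `nodeMeta.hashedPassword`) rather than getting it out of the repository. A SHA-512-crypt hash with default rounds is exposed to offline cracking by anyone who can read the repo, and the copy in the template serves no purpose at all. I would replace the template copy with a placeholder, `# hashedPassword = "<mkpasswd -m sha-512 output>";`, and annotate the live one so its role is clear: `# Root password for console/serial fallback only; SSH password login is denied by dgn-access-control. Rotate if this repository is or becomes public.` Pulling the real hash from a secrets store at evaluation time would be the better long-term fix, if the deployment tooling allows it.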
@@ -0,0 +1,64 @@ +# Copyright : +# SPDX-FileCopyrightText: 2024 Ryan Lahfa +# SPDX-FileCopyrightText: 2024 Tom Hubrecht +# +# SPDX-License-Identifier: EUPL-1.2 + +{ + config, + lib, + dgn-keys, + meta, + nodeMeta, + ... +}: + +let + inherit (lib) + mkDefault + mkEnableOption + mkIf + mkOption + + types + ; + + admins = + meta.organization.groups.root + ++ nodeMeta.admins + ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups); + + cfg = config.dgn-access-control; +in + +{ + options.dgn-access-control = { + enable = mkEnableOption "DGNum access control." // { + default = true; + }; + + root = mkOption { + type = with types; listOf str; + default = [ ]; + description = '' + List describing which member has access to root user on the node. + Members must be declared in `meta/members.nix`. + ''; + example = '' + [ "member1" "member2" ] + ''; + }; + }; + + config = mkIf cfg.enable { + # Admins have root access to the node + dgn-access-control.root = mkDefault admins; + system = { + root-authentication = { + ssh-keys = dgn-keys.getKeys cfg.root; + hashedPasswd = nodeMeta.hashedPassword; + }; + services.ssh.root-login = mkDefault "deny-password"; + }; + }; +}
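Review bot: `dgn-access-control.root = mkDefault admins;` means a plain node-level assignment to `dgn-access-control.root` replaces the computed list instead of extending it (a priority-100 definition discards the priority-1000 default), so a node that adds one extra member silently drops `meta.organization.groups.root` and the `adminGroups` members from root's `ssh-keys`, and the option description says nothing about this. The description should state it, e.g. `Defaults to the organisation root group plus the node's admins and adminGroups; a plain assignment replaces that default, so also use mkDefault in the node if you mean to add members.` Separately, `admins` can contain the same member through several groups, which yields duplicate `ssh-keys` entries; `admins = lib.unique (meta.organization.groups.root ++ …);` avoids that. As a style point, `example` should be `lib.literalExpression ''[ "member1" "member2" ]''` rather than a bare string so the generated manual renders it as code.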