# Copyright : # SPDX-FileCopyrightText: 2024 Lubin Bailly # SPDX-FileCopyrightText: 2024 Ryan Lahfa # SPDX-FileCopyrightText: 2024 Tom Hubrecht # # SPDX-License-Identifier: EUPL-1.2 { config, lib, dgn-keys, meta, nodeMeta, ... }: let inherit (lib) mkDefault mkEnableOption mkIf mkOption types ; admins = meta.organization.groups.root ++ nodeMeta.admins ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups); cfg = config.dgn-access-control; in { options.dgn-access-control = { enable = mkEnableOption "DGNum access control." // { default = true; }; root = mkOption { type = with types; listOf str; default = [ ]; description = '' List describing which member has access to root user on the node. Members must be declared in `meta/members.nix`. ''; example = '' [ "member1" "member2" ] ''; }; }; config = mkIf cfg.enable { # Admins have root access to the node dgn-access-control.root = mkDefault admins; system = { root-authentication = { ssh-keys = dgn-keys.getKeys cfg.root; hashedPasswd = nodeMeta.hashedPassword; }; services.ssh.root-login = mkDefault "deny-password"; }; }; }