forked from DGNum/infrastructure
41 lines
1,017 B
Nix
41 lines
1,017 B
Nix
{ config, lib, dgn-lib, meta, name, ... }:
|
|
|
|
let
|
|
nodeMeta = meta.nodes.${name};
|
|
admins = meta.members.groups.root ++ nodeMeta.admins
|
|
++ (builtins.concatMap (g: meta.members.groups.${g}) nodeMeta.adminGroups);
|
|
|
|
cfg = config.dgn-access-control;
|
|
in
|
|
|
|
with lib;
|
|
|
|
{
|
|
options.dgn-access-control = {
|
|
enable = mkEnableOption "DGNum access control." // { default = true; };
|
|
|
|
users = mkOption {
|
|
type = with types; attrsOf (listOf str);
|
|
default = { };
|
|
description = ''
|
|
Attribute set describing which member has access to which user on the node.
|
|
Members must be declared in `meta/members.nix`.
|
|
'';
|
|
example = ''
|
|
{
|
|
user1 = [ "member1" "member2" ];
|
|
}
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
# Admins have root access to the node
|
|
dgn-access-control.users.root = mkDefault admins;
|
|
|
|
users.users = builtins.mapAttrs
|
|
(u: members: { openssh.authorizedKeys.keys = dgn-lib.getAllKeys members; })
|
|
cfg.users;
|
|
|
|
};
|
|
}
|