diff --git a/applications/ldap/client.nix b/applications/ldap/client.nix
index d172b42..b1102ad 100644
--- a/applications/ldap/client.nix
+++ b/applications/ldap/client.nix
@@ -20,6 +20,8 @@ with lib; let
  # thought you could escape racket?
  create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
+
+ sudo_create_filter = x: (concatStringsSep ", " (map (x: "cn=${x},ou=groups,${cfg.base}") x));
 in {
  # these are needed for teh program in question
  imports = [];
@@ -51,6 +53,13 @@ in {
  ];
  description = lib.mdDoc "Groups we want to allow access to the server";
  };
+ sudo_groups = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "skynet-admins-linux"
+ ];
+ description = lib.mdDoc "Groups we want to allow access to the server";
+ };
  };
  config = mkIf cfg.enable {
@@ -59,7 +68,7 @@ in {
  security.sudo.extraRules = [
  # admin group has sudo access
  {
- groups = ["skynet-admins-linux"];
+ groups = cfg.sudo_groups;
  commands = [
  {
  command = "ALL";
@@ -99,7 +108,8 @@ in {
  # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
  ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
  ldap_group_search_base = ou=groups,${cfg.base}
- ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
+ # using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
+ ldap_sudo_search_base, ${sudo_create_filter cfg.sudo_groups}
  ldap_group_nesting_level = 5
diff --git a/machines/marvin.nix b/machines/marvin.nix
index 89e61df..1c4f57b 100644
--- a/machines/marvin.nix
+++ b/machines/marvin.nix
@@ -17,6 +17,12 @@ Notes:
  name = "marvin";
  ip_pub = "193.1.99.81";
  hostname = "${name}.skynet.ie";
+
+ groups = [
+ "skynet-admins-linux"
+ "skynet-trainees-linux"
+ ];
+ groups_trusted = map (x: "@${x}") groups;
 in {
  imports = [
  ];
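Review bot: In `sudo_create_filter` the inner lambda reuses the name `x` for the list element, shadowing the outer list parameter `x`, so the expression reads as if the list were being mapped over itself; give the two different names and drop the redundant outer parentheses, e.g. `sudo_create_filter = groups: concatStringsSep ", " (map (g: "cn=${g},ou=groups,${cfg.base}") groups);`. The `", "` separator also splices together DNs that themselves contain commas, so the resulting string is only meaningful if the consumer (the sssd.conf line in the later hunk) documents comma-separated bases — worth a comment here naming that format, since the helper is where the separator is chosen. The enclosing `let` starts before this hunk.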
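Review bot: The description of the new `sudo_groups` option is copy-pasted from `groups` ("Groups we want to allow access to the server"), but this option is wired into `security.sudo.extraRules` with `command = "ALL"` in the next hunk, which is a very different privilege than login access; the description should say so, e.g. `description = lib.mdDoc "LDAP groups granted the unrestricted (command = ALL) sudo rule on this server; defaults to the admin group only";`. Naming the consequence in the option docs matters because a host config can widen this to any group with one line. The `options` attribute set continues outside the hunk.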
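Review bot: The comment `# admin group has sudo access` above the rule is now stale: `groups = cfg.sudo_groups;` applies the `command = "ALL"` rule to whatever groups a host sets, not necessarily admins. Suggest `# every group in cfg.sudo_groups gets this unrestricted (command = ALL) rule`. The rest of the rule (its options) continues outside the hunk.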
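Review bot: The new line `ldap_sudo_search_base, ${sudo_create_filter cfg.sudo_groups}` drops the `=` that the removed line had, so the generated sssd.conf line has no key/value separator and sssd will most likely reject the config at startup, taking LDAP sudo (and possibly the whole sssd domain) down on every host using this module rather than just the sudo lookup. Separately, comma-separated DNs are ambiguous since each DN already contains commas, and the linked HPE document appears to describe a different LDAP client, not sssd; sssd-ldap(5) documents multiple search bases for `ldap_search_base`-style options as `?`-separated `base?scope?filter` triples — confirm against the sssd version deployed, then something like `ldap_sudo_search_base = ${concatStringsSep "?" (map (g: "cn=${g},ou=groups,${cfg.base}?subtree?") cfg.sudo_groups)}` would keep the `=` and use that form. The sssd.conf string this line sits in starts and ends outside the hunk.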
@@ -31,17 +37,17 @@ in {
  };
  # allow trainees to deploy
- nix.settings.trusted-users = [
- "root"
- "@skynet-admins-linux"
- "@skynet-trainees-linux"
- ];
+ nix.settings.trusted-users =
+ [
+ "root"
+ ]
+ ++ groups_trusted;
  # allow trainees access
- services.skynet_ldap_client.groups = [
- "skynet-admins-linux"
- "skynet-trainees-linux"
- ];
+ services.skynet_ldap_client = {
+ groups = groups;
+ sudo_groups = groups;
+ };
  skynet_dns.records = [
  {
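Review bot: `sudo_groups = groups;` hands skynet-trainees-linux the same `command = "ALL"` sudo rule as skynet-admins-linux — before this change only the admin group had sudo on marvin (the module's `sudo_groups` default), so this hunk is a privilege expansion, not just a refactor, and the comment `# allow trainees access` does not say that. If it is intended, make it explicit so the next reader does not assume a copy-paste slip: `# trainees get login, nix trusted-user status and full sudo on this host`; if it is not, leave `sudo_groups` at its default and set only `groups = groups;`. The `in { … }` attribute set continues outside the hunk.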