[skip ci]: granted trainees permission to a server to test stuff out

applications/ldap/client.nix

@@ -20,6 +20,8 @@ with lib; let
 
   # thought you could escape racket?
   create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
+
+  sudo_create_filter = x: (concatStringsSep ", " (map (x: "cn=${x},ou=groups,${cfg.base}") x));
 in {
   # these are needed for teh program in question
   imports = [];
@@ -51,6 +53,13 @@ in {
       ];
       description = lib.mdDoc "Groups we want to allow access to the server";
     };
+    sudo_groups = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "skynet-admins-linux"
+      ];
+      description = lib.mdDoc "Groups we want to allow access to the server";
+    };
   };
 
   config = mkIf cfg.enable {
@@ -59,7 +68,7 @@ in {
     security.sudo.extraRules = [
       # admin group has sudo access
       {
-        groups = ["skynet-admins-linux"];
+        groups = cfg.sudo_groups;
         commands = [
           {
             command = "ALL";
@@ -99,7 +108,8 @@ in {
         # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
         ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
         ldap_group_search_base = ou=groups,${cfg.base}
-        ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
+        # using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
+        ldap_sudo_search_base, ${sudo_create_filter cfg.sudo_groups}
 
         ldap_group_nesting_level = 5