[skip ci]: granted trainees permission to a server to test stuff out
This commit is contained in:
parent
21612fed13
commit
03add8f999
2 changed files with 27 additions and 11 deletions
|
@ -20,6 +20,8 @@ with lib; let
|
||||||
|
|
||||||
# thought you could escape racket?
|
# thought you could escape racket?
|
||||||
create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
|
create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
|
||||||
|
|
||||||
|
sudo_create_filter = x: (concatStringsSep ", " (map (x: "cn=${x},ou=groups,${cfg.base}") x));
|
||||||
in {
|
in {
|
||||||
# these are needed for teh program in question
|
# these are needed for teh program in question
|
||||||
imports = [];
|
imports = [];
|
||||||
|
@ -51,6 +53,13 @@ in {
|
||||||
];
|
];
|
||||||
description = lib.mdDoc "Groups we want to allow access to the server";
|
description = lib.mdDoc "Groups we want to allow access to the server";
|
||||||
};
|
};
|
||||||
|
sudo_groups = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [
|
||||||
|
"skynet-admins-linux"
|
||||||
|
];
|
||||||
|
description = lib.mdDoc "Groups we want to allow access to the server";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
@ -59,7 +68,7 @@ in {
|
||||||
security.sudo.extraRules = [
|
security.sudo.extraRules = [
|
||||||
# admin group has sudo access
|
# admin group has sudo access
|
||||||
{
|
{
|
||||||
groups = ["skynet-admins-linux"];
|
groups = cfg.sudo_groups;
|
||||||
commands = [
|
commands = [
|
||||||
{
|
{
|
||||||
command = "ALL";
|
command = "ALL";
|
||||||
|
@ -99,7 +108,8 @@ in {
|
||||||
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
|
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
|
||||||
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
|
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
|
||||||
ldap_group_search_base = ou=groups,${cfg.base}
|
ldap_group_search_base = ou=groups,${cfg.base}
|
||||||
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
|
# using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
|
||||||
|
ldap_sudo_search_base, ${sudo_create_filter cfg.sudo_groups}
|
||||||
|
|
||||||
ldap_group_nesting_level = 5
|
ldap_group_nesting_level = 5
|
||||||
|
|
||||||
|
|
|
@ -17,6 +17,12 @@ Notes:
|
||||||
name = "marvin";
|
name = "marvin";
|
||||||
ip_pub = "193.1.99.81";
|
ip_pub = "193.1.99.81";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
|
||||||
|
groups = [
|
||||||
|
"skynet-admins-linux"
|
||||||
|
"skynet-trainees-linux"
|
||||||
|
];
|
||||||
|
groups_trusted = map (x: "@${x}") groups;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
];
|
];
|
||||||
|
@ -31,17 +37,17 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
# allow trainees to deploy
|
# allow trainees to deploy
|
||||||
nix.settings.trusted-users = [
|
nix.settings.trusted-users =
|
||||||
|
[
|
||||||
"root"
|
"root"
|
||||||
"@skynet-admins-linux"
|
]
|
||||||
"@skynet-trainees-linux"
|
++ groups_trusted;
|
||||||
];
|
|
||||||
|
|
||||||
# allow trainees access
|
# allow trainees access
|
||||||
services.skynet_ldap_client.groups = [
|
services.skynet_ldap_client = {
|
||||||
"skynet-admins-linux"
|
groups = groups;
|
||||||
"skynet-trainees-linux"
|
sudo_groups = groups;
|
||||||
];
|
};
|
||||||
|
|
||||||
skynet_dns.records = [
|
skynet_dns.records = [
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in a new issue