[skip ci]: granted trainees permission to a server to test stuff out

This commit is contained in:
silver 2023-11-20 20:12:11 +00:00
parent 21612fed13
commit 03add8f999
2 changed files with 27 additions and 11 deletions

View file

@ -20,6 +20,8 @@ with lib; let
# thought you could escape racket? # thought you could escape racket?
create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x)); create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
sudo_create_filter = x: (concatStringsSep ", " (map (x: "cn=${x},ou=groups,${cfg.base}") x));
in { in {
# these are needed for teh program in question # these are needed for teh program in question
imports = []; imports = [];
@ -51,6 +53,13 @@ in {
]; ];
description = lib.mdDoc "Groups we want to allow access to the server"; description = lib.mdDoc "Groups we want to allow access to the server";
}; };
sudo_groups = mkOption {
type = types.listOf types.str;
default = [
"skynet-admins-linux"
];
description = lib.mdDoc "Groups we want to allow access to the server";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -59,7 +68,7 @@ in {
security.sudo.extraRules = [ security.sudo.extraRules = [
# admin group has sudo access # admin group has sudo access
{ {
groups = ["skynet-admins-linux"]; groups = cfg.sudo_groups;
commands = [ commands = [
{ {
command = "ALL"; command = "ALL";
@ -99,7 +108,8 @@ in {
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups}) ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base} ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base} # using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
ldap_sudo_search_base, ${sudo_create_filter cfg.sudo_groups}
ldap_group_nesting_level = 5 ldap_group_nesting_level = 5

View file

@ -17,6 +17,12 @@ Notes:
name = "marvin"; name = "marvin";
ip_pub = "193.1.99.81"; ip_pub = "193.1.99.81";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
groups = [
"skynet-admins-linux"
"skynet-trainees-linux"
];
groups_trusted = map (x: "@${x}") groups;
in { in {
imports = [ imports = [
]; ];
@ -31,17 +37,17 @@ in {
}; };
# allow trainees to deploy # allow trainees to deploy
nix.settings.trusted-users = [ nix.settings.trusted-users =
[
"root" "root"
"@skynet-admins-linux" ]
"@skynet-trainees-linux" ++ groups_trusted;
];
# allow trainees access # allow trainees access
services.skynet_ldap_client.groups = [ services.skynet_ldap_client = {
"skynet-admins-linux" groups = groups;
"skynet-trainees-linux" sudo_groups = groups;
]; };
skynet_dns.records = [ skynet_dns.records = [
{ {