[skip ci]: granted trainees permission to a server to test stuff out
This commit is contained in:
parent
21612fed13
commit
03add8f999
2 changed files with 27 additions and 11 deletions
|
|
@ -20,6 +20,8 @@ with lib; let
|
|||
|
||||
# thought you could escape racket?
|
||||
create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
|
||||
|
||||
sudo_create_filter = x: (concatStringsSep ", " (map (x: "cn=${x},ou=groups,${cfg.base}") x));
|
||||
in {
|
||||
# these are needed for teh program in question
|
||||
imports = [];
|
||||
|
|
@ -51,6 +53,13 @@ in {
|
|||
];
|
||||
description = lib.mdDoc "Groups we want to allow access to the server";
|
||||
};
|
||||
sudo_groups = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [
|
||||
"skynet-admins-linux"
|
||||
];
|
||||
description = lib.mdDoc "Groups we want to allow access to the server";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
|
@ -59,7 +68,7 @@ in {
|
|||
security.sudo.extraRules = [
|
||||
# admin group has sudo access
|
||||
{
|
||||
groups = ["skynet-admins-linux"];
|
||||
groups = cfg.sudo_groups;
|
||||
commands = [
|
||||
{
|
||||
command = "ALL";
|
||||
|
|
@ -99,7 +108,8 @@ in {
|
|||
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
|
||||
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
|
||||
ldap_group_search_base = ou=groups,${cfg.base}
|
||||
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
|
||||
# using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
|
||||
ldap_sudo_search_base, ${sudo_create_filter cfg.sudo_groups}
|
||||
|
||||
ldap_group_nesting_level = 5
|
||||
|
||||
|
|
|
|||
|
|
@ -17,6 +17,12 @@ Notes:
|
|||
name = "marvin";
|
||||
ip_pub = "193.1.99.81";
|
||||
hostname = "${name}.skynet.ie";
|
||||
|
||||
groups = [
|
||||
"skynet-admins-linux"
|
||||
"skynet-trainees-linux"
|
||||
];
|
||||
groups_trusted = map (x: "@${x}") groups;
|
||||
in {
|
||||
imports = [
|
||||
];
|
||||
|
|
@ -31,17 +37,17 @@ in {
|
|||
};
|
||||
|
||||
# allow trainees to deploy
|
||||
nix.settings.trusted-users = [
|
||||
nix.settings.trusted-users =
|
||||
[
|
||||
"root"
|
||||
"@skynet-admins-linux"
|
||||
"@skynet-trainees-linux"
|
||||
];
|
||||
]
|
||||
++ groups_trusted;
|
||||
|
||||
# allow trainees access
|
||||
services.skynet_ldap_client.groups = [
|
||||
"skynet-admins-linux"
|
||||
"skynet-trainees-linux"
|
||||
];
|
||||
services.skynet_ldap_client = {
|
||||
groups = groups;
|
||||
sudo_groups = groups;
|
||||
};
|
||||
|
||||
skynet_dns.records = [
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in a new issue