[skip ci]: granted trainees permission to a server to test stuff out

2023-11-20 20:12:11 +00:00 · 2023-11-20 20:12:11 +00:00 · 03add8f999
commit 03add8f999
parent 21612fed13
2 changed files with 27 additions and 11 deletions
--- a/applications/ldap/client.nix
+++ b/applications/ldap/client.nix
@ -20,6 +20,8 @@ with lib; let

  # thought you could escape racket?
  create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
+
+  sudo_create_filter = x: (concatStringsSep ", " (map (x: "cn=${x},ou=groups,${cfg.base}") x));
 in {
  # these are needed for teh program in question
  imports = [];
@ -51,6 +53,13 @@ in {
      ];
      description = lib.mdDoc "Groups we want to allow access to the server";
    };
+    sudo_groups = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "skynet-admins-linux"
+      ];
+      description = lib.mdDoc "Groups we want to allow access to the server";
+    };
  };

  config = mkIf cfg.enable {
@ -59,7 +68,7 @@ in {
    security.sudo.extraRules = [
      # admin group has sudo access
      {
-        groups = ["skynet-admins-linux"];
+        groups = cfg.sudo_groups;
        commands = [
          {
            command = "ALL";
@ -99,7 +108,8 @@ in {
        # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
        ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
        ldap_group_search_base = ou=groups,${cfg.base}
-        ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
+        # using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
+        ldap_sudo_search_base, ${sudo_create_filter cfg.sudo_groups}

        ldap_group_nesting_level = 5

--- a/machines/marvin.nix
+++ b/machines/marvin.nix
@ -17,6 +17,12 @@ Notes:
  name = "marvin";
  ip_pub = "193.1.99.81";
  hostname = "${name}.skynet.ie";
+
+  groups = [
+    "skynet-admins-linux"
+    "skynet-trainees-linux"
+  ];
+  groups_trusted = map (x: "@${x}") groups;
 in {
  imports = [
  ];
@ -31,17 +37,17 @@ in {
  };

  # allow trainees to deploy
-  nix.settings.trusted-users = [
-    "root"
-    "@skynet-admins-linux"
-    "@skynet-trainees-linux"
-  ];
+  nix.settings.trusted-users =
+    [
+      "root"
+    ]
+    ++ groups_trusted;

  # allow trainees access
-  services.skynet_ldap_client.groups = [
-    "skynet-admins-linux"
-    "skynet-trainees-linux"
-  ];
+  services.skynet_ldap_client = {
+    groups = groups;
+    sudo_groups = groups;
+  };

  skynet_dns.records = [
    {