Control user access to each machine
The users.jungleUsers configuration option behaves like the users.users option, but defines the list attribute `hosts` for each user, which filters users so that each user can only access the hosts listed there. Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
This commit is contained in:
		
							parent
							
								
									22cc1d33f7
								
							
						
					
					
						commit
						0e22d6def8
					
				| @ -1,6 +1,10 @@ | |||||||
| { pkgs, ... }: | { pkgs, ... }: | ||||||
| 
 | 
 | ||||||
| { | { | ||||||
|  |   imports = [ | ||||||
|  |     ../module/jungle-users.nix | ||||||
|  |   ]; | ||||||
|  | 
 | ||||||
|   users = { |   users = { | ||||||
|     mutableUsers = false; |     mutableUsers = false; | ||||||
|     users = { |     users = { | ||||||
| @ -42,13 +46,16 @@ | |||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdphWxLAEekicZ/WBrvP7phMyxKSSuLAZBovNX+hZXQ aleix@kerneland" |           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdphWxLAEekicZ/WBrvP7phMyxKSSuLAZBovNX+hZXQ aleix@kerneland" | ||||||
|         ]; |         ]; | ||||||
|       }; |       }; | ||||||
|  |     }; | ||||||
| 
 | 
 | ||||||
|  |     jungleUsers = { | ||||||
|       rpenacob = { |       rpenacob = { | ||||||
|         uid = 2761; |         uid = 2761; | ||||||
|         isNormalUser = true; |         isNormalUser = true; | ||||||
|         home = "/home/Computational/rpenacob"; |         home = "/home/Computational/rpenacob"; | ||||||
|         description = "Raúl Peñacoba"; |         description = "Raúl Peñacoba"; | ||||||
|         group = "Computational"; |         group = "Computational"; | ||||||
|  |         hosts = [ "hut" ]; | ||||||
|         hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/"; |         hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/"; | ||||||
|         openssh.authorizedKeys.keys = [ |         openssh.authorizedKeys.keys = [ | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc" |           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc" | ||||||
| @ -61,6 +68,7 @@ | |||||||
|         home = "/home/Computational/anavarro"; |         home = "/home/Computational/anavarro"; | ||||||
|         description = "Antoni Navarro"; |         description = "Antoni Navarro"; | ||||||
|         group = "Computational"; |         group = "Computational"; | ||||||
|  |         hosts = [ "hut" "raccoon" ]; | ||||||
|         hashedPassword = "$6$QdNDsuLehoZTYZlb$CDhCouYDPrhoiB7/seu7RF.Gqg4zMQz0n5sA4U1KDgHaZOxy2as9pbIGeF8tOHJKRoZajk5GiaZv0rZMn7Oq31"; |         hashedPassword = "$6$QdNDsuLehoZTYZlb$CDhCouYDPrhoiB7/seu7RF.Gqg4zMQz0n5sA4U1KDgHaZOxy2as9pbIGeF8tOHJKRoZajk5GiaZv0rZMn7Oq31"; | ||||||
|         openssh.authorizedKeys.keys = [ |         openssh.authorizedKeys.keys = [ | ||||||
|           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWjRSlKgzBPZQhIeEtk6Lvws2XNcYwHcwPv4osSgst5 anavarro@ssfhead" |           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWjRSlKgzBPZQhIeEtk6Lvws2XNcYwHcwPv4osSgst5 anavarro@ssfhead" | ||||||
|  | |||||||
							
								
								
									
										24
									
								
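--- /dev/null
+++ b/m/module/jungle-users.nix
@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options = {
+    users.jungleUsers = mkOption {
+      type = types.attrsOf (types.anything // { check = (x: x ? "hosts"); });
+      description = ''
+        Same as users.users but with the extra `hosts` attribute, which controls
+        access to the nodes by `networking.hostName`.
+      '';
+    };
+  };
+
+  config = let
+    allowedUser = host: userConf: builtins.elem host userConf.hosts;
+    filterUsers = host: users: filterAttrs (n: v: allowedUser host v) users;
+    removeHosts = users: mapAttrs (n: v: builtins.removeAttrs v [ "hosts" ]) users;
+    currentHost = config.networking.hostName;
+  in {
+    users.users = removeHosts (filterUsers currentHost config.users.jungleUsers);
+  };
+}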
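Review bot: `users.jungleUsers` is declared with `mkOption` but no `default`, so any host that imports this module without setting the option fails evaluation when `config.users.jungleUsers` is read for the `users.users` assignment; adding `default = {};` to the option makes the module safe to import unconditionally. The `check` attached to `types.anything` only asserts that a `hosts` attribute is present, not that it is a list of host names, so a value like `hosts = "hut"` passes the option type and then throws inside `builtins.elem`; tightening it to `check = x: x ? hosts && builtins.isList x.hosts;` keeps the error at the option boundary where it is readable. Because matching is by exact `networking.hostName`, a misspelled entry in `hosts` silently omits that user on the node rather than failing — fail-closed, but worth stating in the option description so an operator does not mistake it for a login problem.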