jungle/m/module/jungle-users.nix

{ config, lib, ... }:

with lib;

{
  options = {
    users.jungleUsers = mkOption {
      type = types.attrsOf (types.anything // { check = (x: x ? "hosts"); });
      description = ''
        Same as users.users but with the extra `hosts` attribute, which controls
        access to the nodes by `networking.hostName`.
      '';
    };
  };

  config = let
    allowedUser = host: userConf: builtins.elem host userConf.hosts;
    filterUsers = host: users: filterAttrs (n: v: allowedUser host v) users;
    removeHosts = users: mapAttrs (n: v: builtins.removeAttrs v [ "hosts" ]) users;
    currentHost = config.networking.hostName;
  in {
    users.users = removeHosts (filterUsers currentHost config.users.jungleUsers);
  };
}
Control user access to each machine The users.jungleUsers configuration option behaves like the users.users option, but defines the list attribute `hosts` for each user, which filters users so that only the user can only access those hosts. Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es> 2024-06-06 14:06:33 +02:00			`{ config, lib, ... }:`

			`with lib;`

			`{`
			`options = {`
			`users.jungleUsers = mkOption {`
			`type = types.attrsOf (types.anything // { check = (x: x ? "hosts"); });`
			`description = ''`
			Same as users.users but with the extra `hosts` attribute, which controls
			access to the nodes by `networking.hostName`.
			`'';`
			`};`
			`};`

			`config = let`
			`allowedUser = host: userConf: builtins.elem host userConf.hosts;`
			`filterUsers = host: users: filterAttrs (n: v: allowedUser host v) users;`
			`removeHosts = users: mapAttrs (n: v: builtins.removeAttrs v [ "hosts" ]) users;`
			`currentHost = config.networking.hostName;`
			`in {`
			`users.users = removeHosts (filterUsers currentHost config.users.jungleUsers);`
			`};`
			`}`