Control user access to each machine

The users.jungleUsers configuration option behaves like the users.users option, but defines the list attribute `hosts` for each user, which filters users so that only the user can only access those hosts. Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
2024-06-06 14:06:33 +02:00 · 2024-06-06 14:06:33 +02:00 · 0e22d6def8
commit 0e22d6def8
parent 22cc1d33f7
2 changed files with 32 additions and 0 deletions
--- a/m/common/users.nix
+++ b/m/common/users.nix
@ -1,6 +1,10 @@
 { pkgs, ... }:

 {
+  imports = [
+    ../module/jungle-users.nix
+  ];
+
  users = {
    mutableUsers = false;
    users = {
@ -42,13 +46,16 @@
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdphWxLAEekicZ/WBrvP7phMyxKSSuLAZBovNX+hZXQ aleix@kerneland"
        ];
      };
+    };

+    jungleUsers = {
      rpenacob = {
        uid = 2761;
        isNormalUser = true;
        home = "/home/Computational/rpenacob";
        description = "Raúl Peñacoba";
        group = "Computational";
+        hosts = [ "hut" ];
        hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc"
@ -61,6 +68,7 @@
        home = "/home/Computational/anavarro";
        description = "Antoni Navarro";
        group = "Computational";
+        hosts = [ "hut" "raccoon" ];
        hashedPassword = "$6$QdNDsuLehoZTYZlb$CDhCouYDPrhoiB7/seu7RF.Gqg4zMQz0n5sA4U1KDgHaZOxy2as9pbIGeF8tOHJKRoZajk5GiaZv0rZMn7Oq31";
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWjRSlKgzBPZQhIeEtk6Lvws2XNcYwHcwPv4osSgst5 anavarro@ssfhead"
--- a/m/module/jungle-users.nix
+++ b/m/module/jungle-users.nix
@ -0,0 +1,24 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options = {
+    users.jungleUsers = mkOption {
+      type = types.attrsOf (types.anything // { check = (x: x ? "hosts"); });
+      description = ''
+        Same as users.users but with the extra `hosts` attribute, which controls
+        access to the nodes by `networking.hostName`.
+      '';
+    };
+  };
+
+  config = let
+    allowedUser = host: userConf: builtins.elem host userConf.hosts;
+    filterUsers = host: users: filterAttrs (n: v: allowedUser host v) users;
+    removeHosts = users: mapAttrs (n: v: builtins.removeAttrs v [ "hosts" ]) users;
+    currentHost = config.networking.hostName;
+  in {
+    users.users = removeHosts (filterUsers currentHost config.users.jungleUsers);
+  };
+}