From 0e22d6def847f5bdf6204e6fb8cc7c1507f862f1 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Thu, 6 Jun 2024 14:06:33 +0200
Subject: [PATCH] Control user access to each machine

The users.jungleUsers configuration option behaves like the users.users option, but defines the list attribute `hosts` for each user, which filters users so that only the user can only access those hosts.

Reviewed-by: Aleix Roca Nonell
---
 m/common/users.nix | 8 ++++++++
 m/module/jungle-users.nix | 24 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 m/module/jungle-users.nix

diff --git a/m/common/users.nix b/m/common/users.nix
index 8451196..02680fc 100644
--- a/m/common/users.nix
+++ b/m/common/users.nix
@@ -1,6 +1,10 @@
 { pkgs, ... }: {
+ imports = [
+ ../module/jungle-users.nix
+ ];
+
 users = { mutableUsers = false; users = {
@@ -42,13 +46,16 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdphWxLAEekicZ/WBrvP7phMyxKSSuLAZBovNX+hZXQ aleix@kerneland" ]; };
+ };
+ jungleUsers = {
 rpenacob = { uid = 2761; isNormalUser = true; home = "/home/Computational/rpenacob"; description = "Raúl Peñacoba"; group = "Computational";
+ hosts = [ "hut" ];
 hashedPassword = "$6$TZm3bDIFyPrMhj1E$uEDXoYYd1z2Wd5mMPfh3DZAjP7ztVjJ4ezIcn82C0ImqafPA.AnTmcVftHEzLB3tbe2O4SxDyPSDEQgJ4GOtj/"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYfXg37mauGeurqsLpedgA2XQ9d4Nm0ZGo/hI1f7wwH rpenacob@bsc"
@@ -61,6 +68,7 @@
 home = "/home/Computational/anavarro"; description = "Antoni Navarro"; group = "Computational";
+ hosts = [ "hut" "raccoon" ];
 hashedPassword = "$6$QdNDsuLehoZTYZlb$CDhCouYDPrhoiB7/seu7RF.Gqg4zMQz0n5sA4U1KDgHaZOxy2as9pbIGeF8tOHJKRoZajk5GiaZv0rZMn7Oq31"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWjRSlKgzBPZQhIeEtk6Lvws2XNcYwHcwPv4osSgst5 anavarro@ssfhead"
diff --git a/m/module/jungle-users.nix b/m/module/jungle-users.nix
new file mode 100644
index 0000000..9601d29
--- /dev/null
+++ b/m/module/jungle-users.nix
@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+ options = {
+ users.jungleUsers = mkOption {
+ type = types.attrsOf (types.anything // { check = (x: x ? "hosts"); });
+ description = ''
+ Same as users.users but with the extra `hosts` attribute, which controls
+ access to the nodes by `networking.hostName`.
+ '';
+ };
+ };
+
+ config = let
+ allowedUser = host: userConf: builtins.elem host userConf.hosts;
+ filterUsers = host: users: filterAttrs (n: v: allowedUser host v) users;
+ removeHosts = users: mapAttrs (n: v: builtins.removeAttrs v [ "hosts" ]) users;
+ currentHost = config.networking.hostName;
+ in {
+ users.users = removeHosts (filterUsers currentHost config.users.jungleUsers);
+ };
+}
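Review bot: The `check` in `type = types.attrsOf (types.anything // { check = (x: x ? "hosts"); });` only tests that the attribute exists, so `hosts = "hut";` or a list of non-strings passes the option type and the failure only surfaces later as a generic type error from `builtins.elem` in `allowedUser`, while the option's own error message would still describe the type as attribute set of anything. Tightening it to `check = x: x ? "hosts" && builtins.isList x.hosts && builtins.all builtins.isString x.hosts;` and adding `description = "user definition with a list of host names in hosts";` to the same attribute set makes a misconfigured entry fail at the option boundary with a readable message. The option description should also state that matching is exact string equality against `networking.hostName`, that an entry defined directly under `users.users` is not filtered, and that accounts are actually removed from non-listed hosts only because users.nix sets `users.mutableUsers = false`. `with lib;` at file scope hides where `mkOption`, `types`, `filterAttrs` and `mapAttrs` come from; wrapping the module body in `let inherit (lib) mkOption types filterAttrs mapAttrs; in` is the usual nixpkgs style.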