From 4b3c5dde1151edc6f7cdb63e09bbaf5e2c0d9aac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aleix=20Bon=C3=A9?= <aleix.boneribo@bsc.es>
Date: Fri, 13 Mar 2026 11:55:19 +0100
Subject: [PATCH] Limit slurm partition users with AllowGroups

Fixes: https://jungle.bsc.es/git/rarias/jungle/issues/245
---
 m/common/base/users.nix   | 2 ++
 m/module/jungle-users.nix | 7 ++++++-
 m/module/slurm-common.nix | 4 ++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/m/common/base/users.nix b/m/common/base/users.nix
index f65616c1..539b5b0e 100644
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@@ -224,6 +224,8 @@
 
     groups = {
       Computational = { gid = 564; };
+      fox = { gid = 565; };
+      owl = { gid = 566; };
       tracing = { };
     };
   };
diff --git a/m/module/jungle-users.nix b/m/module/jungle-users.nix
index 9601d299..900dfad5 100644
--- a/m/module/jungle-users.nix
+++ b/m/module/jungle-users.nix
@@ -17,8 +17,13 @@ with lib;
     allowedUser = host: userConf: builtins.elem host userConf.hosts;
     filterUsers = host: users: filterAttrs (n: v: allowedUser host v) users;
     removeHosts = users: mapAttrs (n: v: builtins.removeAttrs v [ "hosts" ]) users;
+    addExtraGroups = mapAttrs (_: user: user // {
+        extraGroups = (user.extraGroups or [ ])
+          ++ (lib.optionals (allowedUser "fox" user) [ "fox" ])
+          ++ (lib.optionals (allowedUser "owl1" user || allowedUser "owl2" user) [ "owl" ]);
+      });
     currentHost = config.networking.hostName;
   in {
-    users.users = removeHosts (filterUsers currentHost config.users.jungleUsers);
+    users.users = removeHosts (addExtraGroups (filterUsers currentHost config.users.jungleUsers));
   };
 }
diff --git a/m/module/slurm-common.nix b/m/module/slurm-common.nix
index 70dbf6cf..8c48dd6e 100644
--- a/m/module/slurm-common.nix
+++ b/m/module/slurm-common.nix
@@ -10,8 +10,8 @@
     ];
 
     partitionName = [
-      "owl Nodes=owl[1-2]     Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
-      "fox Nodes=fox          Default=NO  DefaultTime=01:00:00 MaxTime=INFINITE State=UP"
+      "owl Nodes=owl[1-2]     Default=YES DefaultTime=01:00:00 MaxTime=INFINITE State=UP AllowGroups=wheel,owl"
+      "fox Nodes=fox          Default=NO  DefaultTime=01:00:00 MaxTime=INFINITE State=UP AllowGroups=wheel,fox"
     ];
 
     # See slurm.conf(5) for more details about these options.
-- 
2.51.2