Okay, set an access filter

2024-06-05 23:11:35 -07:00 · 2024-06-05 23:11:35 -07:00 · 58b406465c
parent faf888ddaf
commit 58b406465c
1 changed files with 10 additions and 1 deletions
--- a/paris-container.nix
+++ b/paris-container.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }@toplevel:

 with lib;
 let
@ -65,6 +65,13 @@ in {
        default = 4389;
      };

+      access-group = mkOption {
+        type = str;
+        description = "Group to which users must belong for access.";
+        default = let ldapCfg = toplevel.config.fudo.paris-container.ldap;
+        in "cn=shell,${ldapCfg.group-ou},${ldapCfg.base}";
+      };
+
      domain = mkOption {
        type = str;
        description =
@ -340,6 +347,8 @@ in {
                ldap_group_object_class = "group";
                ldap_group_name = "cn";

+                ldap_access_filter = "memberOf=${cfg.ldap.access-group}";
+
                ldap_default_bind_dn = cfg.ldap.bind-dn;
                ldap_default_authtok = "$LDAP_DEFAULT_AUTHTOKEN";
              };