depot/cluster/services/idm/policies/infra-admins.nix

{ lib, ... }:

{
  services.kanidm.unixSettings = {
    pam_allowed_login_groups = [
      "infra_admins"
    ];
  };

  security.sudo.extraRules = lib.singleton {
    groups = [ "infra_admins" ];
    commands = lib.singleton {
      command = "ALL";
      options = [ "SETENV" ];
    };
  };

  idm.tmpfiles.rules = [
    "a+ /run/log/journal/%m - - - - d:group:infra_admins:r-x"
    "a+ /run/log/journal/%m - - - - group:infra_admins:r-x"
    "a+ /run/log/journal/%m/*.journal* - - - - d:group:infra_admins:r--"
  ];
}