From 54565aefebb0554ea4532986e391d2d908b012d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sat, 1 Jul 2023 23:44:17 +0200
Subject: [PATCH] ldap: add new option to generate group filter in search filters

---
 lib/ldap.nix | 9 +++++++++
 modules/ldap.nix | 11 +++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 lib/ldap.nix

diff --git a/lib/ldap.nix b/lib/ldap.nix
new file mode 100644
index 00000000..c954574
--- /dev/null
+++ b/lib/ldap.nix
@@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+ mkUserGroupOption = lib.mkOption {
+ type = with lib.types; nullOr str;
+ default = null;
+ description = lib.mdDoc "Restrict logins to users in this group";
+ };
+}
diff --git a/modules/ldap.nix b/modules/ldap.nix
index 0df9c0f..117e776 100644
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@@ -94,6 +94,17 @@ in
 description = lib.mdDoc "The uid of the service user used by services, often referred as search user.";
 };
 
+ searchFilterWithGroupFilter = lib.mkOption {
+ type = with lib.types; functionTo (functionTo str);
+ example = lib.literalExpression ''userFilterGroup: userFilter: if (userFilterGroup != null) then "(&''${config.security.ldap.groupFilter userFilterGroup})" else userFilter'';
+ description = lib.mdDoc ''
+ A function that returns a search filter that may include a group filter.
+ The first argument may be the group that is filtered upon or null.
+ If set to null no additional filtering is done. If set the supplied filter is combined with the user filter.
+ The second argument must be the user filter including the applications placeholders or ideally the userFilter option.
+ '';
+ };
+
 sshPublicKeyField = lib.mkOption {
 type = lib.types.str;
 example = "sshPublicKey";
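Review bot: The description of `mkUserGroupOption` in lib/ldap.nix says only "users in this group" and does not state what form the value takes — a bare group name such as a `cn`, or a full DN — and the option carries no `example`, so a service module reusing it and the consumer of the value (presumably `config.security.ldap.groupFilter`, judging by the second hunk) can disagree on the format. Suggest adding `example = "ldap-users";` (constructed placeholder) and extending the description to `"Restrict logins to users in this group. The value is passed to the configured group filter; use the form that filter expects (group name or DN)."`. Since this is a shared helper, getting the contract right here saves documenting it in every module that reuses it.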
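Review bot: The `example` for `searchFilterWithGroupFilter` contradicts its own description: when a group is given it returns `(&${config.security.ldap.groupFilter userFilterGroup})` and drops `userFilter` entirely, so any member of the group would match the search regardless of the user filter, while the description says the group filter is "combined with the user filter" — unless `groupFilter` already embeds the user filter, which this hunk does not show. If that is not the case, the example should read `example = lib.literalExpression ''userFilterGroup: userFilter: if (userFilterGroup != null) then "(&''${config.security.ldap.groupFilter userFilterGroup}''${userFilter})" else userFilter'';`. It would also help to state in the description that this option performs no escaping itself, so the group argument and the user filter must already be valid RFC 4515 filter text. Minor wording: "the applications placeholders" should be "the application's placeholders".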