hackclub / nest

Free, powerful, and versatile compute infrastructure for all high school hackers!
https://hackclub.app
MIT License

RFC: Nest Teams #96

Open polypixeldev opened 1 month ago

polypixeldev commented 1 month ago

While Nest was originally made and designed for personal use, it is also very useful for organizational use, especially in things like Hack Clubs that might want to host a website or backend for the whole club to manage. Therefore, I propose a feature on Nest that allows for the creation of teams: shared accounts meant to be accessed by different people.

Nest teams would be stored in a new table in the Nest Bot database, and would consist of a username, description, and list of members. At least for the MVP, there will be no permissions, so each member would be able to modify the team. The Authentik password would be DM'ed to the team creator upon approval.

Nest teams would be set up in the same way as normal user accounts on Nest, except that they would use a special AuthorizedKeysCommand for SSH which will output the combination of all members' authorized_keys files.

There will be no limit as to how many teams a user can create or be a part of, but like user accounts, all teams will have to be approved by the Nest admin team to ensure that teams are not being abused to bypass resource limits on personal projects. They may also be subject to additional auditing for the same purpose.
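One way to implement the AuthorizedKeysCommand described in the proposal, as an added example that is not part of this RFC or of Nest's own code. The membership-file layout (`$NEST_TEAMS_DIR/<team>/members`), the home-directory layout, the `nest-teams` group and the sshd `Match` block are all assumptions; the keys in the fixture are constructed, not real.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand for Nest team accounts (illustrative, not Nest's code).
#
# Assumed sshd_config wiring (sshd passes the login name as %u):
#   Match Group nest-teams
#       AuthorizedKeysCommand /usr/local/bin/nest-team-keys %u
#       AuthorizedKeysCommandUser nest-keys
#
# Assumed layout:
#   $NEST_TEAMS_DIR/<team>/members            one member login per line, '#' comments allowed
#   $NEST_HOME_BASE/<member>/.ssh/authorized_keys

NEST_TEAMS_DIR="${NEST_TEAMS_DIR:-/etc/nest/teams}"
NEST_HOME_BASE="${NEST_HOME_BASE:-/home}"

# Accept only plain account names, so a value can never become a path component such as "../".
# sshd already hands us a real login name, but the script should not depend on that.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the merged authorized_keys for team $1 on stdout.
# Unknown teams yield no keys (login denied); members without a key file are skipped;
# blank lines and comments are dropped; a key listed by two members is emitted once.
nest_team_keys() {
    team="$1"
    valid_name "$team" || return 1
    members_file="$NEST_TEAMS_DIR/$team/members"
    [ -r "$members_file" ] || return 1

    while IFS= read -r member || [ -n "$member" ]; do
        case "$member" in ''|\#*) continue ;; esac
        valid_name "$member" || continue
        keyfile="$NEST_HOME_BASE/$member/.ssh/authorized_keys"
        [ -f "$keyfile" ] || continue
        cat "$keyfile"
        echo    # guarantees a newline even if the file lacks a trailing one
    done < "$members_file" \
      | grep -v '^[[:space:]]*$' \
      | grep -v '^[[:space:]]*#' \
      | awk '!seen[$0]++'
}

# Number of keys that would grant access to the team; useful for an audit view (assumed).
nest_team_key_count() {
    nest_team_keys "$1" | wc -l | tr -d ' '
}

# Build a throwaway fixture under $1 with constructed (non-real) keys, and point the two
# directories at it, so the script can be exercised offline in the current shell.
build_demo_fixture() {
    NEST_TEAMS_DIR="$1/teams"
    NEST_HOME_BASE="$1/home"
    mkdir -p "$NEST_TEAMS_DIR/webteam" \
             "$NEST_HOME_BASE/alice/.ssh" "$NEST_HOME_BASE/bob/.ssh" "$NEST_HOME_BASE/carol/.ssh"
    printf 'alice\nbob\n# carol is still waiting for her first key\ncarol\n' \
        > "$NEST_TEAMS_DIR/webteam/members"
    printf 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY1 alice@laptop\n' \
        > "$NEST_HOME_BASE/alice/.ssh/authorized_keys"
    # bob also lists alice's key, which must not be emitted twice
    printf '# bob keeps a comment here\nssh-ed25519 AAAAC3CONSTRUCTEDKEY2 bob@desk\n\nssh-ed25519 AAAAC3CONSTRUCTEDKEY1 alice@laptop\n' \
        > "$NEST_HOME_BASE/bob/.ssh/authorized_keys"
    # carol has a home directory but no authorized_keys yet, so she is skipped
}

# When invoked by sshd with the team login as the only argument, act as the AuthorizedKeysCommand.
if [ $# -eq 1 ]; then
    nest_team_keys "$1"
fi
```

sshd refuses to run an AuthorizedKeysCommand unless the script is owned by root and not writable by group or others, so install it accordingly. Because keys are recomputed on every login, removing a line from the members file revokes that member's future access to the team account, though sessions already open stay up until they end.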

Ssmidge commented 1 month ago

This seems like a great idea, however the point of Authentik is to remove the need of using multiple accounts, so needing to login to another Authentik account seems to be counterintuitive, wouldn't adding the users to a group be a better option?

polypixeldev commented 1 month ago

Having a shared user on Nest makes sense so that it can be separate from personal accounts and have its own systemd daemon for team projects. Having it be a completely new Authentik account isn't ideal, but since accounts are managed through LDAP it's the only option.

ajhalili2006 commented 1 month ago

Replied via Slack: Interested to test Nest teams once implemented, since I plan to run some Docker containers for my open-source organization (@recaptime-dev), although it may not qualify due to being a one-man team (a.k.a. me).

For the application process when this is implemented, is the organization required to be fiscally hosted on HCB, and can only those who signed the fiscal sponsorship agreement request a Nest team?

Speaking of the autogenerated organizational admin account on the Authentik side when approved, maybe we can generate a blank or random password but block it from signing in via SSO/SAML (other than being a shell-only LDAP account).

kcoderhtml commented 1 month ago

A shell-only account makes sense. It's probably also a good idea to attach a label or something to the account to denote that it's a team account. An HCB requirement might make it easier on the approval side but harder for clubs. Maybe a hybrid system where HCB makes it faster to apply would work.

polypixeldev commented 1 month ago

Yeah, I guess we could just create the account locally on the Nest VM using Nest Bot. I agree w/ Kieran, HCB wouldn't be required but would definitely help out. If there is no HCB account, I'd say that it would have to either be a club or a GitHub organization (but members would have to be teens).