limit deployerbot-follower to our vpn - config

commit 36bbceac032d890344a2f0d64b627ccbaea47abe (tree)
parent 471a5b43c58e44fc4cf0db8f25374e7df6844ea2
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date:   Sun, 30 Jul 2023 07:22:25 +0300

limit deployerbot-follower to our vpn

Diffstat:
M data.nix  | 1 +
M modules/services/deployerbot/default.nix  | 5 ++++-

2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/data.nix b/data.nix
@@ -48,6 +48,7 @@ rec {
   tailscale_subnet = {
     cidr = "100.89.176.0/20";
     range = "100.89.176.0-100.89.191.255";
+    pattern = "100.89.176.?"; # until we have more hosts
   };
 
   jakstysLTZone = let
diff --git a/modules/services/deployerbot/default.nix b/modules/services/deployerbot/default.nix
@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  myData,
   ...
 }: {
   options.mj.services.deployerbot.main = with lib.types; {
@@ -95,7 +96,9 @@
             isSystemUser = true;
             createHome = true;
             uid = uidgid;
-            openssh.authorizedKeys.keys = [publicKey];
+            openssh.authorizedKeys.keys = let
+              restrictedPubKey = "from=\"${myData.tailscale_subnet.pattern}\" " + publicKey;
+            in [restrictedPubKey];
           };
         };
         users.groups.deployerbot-follower.gid = uidgid;

M	data.nix	\|	1	+
M	modules/services/deployerbot/default.nix	\|	5	++++-

	config NixOS config
	Log \| Files \| Refs \| README \| LICENSE