
commit 36bbceac032d890344a2f0d64b627ccbaea47abe (tree)
parent 471a5b43c58e44fc4cf0db8f25374e7df6844ea2
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date:   Sun, 30 Jul 2023 07:22:25 +0300

limit deployerbot-follower to our vpn

Diffstat:
Mdata.nix | 1+
Mmodules/services/deployerbot/default.nix | 5++++-
2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/data.nix b/data.nix
@@ -48,6 +48,7 @@ rec {
 tailscale_subnet = {
 cidr = "100.89.176.0/20";
 range = "100.89.176.0-100.89.191.255";
+ pattern = "100.89.176.?"; # until we have more hosts
 };
 jakstysLTZone = let
diff --git a/modules/services/deployerbot/default.nix b/modules/services/deployerbot/default.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 pkgs,
+ myData,
 ...
 }: {
 options.mj.services.deployerbot.main = with lib.types; {
@@ -95,7 +96,9 @@
 isSystemUser = true;
 createHome = true;
 uid = uidgid;
- openssh.authorizedKeys.keys = [publicKey];
+ openssh.authorizedKeys.keys = let
+ restrictedPubKey = "from=\"${myData.tailscale_subnet.pattern}\" " + publicKey;
+ in [restrictedPubKey];
 };
 };
 users.groups.deployerbot-follower.gid = uidgid;
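Review bot: `pattern = "100.89.176.?"` covers only the ten addresses 100.89.176.0–100.89.176.9, not the /20 declared in `cidr` two lines above, because in sshd's `from=` pattern syntax `?` matches exactly one character; the trailing comment marks it as temporary, but a follower that comes up with any other tailnet address is silently refused. The `from=` option in authorized_keys also accepts CIDR address/masklen notation, so the same restriction can reuse the existing attribute as `from="${myData.tailscale_subnet.cidr}"` and the new `pattern` attribute becomes unnecessary. If the narrower match is deliberate, the comment should say so explicitly, e.g. `# sshd from= pattern: ? matches one character, so only .0-.9 are accepted`, so it is not mistaken for the whole subnet.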
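Review bot: The `from=` option on `restrictedPubKey` narrows only the accepted source address; unless sshd_config restricts this account elsewhere, the key still permits an interactive shell, port forwarding and agent forwarding, so if the follower only ever runs a fixed deployment command the options should start with `restrict` (and a `command=` for that entry point) in addition to `from=`. As a matter of style, the three-line `let … in` and string concatenation with `+` can be a single interpolated entry: `openssh.authorizedKeys.keys = ["from=\"${myData.tailscale_subnet.pattern}\" ${publicKey}"];`. The enclosing `users.users` attribute set begins before this hunk, so where `publicKey` comes from is not visible here.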