motiejus
/
config
1
Fork 0
Code Packages Releases Activity

limit deployerbot-follower to our vpn

This commit is contained in:
Motiejus Jakštys 2023-07-30 07:22:25 +03:00
parent 471a5b43c5
commit 36bbceac03
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
data.nix
View File

@ -48,6 +48,7 @@ rec {
tailscale_subnet = { tailscale_subnet = {
cidr = "100.89.176.0/20"; cidr = "100.89.176.0/20";
range = "100.89.176.0-100.89.191.255"; range = "100.89.176.0-100.89.191.255";
pattern = "100.89.176.?"; # until we have more hosts
}; };
jakstysLTZone = let jakstysLTZone = let

5
modules/services/deployerbot/default.nix
View File

@ -2,6 +2,7 @@
config, config,
lib, lib,
pkgs, pkgs,
myData,
... ...
}: { }: {
options.mj.services.deployerbot.main = with lib.types; { options.mj.services.deployerbot.main = with lib.types; {
@ -95,7 +96,9 @@
isSystemUser = true; isSystemUser = true;
createHome = true; createHome = true;
uid = uidgid; uid = uidgid;
openssh.authorizedKeys.keys = [publicKey]; openssh.authorizedKeys.keys = let
restrictedPubKey = "from=\"${myData.tailscale_subnet.pattern}\" " + publicKey;
in [restrictedPubKey];
}; };
}; };
users.groups.deployerbot-follower.gid = uidgid; users.groups.deployerbot-follower.gid = uidgid;