limit deployerbot-follower to our vpn

2023-07-30 07:22:25 +03:00 · 2023-07-30 07:22:25 +03:00 · 36bbceac03
commit 36bbceac03
parent 471a5b43c5
2 changed files with 5 additions and 1 deletions
--- a/data.nix
+++ b/data.nix
@ -48,6 +48,7 @@ rec {
  tailscale_subnet = {
    cidr = "100.89.176.0/20";
    range = "100.89.176.0-100.89.191.255";
+    pattern = "100.89.176.?"; # until we have more hosts
  };

  jakstysLTZone = let
--- a/modules/services/deployerbot/default.nix
+++ b/modules/services/deployerbot/default.nix
@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
+  myData,
  ...
 }: {
  options.mj.services.deployerbot.main = with lib.types; {
@ -95,7 +96,9 @@
            isSystemUser = true;
            createHome = true;
            uid = uidgid;
-            openssh.authorizedKeys.keys = [publicKey];
+            openssh.authorizedKeys.keys = let
+              restrictedPubKey = "from=\"${myData.tailscale_subnet.pattern}\" " + publicKey;
+            in [restrictedPubKey];
          };
        };
        users.groups.deployerbot-follower.gid = uidgid;