diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix
index c29ee3e..5b62474 100644
--- a/hosts/fra1-a/configuration.nix
+++ b/hosts/fra1-a/configuration.nix
@@ -73,7 +73,10 @@
 deployerbot = {
 follower = {
- inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;
+ publicKeys = [
+ myData.hosts."vno1-oh2.servers.jakst".publicKey
+ myData.hosts."fwminex.motiejus.jakst".publicKey
+ ];
 enable = true;
 sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
index 1f077d9..d1bd081 100644
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
@@ -102,7 +102,10 @@ in {
 deployerbot = {
 follower = {
- inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;
+ publicKeys = [
+ myData.hosts."vno1-oh2.servers.jakst".publicKey
+ myData.hosts."fwminex.motiejus.jakst".publicKey
+ ];
 enable = true;
 uidgid = myData.uidgid.updaterbot-deployee;
diff --git a/hosts/mtworx/configuration.nix b/hosts/mtworx/configuration.nix
index b7ba786..0a2b8a0 100644
--- a/hosts/mtworx/configuration.nix
+++ b/hosts/mtworx/configuration.nix
@@ -97,7 +97,10 @@ in {
 deployerbot = {
 follower = {
- inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;
+ publicKeys = [
+ myData.hosts."vno1-oh2.servers.jakst".publicKey
+ myData.hosts."fwminex.motiejus.jakst".publicKey
+ ];
 enable = true;
 uidgid = myData.uidgid.updaterbot-deployee;
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index 489d39a..43d5bfa 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -222,7 +222,10 @@
 };
 follower = {
- inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;
+ publicKeys = [
+ myData.hosts."vno1-oh2.servers.jakst".publicKey
+ myData.hosts."fwminex.motiejus.jakst".publicKey
+ ];
 enable = true;
 sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
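Review bot: The same two-element list of deployer keys is now spelled out verbatim in every follower block (this hunk and the fwminex, mtworx, vno1-oh2 and vno3-rp3b hunks), so rotating or revoking a deployer key means editing each host file and a missed host keeps a stale key authorized. Define the list once next to the other shared data and reference it from each host, e.g. `publicKeys = myData.deployerbot.publicKeys;` (attribute name illustrative; `myData` already carries `hosts`, `subnets` and `uidgid`). Each follower also newly trusts the fwminex key in addition to vno1-oh2's, which widens which machine can deploy to all hosts; a one-line comment on the list stating why fwminex is a deployer would make that intent reviewable later. The enclosing `deployerbot`/`mj.services` attrset starts and ends outside the hunk.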
diff --git a/hosts/vno3-rp3b/configuration.nix b/hosts/vno3-rp3b/configuration.nix
index 63c0031..d94d3de 100644
--- a/hosts/vno3-rp3b/configuration.nix
+++ b/hosts/vno3-rp3b/configuration.nix
@@ -94,7 +94,10 @@
 deployerbot = {
 follower = {
- inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;
+ publicKeys = [
+ myData.hosts."vno1-oh2.servers.jakst".publicKey
+ myData.hosts."fwminex.motiejus.jakst".publicKey
+ ];
 enable = true;
 sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
diff --git a/modules/services/deployerbot/default.nix b/modules/services/deployerbot/default.nix
index c75e73b..34cd298 100644
--- a/modules/services/deployerbot/default.nix
+++ b/modules/services/deployerbot/default.nix
@@ -23,7 +23,7 @@
 options.mj.services.deployerbot.follower = with lib.types; {
 enable = lib.mkEnableOption "Allow system to be deployed with deployerbot";
 sshAllowSubnets = lib.mkOption {type = listOf str;};
- publicKey = lib.mkOption {type = str;};
+ publicKeys = lib.mkOption {type = listOf str;};
 uidgid = lib.mkOption {type = int;};
 };
@@ -129,9 +129,9 @@
 isSystemUser = true;
 createHome = true;
 uid = cfg.uidgid;
- openssh.authorizedKeys.keys = let
- restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + cfg.publicKey;
- in [restrictedPubKey];
+ openssh.authorizedKeys.keys =
+ map (k: "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + k)
+ cfg.publicKeys;
 };
 users.groups.deployerbot-follower.gid = cfg.uidgid;
 nix.settings.trusted-users = ["deployerbot-follower"];
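Review bot: In the `@@ -23` hunk the new `publicKeys` option has no `description` and the old `publicKey` option is dropped without a migration shim, so any follower host not touched by this commit that still sets `publicKey` fails evaluation with only the generic "option does not exist" message. Give the option a description, e.g. `publicKeys = lib.mkOption {type = listOf str; description = "SSH public keys permitted to deploy to this host";};`, and add `(lib.mkRemovedOptionModule ["mj" "services" "deployerbot" "follower" "publicKey"] "use publicKeys instead")` to the module's imports (the imports list, if any, is outside the hunk) so the failure names the replacement. The options attrset continues outside the hunk.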
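Review bot: In the `@@ -129` hunk every entry in `cfg.publicKeys` is written with the same `from=` restriction, and the `nix.settings.trusted-users` line two lines below gives the same account trusted-user rights on the Nix daemon, so each key in the list carries that level of access; nothing in the module guards against `sshAllowSubnets` being `[]`, which would emit `from=""` and leave the effective restriction to sshd's handling of an empty pattern list rather than to this configuration. Add an evaluation-time check next to the user definition, e.g. `assertions = [{assertion = cfg.sshAllowSubnets != []; message = "deployerbot.follower: sshAllowSubnets must not be empty";}];`, and a short comment above the `map` stating that the `from=` list is the only restriction applied to all deployer keys. The enclosing `config`/`users.users` block starts outside the hunk.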