deployerbot: allow fwminex too
parent
846ec80d9f
commit
38311119f9
@ -73,7 +73,10 @@
|
|||||||
|
|
||||||
deployerbot = {
|
deployerbot = {
|
||||||
follower = {
|
follower = {
|
||||||
inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;
|
publicKeys = [
|
||||||
|
myData.hosts."vno1-oh2.servers.jakst".publicKey
|
||||||
|
myData.hosts."fwminex.motiejus.jakst".publicKey
|
||||||
|
];
|
||||||
|
|
||||||
enable = true;
|
enable = true;
|
||||||
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
||||||
|
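Review bot: The same two-key list is now hand-copied into every follower host (this hunk and the ones at -102, -97, -222 and -94), so the set of identities allowed to deploy a host lives in five places; rotating or revoking the fwminex key means editing each one, and a missed host silently keeps the old key authorized. Both entries are already read from myData.hosts, so a single shared list in myData referenced from each host, e.g. `publicKeys = myData.deployerbot.publicKeys;` (constructed attribute name), keeps the deployer trust set in one place. The enclosing host configuration starts and ends outside the hunk.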
@ -102,7 +102,10 @@ in {
|
|||||||
|
|
||||||
deployerbot = {
|
deployerbot = {
|
||||||
follower = {
|
follower = {
|
||||||
inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;
|
publicKeys = [
|
||||||
|
myData.hosts."vno1-oh2.servers.jakst".publicKey
|
||||||
|
myData.hosts."fwminex.motiejus.jakst".publicKey
|
||||||
|
];
|
||||||
|
|
||||||
enable = true;
|
enable = true;
|
||||||
uidgid = myData.uidgid.updaterbot-deployee;
|
uidgid = myData.uidgid.updaterbot-deployee;
|
||||||
|
@ -97,7 +97,10 @@ in {
|
|||||||
|
|
||||||
deployerbot = {
|
deployerbot = {
|
||||||
follower = {
|
follower = {
|
||||||
inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;
|
publicKeys = [
|
||||||
|
myData.hosts."vno1-oh2.servers.jakst".publicKey
|
||||||
|
myData.hosts."fwminex.motiejus.jakst".publicKey
|
||||||
|
];
|
||||||
|
|
||||||
enable = true;
|
enable = true;
|
||||||
uidgid = myData.uidgid.updaterbot-deployee;
|
uidgid = myData.uidgid.updaterbot-deployee;
|
||||||
|
@ -222,7 +222,10 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
follower = {
|
follower = {
|
||||||
inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;
|
publicKeys = [
|
||||||
|
myData.hosts."vno1-oh2.servers.jakst".publicKey
|
||||||
|
myData.hosts."fwminex.motiejus.jakst".publicKey
|
||||||
|
];
|
||||||
|
|
||||||
enable = true;
|
enable = true;
|
||||||
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
||||||
|
@ -94,7 +94,10 @@
|
|||||||
|
|
||||||
deployerbot = {
|
deployerbot = {
|
||||||
follower = {
|
follower = {
|
||||||
inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;
|
publicKeys = [
|
||||||
|
myData.hosts."vno1-oh2.servers.jakst".publicKey
|
||||||
|
myData.hosts."fwminex.motiejus.jakst".publicKey
|
||||||
|
];
|
||||||
|
|
||||||
enable = true;
|
enable = true;
|
||||||
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
||||||
|
@ -23,7 +23,7 @@
|
|||||||
options.mj.services.deployerbot.follower = with lib.types; {
|
options.mj.services.deployerbot.follower = with lib.types; {
|
||||||
enable = lib.mkEnableOption "Allow system to be deployed with deployerbot";
|
enable = lib.mkEnableOption "Allow system to be deployed with deployerbot";
|
||||||
sshAllowSubnets = lib.mkOption {type = listOf str;};
|
sshAllowSubnets = lib.mkOption {type = listOf str;};
|
||||||
publicKey = lib.mkOption {type = str;};
|
publicKeys = lib.mkOption {type = listOf str;};
|
||||||
uidgid = lib.mkOption {type = int;};
|
uidgid = lib.mkOption {type = int;};
|
||||||
};
|
};
|
||||||
|
|
||||||
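Review bot: `publicKeys = lib.mkOption {type = listOf str;};` carries no description, so the new option gives no hint that every entry becomes an authorized key for the follower user, each prefixed with a from= restriction; suggest `publicKeys = lib.mkOption {type = listOf str; description = "SSH public keys allowed to deploy this host; each is restricted with from= to sshAllowSubnets.";};`. Renaming publicKey to publicKeys is a hard evaluation error for any host still setting the old name, which is safer than a silent default, so leaving the option without a `default` looks right.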
@ -129,9 +129,9 @@
|
|||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
uid = cfg.uidgid;
|
uid = cfg.uidgid;
|
||||||
openssh.authorizedKeys.keys = let
|
openssh.authorizedKeys.keys =
|
||||||
restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + cfg.publicKey;
|
map (k: "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + k)
|
||||||
in [restrictedPubKey];
|
cfg.publicKeys;
|
||||||
};
|
};
|
||||||
users.groups.deployerbot-follower.gid = cfg.uidgid;
|
users.groups.deployerbot-follower.gid = cfg.uidgid;
|
||||||
nix.settings.trusted-users = ["deployerbot-follower"];
|
nix.settings.trusted-users = ["deployerbot-follower"];
|
||||||
|
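Review bot: `map (k: "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + k) cfg.publicKeys` accepts an empty list without complaint, so a host with the follower enabled and `publicKeys = []` gets a deployer user with no authorized keys, which only surfaces at the next deploy rather than at evaluation; an assertion next to this user definition, `assertions = [{assertion = cfg.publicKeys != []; message = "mj.services.deployerbot.follower.publicKeys must not be empty";}];`, catches it at build time. The same from= prefix is applied to every key, so all deployers share one source restriction; that matches the hosts in this commit, which all pass the tailscale subnet pattern, but per-key source restrictions are not expressible with this shape. The enclosing config block starts and ends outside the hunk.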