deployerbot: fwminex allows vno1

2023-09-18 20:49:17 +03:00 · 2023-09-18 20:49:17 +03:00 · 4973a1cdd4
parent ceb7fe191e
commit 4973a1cdd4
6 changed files with 10 additions and 2 deletions
--- a/data.nix
+++ b/data.nix
@ -108,7 +108,10 @@ rec {
    in
      builtins.catAttrs "jakstIP" mHosts;

-    vno1.cidr = "192.168.189.0/24";
+    vno1 = {
+      cidr = "192.168.189.0/24";
+      sshPattern = "192.168.189.?";
+    };
    vno3.cidr = "192.168.100.0/24";
  };

--- a/hosts/fra1-a/configuration.nix
+++ b/hosts/fra1-a/configuration.nix
@ -58,6 +58,7 @@
      deployerbot = {
        follower = {
          enable = true;
+          sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
          uidgid = myData.uidgid.updaterbot-deployee;
          publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
        };
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
@ -89,6 +89,7 @@ in {
          enable = true;
          uidgid = myData.uidgid.updaterbot-deployee;
          publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
+          sshAllowSubnets = with myData.subnets; [tailscale.sshPattern vno1.sshPattern];
        };
      };

--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@ -196,6 +196,7 @@

        follower = {
          enable = true;
+          sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
          uidgid = myData.uidgid.updaterbot-deployee;
          publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
        };
--- a/hosts/vno3-rp3b/configuration.nix
+++ b/hosts/vno3-rp3b/configuration.nix
@ -84,6 +84,7 @@
      deployerbot = {
        follower = {
          enable = true;
+          sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
          uidgid = myData.uidgid.updaterbot-deployee;
          publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
        };
--- a/modules/services/deployerbot/default.nix
+++ b/modules/services/deployerbot/default.nix
@ -41,6 +41,7 @@ in {

  options.mj.services.deployerbot.follower = with lib.types; {
    enable = lib.mkEnableOption "Allow system to be deployed with deployerbot";
+    sshAllowSubnets = lib.mkOption {type = listOf str;};
    publicKey = lib.mkOption {type = str;};
    uidgid = lib.mkOption {type = int;};
  };
@ -126,7 +127,7 @@ in {
          createHome = true;
          uid = cfg.follower.uidgid;
          openssh.authorizedKeys.keys = let
-            restrictedPubKey = "from=\"${myData.subnets.tailscale.sshPattern}\" " + cfg.follower.publicKey;
+            restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.follower.sshAllowSubnets}\" " + cfg.follower.publicKey;
          in [restrictedPubKey];
        };
      };