deployerbot: fwminex allows vno1

This commit is contained in:
Motiejus Jakštys 2023-09-18 20:49:17 +03:00
parent ceb7fe191e
commit 4973a1cdd4
6 changed files with 10 additions and 2 deletions


@ -108,7 +108,10 @@ rec {
in
builtins.catAttrs "jakstIP" mHosts;
vno1.cidr = "192.168.189.0/24";
vno1 = {
cidr = "192.168.189.0/24";
sshPattern = "192.168.189.?";
};
vno3.cidr = "192.168.100.0/24";
};
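Review bot: The new `sshPattern = "192.168.189.?";` covers only ten addresses of the subnet named by `cidr`, because in an sshd `from=` pattern `?` matches exactly one character, so any host whose last octet is above 9 is excluded. If that narrowing is intended (only low-numbered hosts act as deployers), a comment on that line would keep a later reader from widening it; if the whole /24 is meant, `192.168.189.*` matches it, or `cidr` itself can be used since sshd's `from=` also accepts address/masklen notation, which would let `sshPattern` be derived from `cidr` instead of maintained by hand. The enclosing attrset (presumably `subnets`) starts before the hunk.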


@ -58,6 +58,7 @@
deployerbot = {
follower = {
enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
};


@ -89,6 +89,7 @@ in {
enable = true;
uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
sshAllowSubnets = with myData.subnets; [tailscale.sshPattern vno1.sshPattern];
};
};
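Review bot: Style: `sshAllowSubnets = with myData.subnets; [tailscale.sshPattern vno1.sshPattern];` opens a `with` scope while the three other followers in this commit write the fully qualified `myData.subnets.tailscale.sshPattern`; for consistency the line can read `sshAllowSubnets = [myData.subnets.tailscale.sshPattern myData.subnets.vno1.sshPattern];`. This is also the only host that now accepts the deployer key from the vno1 LAN rather than from tailscale alone, which is worth a one-line comment above it stating why this host differs. The enclosing `follower` block starts before the hunk.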


@ -196,6 +196,7 @@
follower = {
enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
};


@ -84,6 +84,7 @@
deployerbot = {
follower = {
enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
};


@ -41,6 +41,7 @@ in {
options.mj.services.deployerbot.follower = with lib.types; {
enable = lib.mkEnableOption "Allow system to be deployed with deployerbot";
sshAllowSubnets = lib.mkOption {type = listOf str;};
publicKey = lib.mkOption {type = str;};
uidgid = lib.mkOption {type = int;};
};
@ -126,7 +127,7 @@ in {
createHome = true;
uid = cfg.follower.uidgid;
openssh.authorizedKeys.keys = let
restrictedPubKey = "from=\"${myData.subnets.tailscale.sshPattern}\" " + cfg.follower.publicKey;
restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.follower.sshAllowSubnets}\" " + cfg.follower.publicKey;
in [restrictedPubKey];
};
};
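Review bot: The new `from=` line, `restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.follower.sshAllowSubnets}\" " + cfg.follower.publicKey;`, joins a list the first hunk declares as plain `listOf str`, so an empty list yields `from=""` and an element containing `"`, `,` or whitespace produces an authorized_keys entry sshd cannot parse; the failure mode is a key that cannot log in rather than an over-permissive one, but nothing reports it at build time. Tightening the option to `sshAllowSubnets = lib.mkOption {type = nonEmptyListOf str;};` catches the empty case, and a `description` saying that elements are sshd `from=` patterns (globs or CIDR, without commas or quotes) documents the contract the concatenation relies on. Since `myData` appears to still be in scope in this module (the removed line used it), a `default = [myData.subnets.tailscale.sshPattern];` would also make the identical line that the other follower hosts add in this commit unnecessary. The user definition around the second hunk starts before it.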