From 4973a1cdd4ba1e5927af6f035113933e6bb3ba9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= Date: Mon, 18 Sep 2023 20:49:17 +0300 Subject: [PATCH] deployerbot: fwminex allows vno1 --- data.nix | 5 ++++- hosts/fra1-a/configuration.nix | 1 + hosts/fwminex/configuration.nix | 1 + hosts/vno1-oh2/configuration.nix | 1 + hosts/vno3-rp3b/configuration.nix | 1 + modules/services/deployerbot/default.nix | 3 ++- 6 files changed, 10 insertions(+), 2 deletions(-) diff --git a/data.nix b/data.nix index d48952d..dbfc003 100644 --- a/data.nix +++ b/data.nix @@ -108,7 +108,10 @@ rec { in builtins.catAttrs "jakstIP" mHosts; - vno1.cidr = "192.168.189.0/24"; + vno1 = { + cidr = "192.168.189.0/24"; + sshPattern = "192.168.189.?"; + }; vno3.cidr = "192.168.100.0/24"; }; diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix index 4cf6fd2..6441dbb 100644 --- a/hosts/fra1-a/configuration.nix +++ b/hosts/fra1-a/configuration.nix @@ -58,6 +58,7 @@ deployerbot = { follower = { enable = true; + sshAllowSubnets = [myData.subnets.tailscale.sshPattern]; uidgid = myData.uidgid.updaterbot-deployee; publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; }; diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix index 4885e94..0841796 100644 --- a/hosts/fwminex/configuration.nix +++ b/hosts/fwminex/configuration.nix @@ -89,6 +89,7 @@ in { enable = true; uidgid = myData.uidgid.updaterbot-deployee; publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; + sshAllowSubnets = with myData.subnets; [tailscale.sshPattern vno1.sshPattern]; }; }; diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix index db7c829..085fb34 100644 --- a/hosts/vno1-oh2/configuration.nix +++ b/hosts/vno1-oh2/configuration.nix 
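Review bot: `sshPattern = "192.168.189.?"` only matches 192.168.189.0 through 192.168.189.9, because in an OpenSSH `from=` pattern `?` stands for exactly one character, while the `cidr` attribute declared right above it covers the whole /24. If the full subnet is intended, `from=` also accepts CIDR notation, so `sshPattern = "192.168.189.0/24";` would match `cidr` and keep the two from drifting; `"192.168.189.*"` would work too but a glob over a dotted quad is easier to get subtly wrong. If the narrow match is deliberate, a comment next to it such as `# only .0-.9 on purpose: the deployer hosts live there` would stop the next reader from "fixing" it.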
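Review bot: appending `vno1.sshPattern` to fwminex's list widens where the shared `vno1-oh2` deployer key is accepted from: the other three followers in this commit keep that key Tailscale-only, so fwminex becomes the one host that also lets in a LAN client presenting it, and `from=` checks only the source address, which any device on 192.168.189.0/24 can hold, so the key remains the real gate there. That may well be intended, e.g. to allow deploys when Tailscale is down, but a comment stating the reason, `# also reachable over the vno1 LAN so it can be deployed without tailscale`, would document the exception. Also, here the option is placed after `publicKey` while the other three hosts put it right after `enable = true;`; ordering the four follower blocks the same way makes the diff between them easier to audit.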
@@ -196,6 +196,7 @@ follower = { enable = true; + sshAllowSubnets = [myData.subnets.tailscale.sshPattern]; uidgid = myData.uidgid.updaterbot-deployee; publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; }; diff --git a/hosts/vno3-rp3b/configuration.nix b/hosts/vno3-rp3b/configuration.nix index 00cc78d..2f5aa0e 100644 --- a/hosts/vno3-rp3b/configuration.nix +++ b/hosts/vno3-rp3b/configuration.nix @@ -84,6 +84,7 @@ deployerbot = { follower = { enable = true; + sshAllowSubnets = [myData.subnets.tailscale.sshPattern]; uidgid = myData.uidgid.updaterbot-deployee; publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; }; diff --git a/modules/services/deployerbot/default.nix b/modules/services/deployerbot/default.nix index 258a6a2..0c88f63 100644 --- a/modules/services/deployerbot/default.nix +++ b/modules/services/deployerbot/default.nix @@ -41,6 +41,7 @@ in { options.mj.services.deployerbot.follower = with lib.types; { enable = lib.mkEnableOption "Allow system to be deployed with deployerbot"; + sshAllowSubnets = lib.mkOption {type = listOf str;}; publicKey = lib.mkOption {type = str;}; uidgid = lib.mkOption {type = int;}; }; @@ -126,7 +127,7 @@ in { createHome = true; uid = cfg.follower.uidgid; openssh.authorizedKeys.keys = let - restrictedPubKey = "from=\"${myData.subnets.tailscale.sshPattern}\" " + cfg.follower.publicKey; + restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.follower.sshAllowSubnets}\" " + cfg.follower.publicKey; in [restrictedPubKey]; }; };
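Review bot: `sshAllowSubnets` is declared with neither a `description` nor a `default`, and `listOf str` admits `[]`, which the `restrictedPubKey` line in the next hunk turns into `from=""`; whether sshd then rejects the key or matches nothing should not be left for a host config to discover, so `sshAllowSubnets = lib.mkOption {type = nonEmptyListOf str; description = "OpenSSH from= patterns (globs or CIDR) the deployer may connect from";};` would fail at evaluation time instead and also tell callers these are sshd patterns rather than plain CIDRs (`with lib.types;` is already in scope). The enclosing `options.mj.services.deployerbot.follower` set closes outside this hunk.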
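Review bot: the new `restrictedPubKey` line joins every entry of `sshAllowSubnets` with `,` and no validation or quoting, so a pattern containing `,`, `"` or whitespace would produce an authorized_keys entry that sshd would likely reject outright, silently locking the deployer out of that host; either constrain the option type or note the requirement in a comment, `# each entry must be a single sshd from= pattern: no commas, quotes or spaces`. Separately, `from=` is the only option on the key; if the follower just needs to run the deployment, prefixing `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,` (or `restrict,pty,` if a pty is required) would bound what the key can do beyond the source check, though whether deployerbot depends on forwarding is not visible here. The `users.users` entry this sits in begins and ends outside the hunk.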