treewide: limit rsync pull target access to principal

2026-02-04 01:00:04 +01:00 · 2026-01-31 10:15:17 +09:00
parent c3ce6a40ea
commit 91de031896
8 changed files with 15 additions and 4 deletions
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -56,6 +56,7 @@ in {
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, values, ... }:
 let
  cfg = config.services.vaultwarden;
  domain = "pw.pvv.ntnu.no";
@@ -107,6 +107,7 @@ in {
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
--- a/hosts/bekkalokk/services/webmail/snappymail.nix
+++ b/hosts/bekkalokk/services/webmail/snappymail.nix
@@ -1,4 +1,4 @@
-{ config, lib, fp, pkgs, ... }:
+{ config, lib, fp, pkgs, values, ... }:
 let
  cfg = config.services.snappymail;
 in {
@@ -22,6 +22,7 @@ in {
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -34,6 +34,7 @@ in {
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
--- a/hosts/bicep/services/mysql/backup.nix
+++ b/hosts/bicep/services/mysql/backup.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, values, ... }:
 let
  cfg = config.services.mysql;
  backupDir = "/data/mysql-backups";
@@ -22,6 +22,7 @@ in
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, values, ... }:
 let
  cfg = config.services.postgresql;
  backupDir = "/data/postgresql-backups";
@@ -23,6 +23,7 @@ in
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -202,6 +202,7 @@ in {
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
--- a/values.nix
+++ b/values.nix
@@ -73,6 +73,10 @@ in rec {
      ipv4 = pvv-ipv4 179;
      ipv6 = pvv-ipv6 "1:2";
    };
+    principal = {
+      ipv4 = pvv-ipv4 233;
+      ipv6 = pvv-ipv6 "4:233";
+    };
    ustetind = {
      ipv4 = pvv-ipv4 234;
      ipv6 = pvv-ipv6 234;