From 91de031896f7fe03bdd36248cee1e3de2652917e Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sat, 31 Jan 2026 10:15:17 +0900
Subject: [PATCH] treewide: limit rsync pull target access to principal
---
 hosts/bekkalokk/services/mediawiki/default.nix | 1 +
 hosts/bekkalokk/services/vaultwarden.nix | 3 ++-
 hosts/bekkalokk/services/webmail/snappymail.nix | 3 ++-
 hosts/bicep/services/matrix/synapse.nix | 1 +
 hosts/bicep/services/mysql/backup.nix | 3 ++-
 hosts/bicep/services/postgresql/backup.nix | 3 ++-
 hosts/kommode/services/gitea/default.nix | 1 +
 values.nix | 4 ++++
 8 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/hosts/bekkalokk/services/mediawiki/default.nix b/hosts/bekkalokk/services/mediawiki/default.nix
index d02a17b..6ce000f 100644
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -56,6 +56,7 @@ in {
 rrsyncArgs.ro = true;
 authorizedKeysAttrs = [
 "restrict"
+ "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
 "no-agent-forwarding"
 "no-port-forwarding"
 "no-pty"
diff --git a/hosts/bekkalokk/services/vaultwarden.nix b/hosts/bekkalokk/services/vaultwarden.nix
index c9626e0..f552c69 100644
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, values, ... }:
 let
 cfg = config.services.vaultwarden;
 domain = "pw.pvv.ntnu.no";
@@ -107,6 +107,7 @@ in {
 rrsyncArgs.ro = true;
 authorizedKeysAttrs = [
 "restrict"
+ "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
 "no-agent-forwarding"
 "no-port-forwarding"
 "no-pty"
diff --git a/hosts/bekkalokk/services/webmail/snappymail.nix b/hosts/bekkalokk/services/webmail/snappymail.nix
index 864b6d9..3b8e5b5 100644
--- a/hosts/bekkalokk/services/webmail/snappymail.nix
+++ b/hosts/bekkalokk/services/webmail/snappymail.nix
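Review bot: The hostname entry `principal.pvv.ntnu.no` in the new `from=` line only participates in the match if the receiving host's sshd runs with `UseDNS yes`; under the OpenSSH default `UseDNS no`, `from=` patterns are compared against the client address only, so the effective gate on this key is just `${values.hosts.principal.ipv6}` and `${values.hosts.principal.ipv4}`, and the name reads as a second check that is not really there. That is still a sound fail-closed restriction, but I'd either drop the hostname or put a comment above the line, `# hostname only matches with UseDNS enabled; the two addresses are the effective restriction`, so nobody later relies on it. The same literal is repeated verbatim in the vaultwarden, snappymail, synapse, mysql backup, postgresql backup and gitea hunks; a single string defined once in `values.nix` next to the `principal` addresses (e.g. a `principal`-scoped attribute, name to be chosen) and interpolated from each module would keep the seven copies from drifting when the addresses change. I cannot see the sshd configuration of these hosts, so the `UseDNS` setting is an assumption to confirm; the enclosing `authorizedKeysAttrs` attribute set also begins and ends outside the hunk.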
@@ -1,4 +1,4 @@
-{ config, lib, fp, pkgs, ... }:
+{ config, lib, fp, pkgs, values, ... }:
 let
 cfg = config.services.snappymail;
 in {
@@ -22,6 +22,7 @@ in {
 rrsyncArgs.ro = true;
 authorizedKeysAttrs = [
 "restrict"
+ "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
 "no-agent-forwarding"
 "no-port-forwarding"
 "no-pty"
diff --git a/hosts/bicep/services/matrix/synapse.nix b/hosts/bicep/services/matrix/synapse.nix
index d9d5d93..c9a055d 100644
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -34,6 +34,7 @@ in {
 rrsyncArgs.ro = true;
 authorizedKeysAttrs = [
 "restrict"
+ "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
 "no-agent-forwarding"
 "no-port-forwarding"
 "no-pty"
diff --git a/hosts/bicep/services/mysql/backup.nix b/hosts/bicep/services/mysql/backup.nix
index 1ff47c2..2936a2a 100644
--- a/hosts/bicep/services/mysql/backup.nix
+++ b/hosts/bicep/services/mysql/backup.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, values, ... }:
 let
 cfg = config.services.mysql;
 backupDir = "/data/mysql-backups";
@@ -22,6 +22,7 @@ in
 rrsyncArgs.ro = true;
 authorizedKeysAttrs = [
 "restrict"
+ "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
 "no-agent-forwarding"
 "no-port-forwarding"
 "no-pty"
diff --git a/hosts/bicep/services/postgresql/backup.nix b/hosts/bicep/services/postgresql/backup.nix
index 9ccc4ef..ebb508a 100644
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, values, ... }:
 let
 cfg = config.services.postgresql;
 backupDir = "/data/postgresql-backups";
@@ -23,6 +23,7 @@ in
 rrsyncArgs.ro = true;
 authorizedKeysAttrs = [
 "restrict"
+ "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
 "no-agent-forwarding"
 "no-port-forwarding"
 "no-pty"
diff --git a/hosts/kommode/services/gitea/default.nix b/hosts/kommode/services/gitea/default.nix
index 6d0392f..55d40a5 100644
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -202,6 +202,7 @@ in {
 rrsyncArgs.ro = true;
 authorizedKeysAttrs = [
 "restrict"
+ "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
 "no-agent-forwarding"
 "no-port-forwarding"
 "no-pty"
diff --git a/values.nix b/values.nix
index 479eb47..6b3c6e0 100644
--- a/values.nix
+++ b/values.nix
@@ -73,6 +73,10 @@ in rec {
 ipv4 = pvv-ipv4 179;
 ipv6 = pvv-ipv6 "1:2";
 };
+ principal = {
+ ipv4 = pvv-ipv4 233;
+ ipv6 = pvv-ipv6 "4:233";
+ };
 ustetind = {
 ipv4 = pvv-ipv4 234;
 ipv6 = pvv-ipv6 234;
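Review bot: The new `principal` entry in `values.nix` is now load-bearing for access control — its `ipv4` and `ipv6` are interpolated into the SSH `from=` restriction on every rsync pull key touched by this commit — but nothing at the definition says so, so a future edit of these two lines would silently change which host is allowed to pull backups (a wrong address fails closed and breaks the pulls; a reassigned address would admit whatever now holds it). I'd add a comment above `principal = {`, `# referenced by from= in the rsync pull authorizedKeysAttrs; changing these addresses changes who may pull backups`, so the coupling is visible where the values live. The surrounding `hosts` attribute set begins outside the hunk, so I can't tell whether a sibling entry already carries a similar note.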