treewide: limit rsync pull target access to principal

2026-02-04 09:10:01 +01:00 · 2026-01-31 10:15:17 +09:00
parent c3ce6a40ea
commit 91de031896
8 changed files with 15 additions and 4 deletions
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, values, ... }:
 let
  cfg = config.services.postgresql;
  backupDir = "/data/postgresql-backups";
@@ -23,6 +23,7 @@ in
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"