felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-02-04 09:10:01 +01:00
Code Issues Projects Releases Wiki Activity

treewide: limit rsync pull target access to principal

Browse Source
This commit is contained in:
h7x4
2026-01-31 10:15:17 +09:00
parent c3ce6a40ea
commit 91de031896
8 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -56,6 +56,7 @@ in {
rrsyncArgs.ro = true; rrsyncArgs.ro = true;
authorizedKeysAttrs = [ authorizedKeysAttrs = [
"restrict" "restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding" "no-agent-forwarding"
"no-port-forwarding" "no-port-forwarding"
"no-pty" "no-pty"

3
hosts/bekkalokk/services/vaultwarden.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, values, ... }:
let let
cfg = config.services.vaultwarden; cfg = config.services.vaultwarden;
domain = "pw.pvv.ntnu.no"; domain = "pw.pvv.ntnu.no";
@@ -107,6 +107,7 @@ in {
rrsyncArgs.ro = true; rrsyncArgs.ro = true;
authorizedKeysAttrs = [ authorizedKeysAttrs = [
"restrict" "restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding" "no-agent-forwarding"
"no-port-forwarding" "no-port-forwarding"
"no-pty" "no-pty"

3
hosts/bekkalokk/services/webmail/snappymail.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, fp, pkgs, ... }: { config, lib, fp, pkgs, values, ... }:
let let
cfg = config.services.snappymail; cfg = config.services.snappymail;
in { in {
@@ -22,6 +22,7 @@ in {
rrsyncArgs.ro = true; rrsyncArgs.ro = true;
authorizedKeysAttrs = [ authorizedKeysAttrs = [
"restrict" "restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding" "no-agent-forwarding"
"no-port-forwarding" "no-port-forwarding"
"no-pty" "no-pty"

1
hosts/bicep/services/matrix/synapse.nix
View File

@@ -34,6 +34,7 @@ in {
rrsyncArgs.ro = true; rrsyncArgs.ro = true;
authorizedKeysAttrs = [ authorizedKeysAttrs = [
"restrict" "restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding" "no-agent-forwarding"
"no-port-forwarding" "no-port-forwarding"
"no-pty" "no-pty"

3
hosts/bicep/services/mysql/backup.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, values, ... }:
let let
cfg = config.services.mysql; cfg = config.services.mysql;
backupDir = "/data/mysql-backups"; backupDir = "/data/mysql-backups";
@@ -22,6 +22,7 @@ in
rrsyncArgs.ro = true; rrsyncArgs.ro = true;
authorizedKeysAttrs = [ authorizedKeysAttrs = [
"restrict" "restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding" "no-agent-forwarding"
"no-port-forwarding" "no-port-forwarding"
"no-pty" "no-pty"

3
hosts/bicep/services/postgresql/backup.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, values, ... }:
let let
cfg = config.services.postgresql; cfg = config.services.postgresql;
backupDir = "/data/postgresql-backups"; backupDir = "/data/postgresql-backups";
@@ -23,6 +23,7 @@ in
rrsyncArgs.ro = true; rrsyncArgs.ro = true;
authorizedKeysAttrs = [ authorizedKeysAttrs = [
"restrict" "restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding" "no-agent-forwarding"
"no-port-forwarding" "no-port-forwarding"
"no-pty" "no-pty"

1
hosts/kommode/services/gitea/default.nix
View File

@@ -202,6 +202,7 @@ in {
rrsyncArgs.ro = true; rrsyncArgs.ro = true;
authorizedKeysAttrs = [ authorizedKeysAttrs = [
"restrict" "restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding" "no-agent-forwarding"
"no-port-forwarding" "no-port-forwarding"
"no-pty" "no-pty"

4
values.nix
View File

@@ -73,6 +73,10 @@ in rec {
ipv4 = pvv-ipv4 179; ipv4 = pvv-ipv4 179;
ipv6 = pvv-ipv6 "1:2"; ipv6 = pvv-ipv6 "1:2";
}; };
principal = {
ipv4 = pvv-ipv4 233;
ipv6 = pvv-ipv6 "4:233";
};
ustetind = { ustetind = {
ipv4 = pvv-ipv4 234; ipv4 = pvv-ipv4 234;
ipv6 = pvv-ipv6 234; ipv6 = pvv-ipv6 234;