From b5b1dbf3fe670b7a8cc3064264d1f48e39cebeac Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Tue, 17 Feb 2026 23:56:46 +0100
Subject: [PATCH 1/2] fix www

---
 hosts/www/openssh.nix | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/hosts/www/openssh.nix b/hosts/www/openssh.nix
index 0a3844f..2a91325 100644
--- a/hosts/www/openssh.nix
+++ b/hosts/www/openssh.nix
@@ -4,19 +4,20 @@
 users = {
 users.deploy = {
 description = "deploys static websites from forgejo";
- shell = "/run/current-system/sw/bin/nologin";
+ shell = pkgs.dash; # gets restricted by authorized_keys
 isSystemUser = true;
 group = "deploy";
- packages = [
- pkgs.rsync
- ];
 openssh.authorizedKeys.keys = [
- #"command='rsync --server --daemon . /srv/http/www/',restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtN5miFqjb585xuM89PXo3yxtY7WS159BvYS26HbZxC git.berlin.ccc.de/cccb/www"
- "command='rsync --server --daemon . /srv/http/www-staging/',restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtN5miFqjb585xuM89PXo3yxtY7WS159BvYS26HbZxC git.berlin.ccc.de/cccb/www"
+ "command=\"${pkgs.rsync}/bin/rsync --server -vlogDtpre.iLsfxCIvu . /srv/http/www/\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM35LG+xuDaoHQ2bYD4eRc3P6Cl3JVYntoP5Gu9R+mZC deploy@www.berlin.ccc.de production"
+ "command=\"${pkgs.rsync}/bin/rsync --server -vlogDtpre.iLsfxCIvu . /srv/http/www-staging/\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjjLtnGf7w5D/ON+P2HpMZ5HA2fWp5YSQMGMuu5CjUt deploy@www.berlin.ccc.de staging"
 ];
- #extraGroups = ["nginx"];
 };
 groups.deploy = {};
 };
+
+ services.openssh.extraConfig = ''
+ Match User deploy
+ Banner none
+ '';
 }

From b6f86709f07ff663ec6a2e619ddc3a4bf0ca2146 Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Tue, 17 Feb 2026 23:56:53 +0100
Subject: [PATCH 2/2] add fw

---
 services/prometheus-node.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/prometheus-node.nix b/services/prometheus-node.nix
index ddb9672..af2c20e 100644
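Review bot: The `Match User deploy` block added through `services.openssh.extraConfig` is open-ended — in sshd_config a Match block extends to the next Match or the end of the file, so any extraConfig text contributed after it by another module or host file would be silently scoped to the deploy user; pinning it with `services.openssh.extraConfig = lib.mkAfter ''…'';` keeps it last (assuming `lib` is in this file's argument set, which is not visible in the hunk). The move from nologin to `pkgs.dash` is needed because sshd runs the forced command through the login shell, but it means the containment of this account now rests entirely on the `command=`/`restrict` options of each key, so a key added later without them would get an interactive shell; a comment on the `openssh.authorizedKeys.keys` list such as `# every key here MUST carry command= and restrict — the shell is real` makes that invariant visible next to where it is enforced. The fixed server option string `-vlogDtpre.iLsfxCIvu` replaces whatever the client asks for, so a client invoked with a different flag set may fail or behave differently than expected; if the deploy job ever needs more than this one invocation, the `rrsync` wrapper that ships with upstream rsync is the usual way to allow a bounded set of options per directory.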
--- a/services/prometheus-node.nix
+++ b/services/prometheus-node.nix
@@ -3,7 +3,7 @@
 {
 services.prometheus.exporters.node = {
 enable = true;
- #listenAddress = "0.0.0.0";
+ openFirewall = true;
 firewallRules = ''
 ip saddr 195.160.173.14/32 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
 ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
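Review bot: `openFirewall = true;` is what makes the existing `firewallRules` block take effect, but those rules are nftables syntax and, as far as I can tell from the NixOS exporters module, are installed via the nftables-only `networking.firewall.extraInputRules`; `networking.nftables.enable` is not visible in this file, so confirm it is set elsewhere, otherwise the iptables-style `firewallFilter` option is the counterpart. Since the option name alone reads like a blanket allow, a one-line comment above it would help the next reader, e.g. `# only reachable from the two monitoring addresses in firewallRules below, not a blanket allow`. The `comment` strings in the two context rules say `monitoring.berlin.ccc.der`, which looks like a typo for `.de`; it is only a label, but it is what will show up in `nft list ruleset` when someone audits the host.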