hosts/www/openssh.nix

@@ -4,20 +4,19 @@
   users = {
     users.deploy = {
       description = "deploys static websites from forgejo";
-      shell = pkgs.dash; # gets restricted by authorized_keys
+      shell = "/run/current-system/sw/bin/nologin";
       isSystemUser = true;
       group = "deploy";
-      openssh.authorizedKeys.keys = [
+      packages = [
-        "command=\"${pkgs.rsync}/bin/rsync --server -vlogDtpre.iLsfxCIvu . /srv/http/www/\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM35LG+xuDaoHQ2bYD4eRc3P6Cl3JVYntoP5Gu9R+mZC deploy@www.berlin.ccc.de production"
+        pkgs.rsync
-        "command=\"${pkgs.rsync}/bin/rsync --server -vlogDtpre.iLsfxCIvu . /srv/http/www-staging/\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjjLtnGf7w5D/ON+P2HpMZ5HA2fWp5YSQMGMuu5CjUt deploy@www.berlin.ccc.de staging"
       ];
+      openssh.authorizedKeys.keys = [
+        #"command='rsync --server --daemon . /srv/http/www/',restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtN5miFqjb585xuM89PXo3yxtY7WS159BvYS26HbZxC git.berlin.ccc.de/cccb/www"
+        "command='rsync --server --daemon . /srv/http/www-staging/',restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtN5miFqjb585xuM89PXo3yxtY7WS159BvYS26HbZxC git.berlin.ccc.de/cccb/www"
+      ];
+      #extraGroups = ["nginx"];
     };
     groups.deploy = {};
   };
-
-  services.openssh.extraConfig = ''
-    Match User deploy
-      Banner none
-  '';
 }
 

services/prometheus-node.nix

@@ -3,7 +3,7 @@
 {
   services.prometheus.exporters.node = {
     enable = true;
-    openFirewall = true;
+    #listenAddress = "0.0.0.0";
     firewallRules = ''
       ip saddr 195.160.173.14/32 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
       ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"