knot: fix preStart after hardening

[sourcephile-nix.git] / hosts / losurdo / nginx / sourcephile.fr / nix-serve.nix

diff --git a/hosts/losurdo/nginx/sourcephile.fr/nix-serve.nix b/hosts/losurdo/nginx/sourcephile.fr/nix-serve.nix
index 69eb695061a390526baf9166ac5eb28421487b71..cad6ef350c1a25cc26d399f4ac116b5061c9a795 100644 (file)
--- a/hosts/losurdo/nginx/sourcephile.fr/nix-serve.nix
+++ b/hosts/losurdo/nginx/sourcephile.fr/nix-serve.nix
@@ -1,5 +1,5 @@
 { domain, ... }:
-{ pkgs, lib, config, hostName, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
 let
   inherit (config) networking;
   inherit (config.security) gnupg;
@@ -27,6 +27,16 @@ services.nix-serve = {
   secretKeyFile = gnupg.secrets."nix/binary-cache-key/1".path;
   bindAddress = "127.0.0.1";
 };
+nix.allowedUsers = [ users."nix-ssh".name ];
+nix.sshServe = {
+  enable = true;
+  keys = map lib.readFile [
+    (inputs.secrets + "/members/ssh/julm-losurdo.pub")
+    (inputs.secrets + "/members/ssh/julm-oignon.pub")
+    (inputs.secrets + "/members/ssh/sevy-patate.pub")
+  ];
+};
+
 services.nginx = let virtualHost = priority:
   {
     extraConfig = ''