From 1d831a1297d87d814bfeac11264b0c3aa565f7a7 Mon Sep 17 00:00:00 2001
From: Dustin Frisch <fooker@lab.sh>
Date: Thu, 16 May 2024 23:34:13 +0200
Subject: [PATCH] nodes: allow ssh only for vip cluster users

---
 machines/node/users.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/machines/node/users.nix b/machines/node/users.nix
index a3e8cec..4dbcff3 100644
--- a/machines/node/users.nix
+++ b/machines/node/users.nix
@@ -23,7 +23,9 @@ with lib;
     extraConfig = ''
       IgnoreRhosts no
 
-      Match Group cluster
+      DenyGroups !vip,cluster
+
+      Match Group vip
         HostbasedAuthentication yes
         HostbasedAcceptedAlgorithms ssh-ed25519*
         HostbasedUsesNameFromPacketOnly yes