From 07b76f5cf9a2980450a04198c9d23c03082c0c30 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 7 Nov 2020 14:20:46 +0000
Subject: [PATCH] clouvider-lon01: only listen on specified IPs

---
 ops/nixos/clouvider-lon01/default.nix | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix
index b93099d110..8db722fc4a 100644
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@@ -110,14 +110,28 @@ in {
 map (n: { address = "92.118.29.${toString n}"; prefixLength = 32; }) (lib.range 225 253));
 ipv6.addresses = [{ address = "::1"; prefixLength = 128; }];
 };
- firewall.allowPing = true;
- firewall.allowedTCPPorts = [
- 80 443 # HTTP/nginx
- 6697 # znc
- ];
+ firewall = {
+ allowPing = true;
+ allowedTCPPorts = [
+ 80 443 # HTTP/nginx
+ 6697 # znc
+ ];
+ };
 };
 my.ip.tailscale = "100.79.173.25";
+ services.openssh.listenAddresses = [{
+ addr = config.my.ip.tailscale; port = 22;
+ }] ++ (let
+ inherit (builtins) map concatMap;
+ in
+ map
+ (addr: { inherit addr; port = 22; })
+ (concatMap
+ (intf:
+ (map (addr: addr.address) (intf.ipv4.addresses)) ++
+ (map (addr: "[${addr.address}]") (intf.ipv6.addresses)))
+ (with config.networking.interfaces; [ br-ext ])));
 services.openssh.hostKeys = [
 { path = "/persist/etc/ssh/ssh_host_ed25519_key";