diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix
index 207d9a24ad..300fc16b44 100644
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@@ -121,22 +121,17 @@ in {
 allowedUDPPorts = [
 34197 # factorio
 ];
+ extraCommands = ''
+ # Allow SSH on public interfaces.
+ iptables -A INPUT -p tcp --dport 22 --dst 185.198.188.29 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 22 --dst ${config.my.ip.tailscale} -j ACCEPT
+ ip6tables -A INPUT -p tcp --dport 22 --dst 2a0a:54c0:0:17::2 -j ACCEPT
+ '';
 };
 };
 my.ip.tailscale = "100.79.173.25";
- services.openssh.listenAddresses = [{
- addr = config.my.ip.tailscale; port = 22;
- }] ++ (let
- inherit (builtins) map concatMap;
- in
- map
- (addr: { inherit addr; port = 22; })
- (concatMap
- (intf:
- (map (addr: addr.address) (intf.ipv4.addresses)) ++
- (map (addr: "[${addr.address}]") (intf.ipv6.addresses)))
- (with config.networking.interfaces; [ br-ext ])));
+ services.openssh.openFirewall = true; # TODO: make this false once I know it works
 services.openssh.hostKeys = [ { path = "/persist/etc/ssh/ssh_host_ed25519_key";