From ad516941e8b5d3d330e2675d76cdad216b19b79b Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Mon, 11 Jan 2021 23:45:06 +0000
Subject: [PATCH] clouvider-lon01: SSH firewalling changes

---
 ops/nixos/clouvider-lon01/default.nix | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix
index 207d9a24ad..300fc16b44 100644
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@@ -121,22 +121,17 @@ in {
 allowedUDPPorts = [
 34197 # factorio
 ];
+ extraCommands = ''
+ # Allow SSH on public interfaces.
+ iptables -A INPUT -p tcp --dport 22 --dst 185.198.188.29 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 22 --dst ${config.my.ip.tailscale} -j ACCEPT
+ ip6tables -A INPUT -p tcp --dport 22 --dst 2a0a:54c0:0:17::2 -j ACCEPT
+ '';
 };
 };
 my.ip.tailscale = "100.79.173.25";
-services.openssh.listenAddresses = [{
- addr = config.my.ip.tailscale; port = 22;
-}] ++ (let
- inherit (builtins) map concatMap;
-in
- map
- (addr: { inherit addr; port = 22; })
- (concatMap
- (intf:
- (map (addr: addr.address) (intf.ipv4.addresses)) ++
- (map (addr: "[${addr.address}]") (intf.ipv6.addresses)))
- (with config.networking.interfaces; [ br-ext ]))));
+services.openssh.openFirewall = true; # TODO: make this false once I know it works
 services.openssh.hostKeys = [
 { path = "/persist/etc/ssh/ssh_host_ed25519_key";