clouvider-lon01: SSH firewalling changes
This commit is contained in:
parent
a1c9917c4c
commit
ad516941e8
1 changed files with 7 additions and 12 deletions
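--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -121,22 +121,17 @@ in {
 allowedUDPPorts = [
 34197 # factorio
 ];
+extraCommands = ''
+# Allow SSH on public interfaces.
+iptables -A INPUT -p tcp --dport 22 --dst 185.198.188.29 -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 --dst ${config.my.ip.tailscale} -j ACCEPT
+ip6tables -A INPUT -p tcp --dport 22 --dst 2a0a:54c0:0:17::2 -j ACCEPT
+'';
 };
 };
 my.ip.tailscale = "100.79.173.25";
 
-services.openssh.listenAddresses = [{
-addr = config.my.ip.tailscale; port = 22;
-}] ++ (let
-inherit (builtins) map concatMap;
-in
-map
-(addr: { inherit addr; port = 22; })
-(concatMap
-(intf:
-(map (addr: addr.address) (intf.ipv4.addresses)) ++
-(map (addr: "[${addr.address}]") (intf.ipv6.addresses)))
-(with config.networking.interfaces; [ br-ext ])));
+services.openssh.openFirewall = true; # TODO: make this false once I know it works
 services.openssh.hostKeys = [
 {
 path = "/persist/etc/ssh/ssh_host_ed25519_key";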
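Review bot: The `services.openssh.openFirewall = true;` line adds port 22 to allowedTCPPorts on every interface, so the three destination-scoped ACCEPT rules added in `extraCommands` restrict nothing while it stays set, and with `listenAddresses` removed sshd now binds all addresses, leaving the firewall as the only control; the TODO says as much, but I would not land it true — switch to `services.openssh.openFirewall = false;` once `iptables -S INPUT` confirms the explicit rules are in place. The rules are appended to INPUT with `-A`, so whether they are evaluated before the jump to the module's `nixos-fw` chain depends on the firewall script's ordering, and since the module's stop script appears to flush only its own chains they will likely accumulate across restarts unless matching `-D` lines go in `networking.firewall.extraStopCommands` (or the rules are appended to `nixos-fw` instead) — worth verifying on the host. The two public addresses are now hard-coded where the removed code derived them from `config.networking.interfaces.br-ext`; a comment naming the interface they belong to would help whoever renumbers the host later. The enclosing attribute set begins and ends outside the hunk.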