clouvider-lon01: SSH firewalling changes
parent
a1c9917c4c
commit
ad516941e8
1 changed files with 7 additions and 12 deletions
@ -121,22 +121,17 @@ in {
allowedUDPPorts = [
34197 # factorio
];
extraCommands = ''
# Allow SSH on public interfaces.
iptables -A INPUT -p tcp --dport 22 --dst 185.198.188.29 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --dst ${config.my.ip.tailscale} -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 --dst 2a0a:54c0:0:17::2 -j ACCEPT
'';
};
};
my.ip.tailscale = "100.79.173.25";
|
services.openssh.listenAddresses = [{
addr = config.my.ip.tailscale; port = 22;
}] ++ (let
inherit (builtins) map concatMap;
in
map
(addr: { inherit addr; port = 22; })
(concatMap
(intf:
(map (addr: addr.address) (intf.ipv4.addresses)) ++
(map (addr: "[${addr.address}]") (intf.ipv6.addresses)))
(with config.networking.interfaces; [ br-ext ])));
services.openssh.openFirewall = true; # TODO: make this false once I know it works
services.openssh.hostKeys = [
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
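Review bot: The destination-scoped SSH ACCEPT rules in `extraCommands` (the two `iptables ... --dport 22 --dst ...` lines and the `ip6tables` line) have no restricting effect for as long as `services.openssh.openFirewall = true;` is set, because that option adds port 22 to `networking.firewall.allowedTCPPorts`, which accepts it on every interface and address; the TODO on that line already records this, and the check that it "works" is simply that sshd binds only the `listenAddresses` given below, after which the line should become `services.openssh.openFirewall = false;`. A smaller consistency point: the public IPv4 and IPv6 destinations are hard-coded in the rules while `listenAddresses` derives its addresses from `config.networking.interfaces.br-ext`, so the firewall rules and the listener can silently diverge if `br-ext`'s addresses change; deriving the `--dst` values from the same interface attribute would keep the two in step. The rendered page gives no old/new marker per line, so I cannot tell which of these lines are on the new side, and the enclosing attribute set begins outside the hunk (`in {` at the hunk header).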