clouvider-lon01: SSH firewalling changes

This commit is contained in:
Luke Granger-Brown 2021-01-11 23:45:06 +00:00
parent a1c9917c4c
commit ad516941e8


@ -121,22 +121,17 @@ in {
allowedUDPPorts = [
34197 # factorio
];
extraCommands = ''
# Allow SSH on public interfaces.
iptables -A INPUT -p tcp --dport 22 --dst 185.198.188.29 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --dst ${config.my.ip.tailscale} -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 --dst 2a0a:54c0:0:17::2 -j ACCEPT
'';
};
};
my.ip.tailscale = "100.79.173.25";
services.openssh.listenAddresses = [{
addr = config.my.ip.tailscale; port = 22;
}] ++ (let
inherit (builtins) map concatMap;
in
map
(addr: { inherit addr; port = 22; })
(concatMap
(intf:
(map (addr: addr.address) (intf.ipv4.addresses)) ++
(map (addr: "[${addr.address}]") (intf.ipv6.addresses)))
(with config.networking.interfaces; [ br-ext ])));
services.openssh.openFirewall = true; # TODO: make this false once I know it works
services.openssh.hostKeys = [
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
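Review bot: `services.openssh.openFirewall = true; # TODO: make this false once I know it works` opens port 22 in the NixOS firewall on every interface, so the address scoping in `services.openssh.listenAddresses` is enforced only by sshd's bind and not by packet filtering, and since that expression also appends every `br-ext` IPv4/IPv6 address, SSH stays reachable from the public side regardless. If the goal is Tailscale-only administrative access, the `listenAddresses` list should drop the `br-ext` entries and the TODO should be resolved by scoping the firewall rule to `config.my.ip.tailscale`, as the per-destination `extraCommands` rules in this hunk do. The `+`/`-` markers are lost on this rendering, so I cannot be certain which of these lines are the new side; the enclosing `in {` attribute set starts before and ends after the hunk.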