commit 0e48ec63f46f280982fe8226348bb6e8f693d5ef (tree)
parent 96a98405ad29609303fae8ef74349d30988b4a53
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date: Tue, 27 Aug 2024 08:39:32 +0300
ssh8022: opn global firewall by default
Diffstat:
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/hosts/fra1-b/configuration.nix b/hosts/fra1-b/configuration.nix
@@ -75,6 +75,7 @@ in
ssh8022.server = {
enable = true;
keyfile = config.age.secrets.ssh8022-server.path;
+ openGlobalFirewall = false;
};
remote-builder.server = {
diff --git a/modules/services/ssh8022/default.nix b/modules/services/ssh8022/default.nix
@@ -14,6 +14,10 @@
server = {
enable = lib.mkEnableOption "Enable ssh8022 server";
keyfile = lib.mkOption { type = str; };
+ openGlobalFirewall = lib.mkOption {
+ type = bool;
+ default = true;
+ };
};
};
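Review bot: The new `openGlobalFirewall` option has no `description` and defaults to `true`. Any host that enables `ssh8022.server` without setting it therefore gets `openssh.openFirewall = true` and loses the tailscale-only rule for tcp 22 (both in the later hunks of this file). Only fra1-b is opted out in this commit. If other hosts use this module, a fail-closed `default = false;` with an explicit opt-in per host would avoid widening exposure silently. Either way the option should say what it does, e.g. `description = "Open the OpenSSH port in the firewall for all sources; when false it is allowed only from the tailscale subnet.";`. The surrounding `options` block starts outside this hunk.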
@@ -35,7 +39,7 @@
in
lib.mkIf cfg.enable {
- mj.services.friendlyport.ports = [
+ mj.services.friendlyport.ports = lib.mkIf (!cfg.openGlobalFirewall) [
{
subnets = [ myData.subnets.tailscale.cidr ];
tcp = [ 22 ];
@@ -43,7 +47,7 @@
];
services = {
- openssh.openFirewall = false;
+ openssh.openFirewall = cfg.openGlobalFirewall;
spiped = {
enable = true;