fra1-b: block global sshd

2024-08-27 08:36:02 +03:00 · 2024-08-27 08:36:02 +03:00 · 96a98405ad
commit 96a98405ad
parent d91976dafc
2 changed files with 21 additions and 13 deletions
--- a/hosts/fra1-b/configuration.nix
+++ b/hosts/fra1-b/configuration.nix
@ -70,7 +70,6 @@ in

    services = {
      node_exporter.enable = true;
-      sshguard.enable = true;
      tailscale.enable = true;

      ssh8022.server = {
@ -127,10 +126,7 @@ in
    useDHCP = true;
    firewall = {
      allowedUDPPorts = [ 53 ];
-      allowedTCPPorts = [
-        22
-        53
-      ];
+      allowedTCPPorts = [ 53 ];
    };
  };

--- a/modules/services/ssh8022/default.nix
+++ b/modules/services/ssh8022/default.nix
@ -34,14 +34,26 @@
        cfg = config.mj.services.ssh8022.server;
      in
      lib.mkIf cfg.enable {
-        services.spiped = {
-          enable = true;
-          config = {
-            ssh8022 = {
-              inherit (cfg) keyfile;
-              decrypt = true;
-              source = "[0.0.0.0]:8022";
-              target = "127.0.0.1:22";
+
+        mj.services.friendlyport.ports = [
+          {
+            subnets = [ myData.subnets.tailscale.cidr ];
+            tcp = [ 22 ];
+          }
+        ];
+
+        services = {
+          openssh.openFirewall = false;
+
+          spiped = {
+            enable = true;
+            config = {
+              ssh8022 = {
+                inherit (cfg) keyfile;
+                decrypt = true;
+                source = "[0.0.0.0]:8022";
+                target = "127.0.0.1:22";
+              };
            };
          };
        };