fra1-b: block global sshd

2024-08-27 08:36:02 +03:00 · 2024-08-27 08:36:02 +03:00 · 96a98405ad
commit 96a98405ad
parent d91976dafc
2 changed files with 21 additions and 13 deletions
--- a/hosts/fra1-b/configuration.nix
+++ b/hosts/fra1-b/configuration.nix
@ -70,7 +70,6 @@ in
    services = {
      node_exporter.enable = true;
      sshguard.enable = true;
      tailscale.enable = true;
      ssh8022.server = {
@ -127,10 +126,7 @@ in
    useDHCP = true;
    firewall = {
      allowedUDPPorts = [ 53 ];
-      allowedTCPPorts = [
+      allowedTCPPorts = [ 53 ];
        22
        53
      ];
    };
  };
--- a/modules/services/ssh8022/default.nix
+++ b/modules/services/ssh8022/default.nix
@ -34,7 +34,18 @@
        cfg = config.mj.services.ssh8022.server;
      in
      lib.mkIf cfg.enable {
-        services.spiped = {
+
        mj.services.friendlyport.ports = [
          {
            subnets = [ myData.subnets.tailscale.cidr ];
            tcp = [ 22 ];
          }
        ];
        services = {
          openssh.openFirewall = false;
          spiped = {
            enable = true;
            config = {
              ssh8022 = {
@ -45,6 +56,7 @@
              };
            };
          };
        };
        networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
        systemd.services."spiped@ssh8022" = {
          wantedBy = [ "multi-user.target" ];