fra1-b: block global sshd

Motiejus Jakštys 2024-08-27 08:36:02 +03:00
parent d91976dafc
commit 96a98405ad
2 changed files with 21 additions and 13 deletions


@ -70,7 +70,6 @@ in
services = { services = {
node_exporter.enable = true; node_exporter.enable = true;
sshguard.enable = true;
tailscale.enable = true; tailscale.enable = true;
ssh8022.server = { ssh8022.server = {
@ -127,10 +126,7 @@ in
useDHCP = true; useDHCP = true;
firewall = { firewall = {
allowedUDPPorts = [ 53 ]; allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ allowedTCPPorts = [ 53 ];
22
53
];
}; };
}; };
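Review bot: Port 22 drops out of `allowedTCPPorts` here with no comment saying where SSH is opened instead, so someone reading this host file alone cannot tell how the machine stays reachable. It appears to rely on the `ssh8022.server` module, changed in the same commit, to add a tailscale-only rule for 22; if that module were ever disabled on this host, direct SSH would be closed entirely. I would add a comment above the firewall block such as `# tcp/22 is opened only for the tailscale subnet by mj.services.ssh8022.server`. Removing `sshguard.enable` looks consistent with sshd no longer being publicly reachable, and the same comment could record that reasoning. The enclosing attribute sets begin and end outside the hunk.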


@ -34,14 +34,26 @@
cfg = config.mj.services.ssh8022.server; cfg = config.mj.services.ssh8022.server;
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
services.spiped = {
enable = true; mj.services.friendlyport.ports = [
config = { {
ssh8022 = { subnets = [ myData.subnets.tailscale.cidr ];
inherit (cfg) keyfile; tcp = [ 22 ];
decrypt = true; }
source = "[0.0.0.0]:8022"; ];
target = "127.0.0.1:22";
services = {
openssh.openFirewall = false;
spiped = {
enable = true;
config = {
ssh8022 = {
inherit (cfg) keyfile;
decrypt = true;
source = "[0.0.0.0]:8022";
target = "127.0.0.1:22";
};
}; };
}; };
}; };
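Review bot: `openssh.openFirewall = false;` only stops the openssh module from adding 22 to the firewall, and nothing in this hunk changes where sshd listens, so the tailscale-only restriction rests entirely on the `friendlyport` rule and on the firewall being active. A comment on that line would make the intent explicit, e.g. `# 22 is reachable only from the tailscale subnet (friendlyport above) and from spiped on loopback`. Separately, spiped still listens on `[0.0.0.0]:8022` and forwards to `127.0.0.1:22`, so sshd will presumably log every tunnelled login as coming from 127.0.0.1, and that path is gated by the spiped keyfile before SSH authentication. That is worth stating in the module so nobody later re-adds address-based controls such as sshguard expecting them to see real client addresses. Whether 8022 itself is opened in the firewall is not visible in this hunk.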