fra1-b: block global sshd

Motiejus Jakštys 2024-08-27 08:36:02 +03:00
parent d91976dafc
commit 96a98405ad
2 changed files with 21 additions and 13 deletions


@ -70,7 +70,6 @@ in
services = {
node_exporter.enable = true;
sshguard.enable = true;
tailscale.enable = true;
ssh8022.server = {
@ -127,10 +126,7 @@ in
useDHCP = true;
firewall = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [
22
53
];
allowedTCPPorts = [ 53 ];
};
};
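Review bot: Dropping `22` from `allowedTCPPorts` in the second hunk leaves nothing in this host file that says how sshd is still reachable, so a comment beside the firewall block would help, for example `# sshd: no public 22; reachable from the tailscale subnet and via spiped (see ssh8022 module)`. The removal only takes effect together with `openssh.openFirewall = false` in the ssh8022 module, because the NixOS openssh module otherwise opens its own ports. A working tailscale or spiped path should be confirmed before activation, since afterwards there is no public fallback on 22. The enclosing attribute sets start and end outside the lines shown.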


@ -34,7 +34,18 @@
cfg = config.mj.services.ssh8022.server;
in
lib.mkIf cfg.enable {
services.spiped = {
mj.services.friendlyport.ports = [
{
subnets = [ myData.subnets.tailscale.cidr ];
tcp = [ 22 ];
}
];
services = {
openssh.openFirewall = false;
spiped = {
enable = true;
config = {
ssh8022 = {
@ -45,6 +56,7 @@
};
};
};
};
networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
systemd.services."spiped@ssh8022" = {
wantedBy = [ "multi-user.target" ];
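Review bot: `tcp = [ 22 ];` in the first hunk hard-codes the sshd port, so the friendlyport rule and the daemon drift apart if `services.openssh.ports` is ever changed; `tcp = config.services.openssh.ports;` would keep them tied, assuming friendlyport accepts the same list type. Setting `openssh.openFirewall = false` inside this module is a host-wide side effect of enabling ssh8022 and deserves a line in the option description, such as `Enabling this closes public access to sshd; port 22 stays reachable from the tailscale subnet only.` After this change the only publicly reachable path is spiped on `myData.ports.ssh8022`, so access control rests on the spiped key file, whose permissions and rotation are not visible in these hunks. The `lib.mkIf` body continues past the lines shown.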