fra1-b: block global sshd

2024-08-27 08:36:02 +03:00 · 2024-08-27 08:36:02 +03:00 · 96a98405ad
commit 96a98405ad
parent d91976dafc
2 changed files with 21 additions and 13 deletions
--- a/hosts/fra1-b/configuration.nix
+++ b/hosts/fra1-b/configuration.nix
@ -70,7 +70,6 @@ in

    services = {
      node_exporter.enable = true;
-      sshguard.enable = true;
      tailscale.enable = true;

      ssh8022.server = {
@ -127,10 +126,7 @@ in
    useDHCP = true;
    firewall = {
      allowedUDPPorts = [ 53 ];
-      allowedTCPPorts = [
-        22
-        53
-      ];
+      allowedTCPPorts = [ 53 ];
    };
  };

--- a/modules/services/ssh8022/default.nix
+++ b/modules/services/ssh8022/default.nix
@ -34,7 +34,18 @@
        cfg = config.mj.services.ssh8022.server;
      in
      lib.mkIf cfg.enable {
-        services.spiped = {
+
+        mj.services.friendlyport.ports = [
+          {
+            subnets = [ myData.subnets.tailscale.cidr ];
+            tcp = [ 22 ];
+          }
+        ];
+
+        services = {
+          openssh.openFirewall = false;
+
+          spiped = {
            enable = true;
            config = {
              ssh8022 = {
@ -45,6 +56,7 @@
              };
            };
          };
+        };
        networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
        systemd.services."spiped@ssh8022" = {
          wantedBy = [ "multi-user.target" ];