commit c05db6d30f9cf7c7147f8c4b746e6134e61cce96 parent d001e1f9b3ac52da5b2b7b3749033515a72e5829 Author: Vincent Demeester <vincent@sbr.pm> Date: Sat, 11 Sep 2021 14:37:35 +0200 systems/kerkouane: hardened kerkouane ssh Signed-off-by: Vincent Demeester <vincent@sbr.pm> Diffstat:
M | systems/hosts/kerkouane.nix | | | 8 | ++++++-- |
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/systems/hosts/kerkouane.nix b/systems/hosts/kerkouane.nix
@@ -9,7 +9,7 @@ let
 secretPath = ../../secrets/machines.nix;
 secretCondition = (builtins.pathExists secretPath);
- sshPort = if secretCondition then (import secretPath).ssh.kerkouane.port else 22;
+ wireguardIp = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
 nginxExtraConfig = ''
 expires 31d;
@@ -183,7 +183,11 @@ in
 extraConfig = nginxExtraConfig;
 };
 };
- openssh.ports = [ sshPort ];
+ services.openssh.listenAddresses = [
+ { addr = wireguardIp; port = 22; }
+ ];
+ openssh.openFirewall = false;
+ openssh.passwordAuthentication = false;
 openssh.permitRootLogin = "without-password";
 syncthing.guiAddress = "127.0.0.1:8384";
 };
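Review bot: When the secrets file is absent, `wireguardIp` collapses to the empty string, and the listen entry added in the second hunk then carries `addr = ""`, whereas the removed `sshPort` binding still fell back to a usable default (`else 22`); that case is no longer handled explicitly. An empty `addr` presumably yields a `ListenAddress :22` directive that sshd may reject at startup, which would leave the host without SSH instead of falling back. Consider making the case explicit, e.g. emitting the listen entry only when the secret exists with `optional secretCondition { addr = wireguardIp; port = 22; }` (from `lib`), or asserting on `secretCondition`, so a missing secret is a visible failure rather than an empty address. The enclosing `let` binding list starts before the hunk.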
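Review bot: The added `services.openssh.listenAddresses` carries a `services.` prefix that its siblings do not: `openssh.openFirewall`, `openssh.passwordAuthentication`, `openssh.permitRootLogin` and `syncthing.guiAddress` are all written relative to an enclosing attribute set (its opening lies outside the hunk) that is presumably `services = { ... }`, so the new line would likely resolve to `services.services.openssh.listenAddresses`, which is not a NixOS option and would fail evaluation. The line should read `openssh.listenAddresses = [`. Separately, binding sshd to the WireGuard address means sshd must start after that address is configured; unless the unit is ordered after the WireGuard interface (or socket activation via `startWhenNeeded` is used), sshd can fail to bind at boot and the host becomes unreachable over SSH. With `openFirewall = false`, confirm that port 22 is still permitted on the WireGuard interface elsewhere in the configuration, otherwise the new listen address is unreachable as well.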