
commit c05db6d30f9cf7c7147f8c4b746e6134e61cce96
parent d001e1f9b3ac52da5b2b7b3749033515a72e5829
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Sat, 11 Sep 2021 14:37:35 +0200

systems/kerkouane: hardened kerkouane ssh

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Msystems/hosts/kerkouane.nix | 8++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/systems/hosts/kerkouane.nix b/systems/hosts/kerkouane.nix
@@ -9,7 +9,7 @@ let
 secretPath = ../../secrets/machines.nix;
 secretCondition = (builtins.pathExists secretPath);
- sshPort = if secretCondition then (import secretPath).ssh.kerkouane.port else 22;
+ wireguardIp = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
 nginxExtraConfig = ''
 expires 31d;
@@ -183,7 +183,11 @@ in
 extraConfig = nginxExtraConfig;
 };
 };
- openssh.ports = [ sshPort ];
+ services.openssh.listenAddresses = [
+ { addr = wireguardIp; port = 22; }
+ ];
+ openssh.openFirewall = false;
+ openssh.passwordAuthentication = false;
 openssh.permitRootLogin = "without-password";
 syncthing.guiAddress = "127.0.0.1:8384";
 };
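Review bot: In the second hunk the new key is written `services.openssh.listenAddresses` while every sibling key on the same level (`openssh.openFirewall`, `openssh.passwordAuthentication`, the existing `openssh.permitRootLogin`) is relative; if the enclosing attrset is `services = { … }`, as those siblings suggest, this resolves to `services.services.openssh.listenAddresses` and the listen restriction is not applied as intended, so the line should read `openssh.listenAddresses = [`. The replaced `sshPort` had an explicit fallback (`else 22`) when the secrets file is absent, but `wireguardIp` is built with `strings.optionalString` and becomes `""` in that case, giving `{ addr = ""; port = 22; }` — consider keeping an equivalent fallback or asserting that `secretCondition` holds before binding to the address. Since the sshd bind is now tied to the WireGuard address and `openFirewall = false` no longer opens port 22 anywhere, it is worth confirming (from the rest of the file, which is outside this hunk) that the firewall admits 22 on the WireGuard interface and that sshd is ordered after that interface is up, otherwise the host can become unreachable on the first rebuild. The enclosing attrset starts and ends outside the hunk.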