Commit 8e352be8527a
systems/carthage/extra.nix
@@ -396,20 +396,15 @@ in
security.tpm2.enable = lib.mkForce false;
# Override common SSH config to restrict to VPN network only
- # TODO: After WireGuard is set up, remove "0.0.0.0" listenAddress and
- # set openFirewall back to lib.mkForce false
+ # SSH only on VPN interface — no public access
services.openssh = {
listenAddresses = [
{
addr = builtins.head globals.machines.carthage.net.vpn.ips;
port = 22;
}
- {
- addr = "0.0.0.0"; # Temporary: bootstrap access before WireGuard is up
- port = 22;
- }
];
- # openFirewall = lib.mkForce false;
+ openFirewall = lib.mkForce false;
};
services.wireguard.server = {
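Review bot: With `openFirewall = lib.mkForce false;` on the new L21 and `listenAddresses` reduced to the VPN address, port 22 is no longer opened anywhere by this block, so SSH over the VPN only works if the WireGuard interface is in `networking.firewall.trustedInterfaces` or port 22 is allowed on it elsewhere — that is not visible from this hunk, and if it is missing the change locks out the remaining access path rather than just the public one. If nothing else covers it, `networking.firewall.interfaces.<VPN_IFACE>.allowedTCPPorts = [ 22 ];` (placeholder interface name) next to this block keeps the VPN-only intent explicit. Binding sshd to a single VPN IP also means sshd has to start after that address is assigned; unless the unit ordering is already arranged, a reboot can leave sshd failed to bind and the host reachable only from the console. The comment on L8 could carry both dependencies, e.g. `# SSH only on VPN interface — no public access; port 22 must be allowed on the WireGuard interface and sshd must start after it`. The enclosing attribute set begins and ends outside the hunk.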
Makefile
@@ -50,14 +50,13 @@ host/kerkouane/boot:
host/kerkouane/switch:
nixos-rebuild --target-host root@kerkouane.vpn --flake .#kerkouane switch
-# TODO: Remove IP override once DNS/VPN points to carthage
.PHONY: host/carthage/boot
host/carthage/boot:
- NIX_SSHOPTS="-o IdentitiesOnly=yes -i $(HOME)/.ssh/kyushu" nixos-rebuild --target-host root@46.224.100.116 --flake .#carthage boot
+ nixos-rebuild --target-host root@carthage.vpn --flake .#carthage boot
.PHONY: host/carthage/switch
host/carthage/switch:
- NIX_SSHOPTS="-o IdentitiesOnly=yes -i $(HOME)/.ssh/kyushu" nixos-rebuild --target-host root@46.224.100.116 --flake .#carthage switch
+ nixos-rebuild --target-host root@carthage.vpn --flake .#carthage switch
##@ Local System Operations
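Review bot: Dropping `NIX_SSHOPTS` on the new L32 and L36 makes both recipes depend on the invoker's ssh defaults for two things the old lines pinned explicitly: key selection (`IdentitiesOnly=yes -i …`) and, with the host change, resolution of `carthage.vpn`, so a machine without the VPN host entry or with a different default key now fails less obviously than before. A comment above the targets would make that contract visible, e.g. `# Requires the VPN to be up and carthage.vpn resolvable; ssh key selection comes from ~/.ssh/config`. The kerkouane recipe on L27 and the two carthage recipes now differ only in the host name, so a pattern rule removes the duplication (below); `.PHONY` cannot declare pattern targets, which is harmless here because `host/<name>/switch` never exists as a file, and the explicit `.PHONY` lines can stay for the concrete names.
```make
# Remote rebuilds: <name>.vpn must resolve and be reachable over WireGuard;
# ssh key selection is left to the invoker's ~/.ssh/config.
host/%/boot:
	nixos-rebuild --target-host root@$*.vpn --flake .#$* boot

host/%/switch:
	nixos-rebuild --target-host root@$*.vpn --flake .#$* switch
```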