Commit c05db6d30f9c

Vincent Demeester <vincent@sbr.pm>
2021-09-11 14:37:35
systems/kerkouane: hardened kerkouane ssh
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent d001e1f
Changed files (1)
systems/hosts/kerkouane.nix
@@ -9,7 +9,7 @@ let
   secretPath = ../../secrets/machines.nix;
   secretCondition = (builtins.pathExists secretPath);
 
-  sshPort = if secretCondition then (import secretPath).ssh.kerkouane.port else 22;
+  wireguardIp = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
 
   nginxExtraConfig = ''
     expires 31d;
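Review bot: The new `wireguardIp` binding silently degrades to an empty string when `secretCondition` is false, because `strings.optionalString` returns `""` rather than a fallback; the removed `sshPort` line at least had an explicit `else 22`. That empty string is what ends up in `addr = wireguardIp;` in the second hunk, and an empty listen address is unlikely to be what sshd should receive on a machine built without the secrets file — it would presumably render as `ListenAddress :22`, though the exact rendering depends on the openssh module and is not visible here. Either make the fallback an explicit decision, e.g. `wireguardIp = if secretCondition then (import secretPath).wireguard.ips."${hostname}" else throw "kerkouane: secrets missing, cannot determine sshd listen address";`, or drop the listen entry entirely when secrets are absent and accept that sshd then listens on all interfaces. `strings` and `hostname` are not bound within this hunk; the rest of the `let` block is outside it.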
@@ -183,7 +183,11 @@ in
         extraConfig = nginxExtraConfig;
       };
     };
-    openssh.ports = [ sshPort ];
+    services.openssh.listenAddresses = [
+      { addr = wireguardIp; port = 22; }
+    ];
+    openssh.openFirewall = false;
+    openssh.passwordAuthentication = false;
     openssh.permitRootLogin = "without-password";
     syncthing.guiAddress = "127.0.0.1:8384";
   };
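Review bot: The added `services.openssh.listenAddresses` line carries a `services.` prefix while its siblings (`openssh.openFirewall`, `openssh.passwordAuthentication`, the pre-existing `openssh.permitRootLogin`, `syncthing.guiAddress`) do not; if the enclosing set is `services = { ... }` as those siblings suggest, this resolves to `services.services.openssh.listenAddresses`, an undefined option, and evaluation fails. The line should read `openssh.listenAddresses = [` to match its neighbours. Binding sshd exclusively to the WireGuard address also means sshd cannot start unless that address exists at bind time, so the ordering of sshd relative to the WireGuard interface is worth confirming — that dependency is not visible in this diff, and a failed bind would lock out remote access rather than fall back. The enclosing attribute set starts before this hunk.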