aboutsummaryrefslogtreecommitdiffstats
path: root/hosts/ginaz/default.nix
diff options
context:
space:
mode:
authorMark Nipper <nipsy@bitgnome.net>2024-06-14 01:14:12 -0700
committerMark Nipper <nipsy@bitgnome.net>2024-06-14 01:14:12 -0700
commit6648abd0f57e7cd703cca46c303c39bdc27d657c (patch)
treec88dacb4fc6caaf5101063bf00e15c9030f16d16 /hosts/ginaz/default.nix
parente7953e8afc1d0146ab27fe3bacf13d980b496147 (diff)
downloadnix-6648abd0f57e7cd703cca46c303c39bdc27d657c.tar
nix-6648abd0f57e7cd703cca46c303c39bdc27d657c.tar.gz
nix-6648abd0f57e7cd703cca46c303c39bdc27d657c.tar.bz2
nix-6648abd0f57e7cd703cca46c303c39bdc27d657c.tar.lz
nix-6648abd0f57e7cd703cca46c303c39bdc27d657c.tar.xz
nix-6648abd0f57e7cd703cca46c303c39bdc27d657c.tar.zst
nix-6648abd0f57e7cd703cca46c303c39bdc27d657c.zip
Add SSH rules for nftables on ginaz
Diffstat (limited to '')
-rw-r--r--hosts/ginaz/default.nix30
1 files changed, 30 insertions, 0 deletions
diff --git a/hosts/ginaz/default.nix b/hosts/ginaz/default.nix
index 625547d..3812f41 100644
--- a/hosts/ginaz/default.nix
+++ b/hosts/ginaz/default.nix
@@ -46,5 +46,35 @@
services.openssh.settings.X11Forwarding = true;
services.xserver.videoDrivers = [ "amdgpu" ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ../secrets/ginaz.yaml;
+
+ secrets = {
+ "nftables/ssh" = {};
+ };
+ };
+
system.stateVersion = "23.11";
+
+ systemd.services."nftables-extra" = {
+ description = "nftables extra firewall rules";
+ script = ''
+ ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+ '';
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = config.sops.secrets."nftables/ssh".path;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ systemd.paths."nftables-extra" = {
+ pathConfig = {
+ PathExists = config.sops.secrets."nftables/ssh".path;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
}