From 2553913200a09491b47273c74ffed2c573d70b4d Mon Sep 17 00:00:00 2001
From: Mark Nipper
Date: Mon, 14 Apr 2025 15:39:54 -0700
Subject: Restrict SSH access @fangorn
---
 hosts/fangorn/default.nix | 34 +++++++---------------------------
 1 file changed, 7 insertions(+), 27 deletions(-)
(limited to 'hosts/fangorn/default.nix')
diff --git a/hosts/fangorn/default.nix b/hosts/fangorn/default.nix
index 95b55b5..dc83bd6 100644
--- a/hosts/fangorn/default.nix
+++ b/hosts/fangorn/default.nix
@@ -42,6 +42,9 @@
 ];

 networking = {
+ firewall.extraInputRules = ''
+ iifname "wg0" tdp dport ssh counter accept
+ '';
 hostId = "6f1faddc";
 hostName = "fangorn";
 networkmanager.enable = true;
@@ -59,7 +62,10 @@
 ];
 };

- services.openssh.settings.X11Forwarding = true;
+ services.openssh = {
+ openFirewall = false;
+ settings.X11Forwarding = true;
+ };
 services.xserver.desktopManager.xfce.enable = true;
 services.xserver.videoDrivers = [ "amdgpu" ];

@@ -73,30 +79,4 @@
 };

 system.stateVersion = "23.11";
-
- #systemd.services."nftables-extra" = let rules_script = ''
- # ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- # ''; in {
- # description = "nftables extra firewall rules";
- # reload = rules_script;
- # script = rules_script;
- # serviceConfig = {
- # RemainAfterExit = true;
- # Type = "oneshot";
- # };
- # unitConfig = {
- # ConditionPathExists = config.sops.secrets."nftables/ssh".path;
- # ReloadPropagatedFrom = "nftables.service";
- # };
- # wantedBy = [ "multi-user.target" ];
- # after = [ "nftables.service" ];
- # partOf = [ "nftables.service" ];
- #};
-
- #systemd.paths."nftables-extra" = {
- # pathConfig = {
- # PathExists = config.sops.secrets."nftables/ssh".path;
- # };
- # wantedBy = [ "multi-user.target" ];
- #};
 }
-- 
cgit v1.2.3
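Review bot: The nftables rule added in the first hunk contains a typo, `tdp` where the protocol match must be `tcp`, so `iifname "wg0" tdp dport ssh counter accept` will not parse; depending on whether the generated ruleset is checked at build time, that either fails the build or leaves the firewall ruleset unloaded, and in neither case does it implement the intended wg0-only SSH accept. Because the second hunk sets `openFirewall = false`, the openssh module no longer opens port 22 itself, so SSH reachability on this host now depends entirely on this one rule being correct. The corrected line is `iifname "wg0" tcp dport ssh counter accept`. `networking.firewall.extraInputRules` is consumed only by the nftables firewall backend (`networking.nftables.enable = true`), which is not visible in this hunk, so it is worth confirming that setting is present elsewhere in the file rather than assuming the rule is active. The `networking = {` attribute set that the rule is inserted into continues outside the hunk.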