From 6648abd0f57e7cd703cca46c303c39bdc27d657c Mon Sep 17 00:00:00 2001
From: Mark Nipper
Date: Fri, 14 Jun 2024 01:14:12 -0700
Subject: Add SSH rules for nftables on ginaz
---
 hosts/ginaz/default.nix | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
(limited to 'hosts/ginaz/default.nix')
diff --git a/hosts/ginaz/default.nix b/hosts/ginaz/default.nix
index 625547d..3812f41 100644
--- a/hosts/ginaz/default.nix
+++ b/hosts/ginaz/default.nix
@@ -46,5 +46,35 @@
 services.openssh.settings.X11Forwarding = true;
 services.xserver.videoDrivers = [ "amdgpu" ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ../secrets/ginaz.yaml;
+
+ secrets = {
+ "nftables/ssh" = {};
+ };
+ };
+
 system.stateVersion = "23.11";
+
+ systemd.services."nftables-extra" = {
+ description = "nftables extra firewall rules";
+ script = ''
+ ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+ '';
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = config.sops.secrets."nftables/ssh".path;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ systemd.paths."nftables-extra" = {
+ pathConfig = {
+ PathExists = config.sops.secrets."nftables/ssh".path;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
 }
--
cgit v1.2.3
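Review bot: The new `nftables-extra` service is only `wantedBy multi-user.target` with no `after`/`before` ordering, so at boot the SSH rules in the secret can be loaded after networking is already up, and if `networking.nftables` is enabled elsewhere in this host config (not visible in the hunk) the base `nftables.service` ruleset flush may run after this unit and silently drop them. The NixOS nftables unit orders itself `before network-pre.target`; mirroring that here and ordering `after nftables.service` closes that window and makes the start order deterministic. Because the service is `oneshot` with `RemainAfterExit` and the path unit only fires on `PathExists`, a changed secret is not reapplied on `nixos-rebuild switch` until a reboot or manual restart; `sops.secrets."nftables/ssh".restartUnits = [ "nftables-extra.service" ];` covers that, provided the rules file flushes its own table first so a re-run does not append duplicate rules (the secret's contents are not visible here, so confirm). The `ConditionPathExists` guard also means a missing or undecryptable secret skips the unit without a failure, so worth a comment noting the host runs without these rules in that case.
```nix
  sops.secrets."nftables/ssh".restartUnits = [ "nftables-extra.service" ];

  systemd.services."nftables-extra" = {
    description = "nftables extra firewall rules";
    # Load before the network is up and after the base ruleset, so a base
    # nftables.service flush (if enabled) cannot discard these rules.
    after = [ "nftables.service" ];
    before = [ "network-pre.target" ];
    wants = [ "network-pre.target" ];
    # … unchanged: script, serviceConfig, unitConfig, wantedBy …
  };
```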