| author | Alejandro Soto <alejandro@34project.org> | 2024-12-17 19:27:59 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-12-17 20:35:46 -0600 |
| commit | 822b0381bf810fc85bf92ff1a9e1eb2fa30b76cc (patch) | |
| tree | 2955c94eb31767e1f87f4af2c18dc17fbc786ba9 /sys/auth | |
| parent | 2824f4871a786b19874cd46548ad43cee1a20f4d (diff) | |
sys/platform/[lustrated]: enable address-restricted ssh password auth, fail2ban
Diffstat (limited to '')
| -rw-r--r-- | sys/auth/openssh.nix | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 0569f17..7ae9079 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -34,6 +34,7 @@ in
     interface = mkOption {
       type = nullOr str;
+      default = null;
     };
 
     vsockCid = mkOption {
@@ -87,15 +88,18 @@ in
     local.boot.impermanence.files = flatten (map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys);
 
-    networking.firewall.interfaces = optionalAttrs (restrict != null && restrict.interface != null) {
-      ${restrict.interface}.allowedTCPPorts = [ port ];
+    networking.firewall = {
+      interfaces = optionalAttrs (restrict != null && restrict.interface != null) {
+        ${restrict.interface}.allowedTCPPorts = [ port ];
+      };
+
+      allowedTCPPorts = optional (restrict == null || restrict.interface == null) port;
     };
 
     services.openssh = {
       enable = true;
       ports = optional (restrict != null -> restrict.addresses != [ ]) port;
-      openFirewall = restrict == null;
       startWhenNeeded = !config.services.fail2ban.enable;
 
       extraConfig = optionalString cfg.tunnel.enable ''
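Review bot: In the second hunk, `allowedTCPPorts = optional (restrict == null || restrict.interface == null) port;` opens the port on every interface whenever `restrict.interface` is unset, which includes the address-restricted case (`restrict != null`, `restrict.addresses` set) that the removed `openFirewall = restrict == null;` deliberately kept closed, and nothing in this hunk ties the firewall rule to `restrict.addresses`. The new condition also disagrees with the listen condition a few lines below, `ports = optional (restrict != null -> restrict.addresses != [ ]) port;`: with `restrict.addresses == [ ]` and no interface, the firewall opens `port` while sshd is not configured to listen on it; aligning them would be `allowedTCPPorts = optional (restrict == null || (restrict.interface == null && restrict.addresses != [ ])) port;`. If the intent is that source filtering is done by sshd rather than the firewall, a comment such as `# Address-only restriction: the firewall admits all sources; sshd's address restriction is the only filter.` would make that trust boundary explicit for the next reader. The `services.openssh` attribute set continues past the end of the hunk (the `extraConfig` string is cut off), so whether `restrict.addresses` is actually applied to sshd is not visible here.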
