From bd29827fba8aefa978798ad105d8793976f082b4 Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Sat, 3 Aug 2024 11:49:59 -0600
Subject: sys/auth, sys/[lustrated]: restrict SSH to gate interface

---
 sys/auth/openssh.nix | 61 +++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 44 insertions(+), 17 deletions(-)

(limited to 'sys/auth/openssh.nix')

diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 87c6299..161fe6f 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -2,6 +2,8 @@ with lib;
 let
   cfg = config.local.auth.openssh;
   withOath = config.local.auth.oath.enable;
+
+  port = if cfg.shiftPortNumber then 2234 else 22;
 in
 {
   options.local.auth.openssh = {
@@ -19,6 +21,22 @@ in
       };
     }) [ "ecdsa" "ed25519" "rsa" ]);
 
+    restrictListen = mkOption {
+      default = null;
+
+      type = with types; nullOr (submodule {
+        options = {
+          address = mkOption {
+            type = str;
+          };
+
+          interface = mkOption {
+            type = str;
+          };
+        };
+      });
+    };
+
     shiftPortNumber = mkOption {
       type = types.bool;
       default = true;
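Review bot: The new `restrictListen` option and its `address` and `interface` fields carry no `description`, so the relationship the rest of the commit depends on — `interface` is where the firewall port is opened, `address` is the only address sshd binds, and the two must belong to the same link — is nowhere stated to whoever sets the option. Suggest on `restrictListen`: `description = "Expose SSH on one network only: open the firewall port on 'interface' and bind sshd to 'address', which must be an address of that interface. null (the default) keeps the port open on every interface and sshd listening on all addresses.";` plus one-line descriptions on the two fields. Because `address` is an unconstrained `str` that is handed to the nixpkgs `listenAddresses` option as-is, the description is also the place to say whether a hostname or an IPv6 literal is acceptable here. The `options.local.auth.openssh` set continues past the end of this hunk.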
@@ -41,26 +59,16 @@ in
   local.boot.impermanence.files = flatten (map (key: [ key.path "${key.path}.pub" ])
     config.services.openssh.hostKeys);
 
+  networking.firewall.interfaces = optionalAttrs (cfg.restrictListen != null) {
+    ${cfg.restrictListen.interface}.allowedTCPPorts = [ port ];
+  };
+
   services.openssh = {
     enable = true;
-    openFirewall = true;
-    ports = mkIf cfg.shiftPortNumber [ 2234 ];
-    startWhenNeeded = !config.services.fail2ban.enable;
-
-    hostKeys = map
-      (name: {
-        path = "/etc/ssh/ssh_host_${name}_key";
-        type = name;
-      } // optionalAttrs (name == "rsa") {
-        bits = 4096;
-      })
-      (attrNames (filterAttrs (name: enable: enable) cfg.hostKeys));
 
-    settings = {
-      X11Forwarding = true;
-      PermitRootLogin = "prohibit-password";
-      PasswordAuthentication = withOath; # Necesario para oath, no reemplaza a oath
-    };
+    ports = [ port ];
+    openFirewall = cfg.restrictListen == null;
+    startWhenNeeded = !config.services.fail2ban.enable;
 
     extraConfig = optionalString cfg.tunnel.enable ''
       # User 'tunnel' has no password. Use PAM OATH
@@ -79,6 +87,25 @@ in
       This is a reverse tunnel
     ''}
   '';
+
+    hostKeys = map
+      (name: {
+        path = "/etc/ssh/ssh_host_${name}_key";
+        type = name;
+      } // optionalAttrs (name == "rsa") {
+        bits = 4096;
+      })
+      (attrNames (filterAttrs (name: enable: enable) cfg.hostKeys));
+
+    settings = {
+      X11Forwarding = true;
+      PermitRootLogin = "prohibit-password";
+      PasswordAuthentication = withOath; # Necesario para oath, no reemplaza a oath
+    };
+
+    listenAddresses = mkIf (cfg.restrictListen != null) (singleton {
+      addr = cfg.restrictListen.address;
+    });
   };
 
   users.users = {
-- 
cgit v1.2.3
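Review bot: With `restrictListen` set, `openFirewall` is switched off and the port is opened only on `restrictListen.interface`, while the bind added in the next hunk is by `restrictListen.address`; nothing ties the two together, so a typo in either, or a gate interface whose address is not yet present when sshd starts, leaves the host without SSH instead of failing the build. That is the safe direction, but on a remote host it is a lockout, and the exposure is largest exactly when fail2ban is enabled, because `startWhenNeeded` is then false and sshd binds at boot rather than on the first connection (whether the nixpkgs unit keeps retrying a failed bind I cannot tell from this hunk). Where the gate interface is declared in `networking.interfaces`, a build-time check catches the first case: `assertions = [ { assertion = cfg.restrictListen == null || hasAttr cfg.restrictListen.interface config.networking.interfaces; message = "local.auth.openssh.restrictListen.interface is not a configured interface"; } ];`; for the second, reboot a fail2ban-enabled host with this change before relying on it. The `services.openssh` attribute set continues past the end of this hunk.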
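Review bot: `addr = cfg.restrictListen.address` is passed through verbatim and `address` is an unconstrained `str`, so an IPv6 literal or a hostname is accepted silently; sshd's `ListenAddress` takes a bare IPv6 address, but when `startWhenNeeded` is true the address is also combined with each port for the socket unit, and systemd's `ListenStream=` requires the `[addr]:port` form for IPv6 — verify how the nixpkgs revision in use formats that before pointing `address` at an IPv6 gate address. The entry deliberately omits `port` and relies on the module's documented behaviour of listening on every entry of `ports`; a comment makes that visible: `# No port: a port-less ListenAddress entry listens on every port in 'ports' (2234 or 22 here).` The moved `PasswordAuthentication` line keeps a Spanish comment; `# Required for the PAM OATH prompt; it does not replace OATH` preserves the intent for other readers. `services.openssh` closes at the `};` in this hunk and `users.users` continues past it.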