From 822b0381bf810fc85bf92ff1a9e1eb2fa30b76cc Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Tue, 17 Dec 2024 19:27:59 -0600
Subject: sys/platform/[lustrated]: enable address-restricted ssh password auth, fail2ban

---
 sys/auth/openssh.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'sys')

diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 0569f17..7ae9079 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -34,6 +34,7 @@ in
 interface = mkOption {
 type = nullOr str;
+ default = null;
 };

 vsockCid = mkOption {
@@ -87,15 +88,18 @@ in
 local.boot.impermanence.files = flatten (map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys);

- networking.firewall.interfaces = optionalAttrs (restrict != null && restrict.interface != null) {
- ${restrict.interface}.allowedTCPPorts = [ port ];
+ networking.firewall = {
+ interfaces = optionalAttrs (restrict != null && restrict.interface != null) {
+ ${restrict.interface}.allowedTCPPorts = [ port ];
+ };
+
+ allowedTCPPorts = optional (restrict == null || restrict.interface == null) port;
 };

 services.openssh = {
 enable = true;
 ports = optional (restrict != null -> restrict.addresses != [ ]) port;
- openFirewall = restrict == null;
 startWhenNeeded = !config.services.fail2ban.enable;

 extraConfig = optionalString cfg.tunnel.enable ''
--
cgit v1.2.3
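Review bot: The `interface` option gains `default = null;` but still carries no `description`, and with this default a null value is exactly what the firewall block later in this patch keys on to open the SSH port on every interface, which is a consequence an operator setting `restrict` without an interface would want to see on the option itself. Suggest adding, next to the new default, `description = "Interface on which the SSH port is opened in the firewall; null opens it on all interfaces.";`. The enclosing `mkOption` set and its parent option start outside the hunk.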
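Review bot: The new `allowedTCPPorts = optional (restrict == null || restrict.interface == null) port;` opens the SSH port on every interface whenever `restrict.interface` is null, including a non-null `restrict` that names `addresses`; before this change such a configuration kept the firewall closed (or failed evaluation for lack of an `interface` default), since `openFirewall = restrict == null` was the only global opener, so the address restriction is now enforced solely by wherever sshd binds, not by the firewall. It also opens the port when `restrict.addresses == [ ]`, the case in which the `ports` line just above leaves sshd with no port at all. If a null interface is meant to read as "bind by address and let the firewall pass it", say so in a comment on that line and at least tie it to the same condition as `ports`, e.g. `allowedTCPPorts = optional (restrict == null || (restrict.interface == null && restrict.addresses != [ ])) port;`. How `restrict.addresses` reaches sshd's ListenAddress is not visible in the hunk, and the `services.openssh` set continues past its last line.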