diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index aa9c0fa1c09..d9b12d27816 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -21,7 +21,7 @@ let
daemon reads in addition to the the user's authorized_keys file.
You can combine the keys and
keyFiles options.
- Warning: If you are using NixOps then don't use this
+ Warning: If you are using NixOps then don't use this
option since it will replace the key required for deployment via ssh.
'';
};
@@ -137,6 +137,14 @@ in
'';
};
+ openFirewall = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to automatically open the specified ports in the firewall.
+ '';
+ };
+
listenAddresses = mkOption {
type = with types; listOf (submodule {
options = {
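Review bot: The new `openFirewall` description does not say which ports it controls, although the firewall line later in this diff only ever opens `cfg.ports`; a reader of the rendered option docs cannot tell that from "the specified ports". I would make the description explicit: `Whether to automatically open the ports listed in services.openssh.ports in the firewall.` Since the default is `true`, enabling the service opens those ports on every interface regardless of what `listenAddresses` binds to, and it appears ports declared only through `listenAddresses` entries are not covered by this rule — if so, the description should say that too so users know when to set `openFirewall = false` and manage the firewall themselves. The `services.openssh` option set continues outside this hunk.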
@@ -302,7 +310,7 @@ in
};
- networking.firewall.allowedTCPPorts = cfg.ports;
+ networking.firewall.allowedTCPPorts = if cfg.openFirewall then cfg.ports else [];
security.pam.services.sshd =
{ startSession = true;