From b1519c8f22c68972349edffb56b2cd4f192ca8d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?=
Date: Fri, 5 Apr 2024 13:05:45 +0200
Subject: [PATCH] ssh: only allow ssh on wireguard interface

---
 modules/networking.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/networking.nix b/modules/networking.nix
index 44cf17c..21242d3 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -1,6 +1,10 @@
-{ pkgs, ... }: {
+{ pkgs, lib, ... }: {
+  # Don't expose SSH via public interfaces
+  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
+
   services.openssh = {
     enable = true;
+    openFirewall = lib.mkDefault false;
     settings = {
       PermitRootLogin = "prohibit-password";
       PasswordAuthentication = false;
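Review bot: `openFirewall = lib.mkDefault false;` does not enforce the intent stated in the comment — mkDefault only beats the option's own default, so any other module that sets `services.openssh.openFirewall = true` silently wins and reopens port 22 on every interface; if the policy is "SSH only via WireGuard", write a plain `openFirewall = false;` (a conflicting definition then fails evaluation instead of winning) or `lib.mkForce false` and say so in the comment. The `[ 22 ]` on the `allowedTCPPorts` line duplicates the sshd port; `config.services.openssh.ports` (adding `config` to the module arguments) keeps the firewall rule in sync if the port is ever changed. Note that this only restricts the firewall: sshd still binds all addresses, and the rule presumes `networking.firewall.enable` and an interface named `wg-ssh`, neither of which is visible in this hunk — consider a `settings.ListenAddress` pinned to the WireGuard address as defense in depth. The `services.openssh` attribute set continues past the end of the hunk.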