pub-solar/infra
6
1
Fork 3
Code Issues 24 Pull requests 10 Actions Packages Projects 1 Releases Wiki Activity
infra/modules/networking.nix
Benjamin Yule Bädorf ad1ea4a49e
All checks were successful
Flake checks / Check (pull_request) Successful in 8m11s
Details
forgejo: run internal ssh server on port 22 
The system-wide SSH server was hidden behind a wireguard proxy for
security reasons, but since forgejo was using it, git pushes and pulls
got broken for people without wireguard access.

These config changes make sure forgejo starts its built-in SSH server
on port 22, which is then allowed to be accessed from the open internet
in the firewall config.
2024-04-05 15:05:28 +02:00

46 lines
1.7 KiB
Nix
Raw Blame History

{ pkgs, lib, ... }: {
# Don't expose SSH via public interfaces
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 2222 ];
services.openssh = {
enable = true;
openFirewall = lib.mkDefault false;
ports = [ 2222 ];
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
# Add back openssh MACs that got removed from defaults
# for backwards compatibility
#
# NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
# This breaks compatibilty with clients that do not offer these MACs. For
# compatibility reasons, we add back the old defaults.
# See: https://github.com/NixOS/nixpkgs/pull/231165
#
# https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
# https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
};
};
services.resolved = {
enable = true;
# DNSSEC=false because of random SERVFAIL responses with Greenbaum DNS
# when using allow-downgrade, see https://github.com/systemd/systemd/issues/10579
extraConfig = ''
DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
Domains=~.
DNSOverTLS=yes
DNSSEC=false
'';
};
}
Reference in a new issue View git blame Copy permalink