Bind on all addresses and rely on firewall for blocking public ssh.

Otherwise sshd tries to bind to the Tailscale IP before tailscale is up and fails, since that address does not exist yet.
2025-11-23 07:24:09 +00:00
parent 50c930eeaf
commit 43fa56bf35


@@ -25,7 +25,6 @@
internalInterfaces = [ "tailscale0" ];
};
# Security hardening: Enable firewall (override global setting)
networking.firewall = {
enable = lib.mkForce true;
allowedTCPPorts = [ 80 443 ]; # Public web traffic only
@@ -33,11 +32,7 @@
trustedInterfaces = [ "tailscale0" ]; # Full access via VPN
};
# Security hardening: Restrict SSH to Tailscale only + key-based auth
services.openssh = {
listenAddresses = [
{ addr = "100.75.147.49"; port = 22; } # Tailscale IP only
];
settings.PasswordAuthentication = false; # Keys only
};
}
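Review bot: With `listenAddresses` removed, sshd now listens on all addresses and only the firewall keeps port 22 off the public interface, but `services.openssh.openFirewall` defaults to true in NixOS and appends 22 to `allowedTCPPorts` on top of the `[ 80 443 ]` shown in the firewall block — unless it is disabled somewhere outside this file, SSH becomes publicly reachable. Add `openFirewall = false; # port 22 admitted only via trustedInterfaces (tailscale0)` next to `settings.PasswordAuthentication = false;`. The comment `# Security hardening: Restrict SSH to Tailscale only + key-based auth` now describes a restriction enforced by `trustedInterfaces`, not by sshd, so reword it to say so, e.g. `# SSH reachable only over tailscale0: enforced by the firewall (trustedInterfaces), not by sshd`. If keeping the narrower listen address is preferred, the startup-ordering problem the commit works around could instead be addressed with `systemd.services.sshd.after = [ "tailscaled.service" ];`, though that depends on the tailscale unit name and is presumably worth verifying.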