From 43fa56bf35ba2a4eecef6a3ba063b45d55348040 Mon Sep 17 00:00:00 2001
From: Petru Paler
Date: Sun, 23 Nov 2025 07:24:09 +0000
Subject: [PATCH] Bind on all addresses and rely on firewall for blocking public ssh.

Otherwise, sshd will try and fail to bind on the tailscale IP before tailscale is up.
---
 hosts/alo-cloud-1/default.nix | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/hosts/alo-cloud-1/default.nix b/hosts/alo-cloud-1/default.nix
index 7742ea0..4afc9ba 100644
--- a/hosts/alo-cloud-1/default.nix
+++ b/hosts/alo-cloud-1/default.nix
@@ -25,7 +25,6 @@
     internalInterfaces = [ "tailscale0" ];
   };
 
-  # Security hardening: Enable firewall (override global setting)
   networking.firewall = {
     enable = lib.mkForce true;
     allowedTCPPorts = [ 80 443 ]; # Public web traffic only
@@ -33,11 +32,7 @@
     trustedInterfaces = [ "tailscale0" ]; # Full access via VPN
   };
 
-  # Security hardening: Restrict SSH to Tailscale only + key-based auth
   services.openssh = {
-    listenAddresses = [
-      { addr = "100.75.147.49"; port = 22; } # Tailscale IP only
-    ];
     settings.PasswordAuthentication = false; # Keys only
   };
 }
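Review bot: With `listenAddresses` gone, the firewall is the only control keeping sshd off the public interface, but NixOS's `services.openssh.openFirewall` option defaults to true and adds port 22 to `allowedTCPPorts` on its own, so unless it is disabled somewhere outside this hunk the second hunk leaves SSH reachable publicly despite `allowedTCPPorts = [ 80 443 ]`. The `services.openssh` block should pin this explicitly, e.g. `openFirewall = false; # port 22 reachable only via tailscale0 (trustedInterfaces), never public`. The removed "Security hardening" comments in both hunks were the only record of this design; a one-line comment above `services.openssh` stating that SSH exposure is now enforced by the firewall rather than by bind address would keep the intent visible to the next reader. The enclosing module attribute set starts before the first hunk.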