switch to explicit sshd listen addresses

This makes more sense than blocking inbound SSH traffic for the specific IP
addresses where SSH doesn't make sense.

This orders sshd.service after network-online.target since otherwise
ListenAddress can fail to work with specific IP addresses assigned by
systemd-networkd.
This commit is contained in:
Daniel Micay 2025-12-06 00:51:01 -05:00
parent 9f40af22b7
commit abca76d110
5 changed files with 9 additions and 14 deletions


@ -57,10 +57,14 @@ rsync etc/sysconfig/chronyd $remote:/mnt/etc/sysconfig/chronyd
rsync ${hosts_authorized_keys[$host]:-authorized_keys} $remote:/mnt/root/.ssh/authorized_keys
cp etc/ssh/sshd_config tmp
sed -i "s/{{ipv4_address}}/${hosts_ipv4_address[$host]:-127.0.0.1}/g" tmp
sed -i "s/{{ipv6_address}}/${hosts_ipv6_address[$host]:-::1}/g" tmp
sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" tmp
rsync tmp $remote:/mnt/etc/ssh/sshd_config
rm tmp
rsync -r --delete etc/systemd/system/sshd.service.d $remote:/mnt/etc/systemd/system/
cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp
sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]:-65536} / 64 ))/g" tmp
sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp