tv iptables: move sshd stuff to sshd config

2 files changed, 17 insertions, 12 deletions

diff --git a/tv/2configs/sshd.nix b/tv/2configs/sshd.nix
index 25468f2..79af5b0 100644
--- a/tv/2configs/sshd.nix
+++ b/tv/2configs/sshd.nix
@@ -1,10 +1,22 @@
-{ config, lib, pkgs, ... }:
-
 with import <stockholm/lib>;
-
-{
+{ config, ... }: let
+  cfg.host = config.krebs.build.host;
+in {
   services.openssh = {
     enable = true;
   };
   tv.iptables.input-internet-accept-tcp = singleton "ssh";
+  tv.iptables.extra.nat.OUTPUT = [
+    "-o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22"
+  ];
+  tv.iptables.extra4.nat.PREROUTING = [
+    "-d ${cfg.host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT"
+  ];
+  tv.iptables.extra6.nat.PREROUTING = [
+    "-d ${cfg.host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT"
+  ];
+  tv.iptables.extra.nat.PREROUTING = [
+    "-p tcp --dport 22 -j REDIRECT --to-ports 0"
+    "-p tcp --dport 11423 -j REDIRECT --to-ports 22"
+  ];
 }
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
index 3974760..9cf0bd5 100644
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -135,15 +135,8 @@ let {
       :INPUT ACCEPT [0:0]
       :OUTPUT ACCEPT [0:0]
       :POSTROUTING ACCEPT [0:0]
-      ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") [
-        "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
-        "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
-      ]}
-      ${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
-        "-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
-      ]}
-      ${formatTable cfg.extra.nat}
       ${formatTable cfg."extra${toString iptables-version}".nat}
+      ${formatTable cfg.extra.nat}
       COMMIT
       *filter
       :INPUT DROP [0:0]