diff --git a/ansible/group_vars/all/ssh.yml b/ansible/group_vars/all/ssh.yml
new file mode 100644
index 0000000..41be9b2
--- /dev/null
+++ b/ansible/group_vars/all/ssh.yml
@@ -0,0 +1 @@
+expose_ssh: false
diff --git a/ansible/host_vars/intersect.yml b/ansible/host_vars/intersect.yml
new file mode 100644
index 0000000..c6a60bc
--- /dev/null
+++ b/ansible/host_vars/intersect.yml
@@ -0,0 +1 @@
+expose_ssh: true
diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config
index 88e808d..bd05525 100644
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@@ -2,8 +2,11 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port 7743
-# Deny all other users besides the following
+{% if expose_ssh %}
 AllowUsers {{ user }}
+{% else %}
+AllowUsers {{ user }}@{{ wireguard.cidr }}
+{% endif %}
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0
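Review bot: `{% if expose_ssh %}` in the sshd_config hunk tests plain Jinja truthiness, so a string value such as `expose_ssh=false` supplied with `-e` on the command line (extra-vars arrive as strings) is truthy and silently selects the unrestricted `AllowUsers {{ user }}` branch; `{% if expose_ssh | bool %}` keeps the switch correct for both the YAML booleans added in group_vars/host_vars and string overrides. The removed line `# Deny all other users besides the following` was the only text saying that AllowUsers is an allow-list; I would restore it above the `{% if %}` and extend it, e.g. `# AllowUsers is an allow-list: everyone else is denied. Unless expose_ssh is set for the host, {{ user }} may only log in from the WireGuard network ({{ wireguard.cidr }}).` Note that in the non-exposed case sshd still listens on `0.0.0.0:7743` (the unchanged ListenAddress line) and completes the pre-authentication exchange with any source, since the `user@addr/masklen` form of AllowUsers only rejects once the user name is presented; binding ListenAddress to the WireGuard address would reduce exposure further if the host layout allows it. The file sits under `files/` rather than `templates/`, so presumably it is already deployed with the `template` module (the pre-existing `{{ user }}` suggests so) — worth confirming, because with `copy` the new `{% if %}` tags would be written literally and sshd would refuse the config.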