From 9c0682ef9b91b5dc7dc17b6411d8a83506ab3038 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sun, 12 Jul 2020 17:53:02 +0100
Subject: [PATCH] Restrict SSH connections to wireguard cidr

Except on home server, still handy to connect on same network.
---
 ansible/group_vars/all/ssh.yml | 1 +
 ansible/host_vars/intersect.yml | 1 +
 ansible/roles/base/files/sshd_config | 5 ++++-
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 ansible/group_vars/all/ssh.yml
 create mode 100644 ansible/host_vars/intersect.yml

diff --git a/ansible/group_vars/all/ssh.yml b/ansible/group_vars/all/ssh.yml
new file mode 100644
index 0000000..41be9b2
--- /dev/null
+++ b/ansible/group_vars/all/ssh.yml
@@ -0,0 +1 @@
+expose_ssh: false
diff --git a/ansible/host_vars/intersect.yml b/ansible/host_vars/intersect.yml
new file mode 100644
index 0000000..c6a60bc
--- /dev/null
+++ b/ansible/host_vars/intersect.yml
@@ -0,0 +1 @@
+expose_ssh: true
diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config
index 88e808d..bd05525 100644
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@@ -2,8 +2,11 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port 7743
-# Deny all other users besides the following
+{% if expose_ssh %}
 AllowUsers {{ user }}
+{% else %}
+AllowUsers {{ user }}@{{ wireguard.cidr }}
+{% endif %}
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0
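Review bot: The restriction in the sshd_config hunk is enforced at authentication time, not at connection time — `AllowUsers {{ user }}@{{ wireguard.cidr }}` rejects logins whose source address is outside the CIDR, but `ListenAddress 0.0.0.0` two lines below still accepts TCP connections and completes the key exchange on every interface, so on hosts with `expose_ssh: false` the daemon remains reachable (and presumably banner-identifiable) from outside the tunnel. If the subject's "Restrict SSH connections" is meant at network level, pair this with a host-firewall rule scoped to the wireguard subnet; otherwise record the chosen layer in the template, e.g. `# AllowUsers filters by source address after key exchange; sshd still listens on all interfaces (see ListenAddress below)`. The removed line `# Deny all other users besides the following` should stay above `{% if expose_ssh %}` so the block remains self-explaining, and the hunk's one blank context line could not be placed when re-splitting the collapsed diff. Two things to confirm outside the hunk: every host that renders this with `expose_ssh` false must define `wireguard.cidr` or templating fails, and matching the whole tunnel subnet admits any wireguard peer, so a narrower host address is the least-privilege choice if only one client should log in. Denied attempts are logged by sshd as "not allowed because not listed in AllowUsers", which is the event to watch for.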