From 9c0682ef9b91b5dc7dc17b6411d8a83506ab3038 Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Sun, 12 Jul 2020 17:53:02 +0100
Subject: [PATCH] Restrict SSH connections to wireguard cidr

Except on home server, still handy to connect on same network.
---
 ansible/group_vars/all/ssh.yml       | 1 +
 ansible/host_vars/intersect.yml      | 1 +
 ansible/roles/base/files/sshd_config | 5 ++++-
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 ansible/group_vars/all/ssh.yml
 create mode 100644 ansible/host_vars/intersect.yml

diff --git a/ansible/group_vars/all/ssh.yml b/ansible/group_vars/all/ssh.yml
new file mode 100644
index 0000000..41be9b2
--- /dev/null
+++ b/ansible/group_vars/all/ssh.yml
@@ -0,0 +1 @@
+expose_ssh: false
diff --git a/ansible/host_vars/intersect.yml b/ansible/host_vars/intersect.yml
new file mode 100644
index 0000000..c6a60bc
--- /dev/null
+++ b/ansible/host_vars/intersect.yml
@@ -0,0 +1 @@
+expose_ssh: true
diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config
index 88e808d..bd05525 100644
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@@ -2,8 +2,11 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port 7743
 
-# Deny all other users besides the following
+{% if expose_ssh %}
 AllowUsers {{ user }}
+{% else %}
+AllowUsers {{ user }}@{{ wireguard.cidr }}
+{% endif %}
 
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0