From a852816503b580d03fb3d996ddb4732385822c5d Mon Sep 17 00:00:00 2001
From: rndusr
Date: Sun, 21 Jan 2024 12:40:51 -0600
Subject: [PATCH] lock the stuff down
---
 boxes/netbox/default.nix | 20 +++++++++++++++++++-
 flake.lock | 4 ++--
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/boxes/netbox/default.nix b/boxes/netbox/default.nix
index 2d112d5..e21f423 100644
--- a/boxes/netbox/default.nix
+++ b/boxes/netbox/default.nix
@@ -144,6 +144,23 @@ in {
 boot.loader.grub.enable = true;
 boot.loader.grub.device = "/dev/vda";
+ services.sslh = {
+ enable = true;
+ settings.protocols = [
+ {
+ host = "localhost";
+ name = "ssh";
+ port = "55555";
+ service = "ssh";
+ }
+ {
+ host = "localhost";
+ name = "tls";
+ port = "442";
+ }
+ ];
+ };
+
 # cgit
 users = {
 groups.git = { };
@@ -279,6 +296,7 @@ in {
 services.nginx.enable = true;
 services.nginx.clientMaxBodySize = "100m";
+ services.nginx.defaultSSLListenPort = 442;
 services.nginx.virtualHosts."beepboop.systems" = {
 forceSSL = true;
@@ -442,6 +460,6 @@ in {
 networking.firewall = {
 enable = true;
- allowedTCPPorts = [ 5232 55555 22 80 443 ];
+ allowedTCPPorts = [ 80 443 ];
 };
 }
diff --git a/flake.lock b/flake.lock
index 4f1b849..d53acea 100644
--- a/flake.lock
+++ b/flake.lock
@@ -210,11 +210,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-iemuV19UU8TriqixcvwdRUTa8lIrxc3Krwt4bHpUUWE=",
- "path": "/nix/store/gs6dzhqc1qncslkmwckp3q56y6i14w8s-source/builds",
+ "path": "/nix/store/26f187i54ky8clnmd0rbjvv8h3khgc5d-source/builds",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/gs6dzhqc1qncslkmwckp3q56y6i14w8s-source/builds",
+ "path": "/nix/store/26f187i54ky8clnmd0rbjvv8h3khgc5d-source/builds",
 "type": "path"
 }
 },
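Review bot: Both entries in the new `settings.protocols` list hand connections to `host = "localhost"`, so sshd on 55555 and nginx on 442 (the `defaultSSLListenPort` hunk below) will see every client as the loopback address; sshd's auth log, nginx's access log and anything that keys on client IP (allow/deny rules, rate limits, log-based banning) lose the real source. sslh also forwards connections it cannot classify before its probe timeout to the first listed protocol, which is `ssh` here, so idle or probing connections to 443 end up in sshd's log under 127.0.0.1. If real client addresses matter, sslh's transparent-proxy mode is the usual fix (the NixOS module's spelling of that option should be checked before relying on it); at minimum record the trade-off next to the block, e.g. `# sslh demuxes 443 -> sshd:55555 / nginx:442; backends see 127.0.0.1 as client unless transparent mode is enabled`. The enclosing attribute set (`in {`) starts and ends outside this hunk.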
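Review bot: `services.nginx.defaultSSLListenPort = 442;` moves every virtualHost's TLS listener off 443 with no comment, so a later reader will take it for a typo and "fix" it back, which would collide with sslh's listener on 443. nginx still binds 442 on its default listen addresses; the only thing keeping that port private is the firewall hunk at the end of the file, and that dependency should be stated where the port is set: `# TLS arrives on 443 via sslh and is demuxed to nginx here on 442; 442 must stay out of networking.firewall.allowedTCPPorts`.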
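Review bot: Removing 22 and 55555 from `allowedTCPPorts` leaves SSH reachable only through sslh on 443, but nothing in this patch moves sshd to 55555 (sslh's `ssh` target); unless `services.openssh.ports` already lists 55555 elsewhere in the file, the rebuild cuts off remote access, so that should be confirmed before deploying and the reason recorded inline, e.g. `# ssh only via sslh on 443 -> sshd:55555; 22/55555/442 deliberately closed`. Dropping 5232 likewise unexposes whatever was listening there (not visible in this hunk), which is the right direction only if that service is proxied by nginx or meant to be internal — worth a sentence in the commit message. This hunk ends at the file's closing brace, so the firewall block is complete here.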