From bb1dbae8187601cea2ddfbdcdc9baa456bc5b4ab Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 1 Feb 2016 17:40:25 +0100
Subject: [PATCH] tv: open ssh port by default

---
 tv/1systems/cd.nix      | 4 ----
 tv/1systems/nomic.nix   | 1 -
 tv/1systems/wu.nix      | 1 -
 tv/1systems/xu.nix      | 1 -
 tv/2configs/default.nix | 5 +++++
 5 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index da44f5077..6db78ca89 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -41,7 +41,6 @@ with lib;
       tv.iptables = {
         enable = true;
         input-internet-accept-new-tcp = [
-          "ssh"
           "tinc"
           "smtp"
           "xmpp-client"
@@ -58,10 +57,7 @@ with lib;
         "cgit.cd.krebsco.de"
         "cgit.cd.viljetic.de"
       ];
-    }
-    {
       # TODO make public_html also available to cd, cd.retiolum (AKA default)
-      tv.iptables.input-internet-accept-new-tcp = singleton "http";
       krebs.nginx.servers.public_html = {
         server-names = singleton "cd.viljetic.de";
         locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index b7e77e973..f176a5f23 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -17,7 +17,6 @@ with lib;
       tv.iptables = {
         enable = true;
         input-internet-accept-new-tcp = [
-          "ssh"
           "http"
           "tinc"
           "smtp"
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index f52bbc091..16709052b 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -129,7 +129,6 @@ with lib;
       tv.iptables = {
         enable = true;
         input-internet-accept-new-tcp = [
-          "ssh"
           "http"
           "tinc"
           "smtp"
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index 54e16868f..c6f1a393e 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -127,7 +127,6 @@ with lib;
       tv.iptables = {
         enable = true;
         input-internet-accept-new-tcp = [
-          "ssh"
           "http"
           "tinc"
           "smtp"
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 310077021..abe9d3de8 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -162,6 +162,10 @@ with lib;
       };
     }
 
+    {
+      tv.iptables.enable = true;
+    }
+
     {
       services.openssh = {
         enable = true;
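Review bot: The new `tv.iptables.enable = true;` set has no comment saying that it makes the firewall the default for every host importing this file. The `enable = true;` lines that remain as context in the `tv.iptables` blocks of cd.nix, nomic.nix, wu.nix and xu.nix are also now redundant. I would add `# firewall on by default; hosts only list the extra ports they accept` above the line and drop the per-host `enable = true;`, so there is a single place to audit. Hosts that import this file but did not enable `tv.iptables` before presumably become filtered by this change, which is worth stating in the commit message.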
@@ -169,6 +173,7 @@ with lib;
           { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
         ];
       };
+      tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
     }
 
     {
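Review bot: The added `tv.iptables.input-internet-accept-new-tcp = singleton "ssh";` exposes sshd to the internet on every host that imports this file, while the `services.openssh` set visible across these two hunks configures only `enable` and `hostKeys`. Unless it is set elsewhere, password authentication stays at the NixOS default, so I would pin it next to the rule with `passwordAuthentication = false;` inside `services.openssh` (option name as in the NixOS release in use). A short comment such as `# ssh is reachable from the internet on all hosts; key-only auth` would document the intent. One line of the set, between the two hunks, is not visible here.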