Diffstat (limited to 'nix/deuxfleurs.nix')
-rw-r--r-- | nix/deuxfleurs.nix | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index f9fd068..43e8c91 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -328,12 +328,14 @@ in
 rpc_hold_timeout = "70s";
 };
- ca_file = "/var/lib/consul/pki/consul-ca.crt";
- cert_file = "/var/lib/consul/pki/consul.crt";
- key_file = "/var/lib/consul/pki/consul.key";
- verify_incoming = true;
- verify_outgoing = true;
- verify_server_hostname = true;
+ tls.defaults = {
+ ca_file = "/var/lib/consul/pki/consul-ca.crt";
+ cert_file = "/var/lib/consul/pki/consul.crt";
+ key_file = "/var/lib/consul/pki/consul.key";
+ verify_incoming = true;
+ verify_outgoing = true;
+ };
+ tls.internal_rpc.verify_server_hostname = true;
 };
 services.nomad.enable = true;
@@ -410,8 +412,8 @@ in
 enable = true;
 allowedTCPPorts = [
- # Allow anyone to connect on SSH port
- (head ({ openssh.ports = [22]; } // config.services).openssh.ports)
+ # Allow anyone to connect on SSH port on tcp/110, port 22 is used by forgejo
+ (head ({ openssh.ports = [ 110 ]; } // config.services).openssh.ports)
 ];
 allowedUDPPorts = [
@@ -419,6 +421,12 @@ in
 cfg.wireguardPort
 ];
+ # Don't spam logs with refused connections
+ logRefusedConnections = false;
+
+ # Use REJECT instead of DROP, to avoid timeouts (e.g. when trying to connect to the wrong SSH port)
+ rejectPackets = true;
+
 # Allow specific hosts access to specific things in the cluster
 extraCommands = ''
 # Allow UDP packets comming from port 1900 from a local address, |
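Review bot: The `tls.defaults` / `tls.internal_rpc` layout is the newer Consul configuration form of these settings, and nothing in the hunk records that version floor, so a later pin or downgrade of the Consul package would silently leave the flat keys expected by older releases unset. Add above `tls.defaults = {` a comment such as `# Consul tls stanza (newer config format); verify_server_hostname is only honoured under internal_rpc`. As I read the Consul semantics, `verify_incoming = true` under `defaults` also applies to the HTTPS and gRPC listeners, so any API client without a client certificate is refused — if that is intended (it matches the old flat key), say so in the same comment so nobody "fixes" it later. The enclosing Consul settings attribute set starts before and ends after this hunk.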
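Review bot: The `[ 110 ]` literal on the new `(head ({ openssh.ports = [ 110 ]; } // config.services).openssh.ports)` line does not open tcp/110: `//` is a shallow merge, so whenever `config.services` has an `openssh` attribute (it always does on NixOS) the whole `openssh` set on the right wins and the expression reduces to `head config.services.openssh.ports`. Unless `services.openssh.ports = [ 110 ];` is set elsewhere, this opens the sshd default tcp/22 — the port the new comment says forgejo uses — while the comment claims tcp/110. Either set the port explicitly in this module and open `(head config.services.openssh.ports)` with the comment `# Open sshd's configured port (services.openssh.ports; 22 is taken by forgejo)`, or drop the misleading fallback literal; the enclosing firewall attribute set starts outside the hunk, so I cannot see whether the port is set nearby.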
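Review bot: The two new firewall options trade away observability and some exposure, but their comments only give the convenience rationale. `logRefusedConnections = false;` removes refused-connection entries from the journal, so connection attempts against closed ports leave no firewall-level trace for incident review; `rejectPackets = true;` makes the host answer closed ports with a reject instead of silently dropping, which confirms the host is live and lets a remote party tell closed from filtered ports. Both may be acceptable for this cluster, but record the trade-off where the next maintainer will see it, e.g. `# Don't log refused connections (loses the firewall's record of probes; rely on service logs)` and `# REJECT instead of DROP: fast failure for misdirected clients, at the cost of revealing which ports are closed`.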