From 89d86413dd4cfda33284e1ed87683d2f50e836da Mon Sep 17 00:00:00 2001
From: lightly-toasted
Date: Tue, 18 Nov 2025 16:12:17 +0900
Subject: [PATCH] feat(vps): enable Tailscale SSH

- Remove port 22 from firewall
- Add --ssh to tailscale up flags
---
 hosts/vps/modules/network.nix | 2 +-
 hosts/vps/modules/services/openssh.nix | 1 +
 hosts/vps/modules/services/tailscale.nix | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/hosts/vps/modules/network.nix b/hosts/vps/modules/network.nix
index 71c955f..710509f 100644
--- a/hosts/vps/modules/network.nix
+++ b/hosts/vps/modules/network.nix
@@ -5,7 +5,7 @@
 networking.domain = "";
 networking.firewall = {
 enable = true;
- allowedTCPPorts = [ 22 80 443 ];
+ allowedTCPPorts = [ 80 443 ];
 };
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 }
diff --git a/hosts/vps/modules/services/openssh.nix b/hosts/vps/modules/services/openssh.nix
index 728a51e..808e42e 100644
--- a/hosts/vps/modules/services/openssh.nix
+++ b/hosts/vps/modules/services/openssh.nix
@@ -1,6 +1,7 @@
 {
 services.openssh = {
 enable = true;
+ openFirewall = false;
 settings = {
 PasswordAuthentication = false;
 PermitRootLogin = "prohibit-password";
diff --git a/hosts/vps/modules/services/tailscale.nix b/hosts/vps/modules/services/tailscale.nix
index 85f7a0d..da69499 100644
--- a/hosts/vps/modules/services/tailscale.nix
+++ b/hosts/vps/modules/services/tailscale.nix
@@ -8,5 +8,6 @@
 authKeyFile = config.sops.secrets."tailscale/authkey".path;
 useRoutingFeatures = "both";
 permitCertUid = "caddy";
+ extraUpFlags = [ "--ssh" ];
 };
 }
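Review bot: Dropping 22 from `allowedTCPPorts` makes Tailscale SSH the only remote path onto this host, so an expired auth key, a tailscaled failure or a bad tailnet ACL push leaves no way back in except the provider console; the line should record that dependency, e.g. `allowedTCPPorts = [ 80 443 ]; # 22 intentionally closed: remote SSH is Tailscale SSH only (services/tailscale.nix); provider console is the fallback`. Tailscale SSH is terminated inside tailscaled over the tunnel rather than through a host-listening port, so as far as I understand the mechanism the firewall change itself does not break it, but it is worth confirming a Tailscale SSH session works on this node before the rebuild that closes 22, because the tailscale.nix change only takes effect once `tailscale up` actually runs with the new flag.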
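Review bot: With `openFirewall = false` and Tailscale SSH enabled, the hardening directly below it — `PasswordAuthentication = false`, `PermitRootLogin = "prohibit-password"` — no longer governs the login path actually in use: Tailscale SSH sessions are authorized from the tailnet ACL `ssh` rules and Tailscale identity, not from sshd's config or the host's authorized_keys, so root access policy for remote logins now lives outside this file. sshd itself stays enabled and listening on every interface, which is acceptable as an unreachable-by-default fallback but should be stated, e.g. `# sshd is kept only as an out-of-band fallback; normal logins arrive via Tailscale SSH, whose user/root policy is the tailnet ACL, not these settings`. If no fallback is intended, disabling sshd is the smaller attack surface. The `settings` block continues outside the hunk.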
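Review bot: `extraUpFlags` is only applied when the NixOS autoconnect unit actually runs `tailscale up`, which, if I read the module correctly, it skips when the node is already connected; on an already-enrolled host `--ssh` will therefore not take effect until the node re-authenticates, while network.nix has already closed port 22. Where the module version in use supports it, `extraSetFlags = [ "--ssh" ];` is applied through `tailscale set` on every start and is the idempotent way to carry this preference. A short comment noting that Tailscale SSH also requires a matching `ssh` rule in the tailnet ACL, e.g. `# Tailscale SSH: access is granted by the tailnet ACL "ssh" section, not by sshd`, would save the next reader a lockout investigation. The enclosing attribute set closes inside the hunk.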