Diffstat (limited to 'etc')
-rw-r--r-- etc/ssh/sshd_config | 21
-rw-r--r-- etc/systemd/system/monerod@.service | 4
2 files changed, 22 insertions, 3 deletions
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config index d5d12057..bf7498f8 100644 --- a/etc/ssh/sshd_config +++ b/etc/ssh/sshd_config @@ -9,7 +9,26 @@ KbdInteractiveAuthentication no UsePAM yes # when ssh into this remote server, client if use alacritty need `SendEnv COLORTERM` to send the env to server, so server ls can default output color, more see comments in my alacritty.toml config AcceptEnv COLORTERM -AllowUsers gitolite@10.0.0.0/24 + +# https://unix.stackexchange.com/a/472848 wrote about sshd_config AllowUsers +# CIDR address: "Notice that that will not work with 'inconsistent' addresses +# (where the bits outside the mask are not all 0, eg. 192.168.177.0/22)". My +# understanding is that 177 in binary is 10110001, 32-22=10 so 192.168.177.0 +# last 10 binary are 0100000000, note there's a 1 so it will not work; and +# 192.168.176.0/22 works because its last 10 binary are all 0. `man +# sshd_config` also wrote about this: "Note that the mask length provided must +# be consistent with the address - it is an error to specify a mask length that +# is too long for the address or one with bits set in this host portion of the +# address. For example, 192.0.2.0/33 and 192.0.2.0/8, respectively."; the +# second part of the comment "one with bits set in this host portion of the +# address" with the example CIDR ip 192.0.2.0/8 matched my understanding above, +# 192.0.2.0/8 has a 2 which is 10 in binary which is a bit set "in" the CIDR /8 +# range, so it will not work. Just before that quote, it also gives an example +# of 192.0.2.0/24 which should work. Not tested. +# +# My test shows `AllowUsers gitolite@localhost` does not work, so I use +# 127.0.0.1 and ::1 +AllowUsers gitolite@10.0.0.0/24 gitolite@127.0.0.1 gitolite@::1 # Include drop-in configurations Include /etc/ssh/sshd_config.d/*.conf diff --git a/etc/systemd/system/monerod@.service b/etc/systemd/system/monerod@.service index 9d0651c4..bcdbb700 100644 --- a/etc/systemd/system/monerod@.service 
+++ b/etc/systemd/system/monerod@.service @@ -5,7 +5,7 @@ After=network.target # Notes about my tests with BindsTo= and other options see this url: # https://git.flylightning.xyz/public_archive_codes/tree/configs/configs_root_dir/etc/systemd/system/monerod_after_bindsto_mullvad.service - +# # I learned about using sys-subsystem-net-devices-wg_ba.device from: # https://unix.stackexchange.com/q/360214 # https://unix.stackexchange.com/q/669660 @@ -16,7 +16,7 @@ After=network.target # sys-subsystem-net-devices-wg_ba.device shows "Device:" is also # /sys/devices/virtual/net/wg_ba, so I choose to use # sys-subsystem-net-devices-wg_ba.device. - +# # I want monerod tunnel all traffic through wireguard, otherwise China ISP will # think I mine crypto and will be unhappy. This is one of the measures I take, # which is to only run monerod when wg_ba network interface is up. **Note it |
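Review bot: in the sshd_config hunk (`@@ -9,7 +9,26 @@`) the new comment block ends with "Not tested." although the `man sshd_config` text it quotes says an inconsistent mask length is an error, so the cheap check is `sshd -t` against the edited file before reloading; that also confirms the `gitolite@::1` entry parses. The CIDR reasoning itself holds (177 = 10110001, and /22 leaves the low two bits of the third octet plus the whole fourth octet as host bits, so 192.168.177.0/22 has a set host bit while 192.168.176.0/22 does not), but seventeen lines of derivation is a lot for a config file: keep the two URLs and the one-line conclusion and move the rest to the commit message. The `localhost` observation is consistent with AllowUsers host patterns being matched against the client address rather than a name when DNS lookups are off, which is worth a few words in the comment instead of just "does not work". Behaviourally this is a small, bounded widening: gitolite stays the only permitted user and the only new sources are the two loopback addresses.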
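Review bot: the comment in the second monerod@.service hunk (`@@ -16,7 +16,7 @@`) states the goal as tunnelling all monerod traffic through wireguard, but the mechanism it describes, only running monerod when wg_ba is up via sys-subsystem-net-devices-wg_ba.device, is a start-time dependency, not a traffic constraint: it does not keep a running daemon from using the default route if the tunnel's routes are missing or go away later. Since the text already calls this "one of the measures", the comment should name the routing or firewall rule that actually pins monerod's egress to wg_ba, so the next reader does not mistake the device dependency for an egress guarantee. The blank-line-to-`#` edits in both monerod hunks are cosmetic and fine.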