From cb4ca64bd7f94af82bcec58bdd6cefc99f92284f Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Tue, 16 Jan 2024 13:55:18 +0300
Subject: [PATCH] Fix exposed ports
---
 modules/endlessh-go.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/modules/endlessh-go.nix b/modules/endlessh-go.nix
index 6c2eddc..d97982f 100644
--- a/modules/endlessh-go.nix
+++ b/modules/endlessh-go.nix
@@ -14,9 +14,13 @@ serverSystemConfiguration {
 nixpkgs.config.allowUnfree = true; # For pkgs.clash-geoip.
+ # services.endlessh-go.openFirewall exposes both the Prometheus
+ # exporters port and the SSH port, and we don't want the metrics
+ # to leak, so we manually expose this like so.
+ networking.firewall.allowedTCPPorts = [ config.services.endlessh-go.port ];
+
 services.endlessh-go = enabled {
- openFirewall = true;
- port = 22;
+ port = 22;
 extraOptions = [
 "-alsologtostderr"
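Review bot: Dropping `openFirewall` keeps the metrics port closed only at the host firewall; the exporter itself may still listen on every interface. Anything that relaxes or bypasses `networking.firewall` (a trusted interface, another module opening the same port, the firewall being turned off) would expose the metrics again. The Prometheus settings are not visible in this hunk and the `services.endlessh-go` block continues past it, so this is worth checking there. If the scraper runs on the same host, adding `prometheus.listenAddress = "127.0.0.1";` inside the block makes the restriction hold regardless of firewall state. The new comment would also read more clearly if it named what is opened, e.g. `# Open only the tarpit port; the exporter port must stay closed.`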