From bb82106913e2dd6a98bd98c8fddcf8b2b5fa6f71 Mon Sep 17 00:00:00 2001
From: John Gallagher <john@oxidecomputer.com>
Date: Fri, 6 Oct 2023 15:44:49 -0400
Subject: [PATCH] minor cleanup

---
 common/src/address.rs           | 8 +++++++-
 wicket/zone-etc/ssh/sshd_config | 4 ----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/common/src/address.rs b/common/src/address.rs
index b5c7f4e912f..baa344ef220 100644
--- a/common/src/address.rs
+++ b/common/src/address.rs
@@ -47,8 +47,14 @@ pub const CRUCIBLE_PANTRY_PORT: u16 = 17000;
 
 pub const NEXUS_INTERNAL_PORT: u16 = 12221;
 
-/// TODO docs
+/// The port on which Nexus exposes its external API on the underlay network.
+///
+/// This is used by the `wicketd` Nexus proxy to allow external API access via
+/// the rack's tech port.
 pub const NEXUS_TECHPORT_EXTERNAL_PORT: u16 = 12228;
+
+/// The port on which `wicketd` runs a Nexus external API proxy on the tech port
+/// interface(s).
 pub const WICKETD_NEXUS_PROXY_PORT: u16 = 12229;
 
 pub const NTP_PORT: u16 = 123;
diff --git a/wicket/zone-etc/ssh/sshd_config b/wicket/zone-etc/ssh/sshd_config
index 02eb445651e..b2e7cef99ed 100644
--- a/wicket/zone-etc/ssh/sshd_config
+++ b/wicket/zone-etc/ssh/sshd_config
@@ -37,10 +37,6 @@ Match User wicket
         AuthenticationMethods none
         ForceCommand /opt/oxide/wicket/bin/wicket
 
-        # Allow TCP port forwarding to wicketd's nexus proxy; port number
-        # matches `WICKETD_NEXUS_PROXY_PORT`
-        PermitOpen [::1]:12229
-
 Match User support
         PubkeyAuthentication yes
         AuthenticationMethods publickey