From 23d766c067c9e87d8cd0865de49c46db04b3548b Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Thu, 23 Sep 2021 15:22:02 +0200
Subject: [PATCH] Add SSH tunnel to a host
---
 machines/lasting-integrity/default.nix | 1 +
 modules/services/default.nix | 1 +
 modules/services/tunnel/default.nix | 23 +++++++++++++++++++++++
 secrets.nix | 3 +++
 secrets/files/services/tunnel/env.age | 13 +++++++++++++
 secrets/files/services/tunnel/key.age | Bin 0 -> 892 bytes
 6 files changed, 41 insertions(+)
 create mode 100644 modules/services/tunnel/default.nix
 create mode 100644 secrets/files/services/tunnel/env.age
 create mode 100644 secrets/files/services/tunnel/key.age
diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix
index dc111527..24eb6c94 100644
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@@ -96,6 +96,7 @@
 };
 nextcloud.enable = true;
 syncthing.enable = true;
+ tunnel.enable = true;
 };
 };
 }
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 3c333283..9b03d605 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -10,5 +10,6 @@
 ./nextcloud
 ./nginx
 ./syncthing
+ ./tunnel
 ];
 }
diff --git a/modules/services/tunnel/default.nix b/modules/services/tunnel/default.nix
new file mode 100644
index 00000000..e8de2c5a
--- /dev/null
+++ b/modules/services/tunnel/default.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+
+{
+ options.chvp.services.tunnel.enable = lib.mkOption {
+ default = false;
+ example = true;
+ };
+
+ config = lib.mkIf config.chvp.services.tunnel.enable {
+ networking.firewall.trustedInterfaces = [ "br-mailcow" ];
+ systemd.services.tunnel = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ script = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."files/services/tunnel/key".path} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o ControlPath=none -NT -p $SSH_PORT -L 0.0.0.0:9797:$CONN_HOST:$CONN_PORT $USER@$SSH_HOST";
+ serviceConfig = {
+ EnvironmentFile = config.age.secrets."files/services/tunnel/env".path;
+ };
+ };
+
+ age.secrets."files/services/tunnel/key".file = ../../../secrets/files/services/tunnel/key.age;
+ age.secrets."files/services/tunnel/env".file = ../../../secrets/files/services/tunnel/env.age;
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index c51d65e6..d53b2ed7 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -46,6 +46,9 @@ in "secrets/passwords/services/syncthing-basic-auth.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/files/services/tunnel/key.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/files/services/tunnel/env.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users; "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users;
diff --git a/secrets/files/services/tunnel/env.age b/secrets/files/services/tunnel/env.age
new file mode 100644
index 00000000..e9b98c22
--- /dev/null
+++ b/secrets/files/services/tunnel/env.age
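Review bot: `networking.firewall.trustedInterfaces = [ "br-mailcow" ]` accepts every port from that bridge, while the only thing this module exposes is the listener bound by `-L 0.0.0.0:9797:...`; if the goal is to let the mailcow containers reach the tunnel, `networking.firewall.interfaces."br-mailcow".allowedTCPPorts = [ 9797 ];` grants just that, and because the bind is a wildcard the firewall is the only thing keeping 9797 off the host's other interfaces. The unit also has no restart policy: `ServerAliveInterval=60` and `ExitOnForwardFailure=yes` make ssh exit when the link or the forward dies, after which the unit stays failed, so `Restart = "always"; RestartSec = "10s";` belong in `serviceConfig` next to `EnvironmentFile`. `serviceConfig` sets no `User=`, so ssh runs as root and checks the remote against root's known_hosts; unless that file already contains `$SSH_HOST`, the non-interactive connection will fail host key verification, so declaring the host key (for example via `programs.ssh.knownHosts`) is worth adding alongside this hunk rather than relying on first-use state.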
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 yad4VQ 4EZbasW5A0791VTZy5+OBXLVJ+/G5kTRvlnMeg4lSDg +Aj4iFFHEjEW0SyMrgQTt9hcAed42N/jL60FjARqlHFo +-> ssh-ed25519 s9rb8g cRHZludrYSvCJy15kHhxUH516CfOtwQ3VEk4FYJdW2U +NbzPbwg5rkgzVAFeHJqfpFdExIMexIZpdLBZFz1miHE +-> ssh-ed25519 hKAFvQ rNrDoQWNd76bpvoWFh31ClZQ5VIRAfe2BDEpS/bN0Ug +6uKJeY1fL3pryI9ynX9dVEXrsLQg+hrBvkz0FY2fOUI +-> k-grease M=!N`9 6bU +CtgiHxZfRbY81i9AiltE2ZY0M2xFtIZ7Q7ClL49HU67SimSdJxSLC382I0xk08O9 +3JRWjOQqvRtcSosB +--- vUl2LYnVGXcLs4jdkc9IDYX7HM78TCPTJ5BCvD6fJ1Q +PV매I MRyPP6E^.Kk2%oD: مA>Ib><< A +z[!%P)ХR-z$܃<7q:݉f \ No newline at end of file diff --git a/secrets/files/services/tunnel/key.age b/secrets/files/services/tunnel/key.age new file mode 100644 index 0000000000000000000000000000000000000000..72f3d0dd432d2e36e07e981c0821e8a8a1e30d59 GIT binary patch literal 892 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyOiVEe3slI_eB3+@VC_mIUB*)yvSl`{T ztkf_g)x|xkAkrhOMBCpivbex9H!vuqpeWecJ(4RT(^ucpu*yf@&B>?GS>MRTDAGGp z+c+a2(KtKZ-7+~dD!3@S!YIGoyByuN3~xubvOoprk_unWMX8C!sS4T(S_aPXRtiyWhK>r383}Q|T=}Wqeo@+< z$=SZ?<^>iOCS1C@x(eAY>52NmfnJ7AX+@^4+TkIF{yF94p&`i?LEd?8CK39nh2>Qi zp=Lp0j$B7B9aq-p{W&Y$>fBz7pqUJ!KlZPb4)NRVz4T|v?rFu>a*G_7PG_HUm(ezG z(j+d8&D(bslo;RlyJqwto%pxTB5du-bP|x$K(fCu)!W@X=s1?Ppw4vFv;ezocV-_p2G3 zb$_3ovnR2I|B}Ol?=C7QHKsUrvUrx^n81 zcEk6Fnv7Q^q&xOqa$