Add SSH tunnel to a host

2021-09-23 15:22:02 +02:00 · 2021-09-23 15:22:02 +02:00 · 23d766c067
commit 23d766c067
parent df51bc9eb8
6 changed files with 41 additions and 0 deletions
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@ -96,6 +96,7 @@
      };
      nextcloud.enable = true;
      syncthing.enable = true;
      tunnel.enable = true;
    };
  };
 }
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -10,5 +10,6 @@
    ./nextcloud
    ./nginx
    ./syncthing
    ./tunnel
  ];
 }
--- a/modules/services/tunnel/default.nix
+++ b/modules/services/tunnel/default.nix
@ -0,0 +1,23 @@
 { config, pkgs, lib, ... }:
 {
  options.chvp.services.tunnel.enable = lib.mkOption {
    default = false;
    example = true;
  };
  config = lib.mkIf config.chvp.services.tunnel.enable {
    networking.firewall.trustedInterfaces = [ "br-mailcow" ];
    systemd.services.tunnel = {
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      script = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."files/services/tunnel/key".path} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o ControlPath=none -NT -p $SSH_PORT -L 0.0.0.0:9797:$CONN_HOST:$CONN_PORT $USER@$SSH_HOST";
      serviceConfig = {
        EnvironmentFile = config.age.secrets."files/services/tunnel/env".path;
      };
    };
    age.secrets."files/services/tunnel/key".file = ../../../secrets/files/services/tunnel/key.age;
    age.secrets."files/services/tunnel/env".file = ../../../secrets/files/services/tunnel/env.age;
  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -46,6 +46,9 @@ in
  "secrets/passwords/services/syncthing-basic-auth.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/files/services/tunnel/key.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/files/services/tunnel/env.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users;
  "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users;
--- a/secrets/files/services/tunnel/env.age
+++ b/secrets/files/services/tunnel/env.age
@ -0,0 +1,13 @@
 age-encryption.org/v1
 -> ssh-ed25519 yad4VQ 4EZbasW5A0791VTZy5+OBXLVJ+/G5kTRvlnMeg4lSDg
 Aj4iFFHEjEW0SyMrgQTt9hcAed42N/jL60FjARqlHFo
 -> ssh-ed25519 s9rb8g cRHZludrYSvCJy15kHhxUH516CfOtwQ3VEk4FYJdW2U
 NbzPbwg5rkgzVAFeHJqfpFdExIMexIZpdLBZFz1miHE
 -> ssh-ed25519 hKAFvQ rNrDoQWNd76bpvoWFh31ClZQ5VIRAfe2BDEpS/bN0Ug
 6uKJeY1fL3pryI9ynX9dVEXrsLQg+hrBvkz0FY2fOUI
 -> k-grease M=!N`9 6bU
 CtgiHxZfRbY81i9AiltE2ZY0M2xFtIZ7Q7ClL49HU67SimSdJxSLC382I0xk08O9
 3JRWjOQqvRtcSosB
 --- vUl2LYnVGXcLs4jdkc9IDYX7HM78TCPTJ5BCvD6fJ1Q
 PVæë§¤³I
ªºM„ ö<C2A0>ÄRyÙPPå±6E^.K¦’k<>²ÀÚ2%åÇoD€Ÿ:Õ
Ù…ÃA£‰û>Ib><æ¥Ö<
ÆAæ	ð
 z[!Þ%PØ)«Ð¥ïR-çz$Üƒ<7´qú:ú<>ïÝ‰f¼
--- a/secrets/files/services/tunnel/key.age
+++ b/secrets/files/services/tunnel/key.age