authorsinanmohd <sinan@sinanmohd.com>2024-02-11 20:17:49 +0530
committersinanmohd <sinan@sinanmohd.com>2024-02-11 21:06:35 +0530
commit7bb35b9e407422312c171802c7f5e583f353ba28 (patch)
treedd78df8c598e97edf346f897f4580ab5155ac0c0 /hosts/kay/modules/sshfwd.nix
parent05c7f64bd12d56f3fc066f61fc01351acb0ddb7b (diff)
hosts/kay,lia/sshfwd: init
Diffstat (limited to 'hosts/kay/modules/sshfwd.nix')
-rw-r--r--hosts/kay/modules/sshfwd.nix28
1 files changed, 28 insertions, 0 deletions
diff --git a/hosts/kay/modules/sshfwd.nix b/hosts/kay/modules/sshfwd.nix
new file mode 100644
index 0000000..0f0d3c3
--- /dev/null
+++ b/hosts/kay/modules/sshfwd.nix
@@ -0,0 +1,28 @@
+{ ... }: let
+ group = "sshfwd";
+in {
+ networking.firewall.allowedTCPPorts = [ 2222 ];
+
+ users = {
+ groups.${group}.members = [];
+
+ users."lia" = {
+ inherit group;
+ isSystemUser = true;
+
+ openssh.authorizedKeys.keys
+ = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" ];
+ };
+ };
+
+ services.openssh.extraConfig = ''
+ Match Group ${group}
+ ForceCommand echo 'this account is only usable for forwarding'
+ PermitTunnel no
+ AllowAgentForwarding no
+ X11Forwarding no
+
+ AllowTcpForwarding yes
+ GatewayPorts yes
+ '';
+}
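Review bot: The `Match Group ${group}` block grants more forwarding than a forwarding-only account needs. `AllowTcpForwarding yes` permits local forwards as well as remote ones, so whoever holds the `lia` key can reach any host and port that kay can reach, including services bound only to loopback. Nothing restricts which port a remote forward may bind either, and `GatewayPorts yes` puts every such listener on all interfaces. If the intent is only a reverse forward on the opened port 2222 (inferred from `allowedTCPPorts`, not stated in the commit), narrow it with `AllowTcpForwarding remote`, `PermitListen 2222` and `AllowStreamLocalForwarding no`. Adding `PermitTTY no` alongside the `ForceCommand` would close off the pty as well.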