authorsinanmohd <sinan@sinanmohd.com>2024-02-11 20:17:49 +0530
committersinanmohd <sinan@sinanmohd.com>2024-02-11 21:06:35 +0530
commit7bb35b9e407422312c171802c7f5e583f353ba28 (patch)
treedd78df8c598e97edf346f897f4580ab5155ac0c0 /hosts/lia
parent05c7f64bd12d56f3fc066f61fc01351acb0ddb7b (diff)
hosts/kay,lia/sshfwd: init
Diffstat (limited to 'hosts/lia')
-rw-r--r--hosts/lia/configuration.nix1
-rw-r--r--hosts/lia/modules/sshfwd.nix22
-rw-r--r--hosts/lia/secrets.yaml31
3 files changed, 54 insertions, 0 deletions
diff --git a/hosts/lia/configuration.nix b/hosts/lia/configuration.nix
index 37ae805..4cc057e 100644
--- a/hosts/lia/configuration.nix
+++ b/hosts/lia/configuration.nix
@@ -7,6 +7,7 @@
./modules/network
./modules/users.nix
./modules/lxc.nix
+ ./modules/sshfwd.nix
];
}
diff --git a/hosts/lia/modules/sshfwd.nix b/hosts/lia/modules/sshfwd.nix
new file mode 100644
index 0000000..f86238b
--- /dev/null
+++ b/hosts/lia/modules/sshfwd.nix
@@ -0,0 +1,22 @@
+{ pkgs, config, ... }: {
+ sops.secrets."sshfwd/kay" = {};
+
+ environment.systemPackages = with pkgs; [ openssh ];
+ systemd.services."sshfwd" = {
+ description = "Forwarding port 22 to the Internet";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ # restart rather than stop+start this unit to prevent the
+ # network from dying during switch-to-configuration.
+ stopIfChanged = false;
+
+ path = [ pkgs.openssh ];
+ script = ''
+ echo -n "Forwarding port 22"
+ exec ssh -N lia@sinanmohd.com \
+ -R 0.0.0.0:2222:127.0.0.1:22 \
+ -i ${config.sops.secrets."sshfwd/kay".path}
+ '';
+ };
+}
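Review bot: The `ssh` call in `script` has no `-o ExitOnForwardFailure=yes`, so if the remote side refuses the `0.0.0.0:2222` listener (port already taken, or `GatewayPorts` not permitting the bind) the process stays connected with no forward and the unit still looks healthy. There is also no keepalive and no `Restart=` in the unit, so a stalled or dropped session is never re-established. Since the unit runs non-interactively, `-o BatchMode=yes` belongs here too, and the host key for sinanmohd.com should be pinned (for example via `programs.ssh.knownHosts`; nothing in this hunk shows it) so the client fails closed on a key mismatch. Because the `-R 0.0.0.0:2222` bind publishes this host's sshd on every interface of the remote, it is worth confirming that sshd here accepts keys only; that setting is outside this diff.

```nix
systemd.services."sshfwd" = {
  # … unchanged: description, wantedBy/after/wants, stopIfChanged, path …
  serviceConfig = {
    Restart = "always";
    RestartSec = 10;
  };
  # … unchanged: script opening and echo line …
    exec ssh -N lia@sinanmohd.com \
      -o BatchMode=yes \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 \
      -o ServerAliveCountMax=3 \
  # … unchanged: -R and -i arguments …
```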
diff --git a/hosts/lia/secrets.yaml b/hosts/lia/secrets.yaml
new file mode 100644
index 0000000..4438faf
--- /dev/null
+++ b/hosts/lia/secrets.yaml
@@ -0,0 +1,31 @@
+sshfwd:
+ kay: ENC[AES256_GCM,data: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,iv:Hy2AKc6IaEzR8rn5qjfBmkmplKhk30cdhgnMAfP0M20=,tag:b0GOdA8hrHwTl4ps4lFhhw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZzlrOEpXQmdLVyt1MFRS
+ Q2JUU0N1MVNzLzVLcWhMb25uL3VsLzJrdFRNCnI1OWZFTnpqc056M0RYd3gvS1Nr
+ N2VEU1kyU3JuYjhhaUtuajg2cjQ4LzQKLS0tIE5qZmlqVGN1WXhZWkw3dGwyNTdF
+ QTd0V2V3QVVHbnhRUUt6MkRzYm5zeEEKFkqGe6Eg1BEPLqMkxUg56hc+sn0p4KZV
+ kThyib3g0KsrHpQM05v4CK0h6qlf8HXwvwJVx9tis8Nck1IW3zS8Pw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6QzhPYXcxQ0lRS2VwaXQ4
+ V3JUVDJyenowSzhFenBKYlBEbGNXTFIxUjFNCjhmWm5aQ1lTcTJidzFiT2J4R2Ux
+ b2ZjTWQ5WWtOY1BpZHVJYzN4clNlU0kKLS0tIHpBWU5zQWNVTWZ0TTdSNFZodkVq
+ RG9hL2hlYjdaYTVJWVFlSE4xN1poUHcKe4BPaVEyc3W1hyu0jOQcEdZ1kl2aQLgZ
+ fHDs4kDeCcfJI/s5Cb/YD3cIp7HB6FBoe7LHiNiJbyJGR0wJecLqxg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-02-11T15:31:57Z"
+ mac: ENC[AES256_GCM,data:Z4ZJhpBrvd2R5xrnJ/C2C/SOsUepqSy2hrVzPnFi+nfIidHi5gV7oCh1ASR/uFrOZGilcUCuqOpi1tGDJiw+oYQTOhA8Gq92t6s3cVq63GRGwD0XhqWm8/1kULq6b4jyK9lN94sTDHHQVAYzzglOiaTgbBs6xLS/VpUSiJRK2QE=,iv:8OlSGg3YqoN1SKZGaXvD9u4dq0OYEBAKMLEUmByXD3I=,tag:3FJOS3mZLCc3D48m8yXBSg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1