-rw-r--r--.sops.yaml6
-rw-r--r--hosts/kay/configuration.nix1
-rw-r--r--hosts/kay/modules/dns/sinanmohd.com.zone2
-rw-r--r--hosts/kay/modules/sshfwd.nix28
-rw-r--r--hosts/lia/configuration.nix1
-rw-r--r--hosts/lia/modules/sshfwd.nix22
-rw-r--r--hosts/lia/secrets.yaml31
7 files changed, 90 insertions, 1 deletions
diff --git a/.sops.yaml b/.sops.yaml
index 4e448f1..84ea125 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
- &cez age1nur989fnjmfgfk54ctczrwg25epqqr0xgkl5d4swfxka9aw6cdrqdawvaq
- &kay age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ - &lia age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x
- &dspace age15hsgvg3tz9lql0jpr5x8pm66r42kemd65fpz0wa6t8nhvwrxygcssjxd9c
- &fscusat age1yqma4xm4qss787cnwv2v7j2e0eswhm5k9f27n6zhp74euyydv9essxdrmn
@@ -17,6 +18,11 @@ creation_rules:
age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv,
age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ - path_regex: ^hosts/lia/.*
+ age: >-
+ age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv,
+ age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x
+
- path_regex: ^hosts/dspace/.*
age: >-
age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv,
diff --git a/hosts/kay/configuration.nix b/hosts/kay/configuration.nix
index 97172d0..78385d1 100644
--- a/hosts/kay/configuration.nix
+++ b/hosts/kay/configuration.nix
@@ -8,6 +8,7 @@
./modules/sftp.nix
./modules/acme.nix
./modules/dns
+ ./modules/sshfwd.nix
../../common.nix
];
diff --git a/hosts/kay/modules/dns/sinanmohd.com.zone b/hosts/kay/modules/dns/sinanmohd.com.zone
index 2ea2925..05f7cef 100644
--- a/hosts/kay/modules/dns/sinanmohd.com.zone
+++ b/hosts/kay/modules/dns/sinanmohd.com.zone
@@ -2,7 +2,7 @@ $ORIGIN sinanmohd.com.
$TTL 2d
@ IN SOA ns1 sinan (
- 2024020800 ; serial
+ 2024020840 ; serial
2h ; refresh
5m ; retry
1d ; expire
diff --git a/hosts/kay/modules/sshfwd.nix b/hosts/kay/modules/sshfwd.nix
new file mode 100644
index 0000000..0f0d3c3
--- /dev/null
+++ b/hosts/kay/modules/sshfwd.nix
@@ -0,0 +1,28 @@
+{ ... }: let
+ group = "sshfwd";
+in {
+ networking.firewall.allowedTCPPorts = [ 2222 ];
+
+ users = {
+ groups.${group}.members = [];
+
+ users."lia" = {
+ inherit group;
+ isSystemUser = true;
+
+ openssh.authorizedKeys.keys
+ = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" ];
+ };
+ };
+
+ services.openssh.extraConfig = ''
+ Match Group ${group}
+ ForceCommand echo 'this account is only usable for forwarding'
+ PermitTunnel no
+ AllowAgentForwarding no
+ X11Forwarding no
+
+ AllowTcpForwarding yes
+ GatewayPorts yes
+ '';
+}
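Review bot: The Match block for the `sshfwd` group grants the `lia` account broader forwarding than the one remote forward it exists for: `AllowTcpForwarding yes` also permits local (`-L`) forwards through kay, and with `GatewayPorts yes` and no `PermitListen` the account may bind any free port on kay's public address rather than only 2222. Tightening the block to `AllowTcpForwarding remote` and `PermitListen 2222` (and `PermitTTY no` next to the ForceCommand) limits the account to exactly the tunnel that hosts/lia/modules/sshfwd.nix sets up. Since NixOS appends `extraConfig` at the end of sshd_config, the `Match` placement looks correct, but presumably any later `extraConfig` fragment contributed by another module would fall inside this Match; a closing `Match all` line would fence it off.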
diff --git a/hosts/lia/configuration.nix b/hosts/lia/configuration.nix
index 37ae805..4cc057e 100644
--- a/hosts/lia/configuration.nix
+++ b/hosts/lia/configuration.nix
@@ -7,6 +7,7 @@
./modules/network
./modules/users.nix
./modules/lxc.nix
+ ./modules/sshfwd.nix
];
}
diff --git a/hosts/lia/modules/sshfwd.nix b/hosts/lia/modules/sshfwd.nix
new file mode 100644
index 0000000..f86238b
--- /dev/null
+++ b/hosts/lia/modules/sshfwd.nix
@@ -0,0 +1,22 @@
+{ pkgs, config, ... }: {
+ sops.secrets."sshfwd/kay" = {};
+
+ environment.systemPackages = with pkgs; [ openssh ];
+ systemd.services."sshfwd" = {
+ description = "Forwarding port 22 to the Internet";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ # restart rather than stop+start this unit to prevent the
+ # network from dying during switch-to-configuration.
+ stopIfChanged = false;
+
+ path = [ pkgs.openssh ];
+ script = ''
+ echo -n "Forwarding port 22"
+ exec ssh -N lia@sinanmohd.com \
+ -R 0.0.0.0:2222:127.0.0.1:22 \
+ -i ${config.sops.secrets."sshfwd/kay".path}
+ '';
+ };
+}
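Review bot: The ssh invocation in the `script` does not say how kay's host key is verified; the unit runs as root without a TTY, so with the presumably default `StrictHostKeyChecking ask` the connection fails with "Host key verification failed" unless root's known_hosts already contains sinanmohd.com. Pin the key declaratively instead of relaxing checking, e.g. `programs.ssh.knownHosts."sinanmohd.com".publicKey = "<kay host public key — not on this page>";`. The unit also sets no `serviceConfig.Restart`, so a dropped connection leaves the tunnel down until the next boot or switch; add `serviceConfig = { Restart = "always"; RestartSec = 5; };` and pass `-o ExitOnForwardFailure=yes -o ServerAliveInterval=30` so a failed or dead remote forward makes ssh exit and get restarted rather than sit idle. The `environment.systemPackages` entry for openssh is redundant with `path = [ pkgs.openssh ]` for the unit's purposes, though harmless.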
diff --git a/hosts/lia/secrets.yaml b/hosts/lia/secrets.yaml
new file mode 100644
index 0000000..4438faf
--- /dev/null
+++ b/hosts/lia/secrets.yaml
@@ -0,0 +1,31 @@
+sshfwd:
+ kay: ENC[AES256_GCM,data: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,iv:Hy2AKc6IaEzR8rn5qjfBmkmplKhk30cdhgnMAfP0M20=,tag:b0GOdA8hrHwTl4ps4lFhhw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZzlrOEpXQmdLVyt1MFRS
+ Q2JUU0N1MVNzLzVLcWhMb25uL3VsLzJrdFRNCnI1OWZFTnpqc056M0RYd3gvS1Nr
+ N2VEU1kyU3JuYjhhaUtuajg2cjQ4LzQKLS0tIE5qZmlqVGN1WXhZWkw3dGwyNTdF
+ QTd0V2V3QVVHbnhRUUt6MkRzYm5zeEEKFkqGe6Eg1BEPLqMkxUg56hc+sn0p4KZV
+ kThyib3g0KsrHpQM05v4CK0h6qlf8HXwvwJVx9tis8Nck1IW3zS8Pw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6QzhPYXcxQ0lRS2VwaXQ4
+ V3JUVDJyenowSzhFenBKYlBEbGNXTFIxUjFNCjhmWm5aQ1lTcTJidzFiT2J4R2Ux
+ b2ZjTWQ5WWtOY1BpZHVJYzN4clNlU0kKLS0tIHpBWU5zQWNVTWZ0TTdSNFZodkVq
+ RG9hL2hlYjdaYTVJWVFlSE4xN1poUHcKe4BPaVEyc3W1hyu0jOQcEdZ1kl2aQLgZ
+ fHDs4kDeCcfJI/s5Cb/YD3cIp7HB6FBoe7LHiNiJbyJGR0wJecLqxg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-02-11T15:31:57Z"
+ mac: ENC[AES256_GCM,data:Z4ZJhpBrvd2R5xrnJ/C2C/SOsUepqSy2hrVzPnFi+nfIidHi5gV7oCh1ASR/uFrOZGilcUCuqOpi1tGDJiw+oYQTOhA8Gq92t6s3cVq63GRGwD0XhqWm8/1kULq6b4jyK9lN94sTDHHQVAYzzglOiaTgbBs6xLS/VpUSiJRK2QE=,iv:8OlSGg3YqoN1SKZGaXvD9u4dq0OYEBAKMLEUmByXD3I=,tag:3FJOS3mZLCc3D48m8yXBSg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1