-rw-r--r-- | .sops.yaml | 6 | ||||
-rw-r--r-- | hosts/kay/configuration.nix | 1 | ||||
-rw-r--r-- | hosts/kay/modules/dns/sinanmohd.com.zone | 2 | ||||
-rw-r--r-- | hosts/kay/modules/sshfwd.nix | 28 | ||||
-rw-r--r-- | hosts/lia/configuration.nix | 1 | ||||
-rw-r--r-- | hosts/lia/modules/sshfwd.nix | 22 | ||||
-rw-r--r-- | hosts/lia/secrets.yaml | 31 |
7 files changed, 90 insertions, 1 deletions
@@ -3,6 +3,7 @@ keys: - &cez age1nur989fnjmfgfk54ctczrwg25epqqr0xgkl5d4swfxka9aw6cdrqdawvaq - &kay age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm + - &lia age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x - &dspace age15hsgvg3tz9lql0jpr5x8pm66r42kemd65fpz0wa6t8nhvwrxygcssjxd9c - &fscusat age1yqma4xm4qss787cnwv2v7j2e0eswhm5k9f27n6zhp74euyydv9essxdrmn @@ -17,6 +18,11 @@ creation_rules: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv, age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm + - path_regex: ^hosts/lia/.* + age: >- + age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv, + age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x + - path_regex: ^hosts/dspace/.* age: >- age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv, diff --git a/hosts/kay/configuration.nix b/hosts/kay/configuration.nix index 97172d0..78385d1 100644 --- a/hosts/kay/configuration.nix +++ b/hosts/kay/configuration.nix @@ -8,6 +8,7 @@ ./modules/sftp.nix ./modules/acme.nix ./modules/dns + ./modules/sshfwd.nix ../../common.nix ]; diff --git a/hosts/kay/modules/dns/sinanmohd.com.zone b/hosts/kay/modules/dns/sinanmohd.com.zone index 2ea2925..05f7cef 100644 --- a/hosts/kay/modules/dns/sinanmohd.com.zone +++ b/hosts/kay/modules/dns/sinanmohd.com.zone @@ -2,7 +2,7 @@ $ORIGIN sinanmohd.com. $TTL 2d @ IN SOA ns1 sinan ( - 2024020800 ; serial + 2024020840 ; serial 2h ; refresh 5m ; retry 1d ; expire diff --git a/hosts/kay/modules/sshfwd.nix b/hosts/kay/modules/sshfwd.nix new file mode 100644 index 0000000..0f0d3c3 --- /dev/null +++ b/hosts/kay/modules/sshfwd.nix 
@@ -0,0 +1,28 @@
+{ ... }: let
+ group = "sshfwd";
+in {
+ networking.firewall.allowedTCPPorts = [ 2222 ];
+
+ users = {
+ groups.${group}.members = [];
+
+ users."lia" = {
+ inherit group;
+ isSystemUser = true;
+
+ openssh.authorizedKeys.keys
+ = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" ];
+ };
+ };
+
+ services.openssh.extraConfig = ''
+ Match Group ${group}
+ ForceCommand echo 'this account is only usable for forwarding'
+ PermitTunnel no
+ AllowAgentForwarding no
+ X11Forwarding no
+
+ AllowTcpForwarding yes
+ GatewayPorts yes
+ '';
+}
diff --git a/hosts/lia/configuration.nix b/hosts/lia/configuration.nix
index 37ae805..4cc057e 100644
--- a/hosts/lia/configuration.nix
+++ b/hosts/lia/configuration.nix
@@ -7,6 +7,7 @@
 ./modules/network
 ./modules/users.nix
 ./modules/lxc.nix
+ ./modules/sshfwd.nix
 ];
 }
diff --git a/hosts/lia/modules/sshfwd.nix b/hosts/lia/modules/sshfwd.nix
new file mode 100644
index 0000000..f86238b
--- /dev/null
+++ b/hosts/lia/modules/sshfwd.nix
@@ -0,0 +1,22 @@
+{ pkgs, config, ... }: {
+ sops.secrets."sshfwd/kay" = {};
+
+ environment.systemPackages = with pkgs; [ openssh ];
+ systemd.services."sshfwd" = {
+ description = "Forwarding port 22 to the Internet";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ # restart rather than stop+start this unit to prevent the
+ # network from dying during switch-to-configuration.
+ stopIfChanged = false;
+
+ path = [ pkgs.openssh ];
+ script = ''
+ echo -n "Forwarding port 22"
+ exec ssh -N lia@sinanmohd.com \
+ -R 0.0.0.0:2222:127.0.0.1:22 \
+ -i ${config.sops.secrets."sshfwd/kay".path}
+ '';
+ };
+}
diff --git a/hosts/lia/secrets.yaml b/hosts/lia/secrets.yaml
new file mode 100644
index 0000000..4438faf
--- /dev/null
+++ b/hosts/lia/secrets.yaml
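Review bot: The `Match Group ${group}` block in hosts/kay/modules/sshfwd.nix leaves `AllowTcpForwarding yes` unrestricted, so the forwarding-only "lia" account can also open local (-L) forwards through kay and bind any remote port, not just the 2222 listener the firewall rule exposes. Since the only intended use is the reverse tunnel, change that line to `AllowTcpForwarding remote` and add `PermitListen 2222` to the same Match block so sshd refuses any other listener; `PermitTTY no` next to the ForceCommand is a cheap extra restriction. `GatewayPorts yes` binds that listener on all interfaces, which matches the allowedTCPPorts entry, but a one-line comment above it stating that port 2222 is intentionally public would stop a later reader from "fixing" it.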
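Review bot: The sshfwd unit in hosts/lia/modules/sshfwd.nix has no restart policy and no keepalive, so once the ssh session drops (peer reboot, link flap, NAT timeout) the reverse tunnel stays down until someone restarts the unit by hand. Add `serviceConfig = { Restart = "always"; RestartSec = "10s"; };` next to `stopIfChanged`, and pass `-o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3` on the `exec ssh` line so a stalled session or a failed -R bind makes ssh exit and trigger the restart. The unit runs as root and pins no server host key, so whether the connection succeeds and who it trusts depends on whatever root's known_hosts already holds; pinning the endpoint with `programs.ssh.knownHosts."sinanmohd.com".publicKey = "<SERVER-HOST-KEY placeholder>";` plus `-o StrictHostKeyChecking=yes` makes the tunnel fail closed on a key mismatch instead of depending on state outside the configuration.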
@@ -0,0 +1,31 @@ +sshfwd: + kay: ENC[AES256_GCM,data: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,iv:Hy2AKc6IaEzR8rn5qjfBmkmplKhk30cdhgnMAfP0M20=,tag:b0GOdA8hrHwTl4ps4lFhhw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZzlrOEpXQmdLVyt1MFRS + Q2JUU0N1MVNzLzVLcWhMb25uL3VsLzJrdFRNCnI1OWZFTnpqc056M0RYd3gvS1Nr + N2VEU1kyU3JuYjhhaUtuajg2cjQ4LzQKLS0tIE5qZmlqVGN1WXhZWkw3dGwyNTdF + QTd0V2V3QVVHbnhRUUt6MkRzYm5zeEEKFkqGe6Eg1BEPLqMkxUg56hc+sn0p4KZV + kThyib3g0KsrHpQM05v4CK0h6qlf8HXwvwJVx9tis8Nck1IW3zS8Pw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6QzhPYXcxQ0lRS2VwaXQ4 + V3JUVDJyenowSzhFenBKYlBEbGNXTFIxUjFNCjhmWm5aQ1lTcTJidzFiT2J4R2Ux + b2ZjTWQ5WWtOY1BpZHVJYzN4clNlU0kKLS0tIHpBWU5zQWNVTWZ0TTdSNFZodkVq + RG9hL2hlYjdaYTVJWVFlSE4xN1poUHcKe4BPaVEyc3W1hyu0jOQcEdZ1kl2aQLgZ + fHDs4kDeCcfJI/s5Cb/YD3cIp7HB6FBoe7LHiNiJbyJGR0wJecLqxg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-11T15:31:57Z" + mac: ENC[AES256_GCM,data:Z4ZJhpBrvd2R5xrnJ/C2C/SOsUepqSy2hrVzPnFi+nfIidHi5gV7oCh1ASR/uFrOZGilcUCuqOpi1tGDJiw+oYQTOhA8Gq92t6s3cVq63GRGwD0XhqWm8/1kULq6b4jyK9lN94sTDHHQVAYzzglOiaTgbBs6xLS/VpUSiJRK2QE=,iv:8OlSGg3YqoN1SKZGaXvD9u4dq0OYEBAKMLEUmByXD3I=,tag:3FJOS3mZLCc3D48m8yXBSg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 |