From d87edb6024132db442600c76b6db1f49a01ed0e2 Mon Sep 17 00:00:00 2001
From: sinanmohd
Date: Sun, 11 Feb 2024 21:22:53 +0530
Subject: hosts/lia/sshfwd/mkFwdSrv: init
---
hosts/lia/modules/sshfwd.nix | 47 +++++++++++++++++++++++++++++------------------
hosts/lia/secrets.yaml | 6 +++---
2 files changed, 32 insertions(+), 21 deletions(-)
diff --git a/hosts/lia/modules/sshfwd.nix b/hosts/lia/modules/sshfwd.nix
index f86238b..dac2d71 100644
--- a/hosts/lia/modules/sshfwd.nix
+++ b/hosts/lia/modules/sshfwd.nix
@@ -1,22 +1,33 @@
-{ pkgs, config, ... }: {
- sops.secrets."sshfwd/kay" = {};
+{ pkgs, config, ... }: let
+ mkFwdSrv = {
+ local_port,
+ remote_port,
+ remote ? "sinanmohd.com",
+ key ? config.sops.secrets."sshfwd/${remote}".path,
+ }: {
+ "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = {
+ description = "Forwarding port ${toString local_port} to ${remote}";
 
- environment.systemPackages = with pkgs; [ openssh ];
- systemd.services."sshfwd" = {
- description = "Forwarding port 22 to the Internet";
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- # restart rather than stop+start this unit to prevent the
- # network from dying during switch-to-configuration.
- stopIfChanged = false;
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ # restart rather than stop+start this unit to prevent
+ # the ssh from dying during switch-to-configuration.
+ stopIfChanged = false;
 
- path = [ pkgs.openssh ];
- script = ''
- echo -n "Forwarding port 22"
- exec ssh -N lia@sinanmohd.com \
- -R 0.0.0.0:2222:127.0.0.1:22 \
- -i ${config.sops.secrets."sshfwd/kay".path}
- '';
+ path = [ pkgs.openssh ];
+ script = ''
+ echo -n "Forwarding port ${toString local_port}"
+ exec ssh -N lia@${remote} \
+ -R 0.0.0.0:${toString remote_port}:127.0.0.1:${toString local_port} \
+ -i ${key}
+ '';
+ };
 };
+in {
+ sops.secrets."sshfwd/sinanmohd.com" = {};
+
+ environment.systemPackages = with pkgs; [ openssh ];
+ systemd.services
+ = mkFwdSrv { local_port = 22; remote_port = 2222; };
 }
diff --git a/hosts/lia/secrets.yaml b/hosts/lia/secrets.yaml
index 4438faf..facb577 100644
--- a/hosts/lia/secrets.yaml
+++ b/hosts/lia/secrets.yaml
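Review bot: The listen address `0.0.0.0` is hard-coded in the `-R` argument inside `mkFwdSrv`, so every forward created through the helper is published on all interfaces of the remote (as far as the remote sshd's GatewayPorts setting allows), while the new description no longer says the port is Internet-facing. Consider making it an explicit parameter, e.g. `bind ? "0.0.0.0",` in the argument set and `-R ${bind}:${toString remote_port}:127.0.0.1:${toString local_port} \` in the script, so a caller forwarding something other than sshd can choose `127.0.0.1`. Separately, `ssh -N` keeps running when the remote bind fails unless `-o ExitOnForwardFailure=yes` is passed, and no restart policy is visible in the hunk, so a failed or dropped forward may go unnoticed. The default `key` also assumes a `sshfwd/${remote}` sops secret exists, but only `sshfwd/sinanmohd.com` is declared here, so a call with another `remote` would presumably need its own secret declaration.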
@@ -1,5 +1,5 @@
 sshfwd:
- kay: ENC[AES256_GCM,data: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,iv:Hy2AKc6IaEzR8rn5qjfBmkmplKhk30cdhgnMAfP0M20=,tag:b0GOdA8hrHwTl4ps4lFhhw==,type:str]
+ sinanmohd.com: ENC[AES256_GCM,data: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,iv:VoDyy+h3UHL0YJPJ7rbgLTZZzIPCJTD8yBPXNxWjHqo=,tag:zGQXrE066SDMCwgZpC9/Pg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -24,8 +24,8 @@ sops:
 RG9hL2hlYjdaYTVJWVFlSE4xN1poUHcKe4BPaVEyc3W1hyu0jOQcEdZ1kl2aQLgZ
 fHDs4kDeCcfJI/s5Cb/YD3cIp7HB6FBoe7LHiNiJbyJGR0wJecLqxg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-11T15:31:57Z"
- mac: ENC[AES256_GCM,data:Z4ZJhpBrvd2R5xrnJ/C2C/SOsUepqSy2hrVzPnFi+nfIidHi5gV7oCh1ASR/uFrOZGilcUCuqOpi1tGDJiw+oYQTOhA8Gq92t6s3cVq63GRGwD0XhqWm8/1kULq6b4jyK9lN94sTDHHQVAYzzglOiaTgbBs6xLS/VpUSiJRK2QE=,iv:8OlSGg3YqoN1SKZGaXvD9u4dq0OYEBAKMLEUmByXD3I=,tag:3FJOS3mZLCc3D48m8yXBSg==,type:str]
+ lastmodified: "2024-02-11T15:56:54Z"
+ mac: ENC[AES256_GCM,data:H7GBDYCB/T7tM8hGOL0RMbS5NH2eNC4SJvoZUNS9WWx7gu60bn1qIkDda9aInZxZsN1ocNQDefG548pC598EsNTIeoqGWkXVdScFSXx4R+5mSmMHV5KgoPP8z+vUQ81gXsgh51hSCVUfhKshL6TccfFB4/u4kjGp2UcAAVAAEtQ=,iv:MBoCdOapNr36PeNt5GND40tcSHC1aa66JG36dPCDN+A=,tag:GDBXs2wlSAj3Bf+/XkO/2A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
-- 
cgit v1.2.3