From 7bb35b9e407422312c171802c7f5e583f353ba28 Mon Sep 17 00:00:00 2001
From: sinanmohd <sinan@sinanmohd.com>
Date: Sun, 11 Feb 2024 20:17:49 +0530
Subject: hosts/kay,lia/sshfwd: init

---
 hosts/kay/modules/dns/sinanmohd.com.zone |  2 +-
 hosts/kay/modules/sshfwd.nix             | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 hosts/kay/modules/sshfwd.nix


diff --git a/hosts/kay/modules/dns/sinanmohd.com.zone b/hosts/kay/modules/dns/sinanmohd.com.zone
index 2ea2925..05f7cef 100644
--- a/hosts/kay/modules/dns/sinanmohd.com.zone
+++ b/hosts/kay/modules/dns/sinanmohd.com.zone
@@ -2,7 +2,7 @@ $ORIGIN sinanmohd.com.
 $TTL 2d
 
 @	IN	SOA	ns1	sinan (
-			2024020800 ; serial
+			2024020840 ; serial
 			2h         ; refresh
 			5m         ; retry
 			1d         ; expire
diff --git a/hosts/kay/modules/sshfwd.nix b/hosts/kay/modules/sshfwd.nix
new file mode 100644
index 0000000..0f0d3c3
--- /dev/null
+++ b/hosts/kay/modules/sshfwd.nix
@@ -0,0 +1,28 @@
+{ ... }: let
+  group = "sshfwd";
+in {
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+
+  users = {
+    groups.${group}.members = [];
+
+    users."lia" = {
+      inherit group;
+      isSystemUser = true;
+
+      openssh.authorizedKeys.keys
+        = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" ];
+    };
+  };
+
+  services.openssh.extraConfig  = ''
+    Match Group ${group}
+    ForceCommand echo 'this account is only usable for forwarding'
+    PermitTunnel no
+    AllowAgentForwarding no
+    X11Forwarding no
+
+    AllowTcpForwarding yes
+    GatewayPorts yes
+  '';
+}
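Review bot: The Match block grants the lia key unrestricted TCP forwarding in both directions: `AllowTcpForwarding yes` with no `PermitOpen`/`PermitListen` lets that key open local forwards to any host and port reachable from kay and bind any remote port, and `GatewayPorts yes` then exposes those binds on all interfaces rather than loopback only. The firewall rule for 2222 suggests the intent is a single reverse tunnel, so the scope should be narrowed to that: `AllowTcpForwarding remote`, `PermitOpen none` and `PermitListen 2222` (adjust the port if it is not the one being forwarded). Since a Match block extends to the next Match or end of file, anything NixOS appends to sshd_config after extraConfig may also land under this group — worth confirming by inspecting the generated file. The ForceCommand message is only delivered if the account's login shell can run it; with the NixOS default shell for system users that may not be the case, which is harmless for `-N` tunnel clients but worth a comment noting the message is best-effort.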
-- 