Compare commits
No commits in common. "21778be01c639f769b36d6d44c0ad059e71fb883" and "9fe5e8992887ef08979848a305e74a2dbb72ef4d" have entirely different histories.
21778be01c
...
9fe5e89928
@ -4,7 +4,6 @@
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./nvidia.nix
|
||||
../../modules/ssh-phone-home.nix
|
||||
../../modules/bootstrap.nix
|
||||
../../modules/common.nix
|
||||
../../modules/x11.nix
|
||||
@ -30,16 +29,6 @@
|
||||
minetest
|
||||
];
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.ssh-phone-home = {
|
||||
enable = true;
|
||||
localUser = "usr";
|
||||
remoteHostname = "192.168.1.100";
|
||||
remotePort = 22;
|
||||
remoteUser = "usr";
|
||||
bindPort = 2222;
|
||||
};
|
||||
|
||||
boot.loader = {
|
||||
efi = {
|
||||
canTouchEfiVariables = true;
|
||||
|
@ -18,11 +18,6 @@
|
||||
thunderbird
|
||||
hue-cli
|
||||
bluetuith
|
||||
brave
|
||||
vdirsyncer
|
||||
isync
|
||||
khal
|
||||
todoman
|
||||
];
|
||||
|
||||
hardware.bluetooth = {
|
||||
|
@ -5,7 +5,6 @@
|
||||
, libxcb
|
||||
# shell scripts stuff
|
||||
, makeWrapper
|
||||
, sshuttle
|
||||
, sxhkd
|
||||
, bash
|
||||
, feh
|
||||
@ -25,7 +24,7 @@ stdenv.mkDerivation rec {
|
||||
src = ./utils;
|
||||
|
||||
nativeBuildInputs = [ makeWrapper pkg-config libxcb ];
|
||||
buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg sshuttle ];
|
||||
buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg ];
|
||||
|
||||
buildPhase = ''
|
||||
ls
|
||||
@ -38,7 +37,7 @@ stdenv.mkDerivation rec {
|
||||
for i in $(ls $src/sh); do
|
||||
cp $src/sh/$i $out/bin
|
||||
ln -sf $out/bin/tmenu_run $out/bin/regenerate
|
||||
wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg sshuttle ]}
|
||||
wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg ]}
|
||||
done
|
||||
|
||||
cp c/status/main $out/bin/statusbar
|
||||
|
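Review bot: The runtime tool list is maintained in two places — the new `buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg ];` line in the `@ -25,7` hunk and the `lib.makeBinPath [ … ]` argument on the new `wrapProgram` line in the `@ -38,7` hunk — and this change shows the cost, since sshuttle had to be removed from both, plus from the `, sshuttle` function argument in the `@ -5,7` hunk. Consider declaring it once on the `rec` set, e.g. `runtimeDeps = [ bash feh xrandr jq curl fzy ytfzf ffmpeg ];`, then `buildInputs = [ libxcb ] ++ runtimeDeps;` and `${lib.makeBinPath ([ sxhkd figlet ] ++ runtimeDeps)}`, so the two lists cannot drift apart. Because the wrapper PATH no longer provides sshuttle, any script remaining under `$src/sh` that still invokes it would fail at runtime with command-not-found; the deleted shell script in the following section appears to be its only consumer, but that is inferred from this page, so a search of the `sh` directory for `sshuttle` is worth doing before merging. The loop header `for i in $(ls $src/sh)` is a context line, and the `stdenv.mkDerivation` body begins and ends outside these hunks.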
@ -1,5 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# a poor man's vpn
|
||||
ip=$(dig +short beepboop.systems)
|
||||
sshuttle --dns -r ryan@$ip:443 0/0
|
6
flake.lock
generated
6
flake.lock
generated
@ -209,12 +209,12 @@
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1,
|
||||
"narHash": "sha256-3icKqIEjS068WDJ+05sEvFDL6DsPB0GpKTc8Bm4F9Po=",
|
||||
"path": "/nix/store/9797g0387xqz764w22ascnvn3bvm90kd-source/builds",
|
||||
"narHash": "sha256-uu/yGM8VTaGEAqSPHm4gJusVaPFH0wcf8BFMXgFlUPE=",
|
||||
"path": "/nix/store/hgkpghh249402niaihbsp9h3zdhiaivy-source/builds",
|
||||
"type": "path"
|
||||
},
|
||||
"original": {
|
||||
"path": "/nix/store/9797g0387xqz764w22ascnvn3bvm90kd-source/builds",
|
||||
"path": "/nix/store/hgkpghh249402niaihbsp9h3zdhiaivy-source/builds",
|
||||
"type": "path"
|
||||
}
|
||||
},
|
||||
|
@ -1,105 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
# with thanks to
|
||||
# https://www.auntieneo.net/2014/12/14/reverse-ssh-tunnel-on-nixos-with-systemd/
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
inherit (pkgs) openssh;
|
||||
cfg = config.services.ssh-phone-home;
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
services.ssh-phone-home = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable a "phone home" reverse SSH proxy.
|
||||
'';
|
||||
};
|
||||
|
||||
persist = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
When this is set to true, the service will persistently attempt to
|
||||
reconnect at intervals whenever the port forwarding operation fails.
|
||||
This is the recommended behavior for reliable operation. If one finds
|
||||
oneself in an environment where this kind of behavior might draw the
|
||||
suspicion of a network administrator, it might be a good idea to
|
||||
set this option to false (or not use <literal>ssh-phone-home</literal>
|
||||
at all).
|
||||
'';
|
||||
};
|
||||
|
||||
localUser = mkOption {
|
||||
description = ''
|
||||
Local user to connect as (i.e. the user with password-less SSH keys).
|
||||
'';
|
||||
};
|
||||
|
||||
remoteHostname = mkOption {
|
||||
description = ''
|
||||
The remote host to connect to. This should be the host outside of the
|
||||
firewall or NAT.
|
||||
'';
|
||||
};
|
||||
|
||||
remotePort = mkOption {
|
||||
default = 22;
|
||||
description = ''
|
||||
The port on which to connect to the remote host via SSH protocol.
|
||||
'';
|
||||
};
|
||||
|
||||
remoteUser = mkOption {
|
||||
description = ''
|
||||
The username to connect to the remote host as.
|
||||
'';
|
||||
};
|
||||
|
||||
bindPort = mkOption {
|
||||
default = 2222;
|
||||
description = ''
|
||||
The port to bind and listen to on the remote host.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.ssh-phone-home =
|
||||
{
|
||||
description = ''
|
||||
Reverse SSH tunnel as a service
|
||||
'';
|
||||
|
||||
# FIXME: This isn't triggered until a reboot, and probably won't work between suspends.
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = with cfg; {
|
||||
User = cfg.localUser;
|
||||
} // (if cfg.persist then
|
||||
{
|
||||
# Restart every 10 seconds on failure
|
||||
RestartSec = 10;
|
||||
Restart = "on-failure";
|
||||
}
|
||||
else {}
|
||||
);
|
||||
|
||||
script = with cfg; ''
|
||||
${openssh}/bin/ssh -NTC -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -R ${toString bindPort}:localhost:22 -l ${remoteUser} -p ${toString remotePort} ${remoteHostname}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|