Compare commits
3 Commits
9fe5e89928
...
21778be01c
Author | SHA1 | Date | |
---|---|---|---|
|
21778be01c | ||
|
122a6adedb | ||
|
80a23ec536 |
@ -4,6 +4,7 @@
|
|||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./nvidia.nix
|
./nvidia.nix
|
||||||
|
../../modules/ssh-phone-home.nix
|
||||||
../../modules/bootstrap.nix
|
../../modules/bootstrap.nix
|
||||||
../../modules/common.nix
|
../../modules/common.nix
|
||||||
../../modules/x11.nix
|
../../modules/x11.nix
|
||||||
@ -29,6 +30,16 @@
|
|||||||
minetest
|
minetest
|
||||||
];
|
];
|
||||||
|
|
||||||
|
services.openssh.enable = true;
|
||||||
|
services.ssh-phone-home = {
|
||||||
|
enable = true;
|
||||||
|
localUser = "usr";
|
||||||
|
remoteHostname = "192.168.1.100";
|
||||||
|
remotePort = 22;
|
||||||
|
remoteUser = "usr";
|
||||||
|
bindPort = 2222;
|
||||||
|
};
|
||||||
|
|
||||||
boot.loader = {
|
boot.loader = {
|
||||||
efi = {
|
efi = {
|
||||||
canTouchEfiVariables = true;
|
canTouchEfiVariables = true;
|
||||||
|
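Review bot: Enabling `services.ssh-phone-home` here forwards this host's sshd (`services.openssh.enable = true;` on the same hunk) to port 2222 on 192.168.1.100, but the hunk leaves that sshd at its defaults while the tunnel's `localUser = "usr"` key is, by design, an unattended password-less key. Disable interactive logins on the side that is now reachable through the tunnel, `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` (older NixOS releases spell these without the `settings` submodule), and keep the key `usr` presents to `remoteUser` a dedicated one, limited on the remote side with a `restrict,port-forwarding` prefix in `authorized_keys` so it can open the reverse tunnel and nothing else. The enclosing attribute set of this hunk starts and ends outside it.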
@ -18,6 +18,11 @@
|
|||||||
thunderbird
|
thunderbird
|
||||||
hue-cli
|
hue-cli
|
||||||
bluetuith
|
bluetuith
|
||||||
|
brave
|
||||||
|
vdirsyncer
|
||||||
|
isync
|
||||||
|
khal
|
||||||
|
todoman
|
||||||
];
|
];
|
||||||
|
|
||||||
hardware.bluetooth = {
|
hardware.bluetooth = {
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
, libxcb
|
, libxcb
|
||||||
# shell scripts stuff
|
# shell scripts stuff
|
||||||
, makeWrapper
|
, makeWrapper
|
||||||
|
, sshuttle
|
||||||
, sxhkd
|
, sxhkd
|
||||||
, bash
|
, bash
|
||||||
, feh
|
, feh
|
||||||
@ -24,7 +25,7 @@ stdenv.mkDerivation rec {
|
|||||||
src = ./utils;
|
src = ./utils;
|
||||||
|
|
||||||
nativeBuildInputs = [ makeWrapper pkg-config libxcb ];
|
nativeBuildInputs = [ makeWrapper pkg-config libxcb ];
|
||||||
buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg ];
|
buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg sshuttle ];
|
||||||
|
|
||||||
buildPhase = ''
|
buildPhase = ''
|
||||||
ls
|
ls
|
||||||
@ -37,7 +38,7 @@ stdenv.mkDerivation rec {
|
|||||||
for i in $(ls $src/sh); do
|
for i in $(ls $src/sh); do
|
||||||
cp $src/sh/$i $out/bin
|
cp $src/sh/$i $out/bin
|
||||||
ln -sf $out/bin/tmenu_run $out/bin/regenerate
|
ln -sf $out/bin/tmenu_run $out/bin/regenerate
|
||||||
wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg ]}
|
wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg sshuttle ]}
|
||||||
done
|
done
|
||||||
|
|
||||||
cp c/status/main $out/bin/statusbar
|
cp c/status/main $out/bin/statusbar
|
||||||
|
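Review bot: The wrapper PATH in `wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ ... sshuttle ]}` gains `sshuttle`, but the new `builds/utils/sh/vpn` script also calls `dig`, which appears neither in `buildInputs` (hunk `-24,7 +25,7`) nor in the `makeBinPath` list, so at run time it resolves from whatever PATH the caller happens to have, or not at all on a minimal system. Add the nixpkgs package that provides `dig` (`dnsutils`) to the derivation's arguments, to `buildInputs`, and to the wrapper list, e.g. `wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg sshuttle dnsutils ]}`. The `for i in $(ls $src/sh)` loop and the surrounding `buildPhase`/install script begin outside this hunk.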
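--- a/builds/utils/sh/vpn
+++ b/builds/utils/sh/vpn
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# a poor man's vpn
+ip=$(dig +short beepboop.systems)
+sshuttle --dns -r ryan@$ip:443 0/0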
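Review bot: `sshuttle --dns -r ryan@$ip:443 0/0` uses `$ip` unquoted and unchecked: `dig +short` prints nothing when resolution fails (so the target degrades to `ryan@:443`) and several lines when `beepboop.systems` is a CNAME or has more than one A record, and in both cases the script carries on to sshuttle with a malformed target. Unless pinning the address before the tunnel comes up is deliberate, the simplest fix is to let ssh resolve the name, `sshuttle --dns -r ryan@beepboop.systems:443 0/0`; otherwise keep the lookup but take a single answer, fail closed when it is empty, and quote the expansion, as below. `set -eu` at the top additionally stops the script from running past an unset variable or a failed command.
```shell
#!/bin/sh
set -eu

# a poor man's vpn
ip=$(dig +short beepboop.systems A | tail -n 1)
[ -n "$ip" ] || { echo "vpn: could not resolve beepboop.systems" >&2; exit 1; }
sshuttle --dns -r "ryan@$ip:443" 0/0
```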
6
flake.lock
generated
6
flake.lock
generated
@ -209,12 +209,12 @@
|
|||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1,
|
"lastModified": 1,
|
||||||
"narHash": "sha256-uu/yGM8VTaGEAqSPHm4gJusVaPFH0wcf8BFMXgFlUPE=",
|
"narHash": "sha256-3icKqIEjS068WDJ+05sEvFDL6DsPB0GpKTc8Bm4F9Po=",
|
||||||
"path": "/nix/store/hgkpghh249402niaihbsp9h3zdhiaivy-source/builds",
|
"path": "/nix/store/9797g0387xqz764w22ascnvn3bvm90kd-source/builds",
|
||||||
"type": "path"
|
"type": "path"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"path": "/nix/store/hgkpghh249402niaihbsp9h3zdhiaivy-source/builds",
|
"path": "/nix/store/9797g0387xqz764w22ascnvn3bvm90kd-source/builds",
|
||||||
"type": "path"
|
"type": "path"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
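--- a/modules/ssh-phone-home.nix
+++ b/modules/ssh-phone-home.nix
@@ -0,0 +1,105 @@
+{ config, lib, pkgs, ... }:
+
+# with thanks to
+# https://www.auntieneo.net/2014/12/14/reverse-ssh-tunnel-on-nixos-with-systemd/
+
+with lib;
+
+let
+  inherit (pkgs) openssh;
+  cfg = config.services.ssh-phone-home;
+in
+
+{
+
+  ###### interface
+
+  options = {
+    services.ssh-phone-home = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable a "phone home" reverse SSH proxy.
+        '';
+      };
+
+      persist = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          When this is set to true, the service will persistently attempt to
+          reconnect at intervals whenever the port forwarding operation fails.
+          This is the recommended behavior for reliable operation. If one finds
+          oneself in an environment where this kind of behavior might draw the
+          suspicion of a network administrator, it might be a good idea to
+          set this option to false (or not use <literal>ssh-phone-home</literal>
+          at all).
+        '';
+      };
+
+      localUser = mkOption {
+        description = ''
+          Local user to connect as (i.e. the user with password-less SSH keys).
+        '';
+      };
+
+      remoteHostname = mkOption {
+        description = ''
+          The remote host to connect to. This should be the host outside of the
+          firewall or NAT.
+        '';
+      };
+
+      remotePort = mkOption {
+        default = 22;
+        description = ''
+          The port on which to connect to the remote host via SSH protocol.
+        '';
+      };
+
+      remoteUser = mkOption {
+        description = ''
+          The username to connect to the remote host as.
+        '';
+      };
+
+      bindPort = mkOption {
+        default = 2222;
+        description = ''
+          The port to bind and listen to on the remote host.
+        '';
+      };
+    };
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+    systemd.services.ssh-phone-home =
+      {
+        description = ''
+          Reverse SSH tunnel as a service
+        '';
+
+        # FIXME: This isn't triggered until a reboot, and probably won't work between suspends.
+        wantedBy = [ "multi-user.target" ];
+
+        serviceConfig = with cfg; {
+          User = cfg.localUser;
+        } // (if cfg.persist then
+          {
+            # Restart every 10 seconds on failure
+            RestartSec = 10;
+            Restart = "on-failure";
+          }
+        else {}
+        );
+
+        script = with cfg; ''
+          ${openssh}/bin/ssh -NTC -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -R ${toString bindPort}:localhost:22 -l ${remoteUser} -p ${toString remotePort} ${remoteHostname}
+        '';
+      };
+  };
+}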
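Review bot: The `ssh` invocation in `script` sets no host-key policy, so as a non-interactive systemd unit running as `localUser` it fails on first contact with `remoteHostname` (ssh cannot prompt for an unknown key) and would accept any key at all if someone later "fixed" that with `StrictHostKeyChecking=no`; pass `-o StrictHostKeyChecking=yes` and seed the remote host's key through `programs.ssh.knownHosts` (or a `UserKnownHostsFile` the service owns). The same line splices `remoteUser` and `remoteHostname` into the shell unquoted, and those options, like `localUser`, are declared without a `type`, so a value containing spaces or shell metacharacters is neither rejected at evaluation time nor quoted at run time — give them `type = types.str;` (`types.port` for `remotePort` and `bindPort`) and wrap them with `escapeShellArg`. `-R ${toString bindPort}:localhost:22` leaves the bind address to the remote sshd's `GatewayPorts` setting; binding `localhost:${toString bindPort}` explicitly keeps the forwarded local sshd loopback-only on the remote unless wider exposure is intended. The FIXME about not starting until reboot is largely the unit missing `after = [ "network-online.target" ]; wants = [ "network-online.target" ];`, and `with cfg;` on `serviceConfig` is unused since the body still writes `cfg.localUser`.
```nix
# … unchanged: option declarations; add `type = types.str;` to localUser, remoteHostname, remoteUser and `type = types.port;` to remotePort, bindPort …
systemd.services.ssh-phone-home =
  {
    # … unchanged: description, wantedBy, serviceConfig …
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];

    script = with cfg; ''
      ${openssh}/bin/ssh -NTC \
        -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes \
        -o StrictHostKeyChecking=yes \
        -R localhost:${toString bindPort}:localhost:22 \
        -l ${escapeShellArg remoteUser} -p ${toString remotePort} ${escapeShellArg remoteHostname}
    '';
  };
```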