changes

boxes/mlg/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ./hardware-configuration.nix
     ./nvidia.nix
+    ../../modules/ssh-phone-home.nix
     ../../modules/bootstrap.nix
     ../../modules/common.nix
     ../../modules/x11.nix
@@ -29,6 +30,16 @@
     minetest
   ];
 
+  services.openssh.enable = true;
+  services.ssh-phone-home = {
+    enable = true;
+    localUser = "usr";
+    remoteHostname = "192.168.1.100";
+    remotePort = 22;
+    remoteUser = "usr";
+    bindPort = 2222;
+  };
+
   boot.loader = {
     efi = {
       canTouchEfiVariables = true;

boxes/x230t/default.nix

@@ -18,6 +18,11 @@
     thunderbird
     hue-cli
     bluetuith
+    brave
+    vdirsyncer
+    isync
+    khal
+    todoman
   ];
 
   hardware.bluetooth = {

builds/utils.nix

@@ -5,6 +5,7 @@
 , libxcb
 # shell scripts stuff
 , makeWrapper
+, sshuttle
 , sxhkd
 , bash
 , feh
@@ -24,7 +25,7 @@ stdenv.mkDerivation rec {
   src = ./utils;
 
   nativeBuildInputs = [ makeWrapper pkg-config libxcb ];
-  buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg ];
+  buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg sshuttle ];
 
   buildPhase = ''
     ls
@@ -37,7 +38,7 @@ stdenv.mkDerivation rec {
     for i in $(ls $src/sh); do
       cp $src/sh/$i $out/bin
       ln -sf $out/bin/tmenu_run $out/bin/regenerate
-      wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg ]}
+      wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg sshuttle ]}
     done
 
     cp c/status/main $out/bin/statusbar

builds/utils/sh/vpn

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# a poor man's vpn
+ip=$(dig +short beepboop.systems)
+sshuttle --dns -r ryan@$ip:443 0/0

flake.lock

@@ -209,12 +209,12 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-uu/yGM8VTaGEAqSPHm4gJusVaPFH0wcf8BFMXgFlUPE=",
+        "narHash": "sha256-3icKqIEjS068WDJ+05sEvFDL6DsPB0GpKTc8Bm4F9Po=",
-        "path": "/nix/store/hgkpghh249402niaihbsp9h3zdhiaivy-source/builds",
+        "path": "/nix/store/9797g0387xqz764w22ascnvn3bvm90kd-source/builds",
         "type": "path"
       },
       "original": {
-        "path": "/nix/store/hgkpghh249402niaihbsp9h3zdhiaivy-source/builds",
+        "path": "/nix/store/9797g0387xqz764w22ascnvn3bvm90kd-source/builds",
         "type": "path"
       }
     },

modules/ssh-phone-home.nix

@@ -0,0 +1,105 @@
+{ config, lib, pkgs, ... }:
+
+# with thanks to
+# https://www.auntieneo.net/2014/12/14/reverse-ssh-tunnel-on-nixos-with-systemd/
+
+with lib;
+
+let
+  inherit (pkgs) openssh;
+  cfg = config.services.ssh-phone-home;
+in
+
+{
+
+  ###### interface
+
+  options = {
+    services.ssh-phone-home = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable a "phone home" reverse SSH proxy.
+        '';
+      };
+
+      persist = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          When this is set to true, the service will persistently attempt to
+          reconnect at intervals whenever the port forwarding operation fails.
+          This is the recommended behavior for reliable operation. If one finds
+          oneself in an environment where this kind of behavior might draw the
+          suspicion of a network administrator, it might be a good idea to
+          set this option to false (or not use <literal>ssh-phone-home</literal>
+          at all).
+        '';
+      };
+
+      localUser = mkOption {
+        description = ''
+          Local user to connect as (i.e. the user with password-less SSH keys).
+        '';
+      };
+
+      remoteHostname = mkOption {
+        description = ''
+          The remote host to connect to. This should be the host outside of the
+          firewall or NAT.
+        '';
+      };
+
+      remotePort = mkOption {
+        default = 22;
+        description = ''
+          The port on which to connect to the remote host via SSH protocol.
+        '';
+      };
+
+      remoteUser = mkOption {
+        description = ''
+          The username to connect to the remote host as.
+        '';
+      };
+
+      bindPort = mkOption {
+        default = 2222;
+        description = ''
+          The port to bind and listen to on the remote host.
+        '';
+      };
+    };
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+    systemd.services.ssh-phone-home =
+    {
+      description = ''
+        Reverse SSH tunnel as a service
+      '';
+
+      # FIXME: This isn't triggered until a reboot, and probably won't work between suspends.
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = with cfg; {
+        User = cfg.localUser;
+      } // (if cfg.persist then
+        {
+          # Restart every 10 seconds on failure
+          RestartSec = 10;
+          Restart = "on-failure";
+        }
+        else {}
+      );
+
+      script = with cfg;  ''
+        ${openssh}/bin/ssh -NTC -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -R ${toString bindPort}:localhost:22 -l ${remoteUser} -p ${toString remotePort} ${remoteHostname}
+      '';
+    };
+  };
+}