Compare commits

..

3 Commits

Author SHA1 Message Date
randomuser
21778be01c changes 2024-01-24 23:09:50 -06:00
randomuser
122a6adedb changes 2024-01-24 23:09:02 -06:00
randomuser
80a23ec536 changes 2024-01-24 18:49:26 -06:00
6 changed files with 132 additions and 5 deletions

View File

@ -4,6 +4,7 @@
imports = [
./hardware-configuration.nix
./nvidia.nix
../../modules/ssh-phone-home.nix
../../modules/bootstrap.nix
../../modules/common.nix
../../modules/x11.nix
@ -29,6 +30,16 @@
minetest
];
services.openssh.enable = true;
services.ssh-phone-home = {
enable = true;
localUser = "usr";
remoteHostname = "192.168.1.100";
remotePort = 22;
remoteUser = "usr";
bindPort = 2222;
};
boot.loader = {
efi = {
canTouchEfiVariables = true;

View File

@ -18,6 +18,11 @@
thunderbird
hue-cli
bluetuith
brave
vdirsyncer
isync
khal
todoman
];
hardware.bluetooth = {

View File

@ -5,6 +5,7 @@
, libxcb
# shell scripts stuff
, makeWrapper
, sshuttle
, sxhkd
, bash
, feh
@ -24,7 +25,7 @@ stdenv.mkDerivation rec {
src = ./utils;
nativeBuildInputs = [ makeWrapper pkg-config libxcb ];
buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg ];
buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg sshuttle ];
buildPhase = ''
ls
@ -37,7 +38,7 @@ stdenv.mkDerivation rec {
for i in $(ls $src/sh); do
cp $src/sh/$i $out/bin
ln -sf $out/bin/tmenu_run $out/bin/regenerate
wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg ]}
wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg sshuttle ]}
done
cp c/status/main $out/bin/statusbar

5
builds/utils/sh/vpn Executable file
View File

@ -0,0 +1,5 @@
#!/bin/sh
# a poor man's vpn
ip=$(dig +short beepboop.systems)
sshuttle --dns -r ryan@$ip:443 0/0

6
flake.lock generated
View File

@ -209,12 +209,12 @@
},
"locked": {
"lastModified": 1,
"narHash": "sha256-uu/yGM8VTaGEAqSPHm4gJusVaPFH0wcf8BFMXgFlUPE=",
"path": "/nix/store/hgkpghh249402niaihbsp9h3zdhiaivy-source/builds",
"narHash": "sha256-3icKqIEjS068WDJ+05sEvFDL6DsPB0GpKTc8Bm4F9Po=",
"path": "/nix/store/9797g0387xqz764w22ascnvn3bvm90kd-source/builds",
"type": "path"
},
"original": {
"path": "/nix/store/hgkpghh249402niaihbsp9h3zdhiaivy-source/builds",
"path": "/nix/store/9797g0387xqz764w22ascnvn3bvm90kd-source/builds",
"type": "path"
}
},

105
modules/ssh-phone-home.nix Normal file
View File

@ -0,0 +1,105 @@
{ config, lib, pkgs, ... }:
# with thanks to
# https://www.auntieneo.net/2014/12/14/reverse-ssh-tunnel-on-nixos-with-systemd/
with lib;
let
inherit (pkgs) openssh;
cfg = config.services.ssh-phone-home;
in
{
###### interface
options = {
services.ssh-phone-home = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable a "phone home" reverse SSH proxy.
'';
};
persist = mkOption {
type = types.bool;
default = true;
description = ''
When this is set to true, the service will persistently attempt to
reconnect at intervals whenever the port forwarding operation fails.
This is the recommended behavior for reliable operation. If one finds
oneself in an environment where this kind of behavior might draw the
suspicion of a network administrator, it might be a good idea to
set this option to false (or not use <literal>ssh-phone-home</literal>
at all).
'';
};
localUser = mkOption {
description = ''
Local user to connect as (i.e. the user with password-less SSH keys).
'';
};
remoteHostname = mkOption {
description = ''
The remote host to connect to. This should be the host outside of the
firewall or NAT.
'';
};
remotePort = mkOption {
default = 22;
description = ''
The port on which to connect to the remote host via SSH protocol.
'';
};
remoteUser = mkOption {
description = ''
The username to connect to the remote host as.
'';
};
bindPort = mkOption {
default = 2222;
description = ''
The port to bind and listen to on the remote host.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
systemd.services.ssh-phone-home =
{
description = ''
Reverse SSH tunnel as a service
'';
# FIXME: This isn't triggered until a reboot, and probably won't work between suspends.
wantedBy = [ "multi-user.target" ];
serviceConfig = with cfg; {
User = cfg.localUser;
} // (if cfg.persist then
{
# Restart every 10 seconds on failure
RestartSec = 10;
Restart = "on-failure";
}
else {}
);
script = with cfg; ''
${openssh}/bin/ssh -NTC -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -R ${toString bindPort}:localhost:22 -l ${remoteUser} -p ${toString remotePort} ${remoteHostname}
'';
};
};
}