Compare commits
3 Commits
9fe5e89928
...
21778be01c
Author | SHA1 | Date | |
---|---|---|---|
|
21778be01c | ||
|
122a6adedb | ||
|
80a23ec536 |
@ -4,6 +4,7 @@
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./nvidia.nix
|
||||
../../modules/ssh-phone-home.nix
|
||||
../../modules/bootstrap.nix
|
||||
../../modules/common.nix
|
||||
../../modules/x11.nix
|
||||
@ -29,6 +30,16 @@
|
||||
minetest
|
||||
];
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.ssh-phone-home = {
|
||||
enable = true;
|
||||
localUser = "usr";
|
||||
remoteHostname = "192.168.1.100";
|
||||
remotePort = 22;
|
||||
remoteUser = "usr";
|
||||
bindPort = 2222;
|
||||
};
|
||||
|
||||
boot.loader = {
|
||||
efi = {
|
||||
canTouchEfiVariables = true;
|
||||
|
@ -18,6 +18,11 @@
|
||||
thunderbird
|
||||
hue-cli
|
||||
bluetuith
|
||||
brave
|
||||
vdirsyncer
|
||||
isync
|
||||
khal
|
||||
todoman
|
||||
];
|
||||
|
||||
hardware.bluetooth = {
|
||||
|
@ -5,6 +5,7 @@
|
||||
, libxcb
|
||||
# shell scripts stuff
|
||||
, makeWrapper
|
||||
, sshuttle
|
||||
, sxhkd
|
||||
, bash
|
||||
, feh
|
||||
@ -24,7 +25,7 @@ stdenv.mkDerivation rec {
|
||||
src = ./utils;
|
||||
|
||||
nativeBuildInputs = [ makeWrapper pkg-config libxcb ];
|
||||
buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg ];
|
||||
buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg sshuttle ];
|
||||
|
||||
buildPhase = ''
|
||||
ls
|
||||
@ -37,7 +38,7 @@ stdenv.mkDerivation rec {
|
||||
for i in $(ls $src/sh); do
|
||||
cp $src/sh/$i $out/bin
|
||||
ln -sf $out/bin/tmenu_run $out/bin/regenerate
|
||||
wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg ]}
|
||||
wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg sshuttle ]}
|
||||
done
|
||||
|
||||
cp c/status/main $out/bin/statusbar
|
||||
|
5
builds/utils/sh/vpn
Executable file
5
builds/utils/sh/vpn
Executable file
@ -0,0 +1,5 @@
|
||||
#!/bin/sh
|
||||
|
||||
# a poor man's vpn
|
||||
ip=$(dig +short beepboop.systems)
|
||||
sshuttle --dns -r ryan@$ip:443 0/0
|
6
flake.lock
generated
6
flake.lock
generated
@ -209,12 +209,12 @@
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1,
|
||||
"narHash": "sha256-uu/yGM8VTaGEAqSPHm4gJusVaPFH0wcf8BFMXgFlUPE=",
|
||||
"path": "/nix/store/hgkpghh249402niaihbsp9h3zdhiaivy-source/builds",
|
||||
"narHash": "sha256-3icKqIEjS068WDJ+05sEvFDL6DsPB0GpKTc8Bm4F9Po=",
|
||||
"path": "/nix/store/9797g0387xqz764w22ascnvn3bvm90kd-source/builds",
|
||||
"type": "path"
|
||||
},
|
||||
"original": {
|
||||
"path": "/nix/store/hgkpghh249402niaihbsp9h3zdhiaivy-source/builds",
|
||||
"path": "/nix/store/9797g0387xqz764w22ascnvn3bvm90kd-source/builds",
|
||||
"type": "path"
|
||||
}
|
||||
},
|
||||
|
105
modules/ssh-phone-home.nix
Normal file
105
modules/ssh-phone-home.nix
Normal file
@ -0,0 +1,105 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
# with thanks to
|
||||
# https://www.auntieneo.net/2014/12/14/reverse-ssh-tunnel-on-nixos-with-systemd/
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
inherit (pkgs) openssh;
|
||||
cfg = config.services.ssh-phone-home;
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
services.ssh-phone-home = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable a "phone home" reverse SSH proxy.
|
||||
'';
|
||||
};
|
||||
|
||||
persist = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
When this is set to true, the service will persistently attempt to
|
||||
reconnect at intervals whenever the port forwarding operation fails.
|
||||
This is the recommended behavior for reliable operation. If one finds
|
||||
oneself in an environment where this kind of behavior might draw the
|
||||
suspicion of a network administrator, it might be a good idea to
|
||||
set this option to false (or not use <literal>ssh-phone-home</literal>
|
||||
at all).
|
||||
'';
|
||||
};
|
||||
|
||||
localUser = mkOption {
|
||||
description = ''
|
||||
Local user to connect as (i.e. the user with password-less SSH keys).
|
||||
'';
|
||||
};
|
||||
|
||||
remoteHostname = mkOption {
|
||||
description = ''
|
||||
The remote host to connect to. This should be the host outside of the
|
||||
firewall or NAT.
|
||||
'';
|
||||
};
|
||||
|
||||
remotePort = mkOption {
|
||||
default = 22;
|
||||
description = ''
|
||||
The port on which to connect to the remote host via SSH protocol.
|
||||
'';
|
||||
};
|
||||
|
||||
remoteUser = mkOption {
|
||||
description = ''
|
||||
The username to connect to the remote host as.
|
||||
'';
|
||||
};
|
||||
|
||||
bindPort = mkOption {
|
||||
default = 2222;
|
||||
description = ''
|
||||
The port to bind and listen to on the remote host.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.ssh-phone-home =
|
||||
{
|
||||
description = ''
|
||||
Reverse SSH tunnel as a service
|
||||
'';
|
||||
|
||||
# FIXME: This isn't triggered until a reboot, and probably won't work between suspends.
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = with cfg; {
|
||||
User = cfg.localUser;
|
||||
} // (if cfg.persist then
|
||||
{
|
||||
# Restart every 10 seconds on failure
|
||||
RestartSec = 10;
|
||||
Restart = "on-failure";
|
||||
}
|
||||
else {}
|
||||
);
|
||||
|
||||
script = with cfg; ''
|
||||
${openssh}/bin/ssh -NTC -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -R ${toString bindPort}:localhost:22 -l ${remoteUser} -p ${toString remotePort} ${remoteHostname}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
Loading…
Reference in New Issue
Block a user