authorGregor Kleen <gkleen@yggdrasil.li>2021-12-08 15:23:37 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-08 15:23:37 +0100
commita2962229c6a81ac23a685d243fa43d83957b4fc4 (patch)
treeda76b91033b595d202ef76eee81d15adc1a0f1db
parentf7bfa8f38cba7da1fb54bcf9e778b4dafeea967e (diff)
gkleen@sif: systemd-based ssh socks proxy
-rw-r--r--accounts/gkleen@sif/default.nix26
-rw-r--r--accounts/gkleen@sif/ssh-hosts.nix18
-rw-r--r--accounts/gkleen@sif/systemd.nix86
-rw-r--r--overlays/sshpass-secret.nix26
4 files changed, 107 insertions, 49 deletions
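--- a/accounts/gkleen@sif/default.nix
+++ b/accounts/gkleen@sif/default.nix
@@ -59,30 +59,6 @@ let
       wrapProgram $out/bin/zulip \
         --add-flags '--force-device-scale-factor=1.6'
     '';
-  sshpassSecret = pkgs.writeScriptBin "sshpass-secret" ''
-    #!${pkgs.zsh}/bin/zsh -e
-
-    typeset -a cmd
-    cmd=()
-
-    while
-      if [[ "$#" -le 0 ]]; then
-        echo "Insufficient arguments" >&2
-        exit 2
-      fi
-      arg="''${1}"
-      shift
-    do
-      [[ "''${arg}" == '--' ]] && break
-      user=''${arg%@*}
-      host=''${arg#*@}
-      exec {fdnum}< <(${pkgs.gnome.libsecret}/bin/secret-tool lookup service sshpass host "''${host}" user "''${user}")
-      cmd+=(${pkgs.sshpass}/bin/sshpass -d ''${fdnum} -P "''${user}@''${host}'s password:")
-    done
-
-    cmd+=($@)
-    exec -a ''${cmd[1]} -- $cmd
-  '';
 in {
   imports = with flake.nixosModules.userProfiles.${userName}; [
     mpv yt-dlp
@@ -329,7 +305,7 @@ in {
   keyboard = {
     layout = "us";
     variant = "dvp";
-    options = [ "ctl:nocaps" ];
+    options = [ "ctl:nocaps" "compose:caps" ];
   };
 };
 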
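--- a/accounts/gkleen@sif/ssh-hosts.nix
+++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -287,6 +287,24 @@
       { hostname = "mathw0h.mathinst.loc";
         proxyJump = "mathw0g";
       };
+    "proxy.mathw0g" =
+      { hostname = "mathw0g.math.lmu.de";
+        extraOptions = {
+          ControlPath = "none";
+          ServerAliveCountMax = "3";
+          ServerAliveInterval = "1";
+        };
+      };
+    "proxy.mathw0h" =
+      { hostname = "mathw0h.mathinst.loc";
+        proxyJump = "proxy.mathw0g";
+        extraOptions = {
+          ControlPath = "none";
+          ExitOnForwardFailure = "yes";
+          ServerAliveCountMax = "3";
+          ServerAliveInterval = "1";
+        };
+      };
     "vrt-kvm04" =
       { hostname = "vrt-kvm04";
         proxyJump = "mathw0e";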
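Review bot: Both new `proxy.*` aliases are the targets of a non-interactive unit that answers the password prompt from the keyring (the `SSHPASS_SECRET` environment set in systemd.nix in this same commit), yet nothing in this hunk pins host-key policy for them. Unless `StrictHostKeyChecking` or `UserKnownHostsFile` is set globally earlier in this file, the default `ask` will refuse an unknown key when there is no tty, which fails safe, but an explicit `StrictHostKeyChecking = "yes";` in each `extraOptions` block documents that the scripted password must never be offered to an unverified host and keeps that guarantee if a global default ever changes. Also, `ServerAliveInterval = "1"` with `ServerAliveCountMax = "3"` tears the session down after roughly three seconds of silence, which the `Restart = "always"` unit will then rebuild; a one-line comment stating that this aggressive liveness check is intentional would help the next reader.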
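--- a/accounts/gkleen@sif/systemd.nix
+++ b/accounts/gkleen@sif/systemd.nix
@@ -2,6 +2,36 @@
 let
   xmobar = import ./xmobar pkgs.haskellPackages;
   cfg = config.home-manager.users.${userName};
+
+  autossh-socks-script = pkgs.writeScript "autossh" ''
+    #!${pkgs.zsh}/bin/zsh -xe
+
+    host="''${1%:*}"
+    port="''${1#*:}"
+
+    typeset -a cmd
+    cmd=()
+
+    if [[ -n "''${SSHPASS_SECRET}" ]]; then
+      cmd+=(${pkgs.sshpassSecret}/bin/sshpass-secret)
+      cmd+=("''${(@s/:/)SSHPASS_SECRET}")
+      cmd+=(--)
+    fi
+
+    cmd+=(${pkgs.openssh}/bin/ssh -vvN -D localhost:''${port} "''${host}")
+
+    ( exec -a "''${cmd[1]}" -- ''${cmd} ) &
+    pid=$!
+    ${pkgs.systemd}/bin/systemd-notify --pid="''${pid}"
+
+    while ! ${pkgs.netcat-openbsd.nc}/bin/nc -z -v localhost ''${port}; do
+      ${pkgs.coreutils}/bin/sleep 0.1
+    done
+
+    ${pkgs.systemd}/bin/systemd-notify --ready
+
+    wait "''${pid}"
+  '';
 in {
   services = {
     sync-keepass = {
@@ -16,30 +46,6 @@ in {
         After = ["graphical-session-pre.target"];
       };
     };
-    # trayer = {
-    #   Service = {
-    #     Type = "simple";
-    #     WorkingDirectory = "~";
-    #     ExecStart = "${pkgs.trayer}/bin/trayer --edge top --align right --SetDockType true --SetPartialStrut true --expand true --width 8 --tint 0x000000 --alpha 0 --transparent true --height 32 --monitor primary";
-    #     Restart = "always";
-    #   };
-    #   Install = {
-    #     WantedBy = ["graphical-session.target"];
-    #   };
-    # };
-    # xmobar = {
-    #   Service = {
-    #     Type = "simple";
-    #     WorkingDirectory = "~";
-    #     ExecStart = "${xmobar}/bin/xmobar";
-    #     Restart = "always";
-    #     Environment = "PATH=${pkgs.worktime}/bin:${pkgs.openssh}/bin";
-
-    #   };
-    #   Install = {
-    #     WantedBy = ["graphical-session.target"];
-    #   };
-    # };
     taffybar = {
       Service = {
         Environment = with pkgs; "PATH=${worktime}/bin:${systemd}/bin";
@@ -61,6 +67,38 @@ in {
         Restart = "always";
       };
     };
+    "autossh-socks@proxy.mathw0h:8119" = {
+      Service = {
+        Type = "notify";
+        NotifyAccess = "all";
+        WorkingDirectory = "~";
+        Restart = "always";
+        ExecStart = "${autossh-socks-script} \"%I\"";
+        Environment = [ "SSHPASS_SECRET=gkleen@mathw0g.math.lmu.de" ];
+      };
+      Unit = {
+        StopWhenUnneeded = true;
+      };
+    };
+    "proxy-to-autossh-socks@8118" = {
+      Unit = {
+        Requires = ["autossh-socks@proxy.mathw0h:8119.service" "proxy-to-autossh-socks@8118.socket"];
+        After = ["autossh-socks@proxy.mathw0h:8119.service" "proxy-to-autossh-socks@8118.socket"];
+      };
+      Service = {
+        ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd --exit-idle-time=10s localhost:8119";
+      };
+    };
+  };
+  sockets = {
+    "proxy-to-autossh-socks@8118" = {
+      Socket = {
+        ListenStream = "%I";
+      };
+      Install = {
+        WantedBy = ["default.target"];
+      };
+    };
   };
   timers = {
     sync-keepass = {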
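Review bot: `ListenStream = "%I"` in the new `proxy-to-autossh-socks@8118` socket expands to a bare port number, and a bare port makes systemd bind the wildcard address, so the SOCKS entry point into `mathw0h.mathinst.loc` is reachable from any host that can reach this machine rather than only local clients. The ssh side already restricts itself to `-D localhost:''${port}`; the socket should match it with `ListenStream = "127.0.0.1:%I";` (plus `[::1]:%I` if IPv6 loopback is wanted), which keeps the instance name a plain port. Separately, the readiness loop in `autossh-socks-script` only polls `nc -z`, so if the backgrounded ssh exits before the port opens the script spins until the start timeout instead of failing; `while kill -0 "''${pid}" 2>/dev/null && ! ${pkgs.netcat-openbsd.nc}/bin/nc -z -v localhost ''${port}; do` lets the final `wait` surface the real exit status. The `zsh -xe` trace together with `ssh -vvN` also writes every command and the full ssh debug log to the journal; the password stays on a private fd and should not appear there, but the tracing is worth dropping once the unit is stable.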
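--- /dev/null
+++ b/overlays/sshpass-secret.nix
@@ -0,0 +1,26 @@
+final: prev: {
+  sshpassSecret = prev.writeScriptBin "sshpass-secret" ''
+    #!${final.zsh}/bin/zsh -e
+
+    typeset -a cmd
+    cmd=()
+
+    while
+      if [[ "$#" -le 0 ]]; then
+        echo "Insufficient arguments" >&2
+        exit 2
+      fi
+      arg="''${1}"
+      shift
+    do
+      [[ "''${arg}" == '--' ]] && break
+      user=''${arg%@*}
+      host=''${arg#*@}
+      exec {fdnum}< <(${final.gnome.libsecret}/bin/secret-tool lookup service sshpass host "''${host}" user "''${user}")
+      cmd+=(${final.sshpass}/bin/sshpass -d ''${fdnum} -P "''${user}@''${host}'s password:")
+    done
+
+    cmd+=($@)
+    exec -a ''${cmd[1]} -- $cmd
+  '';
+}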
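Review bot: The keyring lookup's exit status is lost inside the process substitution on the `exec {fdnum}<` line, so `zsh -e` never sees a failure: a missing or locked secret makes `secret-tool` emit nothing, the loop continues, and sshpass presumably answers the prompt with an empty password instead of the wrapper failing. A pre-check before the `exec`, `${final.gnome.libsecret}/bin/secret-tool lookup service sshpass host "''${host}" user "''${user}" >/dev/null || { echo "no secret for ''${user}@''${host}" >&2; exit 3; }`, makes the wrapper fail closed at the cost of one extra keyring round-trip, and keeps the password off argv and out of shell variables. Both `cmd+=($@)` and the final `exec -a ''${cmd[1]} -- $cmd` use unquoted expansions, which in zsh drop empty arguments; `cmd+=("$@")` and `"''${cmd[@]}"` preserve them. A header comment describing the calling convention (`user@host ... -- command ...`, one sshpass layer per host, password delivered on a private fd rather than argv or the environment) would also help, since the argument parsing is the non-obvious part of this script.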