From ecf9efc39c180b39cb76f981df2ffe6a42c1b4f8 Mon Sep 17 00:00:00 2001
From: Katharina Heidenreich
Date: Sat, 14 Mar 2026 13:33:53 +0100
Subject: [PATCH] feat: add autossh

---
 .gitignore | 1 +
 configuration.nix | 1 +
 data/services.nix | 4 ++++
 services/autossh.nix | 52 ++++++++++++++++++++++++++++++++++++++++++++
 services/default.nix | 1 +
 5 files changed, 59 insertions(+)
 create mode 100644 services/autossh.nix

diff --git a/.gitignore b/.gitignore
index a7987d7..bbb04b5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 users/
 ssh_keys/
+secret/
 results
diff --git a/configuration.nix b/configuration.nix
index 28fbb01..a613775 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -25,6 +25,7 @@ in {
 ./services
 ./users
 ./programs
+ ./secret
 ];
 
 fileSystems = fileSystemDefinition;
diff --git a/data/services.nix b/data/services.nix
index 4f0faa4..502b15d 100644
--- a/data/services.nix
+++ b/data/services.nix
@@ -20,5 +20,9 @@ rec {
 matrix = {
 trusted_servers = [ "matrix.org" ];
 };
+ autossh = {
+ key_path = "/etc/auto-ssh_secrets/key";
+ known_hosts = "/etc/auto-ssh_secrets/known_hosts";
+ };
 }
 
diff --git a/services/autossh.nix b/services/autossh.nix
new file mode 100644
index 0000000..b2ad058
--- /dev/null
+++ b/services/autossh.nix
@@ -0,0 +1,52 @@
+{ config, pkgs, ... }:
+
+let
+ net = import ../data/network.nix;
+ serv = import ../data/services.nix;
+
+ remoteListenHost = "0.0.0.0";
+ remoteListenPort = 80;
+ localHost = "localhost";
+ localPort = 80;
+ sshHost = net.services.remoteProxy.ip;
+ sshPort = 22;
+ sshUser = "root";
+ sshKeyPath = serv.autossh.key_path;
+ trustedHostsFile = serv.autossh.known_hosts;
+in
+{
+ environment.systemPackages = with pkgs; [
+ autossh
+ moreutils
+ ];
+
+ systemd.services.autossh-tunnel = {
+ description = "Autossh Reverse SSH Tunnel";
+ after = [ "network.target" "network-online.target" ];
+ wants = [ "network-online.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ User = "root";
+ Restart = "always";
+ RestartSec = 10;
+
+ ExecStart = ''
+ ${pkgs.autossh}/bin/autossh \
+ -N \
+ -T \
+ -M 0 \
+ -o ServerAliveInterval=10 \
+ -o ExitOnForwardFailure=yes \
+ -o UserKnownHostsFile=${trustedHostsFile} \
+ -R ${remoteListenHost}:${toString remoteListenPort}:${localHost}:${toString localPort} \
+ -i ${sshKeyPath} \
+ -p ${toString sshPort} \
+ ${sshUser}@${sshHost} \
+ 2>&1 | ${pkgs.moreutils}/bin/ts '%Y-%m-%dT%H:%M:%S%z'
+ '';
+ };
+
+ wantedBy = [ "multi-user.target" ];
+ };
+}
diff --git a/services/default.nix b/services/default.nix
index 9e7b998..9d30d21 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -7,5 +7,6 @@
 ./openssh.nix
 ./qbittorrent.nix
 ./unbound.nix
+ ./autossh.nix
 ];
 }
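Review bot: The `2>&1 | ${pkgs.moreutils}/bin/ts '...'` at the end of ExecStart in services/autossh.nix will not act as a pipe, because systemd executes ExecStart directly rather than through a shell, so `2>&1`, `|` and the ts path are handed to autossh as extra arguments after `${sshUser}@${sshHost}`, where ssh will most likely treat them as a remote command (which does not sit well with `-N`) rather than time-stamp the output. Since journald already timestamps every line the service writes, the simplest fix is to end the command at `${sshUser}@${sshHost}` (dropping that trailing backslash and the ts line) and remove `moreutils` from systemPackages; if the custom timestamp format matters, wrap the pipeline in a `pkgs.writeShellScript` and point ExecStart at that instead. Separately, the unit runs as root with no sandboxing although it only needs read access to the key and known_hosts files; a dedicated unprivileged `User` that owns those files, together with `NoNewPrivileges = true` and `ProtectSystem = "strict"`, would limit what a misbehaving ssh process could do on this host. It is also worth adding `-o StrictHostKeyChecking=yes` so that a missing or changed entry in the pinned known_hosts file fails loudly instead of depending on the non-interactive default behaviour.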