feat: add autossh

.gitignore

@@ -1,3 +1,4 @@
 users/
 ssh_keys/
+secret/
 results

configuration.nix

@@ -25,6 +25,7 @@ in {
     ./services
     ./users
     ./programs
+    ./secret
   ];
 
   fileSystems = fileSystemDefinition;

data/services.nix

@@ -20,5 +20,9 @@ rec {
   matrix = {
     trusted_servers = [ "matrix.org" ];
   };
+  autossh = {
+    key_path = "/etc/auto-ssh_secrets/key";
+    known_hosts = "/etc/auto-ssh_secrets/known_hosts";
+  };
 }
 

services/autossh.nix

@@ -0,0 +1,52 @@
+{ config, pkgs, ... }:
+
+let
+  net = import ../data/network.nix;
+  serv = import ../data/services.nix;
+
+  remoteListenHost = "0.0.0.0";
+  remoteListenPort = 80;
+  localHost = "localhost";
+  localPort = 80;
+  sshHost = net.services.remoteProxy.ip;
+  sshPort = 22;
+  sshUser = "root";
+  sshKeyPath = serv.autossh.key_path;
+  trustedHostsFile = serv.autossh.known_hosts;
+in
+{
+  environment.systemPackages = with pkgs; [
+    autossh
+    moreutils
+  ];
+
+  systemd.services.autossh-tunnel = {
+    description = "Autossh Reverse SSH Tunnel";
+    after = [ "network.target" "network-online.target" ];
+    wants = [ "network-online.target" ];
+    
+    serviceConfig = {
+      Type = "simple";
+      User = "root";
+      Restart = "always";
+      RestartSec = 10;
+      
+      ExecStart = ''
+        ${pkgs.autossh}/bin/autossh \
+          -N \
+          -T \
+          -M 0 \
+          -o ServerAliveInterval=10 \
+          -o ExitOnForwardFailure=yes \
+          -o UserKnownHostsFile=${trustedHostsFile} \
+          -R ${remoteListenHost}:${toString remoteListenPort}:${localHost}:${toString localPort} \
+          -i ${sshKeyPath} \
+          -p ${toString sshPort} \
+          ${sshUser}@${sshHost} \
+          2>&1 | ${pkgs.moreutils}/bin/ts '%Y-%m-%dT%H:%M:%S%z'
+      '';
+    };
+    
+    wantedBy = [ "multi-user.target" ];
+  };
+}

services/default.nix

@@ -7,5 +7,6 @@
     ./openssh.nix
     ./qbittorrent.nix
     ./unbound.nix
+    ./autossh.nix
     ];
 }