pi/services/autossh.nix
2026-03-16 19:05:55 +01:00


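# NixOS module: keeps a reverse SSH tunnel to the remote proxy open with
# autossh, supervised by systemd.
{ config, pkgs, lib, ... }:
let
  net = import ../data/network.nix;
  serv = import ../data/services.nix;

  # Every port in net.usedPorts is forwarded 1:1 (remote port N -> localhost:N).
  # Anything added to that list therefore becomes reachable from the proxy
  # side without a separate opt-in here.
  autoForwards = map (port: {
    remote = port;
    localAddress = "localhost";
    localPort = port;
  }) net.usedPorts;

  # Explicit forwards first, then the automatic ones; duplicates are dropped.
  forwards = lib.unique (serv.autossh.forwards ++ autoForwards);

  # One "-R remote:localAddress:localPort" argument per forward.
  forwardString = builtins.concatStringsSep " " (map
    (fwd: "-R ${toString fwd.remote}:${fwd.localAddress}:${toString fwd.localPort}")
    forwards);

  sshHost = net.services.remoteProxy.ip;
  sshPort = 22;

  # NOTE(review): the tunnel logs in as root on the remote proxy. sshd only
  # needs a root login for remote forwards that bind privileged ports (<1024);
  # if the forwarded ports allow it, prefer a dedicated account whose
  # authorized_keys entry is limited with `restrict,port-forwarding` and
  # `permitlisten="..."`, so a stolen key cannot open a root shell.
  sshUser = "root";

  # NOTE(review): this value is interpolated into ExecStart below. It must be
  # a string such as "/var/lib/..." and not a Nix path literal: interpolating
  # a path value copies the file into the world-readable /nix/store, which
  # would expose the private key. Confirm against ../data/services.nix.
  sshKeyPath = serv.autossh.key_path;

  # Pinned host keys for the proxy; the only user-level trust anchor for the
  # connection.
  trustedHostsFile = serv.autossh.known_hosts;
in
{
  environment.systemPackages = with pkgs; [
    autossh
    moreutils
  ];

  systemd.services.autossh-tunnel = {
    description = "Autossh Reverse SSH Tunnel";
    after = [ "network.target" "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "simple";
      # The account is not declared in this file; it has to exist (declared
      # elsewhere) and be able to read sshKeyPath, which should be mode 0600
      # and owned by this user.
      User = "autossh-tunnel";
      Restart = "always";
      RestartSec = 10;
      # The ssh client never needs to gain privileges through setuid binaries.
      NoNewPrivileges = true;

      # -N: no remote command, -T: no pty, -M 0: autossh's own monitor port is
      # disabled, so liveness relies on ServerAliveInterval and on
      # ExitOnForwardFailure making ssh exit (and systemd restart it) when a
      # forward cannot be set up.
      # BatchMode=yes: never wait for a prompt in an unattended unit.
      # StrictHostKeyChecking=yes: set on the command line so that no
      #   ssh_config on the machine can relax host-key verification; a host
      #   key that is not in the known-hosts files makes the connection fail.
      # IdentitiesOnly=yes: offer only the key passed with -i.
      ExecStart = ''
        ${pkgs.autossh}/bin/autossh \
        -N \
        -T \
        -M 0 \
        -o BatchMode=yes \
        -o ServerAliveInterval=10 \
        -o ExitOnForwardFailure=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile=${trustedHostsFile} \
        -o IdentitiesOnly=yes \
        ${forwardString} \
        -i ${sshKeyPath} \
        -p ${toString sshPort} \
        ${sshUser}@${sshHost}
      '';
    };
  };
}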