From 62d230adf689bef8bda48d836133754b7d3c282f Mon Sep 17 00:00:00 2001
From: Katharina Heidenreich
Date: Fri, 10 Apr 2026 22:21:11 +0200
Subject: [PATCH] feat: add tunnel user

---
 config/openssh.nix | 7 +++++++
 config/secrets.nix | 10 ++++++++++
 secrets/openssh/tunnel/pub_keys | 18 ++++++++++++++++++
 system/users.nix | 8 ++++++++
 4 files changed, 43 insertions(+)
 create mode 100644 secrets/openssh/tunnel/pub_keys

diff --git a/config/openssh.nix b/config/openssh.nix
index a40db75..acd7b23 100644
--- a/config/openssh.nix
+++ b/config/openssh.nix
@@ -17,6 +17,13 @@ rec {
 PermitListen localhost:*
 PermitListen 127.0.0.1:*
 '';
+ "tunnel" = ''
+ AllowTcpForwarding yes
+ PermitTTY no
+ X11Forwarding no
+ PermitTunnel no
+ AllowAgentForwarding no
+ '';
 };
 };
 }
\ No newline at end of file
diff --git a/config/secrets.nix b/config/secrets.nix
index ffc0738..78254bd 100644
--- a/config/secrets.nix
+++ b/config/secrets.nix
@@ -20,6 +20,16 @@
 mode = "0600";
 };
 };
+
+ tunnel = {
+ pub_keys = {
+ file = ../secrets/openssh/tunnel/pub_keys;
+ path = "/var/lib/tunnel/.ssh/authorized_keys";
+ owner = "tunnel";
+ group = "nogroup";
+ mode = "0600";
+ };
+ };
 };
 };
 }
\ No newline at end of file
diff --git a/secrets/openssh/tunnel/pub_keys b/secrets/openssh/tunnel/pub_keys
new file mode 100644
index 0000000..d474b91
--- /dev/null
+++ b/secrets/openssh/tunnel/pub_keys
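Review bot: The new `"tunnel"` Match block enables `AllowTcpForwarding yes` with no `PermitOpen` or `PermitListen` limit, so any holder of a tunnel key can forward to every address this host can reach (loopback services, internal networks) and bind listeners on it, whereas the sibling block directly above at least pins `PermitListen` to loopback. Pin the block to its intended targets, e.g. `PermitOpen <host>:<port>` for each destination and, if only `-L`/`-D` style forwarding is needed, `AllowTcpForwarding local` plus `PermitListen none`. Note that `PermitTTY no` only refuses a pty and does not stop non-interactive `ssh tunnel@host cmd`; in this patch command execution is blocked solely by the account's `nologin` shell, which is worth a one-line comment in the block so nobody later gives the user a real shell. The criterion that turns this attribute name into `Match User tunnel` is presumably in the enclosing definition, which starts outside the hunk.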
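Review bot: The `authorized_keys` for a forwarding-only account is installed from an encrypted blob, so this review (and any later one) cannot see whether the entries carry key options; each key should start with `restrict,port-forwarding,permitopen="<host>:<port>"` so the account stays pinned to its purpose even if the sshd Match block is later loosened. Public keys are not confidential — declaring them in plaintext via `users.users.tunnel.openssh.authorizedKeys.keys` would keep them reviewable and let NixOS manage the file instead of materialising a secret under the user's home. If the sops route is kept, sshd's `StrictModes` requires `/var/lib/tunnel` and `/var/lib/tunnel/.ssh` to be owned by `tunnel` or root and not group/world-writable; sops-nix presumably creates the missing `.ssh` parent itself, so confirm the resulting ownership and mode (and whether `path` yields a symlink into `/run/secrets`) on a deployed host. `group = "nogroup"` here should track whatever group the `tunnel` user is finally given in users.nix.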
@@ -0,0 +1,18 @@ +{ + "data": "ENC[AES256_GCM,data:w778jzX0nrR5DlWCzpbx+WRCfT2aTDPuzO9x69SZb7gNaM5ynOyESOcSdgPHIePMZtYZqLQO+7scAthsv21nUEJx4rhysTvAZIeeUY9FvkOv2E7akpN35Ig2x7glUbrJ/eU3Uxax53WsQENXpBMpBvoBDkHCq0ixjYqYz8rapL03xyCRHBP/YFUbDMTavlfdZS3uJc+4ExO7bqexpPIVSSZaUfsisBM0RXUvYOGcWNZ3vHRZDEHUxBEjAQ/WRNTPoVSIDr1K,iv:C67ksybTHpzMC00nCZ9slfl01otIril51LxDSL78Ud4=,tag:dlTpWM+ub9N/LhdXdVemng==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1g5q3hwnpgsas682jkq0zmee3zqggucfe0v5ec0a6pv7wzexadehqne66cj", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VVQ4UHRKZHRNUTFPZm5S\neW5WZURqYnRRWWdSc2Z0ck9iN01aejl5SUJFCmR4Sytoa0x6TUw1UGVpY3E3amJp\nTElIdnArRUoraVpvNU9Yamg3S0JqMncKLS0tIGFETFByMEVTVjVISlRVTStkc0FP\nOXhldUtPSVRBbkFGNVZ5KzZoTHUxYlUKsKuDemT5ira9CU7G84qWOfepsB4VgkJk\n2XVTAIgpjKzCVpvkKOw8RPGmrii1zv0d+Bc6yiMAIVqfF1cxXML9vQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age13p5fukn4eetfqr5jvuc7xv6gwpn8hthq59ay5k2chm0c0409r9jq97dpyz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoak91Lzl4RTQxR2dpdnUw\nNXR2L0wrTDViZjVjVE9FY3N6ZDArZHdOeFZFCnpCV2IyWkg5b25OTUtDV21xZWtl\nQmpudTVLS2MxZEFlby83Y0E4RFNQNUUKLS0tIHoybjZ5ZUlHQit1R0xkRHBCNm9r\nNldnMktKcVhwUmhMcit5YVZpZElkZ28K7CVkA8hVLQtwoKxMVwo+mv0nmyX/4cqP\nuQ3BOENv2HpCDuJIKeHSHnhxjBGPcE7ItGc18Oiz40TmCEmLA1RiMg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-04-10T20:19:33Z", + "mac": "ENC[AES256_GCM,data:0dGecDFzsGoWlk05H2+y06Rnq4HdjATTyoZ0OplQd5bb8VMLELAwSYJp+1vqSDLASyjZGRlGdP+A9pUxMG1GJG5QfCyPX8b6hIPDf1HmlO0ReE+7ZMhqNy47uj/DDq+di5VQM2DbG2SnoqDahwQPRwPxoZ+6mHDz91uLuNfQJZg=,iv:3lTD+Fbe/IVkuFTaQNs//T4YYGUGz9cJTEgnWZl+nBE=,tag:OLyovGEai6DzCu+u4CLzPw==,type:str]", + "version": "3.12.1" + } +} diff --git a/system/users.nix b/system/users.nix index 17e2878..f922281 100644 --- a/system/users.nix +++ b/system/users.nix 
@@ -9,6 +9,14 @@
 hashedPassword = "$y$j9T$NiaiVxQKs0C1V4VdCFKBO.$P6RfBDTyJfPJJzKyHf9PJEy9Ku5M6AU57U98nVD6wP6";
 };
 
+ users.users.tunnel = {
+ isSystemUser = true;
+ group = "nogroup";
+ shell = pkgs.nologin;
+ createHome = true;
+ home = "/var/lib/tunnel";
+ };
+
 users.users.autossh-incoming = {
 isSystemUser = true;
 group = "autossh-incoming";
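Review bot: `group = "nogroup";` puts the tunnel account into the shared catch-all group, while the `autossh-incoming` account in the context lines below gets its own dedicated group; a per-user group is this file's existing convention and keeps anything group-owned by the account (its home, the `authorized_keys` installed with the same group in secrets.nix) from being shared with every other `nogroup` member. Add `users.groups.tunnel = {};` and use `group = "tunnel";` here, and update the secrets entry to match. `createHome = true` leaves the home mode at the NixOS default (presumably 700); since sshd's `StrictModes` rejects a group- or world-writable home, setting `homeMode = "700";` explicitly documents the requirement rather than relying on the default.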