| author | quentin@aristote.fr <quentin@aristote.fr> | 2025-10-18 11:54:59 +0200 |
|---|---|---|
| committer | quentin@aristote.fr <quentin@aristote.fr> | 2025-10-18 12:19:56 +0200 |
| commit | 494b4a0343f96a702e5c21348fb3a6eb9ffe99e6 (patch) | |
| tree | 560d6460149f9c084c86e74c915e19d67a20ca81 | |
| parent | 1c4d7e84843a35684c8974a521a58842b97f0e13 (diff) | |
| -rw-r--r-- | config/networking.nix | 19 | ||||
| -rw-r--r-- | config/services/default.nix | 9 | ||||
| -rw-r--r-- | config/services/sshproxy/default.nix | 27 |
3 files changed, 34 insertions, 21 deletions
diff --git a/config/networking.nix b/config/networking.nix
index 7022dde..8322f8c 100644
--- a/config/networking.nix
+++ b/config/networking.nix
@@ -22,25 +22,6 @@
 "93.95.224.28"
 "93.95.224.29"
 ];
-
- # reroute SSH on port 42137 to hephaistos
- nat.enable = true;
- nftables = {
- enable = true;
- ruleset = ''
- table ip nat {
- chain pre {
- type nat hook prerouting priority dstnat; policy accept;
- iifname "ens3" tcp dport 42137 dnat to 100.64.0.3:22
- }
- chain post {
- type nat hook postrouting priority srcnat; policy accept;
- iifname "ens3" ip daddr 100.64.0.3 tcp dport 22 masquerade
- }
- }
- '';
- };
-
 };
 
 services.resolved = {
diff --git a/config/services/default.nix b/config/services/default.nix
index 5cabb7a..52a7784 100644
--- a/config/services/default.nix
+++ b/config/services/default.nix
@@ -1,3 +1,8 @@
-{...}: {
- imports = [./mesh ./web];
+{ ... }:
+{
+ imports = [
+ ./mesh
+ ./sshproxy
+ ./web
+ ];
 }
diff --git a/config/services/sshproxy/default.nix b/config/services/sshproxy/default.nix
new file mode 100644
index 0000000..7bfbc62
--- /dev/null
+++ b/config/services/sshproxy/default.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+{
+ users.users.sshjump = {
+ shell = "${pkgs.coreutils}/bin/true";
+ isSystemUser = true;
+ group = "sshjump";
+ openssh.authorizedKeys.keys = with config.personal.lib.publicKeys.ssh; [
+ latitude-7490
+ precision-3571
+ dragonfly-g4
+ optiplex-9030
+ ];
+ };
+
+ users.groups.sshjump = { };
+
+ services.openssh.extraConfig = ''
+ Match user sshjump
+ AllowTcpForwarding yes
+ AllowAgentForwarding yes
+ PasswordAuthentication no
+ PermitTunnel no
+ GatewayPorts no
+ PermitTTY no
+ X11Forwarding no
+ '';
+}
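Review bot: `AllowTcpForwarding yes` in the new `Match user sshjump` block of config/services/sshproxy/default.nix is not paired with a `PermitOpen` restriction, so a holder of any of the four listed keys can forward to every host and port reachable from this machine — loopback services on it and other mesh peers included — whereas the nftables rule removed in config/networking.nix only exposed 100.64.0.3:22. If the intent is the same single target, add `PermitOpen 100.64.0.3:22` to the block; `PermitListen none` would likewise refuse reverse forwards, which `GatewayPorts no` alone does not. `AllowAgentForwarding yes` is also unnecessary for a ProxyJump-style hop, since the jump user never runs a command (shell is coreutils `true`, `PermitTTY no`), and switching it to `no` keeps an agent socket from being created on this host at all. The directory name `sshproxy` suggests this file replaces the deleted NAT rule, but the commit message is not visible here, so the intended target is inferred.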
