diff --git a/hosts/bolle/default.nix b/hosts/bolle/default.nix
index 64bf91d..57d2767 100644
--- a/hosts/bolle/default.nix
+++ b/hosts/bolle/default.nix
@@ -19,7 +19,6 @@
 ../../profiles/domeneshop-dyndns
 ../../profiles/remote-builders.nix
- #../../profiles/code-remote
 #../../profiles/autossh-reverse-tunnels
 ];
 services.domeneshop-updater.targets = [ config.networking.fqdn ];
diff --git a/hosts/eple/default.nix b/hosts/eple/default.nix
index 32c65e5..2ca48de 100644
--- a/hosts/eple/default.nix
+++ b/hosts/eple/default.nix
@@ -19,7 +19,6 @@
 ../../profiles/shell.nix
 ../../profiles/domeneshop-dyndns
- #../../profiles/code-remote
 ../../profiles/remote-builders.nix
 #../../profiles/autossh-reverse-tunnels
 ];
diff --git a/profiles/remote-builders.nix b/profiles/remote-builders.nix
index 08fe54b..e91d096 100644
--- a/profiles/remote-builders.nix
+++ b/profiles/remote-builders.nix
@@ -33,14 +33,15 @@ let
 isThis = fqdn == config.networking.fqdn;
 in mkIf (!isThis) (
 lib.mkMerge [
 # out
- (lib.mkIf (isBuilder && thisHostIsConsumer) {
+ (lib.mkIf (thisHostIsConsumer && isBuilder) {
 nix.buildMachines = [ buildMachine ];
 })
 # out or jump
- (lib.mkIf (host.ssh ? listenPublicKey && thisHostIsConsumer) {
+ (lib.mkIf (thisHostIsConsumer && host.ssh ? listenPublicKey) {
 programs.ssh.knownHosts.${fqdn}.publicKey = host.ssh.listenPublicKey;
+ # TODO: use nix.buildMachines.*.publicHostKey ?
 # timeouts are great when remote is unresponsive. nix doesn't care
 programs.ssh.extraConfig = ''
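Review bot: On the new `# TODO: use nix.buildMachines.*.publicHostKey ?` line: that option does exist and takes the base64-encoded contents of the builder's host key `.pub` file, but as far as I know Nix then hands ssh a private known-hosts file holding only that one key for the builder connection, so it would not cover the hop used by `ProxyJump`. The `programs.ssh.knownHosts.${fqdn}.publicKey` pinning added here therefore still has to stay for hosts that act as jump hosts even if publicHostKey is adopted for builders. I would reword the TODO to `# TODO: also set nix.buildMachines.*.publicHostKey (base64 of the .pub) so the daemon pins the builder key itself; keep knownHosts for jump hosts`. The mkMerge list and the extraConfig string continue past the end of this hunk.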
@@ -48,12 +49,12 @@ let
 ConnectTimeout 3
 Port ${builtins.toString host.ssh.listenPort}
 ${lib.optionalString (host.ssh ? proxyJump) ''
- ProxyJump ${host.ssh.proxyJump}
+ ProxyJump ${jump.ssh.listenUser}@${host.ssh.proxyJump}:${builtins.toString jump.ssh.listenPort}
 ''}
 '';
 })
 # in
- (mkIf (isConsumer && (thisHostIsBuilder || thisHostIsHopHost) ) {
+ (mkIf ((thisHostIsBuilder || thisHostIsHopHost) && isConsumer) {
 nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
 nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
diff --git a/todos.md b/todos.md
index 0983539..cf6cbc6 100644
--- a/todos.md
+++ b/todos.md
@@ -17,7 +17,8 @@
 * [ ] switch to systemd networkd
 * [x] Setup some remote-development and deploy flow
 * [ ] zfs, declarative pools?
-* [ ] figure out how to reuse system flake lock while deplying, leave the night job to upgrade
+* [ ] zfs, fix export
+* [ ] figure out how to reuse system flake lock while deploying, leave the night job to upgrade
 * [ ] some tunneling for NFS hosts
 * [ ] https://nix-community.org/community-builder/
 # ricing
diff --git a/users/pbsds/home/default.nix b/users/pbsds/home/default.nix
index 6e5cf9e..ec0b107 100644
--- a/users/pbsds/home/default.nix
+++ b/users/pbsds/home/default.nix
@@ -32,6 +32,11 @@
 #nix-shell -p atom --run "atom $(printf "%q " "$@") --no-sandbox"
 nix run nixpkgs#atom -- --disable-gpu --in-process-gpu --no-sandbox "$@"
 }
+
+ function vpn {
+ ip="$(dig +short -x a $1 | tail -n 1)"
+ ( set -x; sshuttle 0.0.0.0/0 --disable-ipv6 --dns -r "$1" -x $ip -x 127.0.0.1 -x 172.0.0.0/8 )
+ }
 '';
 home.packages = with pkgs; [
@@ -76,12 +81,13 @@
 cachix
 #nix-template
 nix-output-monitor
- nixpkgs-review
+ unstable.nixpkgs-review
 unstable.nixpkgs-hammering
 unstable.nix-update
 unstable.nix-init
 unstable.deadnix
 unstable.statix
+ (pkgs.nixfmt-rfc-style or unstable.nixfmt-rfc-style or null)
 nurl
 manix
 #comma # collides with nix-index-database
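Review bot: `nix.settings.trusted-users = [ thisHost.ssh.listenUser ];` in the `# in` block is applied whenever `thisHostIsHopHost`, not only when `thisHostIsBuilder`; the Nix manual treats membership in trusted-users as essentially root access on that machine (arbitrary substituters, unsigned path imports), so a hop-only host would hand root-equivalent access to every consumer key it merely forwards for. If a jump host only needs to accept the SSH session for `ProxyJump`, keep `allowed-users` there and scope the trust to builders, e.g. `nix.settings.trusted-users = mkIf thisHostIsBuilder [ thisHost.ssh.listenUser ];`. Separately, the new `ProxyJump ${jump.ssh.listenUser}@…` line references `jump`, which is not bound anywhere in this hunk — presumably a `let` binding outside it; worth confirming it is defined for every host that sets `proxyJump`, since an unbound name only fails at evaluation of that host. The mkIf block continues past the end of this hunk.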
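Review bot: `-x 172.0.0.0/8` in the new `vpn` function excludes the whole of 172.0.0.0/8 from the tunnel, not just the RFC 1918 block 172.16.0.0/12, so every public destination in 172.x bypasses the VPN and goes out directly despite the `0.0.0.0/0` full-tunnel intent; `-x 172.16.0.0/12` is the precise exclusion if private/Docker ranges are what is meant. The same line is repeated in the new users/pbsds/home/profiles/sshuttle.nix, and `vpn` is now defined in both files' bash init, so one copy should go. In `dig +short -x a $1`, `-x` requests a reverse (PTR) lookup and consumes `a` as its address argument, which does not look intended; `ip="$(dig +short a "$1" | tail -n 1)"` is the forward lookup, and quoting `-x "$ip"` keeps an empty result from silently shifting the following `-x` arguments. Note also that this commit removes sshuttle from profiles/shell.nix and installs it only via the profile imported by gnome.nix, so this copy of `vpn` may end up on hosts without the binary.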
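Review bot: `(pkgs.nixfmt-rfc-style or unstable.nixfmt-rfc-style or null)` yields `null` when neither attribute exists, and a `null` element in `home.packages` (a `listOf package`, presumably still the list opened at `home.packages = with pkgs; [` in the previous hunk) fails the module type check rather than being skipped, so the fallback does not provide the graceful degradation it suggests. Either drop the trailing `or null` so a missing attribute fails with a clear "attribute missing" error, or make the element conditional with `lib.optional (pkgs ? nixfmt-rfc-style || unstable ? nixfmt-rfc-style) (pkgs.nixfmt-rfc-style or unstable.nixfmt-rfc-style)` spliced into the list with `++`. The package list continues beyond this hunk.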
diff --git a/users/pbsds/home/gnome.nix b/users/pbsds/home/gnome.nix
index 6b7c615..f35526c 100644
--- a/users/pbsds/home/gnome.nix
+++ b/users/pbsds/home/gnome.nix
@@ -7,5 +7,6 @@
 ./profiles/mpv.nix
 ./profiles/desktop.nix
 ./profiles/salert.nix
+ ./profiles/sshuttle.nix
 ];
 }
diff --git a/users/pbsds/home/profiles/shell.nix b/users/pbsds/home/profiles/shell.nix
index 4285403..646699d 100644
--- a/users/pbsds/home/profiles/shell.nix
+++ b/users/pbsds/home/profiles/shell.nix
@@ -90,7 +90,7 @@
 curl
 wget
- sshuttle
+ wakeonlan
 #tldr
 entr
diff --git a/users/pbsds/home/profiles/ssh.nix b/users/pbsds/home/profiles/ssh.nix
index 995cf0d..61e2bd0 100644
--- a/users/pbsds/home/profiles/ssh.nix
+++ b/users/pbsds/home/profiles/ssh.nix
@@ -5,9 +5,6 @@
 if test -f ~/.ssh/config; then
 complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" ssh
 complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" rssh
- complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" vpn
- complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" lvpn
- complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" dvpn
 complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" scp
 complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" remote-init
 complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" remote-add
diff --git a/users/pbsds/home/profiles/sshuttle.nix b/users/pbsds/home/profiles/sshuttle.nix
new file mode 100644
index 0000000..af7e351
--- /dev/null
+++ b/users/pbsds/home/profiles/sshuttle.nix
@@ -0,0 +1,21 @@
+# https://nix-community.github.io/home-manager/options.html
+{ pkgs, config, ... }:
+{
+ home.packages = with pkgs; [
+ sshuttle
+ ];
+
+ programs.bash.initExtra = ''
+ function vpn (
+ ip="$(dig +short -x a $1 | tail -n 1)"
+ set -x
+ sshuttle 0.0.0.0/0 --disable-ipv6 --dns -r "$1" -x $ip -x 127.0.0.1 -x 172.0.0.0/8
+ )
+
+ if test -f ~/.ssh/config; then
+ complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" vpn
+ complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" lvpn
+ complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" dvpn
+ fi
+ '';
+}
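Review bot: The `complete -W … lvpn` and `complete -W … dvpn` lines register completion for commands this file never defines, and the same commit removes those completions from profiles/ssh.nix without adding `lvpn`/`dvpn` functions anywhere visible; unless they exist elsewhere, drop the two lines or define the functions next to `vpn`. `config` in the module arguments `{ pkgs, config, ... }:` is unused and can be removed. The over-broad `-x 172.0.0.0/8` exclusion and the `dig +short -x a $1` issue raised on users/pbsds/home/default.nix apply to the identical lines in this `vpn` as well.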