sshuttle, cleanup

2024-07-31 01:57:47 +02:00 · 2024-07-31 01:57:47 +02:00 · 0b434f509b
parent fa78f6c4eb
commit 0b434f509b
9 changed files with 37 additions and 12 deletions
--- a/hosts/bolle/default.nix
+++ b/hosts/bolle/default.nix
@ -19,7 +19,6 @@
    ../../profiles/domeneshop-dyndns
    ../../profiles/remote-builders.nix
    #../../profiles/code-remote
    #../../profiles/autossh-reverse-tunnels
  ];
  services.domeneshop-updater.targets = [ config.networking.fqdn ];
--- a/hosts/eple/default.nix
+++ b/hosts/eple/default.nix
@ -19,7 +19,6 @@
    ../../profiles/shell.nix
    ../../profiles/domeneshop-dyndns
    #../../profiles/code-remote
    ../../profiles/remote-builders.nix
    #../../profiles/autossh-reverse-tunnels
  ];
--- a/profiles/remote-builders.nix
+++ b/profiles/remote-builders.nix
@ -33,14 +33,15 @@ let
    isThis = fqdn == config.networking.fqdn;
  in mkIf (!isThis) ( lib.mkMerge [
    # out
-    (lib.mkIf (isBuilder && thisHostIsConsumer) {
+    (lib.mkIf (thisHostIsConsumer && isBuilder) {
      nix.buildMachines = [ buildMachine ];
    })
    # out or jump
-    (lib.mkIf (host.ssh ? listenPublicKey && thisHostIsConsumer) {
+    (lib.mkIf (thisHostIsConsumer && host.ssh ? listenPublicKey) {
      programs.ssh.knownHosts.${fqdn}.publicKey = host.ssh.listenPublicKey;
      # TODO: use nix.buildMachines.*.publicHostKey ?
      # timeouts are great when remote is unresponsive. nix doesn't care
      programs.ssh.extraConfig = ''
@ -48,12 +49,12 @@ let
          ConnectTimeout 3
          Port ${builtins.toString host.ssh.listenPort}
          ${lib.optionalString (host.ssh ? proxyJump) ''
-            ProxyJump ${host.ssh.proxyJump}
+            ProxyJump ${jump.ssh.listenUser}@${host.ssh.proxyJump}:${builtins.toString jump.ssh.listenPort}
          ''}
      '';
    })
    # in
-    (mkIf (isConsumer && (thisHostIsBuilder || thisHostIsHopHost) ) {
+    (mkIf ((thisHostIsBuilder || thisHostIsHopHost) && isConsumer) {
      nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
      nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
--- a/todos.md
+++ b/todos.md
@ -17,7 +17,8 @@
 * [ ] switch to systemd networkd
 * [x] Setup some remote-development and deploy flow
 * [ ] zfs, declarative pools?
-* [ ] figure out how to reuse system flake lock while deplying, leave the night job to upgrade
+* [ ] zfs, fix export
 * [ ] figure out how to reuse system flake lock while deploying, leave the night job to upgrade
 * [ ] some tunneling for NFS hosts
 * [ ] https://nix-community.org/community-builder/
 # ricing
--- a/users/pbsds/home/default.nix
+++ b/users/pbsds/home/default.nix
@ -32,6 +32,11 @@
      #nix-shell -p atom --run "atom $(printf "%q " "$@") --no-sandbox"
      nix run nixpkgs#atom -- --disable-gpu --in-process-gpu --no-sandbox "$@"
    }
    function vpn {
    	ip="$(dig +short -x a $1 | tail -n 1)"
    	( set -x; sshuttle 0.0.0.0/0 --disable-ipv6 --dns -r "$1" -x $ip -x 127.0.0.1 -x 172.0.0.0/8 )
    }
  '';
  home.packages = with pkgs; [
@ -76,12 +81,13 @@
    cachix
    #nix-template
    nix-output-monitor
-    nixpkgs-review
+    unstable.nixpkgs-review
    unstable.nixpkgs-hammering
    unstable.nix-update
    unstable.nix-init
    unstable.deadnix
    unstable.statix
    (pkgs.nixfmt-rfc-style or unstable.nixfmt-rfc-style or null)
    nurl
    manix
    #comma # collides with nix-index-database
--- a/users/pbsds/home/gnome.nix
+++ b/users/pbsds/home/gnome.nix
@ -7,5 +7,6 @@
    ./profiles/mpv.nix
    ./profiles/desktop.nix
    ./profiles/salert.nix
    ./profiles/sshuttle.nix
  ];
 }
--- a/users/pbsds/home/profiles/shell.nix
+++ b/users/pbsds/home/profiles/shell.nix
@ -90,7 +90,7 @@
    curl
    wget
-    sshuttle
+    wakeonlan
    #tldr
    entr
--- a/users/pbsds/home/profiles/ssh.nix
+++ b/users/pbsds/home/profiles/ssh.nix
@ -5,9 +5,6 @@
    if test -f ~/.ssh/config; then
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" ssh
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" rssh
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" vpn
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" lvpn
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" dvpn
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" scp
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" remote-init
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" remote-add
--- a/users/pbsds/home/profiles/sshuttle.nix
+++ b/users/pbsds/home/profiles/sshuttle.nix
@ -0,0 +1,21 @@
 # https://nix-community.github.io/home-manager/options.html
 { pkgs, config, ... }:
 {
  home.packages = with pkgs; [
    sshuttle
  ];
  programs.bash.initExtra = ''
    function vpn (
    	ip="$(dig +short -x a $1 | tail -n 1)"
      set -x
      sshuttle 0.0.0.0/0 --disable-ipv6 --dns -r "$1" -x $ip -x 127.0.0.1 -x 172.0.0.0/8
    )
    if test -f ~/.ssh/config; then
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" vpn
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" lvpn
      complete -W "$(cat ~/.ssh/config | grep "^Host " | cut -d" " -f2- | grep -v '\*')" dvpn
    fi
  '';
 }