Add sish tcp forwarding

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-01 16:33:35 +01:00
parent f7112f73d7
commit 20b38b0467
4 changed files with 20 additions and 2 deletions
--- a/hosts/elara/default.nix
+++ b/hosts/elara/default.nix
@@ -27,6 +27,7 @@
    ../common/configs/system/podman
    ../common/configs/system/sops
    ../common/configs/system/ssh
+    ../common/configs/system/sshd
    ../common/configs/system/sudo
    ../common/configs/system/system
    ../common/configs/system/users
--- a/hosts/elara/users/nikara/default.nix
+++ b/hosts/elara/users/nikara/default.nix
@@ -84,6 +84,10 @@ in
    ];
    linger = true;
    uid = lib.strings.toInt (builtins.readFile ./uid);
+    openssh.authorizedKeys.keyFiles = [
+      "${inputs.secrets}/domains/personal/id_ed25519.pub"
+      "${inputs.secrets}/domains/sas/id_ed25519.pub"
+    ];
  };

  wsl.defaultUser = user;
--- a/hosts/himalia/default.nix
+++ b/hosts/himalia/default.nix
@@ -40,6 +40,7 @@
    ../common/configs/system/smartmontools
    ../common/configs/system/sops
    ../common/configs/system/ssh
+    ../common/configs/system/sshd
    ../common/configs/system/sudo
    ../common/configs/system/system
    ../common/configs/system/timezone
--- a/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
@@ -11,7 +11,15 @@ let
  inherit (hmConfig.virtualisation.quadlet) networks;
 in
 {
-  networking.firewall.allowedTCPPorts = [ 2222 ];
+  networking.firewall = {
+    allowedTCPPorts = [ 2222 ];
+    allowedTCPPortRanges = [
+      {
+        from = 61000;
+        to = 61999;
+      }
+    ];
+  };

  home-manager.users.${user} = {
    sops.secrets."sish/ssh/key".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
@@ -44,7 +52,10 @@ in
            "traefik.http.routers.sish.rule=HostRegexp(`^(.+\.)?tunnel\.karaolidis\.com$`)"
            "traefik.http.services.sish.loadbalancer.server.port=80"
          ];
-          publishPorts = [ "2222:2222/tcp" ];
+          publishPorts = [
+            "2222:2222/tcp"
+            "61000-61999:61000-61999/tcp"
+          ];
          exec = [
            "--ssh-address=0.0.0.0:2222"
            "--http-address=0.0.0.0:80"
@@ -55,6 +66,7 @@ in
            "--bind-random-ports=false"
            "--bind-random-aliases=false"
            "--bind-random-subdomains=false"
+            "--port-bind-range=61000-61999"
            "--welcome-message=\"\""
            "--domain=tunnel.karaolidis.com"
            "--proxy-ssl-termination=true"