From 1766d24d38f2c43f8579e21f37390069b331d63d Mon Sep 17 00:00:00 2001
From: Infinidoge
Date: Wed, 20 Oct 2021 10:03:03 -0400
Subject: [PATCH] create ssh-tunnel service module
---
 modules/ssh-tunnel.nix | 71 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 modules/ssh-tunnel.nix
diff --git a/modules/ssh-tunnel.nix b/modules/ssh-tunnel.nix
new file mode 100644
index 0000000..21de4f6
--- /dev/null
+++ b/modules/ssh-tunnel.nix
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+ cfg = config.services.ssh-tunnel;
+in
+{
+ options.services.ssh-tunnel = {
+ enable = mkEnableOption "SSH tunneling service";
+
+ server = mkOption {
+ type = with types; uniq string;
+ default = null;
+ description = "The SSH server to connect for port forwarding";
+ };
+
+ requiredBy = mkOption {
+ type = types.list;
+ default = [ ];
+ description = "List of systemd services that require the SSH tunnels";
+ };
+
+ forwards = mkOption {
+ type = types.submodule {
+ options = {
+ dynamic = mkOption {
+ type = types.list;
+ default = [ ];
+ description = "List of dynamic ports to open through the ssh tunnel. See ssh(1) for ``-D``";
+ };
+ local = mkOption {
+ type = types.list;
+ default = [ ];
+ description = "List of local ports to open throgh the ssh tunnel. See ssh(1) for ``-L``";
+ };
+ remote = mkOption {
+ type = types.list;
+ default = [ ];
+ description = "List of remote ports to open throgh the ssh tunnel. See ssh(1) for ``-R``";
+ };
+ };
+ };
+ };
+ };
+
+ config.systemd.services.ssh-tunnel = mkIf cf.enable (
+ let
+ mkParams = flag: concatMapStringsSep " " (x: "${flag} x");
+
+ dynamic = mkParams "-D" cfg.forwards.dynamic;
+ local = mkParams "-L" cfg.forwards.local;
+ remote = mkParams "-R" cfg.forwards.remote;
+
+ options = mkParams "-o" (mapAttrsToList (n: v: "${n}=${v}") {
+ ServerAliveInterval = 60;
+ ExitOnForwardFailure = "yes";
+ KbdInteractiveAuthentication = "no";
+ });
+ in
+ {
+ script = ''
+ ${pkgs.openssh}/bin/ssh ${cfg.server} -NTn \
+ ${options} ${dynamic} ${local} ${remote}
+ '';
+ requiredBy = cfg.requiredBy;
+ serviceConfig = {
+ RestartSec = 5;
+ Restart = "always";
+ };
+ }
+ );
+}
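Review bot: `mkIf cf.enable` on the `config.systemd.services.ssh-tunnel` line references an undefined `cf`, so the module fails to evaluate as soon as it is imported; it should read `mkIf cfg.enable`. Two further evaluation-time defects sit in the `let` block: `mkParams` builds `"${flag} x"` without interpolating the forward spec (every entry becomes the literal `-D x`), and `"${n}=${v}"` is applied to `ServerAliveInterval = 60`, an integer that Nix refuses to coerce into a string — `(x: "${flag} ${x}")` and `(n: v: "${n}=${toString v}")` fix both. On the hardening side the unit runs ssh as root with no `User=`/`DynamicUser=` and no `BatchMode=yes`, so a missing key or unknown host key leaves the `Restart = "always"` loop hung on an interactive prompt rather than failing visibly; adding `BatchMode = "yes"` to the options set and a dedicated service user with its own `known_hosts` and key would keep a long-lived forwarding process off root's credentials. The unquoted `${cfg.server}` and forward strings in `script` are expanded by the shell, so either `lib.escapeShellArg` or a sentence in the option descriptions stating that values are passed to the shell unquoted would make that contract explicit.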