authorAlejandro Soto <alejandro@34project.org>2024-08-18 02:19:45 -0600
committerAlejandro Soto <alejandro@34project.org>2024-08-18 02:22:31 -0600
commitd405e4a377c784e7b40238149901fbcf45b39e9e (patch)
tree98984fca09aa33631c10d147732add3e996d6e8e /sys
parent1a8c52d5baf6b9245b5363f92db50f007bfb2cea (diff)
sys/platform/[lustrated], home/ssh: setup for hv SSH over vsock
Diffstat (limited to '')
-rw-r--r--sys/net/default.nix1
-rw-r--r--sys/net/vsock.nix59
2 files changed, 60 insertions, 0 deletions
diff --git a/sys/net/default.nix b/sys/net/default.nix
index 608806d..7990bb5 100644
--- a/sys/net/default.nix
+++ b/sys/net/default.nix
@@ -2,5 +2,6 @@
imports = [
./fail2ban.nix
./interfaces.nix
+ ./vsock.nix
];
}
diff --git a/sys/net/vsock.nix b/sys/net/vsock.nix
new file mode 100644
index 0000000..d1bd250
--- /dev/null
+++ b/sys/net/vsock.nix
@@ -0,0 +1,59 @@
+{ lib, config, pkgs, ... }:
+with lib; let
+ cfg = config.local.net.vsock;
+in
+{
+ options.local.net.vsock = {
+ connect = mkOption {
+ default = { };
+ type = with lib.types; attrsOf (submodule ({ name, ... }: {
+ options = {
+ enable = mkEnableOption "vsock connect '${name}'";
+
+ cid = mkOption {
+ type = ints.u32;
+ default = 2;
+ };
+
+ localPort = mkOption {
+ type = port;
+ };
+
+ vsockPort = mkOption {
+ type = port;
+ };
+ };
+ }));
+ };
+ };
+
+ config = {
+ systemd =
+ let
+ connects = mapAttrs
+ (_: connect: {
+ service.serviceConfig = {
+ Type = "simple";
+ ExecStart = "${getExe pkgs.socat} - VSOCK:${toString connect.cid}:${toString connect.vsockPort}";
+ StandardInput = "socket";
+ };
+
+ socket = {
+ wantedBy = [ "sockets.target" ];
+
+ socketConfig = {
+ Accept = true;
+ ListenStream = "[::1]:${toString connect.localPort}";
+ };
+
+ unitConfig.ConditionVirtualization = "kvm";
+ };
+ })
+ cfg.connect;
+ in
+ {
+ sockets = mapAttrs' (name: connect: nameValuePair "vsock-${name}" connect.socket) connects;
+ services = mapAttrs' (name: connect: nameValuePair "vsock-${name}@" connect.service) connects;
+ };
+ };
+}
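Review bot: The `enable` option declared at L44 is never consulted: `connects` is built from the whole of `cfg.connect` (L85), so every entry in the attrset gets a socket and a template service even when its `enable` is false, which makes `mkEnableOption` misleading to anyone reading the module. The minimal fix is to filter at the call site, `(filterAttrs (_: c: c.enable) cfg.connect);` in place of `cfg.connect;` (`filterAttrs` is already in scope through `with lib;`). The four `mkOption`s also carry no `description`; a one-liner on `cid` (`description = "Destination vsock CID; 2 is the hypervisor/host."`) and on `localPort` stating that it is bound on loopback only would document the contract the code at L79 establishes. Since `ListenStream` binds `[::1]`, any local process on the guest can reach the forwarded vsock port; that is fine when the peer authenticates (the commit title suggests SSH), but it is worth a comment so a future `connect` entry is not assumed to be user-scoped.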