{ lib, config, pkgs, myData, ... }: { options.mj.services.ssh8022 = with lib.types; { client = { enable = lib.mkEnableOption "Enable ssh8022 client"; keyfile = lib.mkOption { type = str; }; }; server = { enable = lib.mkEnableOption "Enable ssh8022 server"; keyfile = lib.mkOption { type = str; }; openGlobalFirewall = lib.mkOption { type = bool; default = true; }; }; }; config = lib.mkMerge [ ( let cfg = config.mj.services.ssh8022.client; in lib.mkIf cfg.enable { programs.ssh.extraConfig = '' Host fra1-b.jakstys.lt jakstys.lt ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${cfg.keyfile} Host fra1-b HostName fra1-b.jakstys.lt ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${cfg.keyfile} ''; } ) ( let cfg = config.mj.services.ssh8022.server; in lib.mkIf cfg.enable { mj.services.friendlyport.ports = lib.mkIf (!cfg.openGlobalFirewall) [ { subnets = [ myData.subnets.tailscale.cidr ]; tcp = [ 22 ]; } ]; services = { openssh.openFirewall = cfg.openGlobalFirewall; spiped = { enable = true; config = { ssh8022 = { inherit (cfg) keyfile; decrypt = true; source = "[0.0.0.0]:8022"; target = "127.0.0.1:22"; }; }; }; }; networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ]; systemd.services."spiped@ssh8022" = { wantedBy = [ "multi-user.target" ]; overrideStrategy = "asDropin"; }; } ) ]; }