hosts/nixdesk/profiles/ssh-public-port-2050.nix

@@ -1,15 +1,16 @@
 {pkgs, ...}: {
-  systemd.services.ssh-port2050-natpmp = {
-    bindsTo = ["sshd.socket"];
-    after = ["sshd.socket"];
-    serviceConfig.Restart = "on-failure";
-    serviceConfig.ExecStart = pkgs.writeScript "ssh-port2050-natpmp" ''
-      #!${pkgs.bash}/bin/bash
-
+  # services.openssh.ports = [22 2050];
+  systemd.services.port2050-natpmp = {
+    bindsTo = ["sshd"]; # might not work
+    confinement = {
+      enable = true;
+      mode = "chroot-only";
+    };
+    serviceConfig.ExecStart = ''
       while true
       do
         ${pkgs.libnatpmp}/bin/natpmpc -a 2050 22 tcp 60
-        ${pkgs.coreutils}/bin/sleep 30
+        sleep 30
       done
     '';
   };

hosts/rackserv/profiles/wireguard-server.nix

@@ -31,7 +31,7 @@ in {
       peers;
   in {
     allowedTCPPorts = getPortsWithProtocol "tcp";
-    allowedUDPPorts = [51820] ++ getPortsWithProtocol "udp";
+    allowedUDPPorts = [51820 1234] ++ getPortsWithProtocol "udp";
     extraCommands = forPortIps ({
       IP,
       port,
@@ -72,6 +72,7 @@ in {
         })
         peers;
     };
+    "50-wg1" = lib.recursiveUpdate config.systemd.network.netdevs."50-wg0" {wireguardConig.ListenPort = 1234;};
   };
 
   systemd.network.networks.wg0 = {

sys/profiles/core/users.nix

@@ -16,7 +16,6 @@
       "render"
       "audio"
       "wireshark"
-      "rtkit"
     ];
 
     openssh.authorizedKeys.keys = with vars.sshKeys; [