# systemd implementation of autossh
#
# On $CLIENT
#  * Create keypair as root (no passphrase; the unit below reads the key from /root/.ssh):
#    ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_$SERVER
#  * Show pubkey:
#    cat ~/.ssh/id_ed25519_$SERVER.pub
#
# On $SERVER
#  * Create locked-down user
#    adduser --system --group --force-badname $CLIENT
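#  * Accept connections from $CLIENT (copy pubkey from above):
#    su -s /bin/sh -c "mkdir -p ~/.ssh" - $CLIENT
#    su -s /bin/sh -c "echo '$PUBKEY' > ~/.ssh/authorized_keys" - $CLIENT
#    The key has no passphrase, so consider prefixing it in authorized_keys with
#    options such as restrict,port-forwarding to limit it to forwarding only.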
#
# On $CLIENT
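#  * Test the connection to $SERVER as root and approve its host key (check the
#    fingerprint first; the service runs in batch mode and cannot prompt later):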
#    ssh -i /root/.ssh/id_ed25519_$SERVER $CLIENT@$SERVER
#  * Copy this file to /etc/systemd/system/autossh@.service
#  * Register with systemd, activate, and verify:
#    systemctl enable autossh@$SERVER
#    service autossh@$SERVER start
#    service autossh@$SERVER status
#
# On $SERVER
#  * Locate port:
#    lsof -nai TCP -a -u $CLIENT
#  * Connect:
#    ssh -p $PORT 127.0.0.1

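[Unit]
Description=SSH tunnel for %i
# Order the first attempt after the network is up, so the tunnel does not
# fail at boot and then wait a full RestartSec before retrying.
# (Only effective where a wait-online service is enabled; Restart= below
# still covers every later outage.)
Wants=network-online.target
After=network-online.target

[Service]
# No User= is set, so ssh runs as root and uses root's key and known_hosts.
# NOTE(review): a dedicated unprivileged user with its own key would reduce
# exposure of the passphrase-less key; the -i path below would have to follow.
Type=simple
# ssh exits whenever the connection or the forward is lost; restart it
# indefinitely, one minute after each exit.
Restart=always
RestartSec=1min
# Specifiers: %i = instance name (the server to connect to),
#             %H = this machine's hostname, used as the login name on the server.
# Options:
#   -i ...                      per-server private key
#   IdentitiesOnly=yes          offer only that key, not agent or default keys
#   BatchMode=yes               never prompt; fail instead of waiting for input
#   StrictHostKeyChecking=yes   refuse servers whose key is not already in
#                               known_hosts (approved during the manual test)
#   ExitOnForwardFailure=yes    exit if the remote forward cannot be set up,
#                               so systemd restarts the unit
#   IPQoS=lowdelay              mark packets for low-delay handling
#   ServerAliveInterval=10      probe the server every 10 s to detect a dead link
#   -C                          compress the stream
#   -N                          run no remote command, forwarding only
#   -R 0:127.0.0.1:22           have the server allocate a listening port (0)
#                               and forward it to this machine's 127.0.0.1:22
# The listener is loopback-only on the server as long as its sshd keeps the
# default GatewayPorts=no. Every local account on the server can still reach
# it, so this machine's own sshd authentication remains the access control.
ExecStart=/usr/bin/ssh \
    -i /root/.ssh/id_ed25519_%i \
    -o IdentitiesOnly=yes \
    -o BatchMode=yes \
    -o StrictHostKeyChecking=yes \
    -o ExitOnForwardFailure=yes \
    -o IPQoS=lowdelay \
    -o ServerAliveInterval=10 \
    -CNR 0:127.0.0.1:22 %H@%i

[Install]
# Start the tunnel as part of normal multi-user boot.
WantedBy=multi-user.target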