{ config, lib, pkgs, ... }: with import ; let all_hosts = [ "icarus" "shodan" "daedalus" "skynet" "prism" ]; remote_hosts = filter (h: h != config.networking.hostName) all_hosts; in { imports = [ { #hack for already defined systemd.services."container@blue".reloadIfChanged = mkForce false; systemd.services."container@blue".preStart = '' ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue' ''; systemd.services."container@blue".preStop = '' /run/wrappers/bin/fusermount -u /var/lib/containers/blue ''; } ]; system.activationScripts.containerPermissions = '' mkdir -p /var/lib/containers chmod 711 /var/lib/containers ''; containers.blue = { config = { ... }: { environment.systemPackages = [ pkgs.git pkgs.rxvt_unicode.terminfo ]; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey ]; }; autoStart = false; enableTun = true; privateNetwork = true; hostAddress = "10.233.2.9"; localAddress = "10.233.2.10"; }; systemd.services = builtins.listToAttrs (map (host: let in nameValuePair "sync-blue-${host}" { bindsTo = [ "container@blue.service" ]; wantedBy = [ "container@blue.service" ]; # ssh needed for rsync path = [ pkgs.openssh ]; serviceConfig = { Restart = "always"; RestartSec = 10; ExecStart = pkgs.writeDash "sync-blue-${host}" '' set -efu #make sure blue is running /run/wrappers/bin/ping -c1 blue.r > /dev/null #make sure the container is unlocked ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue' #make sure our target is reachable ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null #start sync ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" '' settings { nodaemon = true, inotifyMode = "CloseWrite or Modify", } sync { default.rsyncssh, source = "/var/lib/containers/.blue", host = "${host}.r", targetdir = "/var/lib/containers/.blue", rsync = { owner = true, group = true, }; ssh = { binary = "${pkgs.openssh}/bin/ssh"; identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa", }, } ''} ''; }; unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; } ) remote_hosts); environment.systemPackages = [ (pkgs.writeDashBin "start-blue" '' set -ef if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then ${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue fi nixos-container start blue nixos-container run blue -- nixos-rebuild -I /var/src dry-build if ping -c1 blue.r >/dev/null; then echo 'blue is already running. bailing out' exit 23 fi nixos-container run blue -- nixos-rebuild -I /var/src switch '') ]; }