diff options
| author | jeschli <jeschli@gmail.com> | 2018-12-04 19:27:27 +0100 |
|---|---|---|
| committer | jeschli <jeschli@gmail.com> | 2018-12-04 19:27:27 +0100 |
| commit | 5030b74cc5c578bb82619a24592504a6008f1a10 (patch) | |
| tree | 0551e3ddb94353b7438bec02174bf3379bc89b87 /lass/2configs/blue-host.nix | |
| parent | 78b289201987675844aa37abeb4279eb4051ebe0 (diff) | |
| parent | 82988de84c177c247ebbe80940c4d50b9f073b4e (diff) | |
Merge branch 'master' of prism.r:stockholm
Diffstat (limited to 'lass/2configs/blue-host.nix')
| -rw-r--r-- | lass/2configs/blue-host.nix | 100 |
1 files changed, 96 insertions, 4 deletions
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix index 83c235f3e..9cf294afd 100644 --- a/lass/2configs/blue-host.nix +++ b/lass/2configs/blue-host.nix @@ -1,23 +1,115 @@ { config, lib, pkgs, ... }: with import <stockholm/lib>; +let + all_hosts = [ + "icarus" + "shodan" + "daedalus" + "skynet" + "prism" + ]; + remote_hosts = filter (h: h != config.networking.hostName) all_hosts; -{ +in { imports = [ <stockholm/lass/2configs/container-networking.nix> + { #hack for already defined + systemd.services."container@blue".reloadIfChanged = mkForce false; + systemd.services."container@blue".preStart = '' + ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue' + ''; + systemd.services."container@blue".preStop = '' + /run/wrappers/bin/fusermount -u /var/lib/containers/blue + ''; + } ]; - systemd.services."container@blue".reloadIfChanged = mkForce false; + + system.activationScripts.containerPermissions = '' + mkdir -p /var/lib/containers + chmod 711 /var/lib/containers + ''; + containers.blue = { config = { ... }: { - environment.systemPackages = [ pkgs.git ]; + environment.systemPackages = [ + pkgs.git + pkgs.rxvt_unicode.terminfo + ]; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey ]; }; - autoStart = true; + autoStart = false; enableTun = true; privateNetwork = true; hostAddress = "10.233.2.9"; localAddress = "10.233.2.10"; }; + + + systemd.services = builtins.listToAttrs (map (host: + let + in nameValuePair "sync-blue-${host}" { + bindsTo = [ "container@blue.service" ]; + wantedBy = [ "container@blue.service" ]; + # ssh needed for rsync + path = [ pkgs.openssh ]; + serviceConfig = { + Restart = "always"; + RestartSec = 10; + ExecStart = pkgs.writeDash "sync-blue-${host}" '' + set -efu + #make sure blue is running + /run/wrappers/bin/ping -c1 blue.r > /dev/null + + #make sure the container is unlocked + ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue' + + #make sure our target is reachable + ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null + + #start sync + ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" '' + settings { + nodaemon = true, + inotifyMode = "CloseWrite or Modify", + } + sync { + default.rsyncssh, + source = "/var/lib/containers/.blue", + host = "${host}.r", + targetdir = "/var/lib/containers/.blue", + rsync = { + archive = true, + owner = true, + group = true, + }; + ssh = { + binary = "${pkgs.openssh}/bin/ssh"; + identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa", + }, + } + ''} + ''; + }; + unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; + } + ) remote_hosts); + + environment.systemPackages = [ + (pkgs.writeDashBin "start-blue" '' + set -ef + if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then + ${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue + fi + nixos-container start blue + nixos-container run blue -- nixos-rebuild -I /var/src dry-build + if ping -c1 blue.r >/dev/null; then + echo 'blue is already running. bailing out' + exit 23 + fi + nixos-container run blue -- nixos-rebuild -I /var/src switch + '') + ]; } |