diff options
Diffstat (limited to 'lass/2configs/riot.nix')
-rw-r--r-- | lass/2configs/riot.nix | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix new file mode 100644 index 000000000..37a6298ca --- /dev/null +++ b/lass/2configs/riot.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: +{ + containers.riot = { + config = { + environment.systemPackages = [ + pkgs.dhcpcd + pkgs.git + pkgs.jq + ]; + networking.useDHCP = lib.mkForce true; + networking.firewall.enable = false; + systemd.services.autoswitch = { + environment = { + NIX_REMOTE = "daemon"; + }; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' + set -efu + if test -e /var/src/nixos-config; then + /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : + fi + ''; + unitConfig.X-StopOnRemoval = false; + }; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.1.1"; + localAddress = "10.233.1.2"; + forwardPorts = [ + { hostPort = 45622; containerPort = 22; } + ]; + }; + + systemd.network.networks."50-ve-riot" = { + matchConfig.Name = "ve-riot"; + + networkConfig = { + IPForward = "yes"; + # weirdly we have to use POSTROUTING MASQUERADE here + # IPMasquerade = "both"; + LinkLocalAddressing = "no"; + KeepConfiguration = "static"; + }; + }; + + # networking.nat can be used instead of this + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { predicate = "-i ve-riot"; target = "ACCEPT"; } + { predicate = "-o ve-riot"; target = "ACCEPT"; } + ]; +} |