Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/binary-cache/server.nix6
-rw-r--r--lass/2configs/bitlbee.nix22
-rw-r--r--lass/2configs/browsers.nix2
-rw-r--r--lass/2configs/c-base.nix2
-rw-r--r--lass/2configs/codimd.nix20
-rw-r--r--lass/2configs/consul.nix3
-rw-r--r--lass/2configs/default.nix15
-rw-r--r--lass/2configs/exim-smarthost.nix16
-rw-r--r--lass/2configs/fysiirc.nix17
-rw-r--r--lass/2configs/gc.nix2
-rw-r--r--lass/2configs/gg23.nix8
-rw-r--r--lass/2configs/git-brain.nix1
-rw-r--r--lass/2configs/green-hosts/cryfs.nix95
-rw-r--r--lass/2configs/green-hosts/ecryptfs.nix99
-rw-r--r--lass/2configs/green-hosts/plain-bindfs.nix90
-rw-r--r--lass/2configs/green-hosts/plain-permown.nix88
-rw-r--r--lass/2configs/green-hosts/plain.nix87
-rw-r--r--lass/2configs/green-hosts/securefs.nix101
-rw-r--r--lass/2configs/gsm-wiki.nix20
-rw-r--r--lass/2configs/hfos.nix9
-rw-r--r--lass/2configs/home-media.nix78
-rw-r--r--lass/2configs/matrix.nix20
-rw-r--r--lass/2configs/minecraft.nix6
-rw-r--r--lass/2configs/monitoring/telegraf.nix175
-rw-r--r--lass/2configs/muchsync.nix1
-rw-r--r--lass/2configs/murmur.nix37
-rw-r--r--lass/2configs/orange-host.nix4
-rw-r--r--lass/2configs/pass.nix3
-rw-r--r--lass/2configs/paste.nix17
-rw-r--r--lass/2configs/print.nix5
-rw-r--r--lass/2configs/realwallpaper.nix8
-rw-r--r--lass/2configs/red-host.nix4
-rw-r--r--lass/2configs/retiolum.nix9
-rw-r--r--lass/2configs/riot.nix34
-rw-r--r--lass/2configs/services/coms/proxy.nix13
-rw-r--r--lass/2configs/services/radio/default.nix18
-rw-r--r--lass/2configs/services/radio/news.nix11
-rw-r--r--lass/2configs/snapclient.nix2
-rw-r--r--lass/2configs/snapserver.nix23
-rw-r--r--lass/2configs/steam.nix4
-rw-r--r--lass/2configs/telegraf.nix67
-rw-r--r--lass/2configs/tor-ssh.nix2
-rw-r--r--lass/2configs/vim.nix45
-rw-r--r--lass/2configs/websites/default.nix2
-rw-r--r--lass/2configs/websites/domsen.nix28
-rw-r--r--lass/2configs/websites/flix.lassul.us.nix13
-rw-r--r--lass/2configs/weechat.nix11
-rw-r--r--lass/2configs/wine.nix2
-rw-r--r--lass/2configs/wiregrill.nix10
-rw-r--r--lass/2configs/xmonad.nix30
-rw-r--r--lass/2configs/yubikey.nix15
51 files changed, 1109 insertions, 291 deletions
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index bdd568c15..490601641 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -1,8 +1,8 @@
{ config, lib, pkgs, ...}:
{
- nixpkgs.config.packageOverrides = p: {
- nix-serve = p.haskellPackages.nix-serve-ng;
- };
+ # nixpkgs.config.packageOverrides = p: {
+ # nix-serve = p.haskellPackages.nix-serve-ng;
+ # };
# generate private key with:
# nix-store --generate-binary-cache-key my-secret-key my-public-key
services.nix-serve = {
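Review bot: The nix-serve override is left in place as commented-out code instead of being deleted; git history already preserves it, and a commented-out override tends to get re-enabled later without re-checking that `p.haskellPackages.nix-serve-ng` still exists. I would drop the three `#` lines, or, if the override is expected to come back, replace them with a one-line comment stating why it was disabled, e.g. `# nix-serve-ng override disabled: <reason>`.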
diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix
index 84f06e587..43573d893 100644
--- a/lass/2configs/bitlbee.nix
+++ b/lass/2configs/bitlbee.nix
@@ -15,18 +15,20 @@ with (import <stockholm/lib>);
# pkgs.tdlib-purple
# pkgs.purple-gowhatsapp
];
+ configDir = "/var/state/bitlbee";
};
- users.users.bitlbee = {
- uid = genid_uint31 "bitlbee";
- isSystemUser = true;
- group = "bitlbee";
- };
- users.groups.bitlbee = {};
-
systemd.services.bitlbee.serviceConfig = {
- DynamicUser = lib.mkForce false;
- User = "bitlbee";
- StateDirectory = lib.mkForce null;
+ ExecStartPre = [
+ "+${pkgs.writeDash "setup-bitlbee" ''
+ ${pkgs.coreutils}/bin/chown bitlbee:bitlbee /var/state/bitlbee || :
+ ''}"
+ ];
+ ReadWritePaths = [
+ "/var/state/bitlbee"
+ ];
};
+ systemd.tmpfiles.rules = [
+ "d /var/state/bitlbee 0700 - - -"
+ ];
}
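Review bot: The `|| :` on the `chown bitlbee:bitlbee /var/state/bitlbee` line silently masks a failed chown, and this hunk also removes the static `users.users.bitlbee` definition, so the name only resolves if something else still provides it (presumably the upstream module's user or the dynamic user via nss-systemd at ExecStartPre time — not visible here). If it does not resolve, the tmpfiles rule leaves the directory `0700` root-owned and bitlbee fails later with a much less obvious write error. I would drop the `|| :` so a broken setup fails at start, i.e. `${pkgs.coreutils}/bin/chown bitlbee:bitlbee /var/state/bitlbee`, and add a comment on the `+` prefix noting that this pre-step deliberately runs as root.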
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index ea6fb644b..92ee8e30f 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -3,6 +3,6 @@
programs.firefox.nativeMessagingHosts.tridactyl = true;
environment.variables.BROWSER = "${pkgs.firefox}/bin/firefox";
environment.systemPackages = [
- pkgs.firefox
+ pkgs.firefox-devedition
];
}
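Review bot: `environment.variables.BROWSER` still points at `${pkgs.firefox}/bin/firefox` while the installed package becomes `pkgs.firefox-devedition`, so the system closure now carries both Firefox builds and `$BROWSER` launches a different binary than the one on PATH. Point it at the same package, e.g. `environment.variables.BROWSER = "${pkgs.firefox-devedition}/bin/firefox";` (check which binary name the devedition wrapper actually ships). `programs.firefox.nativeMessagingHosts.tridactyl` presumably applies to the `programs.firefox` package rather than to `firefox-devedition`, so it is worth confirming that tridactyl still works after this switch.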
diff --git a/lass/2configs/c-base.nix b/lass/2configs/c-base.nix
index a8dd3dd1d..c9ad8cf68 100644
--- a/lass/2configs/c-base.nix
+++ b/lass/2configs/c-base.nix
@@ -17,7 +17,7 @@ in {
};
routes = [
{ routeConfig = {
- Destination = "10.0.1.0/24";
+ Destination = "10.0.0.0/23";
Gateway = "172.31.77.1";
};}
{ routeConfig = {
diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix
index ccca49fac..d0ba8912c 100644
--- a/lass/2configs/codimd.nix
+++ b/lass/2configs/codimd.nix
@@ -2,7 +2,8 @@
with import <stockholm/lib>;
let
domain = "pad.lassul.us";
-in {
+in
+{
# redirect legacy domain to new one
services.nginx.virtualHosts."codi.lassul.us" = {
@@ -25,13 +26,26 @@ in {
security.dhparams = {
enable = true;
- params.hedgedoc = {};
+ params.hedgedoc = { };
};
systemd.services.hedgedoc.environment = {
CMD_COOKIE_POLICY = "none";
CMD_CSP_ALLOW_FRAMING = "true";
};
+
+ services.borgbackup.jobs.hetzner.paths = [
+ "/var/backup"
+ "/var/lib/hedgedoc"
+ ];
+ systemd.services.hedgedoc-backup = {
+ startAt = "daily";
+ serviceConfig = {
+ ExecStart = ''${pkgs.sqlite}/bin/sqlite3 /var/lib/hedgedoc/db.hedgedoc.sqlite ".backup /var/backup/hedgedoc/backup.sq3"'';
+ Type = "oneshot";
+ };
+ };
+
services.hedgedoc = {
enable = true;
configuration.allowOrigin = [ domain ];
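Review bot: The new `hedgedoc-backup` service writes `.backup /var/backup/hedgedoc/backup.sq3` but nothing in the hunk creates `/var/backup/hedgedoc`, so unless it exists from elsewhere the first run fails with sqlite's "unable to open database file". The unit also has no `User` or `UMask`, so it runs as root and the copy of the notes database is created with the default umask, readable by every local account. I would add `serviceConfig.UMask = "0077";` next to `Type = "oneshot";` and a `systemd.tmpfiles.rules = [ "d /var/backup/hedgedoc 0700 - - -" ];` entry so the directory exists and the dump stays private.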
@@ -51,8 +65,6 @@ in {
sslCertPath = "/var/lib/acme/${domain}/cert.pem";
sslKeyPath = "/var/lib/acme/${domain}/key.pem";
dhParamPath = config.security.dhparams.params.hedgedoc.path;
-
};
};
}
-
diff --git a/lass/2configs/consul.nix b/lass/2configs/consul.nix
index b8d925de5..67467364e 100644
--- a/lass/2configs/consul.nix
+++ b/lass/2configs/consul.nix
@@ -17,9 +17,6 @@
# try to fix random lock loss on leader reelection
retry_interval = "3s";
- performance = {
- raft_multiplier = 8;
- };
};
};
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 72dbfc480..6d4230c68 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -40,6 +40,7 @@ with import <stockholm/lib>;
"video"
"fuse"
"wheel"
+ "tor"
];
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
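Review bot: Adding the login user to the `tor` group is not explained in the hunk; if `services.tor` is enabled with its control socket group-owned by `tor` (the usual NixOS layout, not visible here), this grants the user control-port access to the daemon, which is more than a client needs to use the SOCKS port. A short comment naming the reason, e.g. `"tor" # control-socket access needed for <purpose>`, would make the grant reviewable later.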
@@ -74,6 +75,7 @@ with import <stockholm/lib>;
krebs = {
enable = true;
build.user = config.krebs.users.lass;
+ ssl.trustIntermediate = true;
};
nix.useSandbox = true;
@@ -93,12 +95,15 @@ with import <stockholm/lib>;
#stockholm
deploy
git
+ git-absorb
git-preview
gnumake
jq
+ nix-output-monitor
#style
rxvt-unicode-unwrapped.terminfo
+ alacritty.terminfo
#monitoring tools
htop
@@ -109,6 +114,7 @@ with import <stockholm/lib>;
iftop
tcpdump
mosh
+ eternal-terminal
sshify
#stuff for dl
@@ -226,13 +232,18 @@ with import <stockholm/lib>;
noipv4ll
'';
+ networking.extraHosts = ''
+ 10.42.0.1 styx.gg23
+ '';
+
+ nix.extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
# use 24:00 time format, the default got sneakily changed around 20.03
i18n.defaultLocale = mkDefault "C.UTF-8";
time.timeZone = mkDefault"Europe/Berlin";
- system.stateVersion = mkDefault "20.03";
-
# disable doc usually
documentation.nixos.enable = mkDefault false;
}
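Review bot: Removing `system.stateVersion = mkDefault "20.03"` leaves any host that sets it nowhere else on the evaluating release's default, which is exactly what the option exists to pin: stateful service layouts (database versions, data directories) then follow whatever release is deployed instead of staying fixed. If every host already sets its own `system.stateVersion` this is harmless, but that is not visible in the hunk; otherwise keep the `mkDefault` here or move a value next to each host. The new `nix.extraOptions` and `networking.extraHosts` blocks would also benefit from a one-line comment each, since the rest of the file annotates its settings.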
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index cb9abd43a..2a3a6b1e5 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -14,18 +14,22 @@ in {
dkim = [
{ domain = "lassul.us"; }
];
+ ssl_cert = "/var/lib/acme/mail.lassul.us/fullchain.pem";
+ ssl_key = "/var/lib/acme/mail.lassul.us/key.pem";
primary_hostname = "lassul.us";
sender_domains = [
"lassul.us"
];
relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [
+ config.krebs.hosts.aergia
config.krebs.hosts.blue
config.krebs.hosts.coaxmetal
config.krebs.hosts.green
config.krebs.hosts.mors
config.krebs.hosts.xerxes
];
- internet-aliases = map (from: { inherit from to; }) mails;
+ internet-aliases = map (from: { inherit from to; }) mails ++ [
+ ];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
{ from = "postmaster"; to = "root"; }
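Review bot: `internet-aliases = map (from: { inherit from to; }) mails ++ [ ];` appends an empty list, which is a no-op and reads like an unfinished edit. Either add the intended extra aliases inside the brackets or revert to `internet-aliases = map (from: { inherit from to; }) mails;`. Precedence is fine as written (function application binds tighter than `++`), so this only affects readability.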
@@ -45,4 +49,14 @@ in {
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
];
+
+ security.acme.certs."mail.lassul.us" = {
+ group = "lasscert";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+ users.groups.lasscert.members = [
+ "dovecot2"
+ "exim"
+ "nginx"
+ ];
}
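Review bot: The new `security.acme.certs."mail.lassul.us"` entry has no renewal hook, so after the certificate renews exim (and dovecot, which the `lasscert` membership suggests also reads it) keeps serving the old certificate until the service happens to restart. Add `reloadServices = [ "exim.service" "dovecot2.service" ];` (or a `postRun`) to the cert definition. Making `key.pem` group-readable via `lasscert` means three daemons share one private key; that is the intended sharing here, but a comment on the group saying so would keep the membership list from growing unreviewed.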
diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix
index 809298df4..b2912d894 100644
--- a/lass/2configs/fysiirc.nix
+++ b/lass/2configs/fysiirc.nix
@@ -1,13 +1,13 @@
{ config, lib, pkgs, ... }: let
format-github-message = pkgs.writeDashBin "format-github-message" ''
- set -xefu
+ set -efu
export PATH=${lib.makeBinPath [
pkgs.jq
]}
INPUT=$(jq -c .)
- if $(echo "$INPUT" | jq 'has("issue") or has("pull_request")'); then
- ${write_to_irc} "$(echo "$INPUT" | jq -r '
+ if $(printf '%s' "$INPUT" | jq 'has("issue") or has("pull_request")'); then
+ ${write_to_irc} "$(printf '%s' "$INPUT" | jq -r '
"\(.action): " +
"[\(.issue.title // .pull_request.title)] " +
"\(.comment.html_url // .issue.html_url // .pull_request.html_url) "
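Review bot: `if $(printf '%s' "$INPUT" | jq 'has("issue") or has("pull_request")'); then` executes jq's printed output as a shell command, relying on `true`/`false` existing as programs; if jq fails on a malformed body the condition becomes an empty command and the branch taken depends on dash's handling of that case. Use jq's exit status instead: `if printf '%s' "$INPUT" | jq -e 'has("issue") or has("pull_request")' >/dev/null; then`. Dropping `-x` from `set -xefu` is a good change since it stops the full webhook body from being traced into the journal. The `format-github-message` script continues past the end of this hunk.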
@@ -57,16 +57,7 @@ in {
case "$Method $Request_URI" in
"POST /")
payload=$(head -c "$req_content_length")
- raw=$(printf '%s' "$payload" | ${pkgs.curl}/bin/curl --data-binary @- http://p.krebsco.de | tail -1)
- payload2=$payload
- payload2=$(printf '%s' "$payload" | tr '\n' ' ' | tr -d '\r')
- if [ "$payload" != "$payload2" ]; then
- echo "payload has been mangled" >&2
- else
- echo "payload not mangled" >&2
- fi
- echo "$payload2" | ${format-github-message}/bin/format-github-message
- ${write_to_irc} "$raw"
+ printf '%s' "$payload" | ${format-github-message}/bin/format-github-message
printf 'HTTP/1.1 200 OK\r\n'
printf 'Connection: close\r\n'
printf '\r\n'
diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix
index 224a6cbb9..d56e95368 100644
--- a/lass/2configs/gc.nix
+++ b/lass/2configs/gc.nix
@@ -3,7 +3,7 @@
with import <stockholm/lib>;
{
nix.gc = {
- automatic = ! (elem config.krebs.build.host.name [ "mors" "xerxes" "coaxmetal" ] || config.boot.isContainer);
+ automatic = ! (elem config.krebs.build.host.name [ "aergia" "mors" "xerxes" "coaxmetal" ] || config.boot.isContainer);
options = "--delete-older-than 15d";
};
}
diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix
index b35b0cb85..bb38f1f90 100644
--- a/lass/2configs/gg23.nix
+++ b/lass/2configs/gg23.nix
@@ -39,6 +39,14 @@ with import <stockholm/lib>;
# IPv6SendRA = "yes";
# DHCPPrefixDelegation = "yes";
};
+ dhcpServerStaticLeases = [
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.42.0.4";
+ MACAddress = "3c:2a:f4:22:28:37";
+ };
+ }
+ ];
};
networking.networkmanager.unmanaged = [ "int0" ];
krebs.iptables.tables.filter.INPUT.rules = [
diff --git a/lass/2configs/git-brain.nix b/lass/2configs/git-brain.nix
index f4d1a27cd..d4ce263ef 100644
--- a/lass/2configs/git-brain.nix
+++ b/lass/2configs/git-brain.nix
@@ -7,7 +7,6 @@ let
krebs-repos = mapAttrs make-krebs-repo {
brain = { };
- krebs-secrets = { };
};
diff --git a/lass/2configs/green-hosts/cryfs.nix b/lass/2configs/green-hosts/cryfs.nix
new file mode 100644
index 000000000..d60dc5951
--- /dev/null
+++ b/lass/2configs/green-hosts/cryfs.nix
@@ -0,0 +1,95 @@
+# seems to work, very slow though
+
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+
+ cname = "green-cryfs";
+
+in {
+ imports = [
+ <stockholm/lass/2configs/container-networking.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ ];
+
+ programs.fuse.userAllowOther = true;
+
+ services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/cryfs" = {
+ devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+ ignorePerms = false;
+ };
+
+ lass.bindfs."/var/lib/sync-containers/${cname}/cryfs" = {
+ source = "/var/lib/sync-containers/${cname}/cryfs";
+ options = [
+ "-M ${toString config.users.users.syncthing.uid} -u root -g root"
+ ];
+ };
+
+
+ systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+ containers.${cname} = {
+ config = { ... }: {
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt-unicode-unwrapped.terminfo
+ ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ system.activationScripts.fuse = {
+ text = ''
+ ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+ '';
+ deps = [];
+ };
+ };
+ allowedDevices = [
+ { modifier = "rwm"; node = "/dev/fuse"; }
+ ];
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+ localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeDashBin "init-${cname}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/sync-containers/${cname}/cryfs
+ '')
+ (pkgs.writeDashBin "start-${cname}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/containers/${cname}/var/state
+
+ STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+ if [ "$STATE" = 'down' ]; then
+ ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+ fi
+
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+ set -x
+
+ mkdir -p /var/state/var_src
+ ln -sfTr /var/state/var_src /var/src
+ touch /etc/NIXOS
+ ''}
+
+ if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+ fi
+ '')
+ (pkgs.writeDashBin "stop-${cname}" ''
+ set -euf
+
+ ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+ '')
+ ];
+}
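Review bot: The `fuse` activation script runs `mknod /dev/fuse c 10 229` unconditionally, so on every activation after the first it fails with "File exists"; guard it with `[ -e /dev/fuse ] || ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229`. The same line appears in `green-hosts/ecryptfs.nix`, `plain-bindfs.nix` and presumably the other `green-hosts/*.nix` variants. All of these variants also hard-code the same `hostAddress`/`localAddress` pair (`10.233.2.15`/`10.233.2.16`), so enabling more than one on a host at a time would collide; a comment at the top stating that they are mutually exclusive experiments would save the next reader a surprise.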
diff --git a/lass/2configs/green-hosts/ecryptfs.nix b/lass/2configs/green-hosts/ecryptfs.nix
new file mode 100644
index 000000000..2c335f6f2
--- /dev/null
+++ b/lass/2configs/green-hosts/ecryptfs.nix
@@ -0,0 +1,99 @@
+
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+
+ cname = "green";
+
+in {
+ imports = [
+ <stockholm/lass/2configs/container-networking.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ ];
+
+ programs.fuse.userAllowOther = true;
+
+ services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/ecryptfs" = {
+ devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+ ignorePerms = false;
+ };
+
+ krebs.permown."/var/lib/sync-containers/${cname}/ecryptfs" = {
+ file-mode = "u+rw";
+ directory-mode = "u+rwx";
+ owner = "syncthing";
+ keepGoing = false;
+ };
+
+ systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+ containers.${cname} = {
+ config = { ... }: {
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt-unicode-unwrapped.terminfo
+ ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ system.activationScripts.fuse = {
+ text = ''
+ ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+ '';
+ deps = [];
+ };
+ };
+ allowedDevices = [
+ { modifier = "rwm"; node = "/dev/fuse"; }
+ ];
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+ localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+ };
+
+ environment.systemPackages = [
+ pkgs.ecryptfs
+ pkgs.keyutils
+ (pkgs.writeDashBin "start-${cname}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/containers/${cname}/var/state
+
+ if ! mount | grep -q '/var/lib/sync-containers/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
+ if [ -e /var/lib/sync-containers/${cname}/ecryptfs/.cfg.json ]; then
+ ${pkgs.ecrypt}/bin/ecrypt mount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+ else
+ ${pkgs.ecrypt}/bin/ecrypt init /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+ fi
+ fi
+
+ STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+ if [ "$STATE" = 'down' ]; then
+ ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+ fi
+
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+ set -x
+
+ mkdir -p /var/state/var_src
+ ln -sfTr /var/state/var_src /var/src
+ touch /etc/NIXOS
+ ''}
+
+ if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+ fi
+ '')
+ (pkgs.writeDashBin "stop-${cname}" ''
+ set -euf
+
+ ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+ ${pkgs.ecrypt}/bin/ecrypt unmount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+ '')
+ ];
+}
+
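Review bot: In `start-${cname}`, the `else` branch runs `ecrypt init` whenever `.cfg.json` is absent, so on a device where syncthing has not yet delivered the shared directory the script creates a brand-new encrypted filesystem and the subsequent sync then merges two unrelated ciphertext trees. Safer to fail closed and make initialisation an explicit step, as `cryfs.nix` does with its `init-` command: replace the `else` branch with `echo "no .cfg.json in /var/lib/sync-containers/${cname}/ecryptfs; run init first" >&2; exit 1`. The `mount | grep -q` check matches on a literal string and will silently stop working if the mount output format changes; `mountpoint -q /var/lib/containers/${cname}/var/state` is the more robust test.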
diff --git a/lass/2configs/green-hosts/plain-bindfs.nix b/lass/2configs/green-hosts/plain-bindfs.nix
new file mode 100644
index 000000000..81d8f20c2
--- /dev/null
+++ b/lass/2configs/green-hosts/plain-bindfs.nix
@@ -0,0 +1,90 @@
+# this seems to work, sadly there are no inotify events on the state directory because bindfs hides them,
+
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+
+ cname = "green-plain";
+
+in {
+ imports = [
+ <stockholm/lass/2configs/container-networking.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ ];
+
+ programs.fuse.userAllowOther = true;
+
+ services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = {
+ devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+ ignorePerms = false;
+ };
+
+ lass.bindfs."/var/lib/containers/${cname}/var/state" = {
+ source = "/var/lib/containers/${cname}/var/state";
+ options = [
+ "-M ${toString config.users.users.syncthing.uid} -u root -g root"
+ ];
+ };
+
+
+ systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+ containers.${cname} = {
+ config = { ... }: {
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt-unicode-unwrapped.terminfo
+ ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ system.activationScripts.fuse = {
+ text = ''
+ ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+ '';
+ deps = [];
+ };
+ };
+ allowedDevices = [
+ { modifier = "rwm"; node = "/dev/fuse"; }
+ ];
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+ localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeDashBin "start-${cname}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/containers/${cname}/var/state
+
+ STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+ if [ "$STATE" = 'down' ]; then
+ ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+ fi
+
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+ set -x
+
+ mkdir -p /var/state/var_src