diff options
Diffstat (limited to 'lass')
-rw-r--r-- | lass/1systems/coaxmetal/config.nix | 2 | ||||
-rw-r--r-- | lass/1systems/neoprism/config.nix | 18 | ||||
-rw-r--r-- | lass/1systems/radio/config.nix | 24 | ||||
-rw-r--r-- | lass/1systems/radio/physical.nix | 7 | ||||
-rw-r--r-- | lass/1systems/shodan/config.nix | 2 | ||||
-rw-r--r-- | lass/1systems/yellow/config.nix | 105 | ||||
-rw-r--r-- | lass/2configs/radio/default.nix | 10 | ||||
-rw-r--r-- | lass/2configs/radio/radio.liq | 6 | ||||
-rw-r--r-- | lass/2configs/radio/weather.nix | 13 | ||||
-rw-r--r-- | lass/2configs/radio/weather_for_ips.py | 49 | ||||
-rw-r--r-- | lass/2configs/riot.nix | 59 | ||||
-rw-r--r-- | lass/2configs/yellow-host.nix | 14 | ||||
-rw-r--r-- | lass/2configs/yellow-mounts/samba.nix (renamed from lass/2configs/prism-mounts/samba.nix) | 4 | ||||
-rw-r--r-- | lass/3modules/sync-containers3.nix | 108 |
14 files changed, 312 insertions, 109 deletions
diff --git a/lass/1systems/coaxmetal/config.nix b/lass/1systems/coaxmetal/config.nix index dd8308bbd..2c88b68cc 100644 --- a/lass/1systems/coaxmetal/config.nix +++ b/lass/1systems/coaxmetal/config.nix @@ -16,7 +16,7 @@ <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/prism-mounts/samba.nix> + <stockholm/lass/2configs/yellow-mounts/samba.nix> <stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/mail.nix> <stockholm/lass/2configs/bitcoin.nix> diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 89ad8cfdc..f203abc07 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -4,21 +4,9 @@ imports = [ <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/libvirt.nix> - { # TODO make new hfos.nix out of this vv - users.users.riot = { - uid = pkgs.stockholm.lib.genid_uint31 "riot"; - isNormalUser = true; - extraGroups = [ "libvirtd" ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" - ]; - }; - # krebs.iptables.tables.filter.FORWARD.rules = [ - # { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } - # { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } - # ]; - } + <stockholm/lass/2configs/consul.nix> + <stockholm/lass/2configs/yellow-host.nix> + <stockholm/lass/2configs/riot.nix> ]; krebs.build.host = config.krebs.hosts.neoprism; diff --git a/lass/1systems/radio/config.nix b/lass/1systems/radio/config.nix new file mode 100644 index 000000000..2fd23a448 --- /dev/null +++ b/lass/1systems/radio/config.nix @@ -0,0 +1,24 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + + <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/radio> + ]; + + krebs.build.host = config.krebs.hosts.radio; + + security.acme = { + acceptTerms = true; + defaults.email = "acme@lassul.us"; + }; + + lass.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt"; + }; +} diff --git a/lass/1systems/radio/physical.nix b/lass/1systems/radio/physical.nix new file mode 100644 index 000000000..8577daf34 --- /dev/null +++ b/lass/1systems/radio/physical.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = true; +} diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index ef538f339..5e48c216a 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -16,7 +16,7 @@ <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/green-host.nix> <stockholm/krebs/2configs/news-host.nix> - <stockholm/lass/2configs/prism-mounts/samba.nix> + <stockholm/lass/2configs/yellow-mounts/samba.nix> <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/consul.nix> <stockholm/lass/2configs/red-host.nix> diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index ecf0337ed..552dd7f00 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -9,20 +9,23 @@ in { krebs.build.host = config.krebs.hosts.yellow; + lass.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL"; + }; + users.groups.download.members = [ "transmission" ]; networking.useHostResolvConf = false; networking.useNetworkd = true; - systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ]; - systemd.services.transmission.after = [ "openvpn-nordvpn.service" ]; services.transmission = { enable = true; + home = "/var/state/transmission"; group = "download"; downloadDirPermissions = "775"; settings = { - download-dir = "/var/download/finished"; - incomplete-dir = "/var/download/incoming"; - incomplete-dir-enable = true; + download-dir = "/var/download/transmission"; + incomplete-dir-enabled = false; rpc-bind-address = "::"; message-level = 1; umask = 18; @@ -40,11 +43,8 @@ in { }; virtualHosts.default = { default = true; - locations."/dl".extraConfig = '' - return 301 /; - ''; locations."/" = { - root = "/var/download/finished"; + root = "/var/download"; extraConfig = '' fancyindex on; fancyindex_footer "/fancy.html"; @@ -136,6 +136,58 @@ in { ''}; ''; }; + virtualHosts."jelly.r" = { + locations."/".extraConfig = '' + proxy_pass http://localhost:8096/; + proxy_set_header Accept-Encoding ""; + ''; + }; + }; + + services.samba = { + enable = true; + enableNmbd = false; + extraConfig = '' + workgroup = WORKGROUP + server string = ${config.networking.hostName} + # only allow retiolum addresses + hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 + + # Use sendfile() for performance gain + use sendfile = true + + # No NetBIOS is needed + disable netbios = true + + # Only mangle non-valid NTFS names, don't care about DOS support + mangled names = illegal + + # Performance optimizations + socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 + + # Disable all printing + load printers = false + disable spoolss = true + printcap name = /dev/null + + map to guest = Bad User + max log size = 50 + dns proxy = no + security = user + + [global] + syslog only = yes + ''; + shares.public = { + comment = "Warez"; + path = "/var/download"; + public = "yes"; + "only guest" = "yes"; + "create mask" = "0644"; + "directory mask" = "2777"; + writable = "no"; + printable = "no"; + }; }; systemd.services.bruellwuerfel = @@ -164,14 +216,33 @@ in { tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web - { predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin + { predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr + { predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr + { predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr + + # smbd + { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } ]; tables.filter.OUTPUT = { policy = "DROP"; rules = [ + { predicate = "-o lo"; target = "ACCEPT"; } { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; } { predicate = "-o tun0"; target = "ACCEPT"; } { predicate = "-o retiolum"; target = "ACCEPT"; } @@ -279,7 +350,7 @@ in { ExecStart = pkgs.writers.writeDash "flix-index" '' set -efu - DIR=/var/download/finished + DIR=/var/download cd "$DIR" while inotifywait -rq -e create -e move -e delete "$DIR"; do find . -type f > "$DIR"/index.tmp @@ -294,9 +365,15 @@ in { group = "download"; }; - services.magnetico = { + services.radarr = { + enable = true; + }; + + services.sonarr = { + enable = true; + }; + + services.prowlarr = { enable = true; - web.address = "0.0.0.0"; - web.port = 9092; }; } diff --git a/lass/2configs/radio/default.nix b/lass/2configs/radio/default.nix index dfb3d7e0b..46540969b 100644 --- a/lass/2configs/radio/default.nix +++ b/lass/2configs/radio/default.nix @@ -3,7 +3,7 @@ let name = "radio"; - music_dir = "/home/radio/music"; + music_dir = "/var/music"; skip_track = pkgs.writers.writeBashBin "skip_track" '' set -eu @@ -303,10 +303,10 @@ in { ''; }; services.syncthing.declarative.folders."the_playlist" = { - path = "/home/radio/music/the_playlist"; + path = "/var/music/the_playlist"; devices = [ "mors" "phone" "prism" "omo" ]; }; - krebs.acl."/home/radio/music/the_playlist"."u:syncthing:X".parents = true; - krebs.acl."/home/radio/music/the_playlist"."u:syncthing:rwX" = {}; - krebs.acl."/home/radio/music/the_playlist"."u:radio:rwX" = {}; + krebs.acl."/var/music/the_playlist"."u:syncthing:X".parents = true; + krebs.acl."/var/music/the_playlist"."u:syncthing:rwX" = {}; + krebs.acl."/var/music/the_playlist"."u:radio:rwX" = {}; } diff --git a/lass/2configs/radio/radio.liq b/lass/2configs/radio/radio.liq index 70d316043..1366287a7 100644 --- a/lass/2configs/radio/radio.liq +++ b/lass/2configs/radio/radio.liq @@ -10,7 +10,7 @@ def stringify_attrs(attrs) = out end -def filter_graveyard(req) = +def filter_music(req) = filename = request.filename(req) if string.match(pattern = '.*/\\.graveyard/.*', filename) then false @@ -27,7 +27,7 @@ end env = environment() port = string.to_int(env["RADIO_PORT"], default = 8000) -all_music = playlist(env["MUSIC"], check_next = filter_graveyard) +all_music = playlist(env["MUSIC"], check_next = filter_music) wishlist = request.queue() tracks = fallback(track_sensitive = true, [wishlist, all_music]) tracks = blank.eat(tracks) @@ -36,7 +36,7 @@ last_metadata = ref([]) def on_metadata(m) = last_metadata := m print("changing tracks") - out = process.read(env["HOOK_TRACK_CHANGE"], env = m) + out = process.read(env["HOOK_TRACK_CHANGE"], env = m, timeout = 5.0) print(out) end tracks.on_metadata(on_metadata) diff --git a/lass/2configs/radio/weather.nix b/lass/2configs/radio/weather.nix index 704bf7218..ad96d8ec0 100644 --- a/lass/2configs/radio/weather.nix +++ b/lass/2configs/radio/weather.nix @@ -18,11 +18,14 @@ let MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY ss -no 'sport = :8000' | - jc --ss | jq -r '.[] | - select( - .local_address != "[::ffff:127.0.0.1]" - and .local_address != "[::1]" - ) | .peer_address | gsub("[\\[\\]]"; "") + jc --ss | jq -r ' + [ + .[] | + select( + .local_address != "[::ffff:127.0.0.1]" + and .local_address != "[::1]" + ) | .peer_address | gsub("[\\[\\]]"; "") + ] | unique[] ' | ${weather_for_ips}/bin/weather_for_ips ''; diff --git a/lass/2configs/radio/weather_for_ips.py b/lass/2configs/radio/weather_for_ips.py index 1f8489bd1..447c6389b 100644 --- a/lass/2configs/radio/weather_for_ips.py +++ b/lass/2configs/radio/weather_for_ips.py @@ -3,32 +3,43 @@ import fileinput import json import requests import os +import random geoip = geoip2.database.Reader(os.environ['MAXMIND_GEOIP_DB']) seen = {} output = [] for ip in fileinput.input(): - location = geoip.city(ip.strip()) - if location.city.geoname_id not in seen: - seen[location.city.geoname_id] = True - weather_api_key = os.environ['OPENWEATHER_API_KEY'] - url = ( - f'https://api.openweathermap.org/data/2.5/onecall' - f'?lat={location.location.latitude}' - f'&lon={location.location.longitude}' - f'&appid={weather_api_key}' - f'&units=metric' - ) - resp = requests.get(url) - weather = json.loads(resp.text) + if "80.147.140.51" in ip: output.append( - f'Weather report for {location.city.name}, {location.country.name}. ' - f'It is {weather["current"]["weather"][0]["description"]} outside ' - f'with a temperature of {weather["current"]["temp"]:.1f} degrees, ' - f'a wind speed of {weather["current"]["wind_speed"]:.1f} meters per second ' - f'and a humidity of {weather["current"]["humidity"]} percent. ' - f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. ' + 'Weather report for c-base, space.' + 'It is empty space outside ' + 'with a temperature of -270 degrees, ' + 'a lightspeed of 299792 kilometers per second ' + 'and a humidity of Not a Number percent. ' + f'The probability of reincarnation is {random.randrange(0, 100)} percent.' ) + else: + location = geoip.city(ip.strip()) + if location.city.geoname_id not in seen: + seen[location.city.geoname_id] = True + weather_api_key = os.environ['OPENWEATHER_API_KEY'] + url = ( + f'https://api.openweathermap.org/data/2.5/onecall' + f'?lat={location.location.latitude}' + f'&lon={location.location.longitude}' + f'&appid={weather_api_key}' + f'&units=metric' + ) + resp = requests.get(url) + weather = json.loads(resp.text) + output.append( + f'Weather report for {location.city.name}, {location.country.name}. ' + f'It is {weather["current"]["weather"][0]["description"]} outside ' + f'with a temperature of {weather["current"]["temp"]:.1f} degrees, ' + f'a wind speed of {weather["current"]["wind_speed"]:.1f} meters per second ' + f'and a humidity of {weather["current"]["humidity"]} percent. ' + f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. ' + ) print('\n'.join(output)) diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix new file mode 100644 index 000000000..559e7b20d --- /dev/null +++ b/lass/2configs/riot.nix @@ -0,0 +1,59 @@ +{ config, lib, pkgs, ... }: +{ + containers.riot = { + config = { + environment.systemPackages = [ + pkgs.dhcpcd + pkgs.git + pkgs.jq + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" + ]; + networking.defaultGateway = "10.233.1.1"; + systemd.services.autoswitch = { + environment = { + NIX_REMOTE = "daemon"; + }; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' + set -efu + if test -e /var/src/nixos-config; then + /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : + fi + ''; + unitConfig.X-StopOnRemoval = false; + }; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.1.1"; + localAddress = "10.233.1.2"; + forwardPorts = [ + { hostPort = 45622; containerPort = 22; } + ]; + }; + + systemd.network.networks."50-ve-riot" = { + matchConfig.Name = "ve-riot"; + + networkConfig = { + IPForward = "yes"; + # weirdly we have to use POSTROUTING MASQUERADE here + # IPMasquerade = "both"; + LinkLocalAddressing = "no"; + KeepConfiguration = "static"; + }; + }; + + # networking.nat can be used instead of this + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { predicate = "-i ve-riot"; target = "ACCEPT"; } + { predicate = "-o ve-riot"; target = "ACCEPT"; } + ]; +} diff --git a/lass/2configs/yellow-host.nix b/lass/2configs/yellow-host.nix new file mode 100644 index 000000000..d07c222c6 --- /dev/null +++ b/lass/2configs/yellow-host.nix @@ -0,0 +1,14 @@ +{ config, pkgs, ... }: +{ + lass.sync-containers3.containers.yellow = { + sshKey = "${toString <secrets>}/yellow.sync.key"; + }; + containers.yellow.bindMounts."/var/lib" = { + hostPath = "/var/lib/sync-containers3/yellow/state"; + isReadOnly = false; + }; + containers.yellow.bindMounts."/var/download" = { + hostPath = "/var/download"; + isReadOnly = false; + }; +} diff --git a/lass/2configs/prism-mounts/samba.nix b/lass/2configs/yellow-mounts/samba.nix index 4b1475ef3..e16f1cc47 100644 --- a/lass/2configs/prism-mounts/samba.nix +++ b/lass/2configs/yellow-mounts/samba.nix @@ -1,6 +1,6 @@ { - fileSystems."/mnt/prism" = { - device = "//prism.r/public"; + fileSystems."/mnt/yellow" = { + device = "//yellow.r/public"; fsType = "cifs"; options = [ "guest" diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix index 1371d5233..86aa40f03 100644 --- a/lass/3modules/sync-containers3.nix +++ b/lass/3modules/sync-containers3.nix @@ -28,6 +28,10 @@ in { type = lib.types.bool; default = false; }; + runContainer = lib.mkOption { + type = lib.types.bool; + default = true; + }; }; })); }; @@ -50,7 +54,8 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' set -efu - ln -frs /var/state/var_src /var/src + mkdir -p /var/state/var_src + ln -Tfrs /var/state/var_src /var/src if test -e /var/src/nixos-config; then /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : fi @@ -64,7 +69,6 @@ in { privateNetwork = true; hostBridge = "ctr0"; bindMounts = { - "/etc/resolv.conf".hostPath = "/etc/resolv.conf"; "/var/lib/self/disk" = { hostPath = "/var/lib/sync-containers3/${ctr.name}/disk"; isReadOnly = false; @@ -74,7 +78,7 @@ in { isReadOnly = false; }; }; - }) cfg.containers; + }) (lib.filterAttrs (_: ctr: ctr.runContainer) cfg.containers); systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [ { "${ctr.name}_syncer" = { @@ -101,14 +105,14 @@ in { set -efux if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then touch "$HOME"/incomplete - rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk + rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk rm "$HOME"/incomplete fi ''} ''; }; }; } - { "${ctr.name}_watcher" = { + { "${ctr.name}_watcher" = lib.mkIf ctr.runContainer { path = with pkgs; [ coreutils consul @@ -136,7 +140,8 @@ in { ;; 200) # echo 'got 200 from kv, will check payload' - export payload=$(consul kv get containers/${ctr.name}) + payload=$(consul kv get containers/${ctr.name}) || continue + export payload if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then # echo 'we are the host, trying to reach container' if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then @@ -163,7 +168,7 @@ in { ''; }; }; } - { "${ctr.name}_scheduler" = { + { "${ctr.name}_scheduler" = lib.mkIf ctr.runContainer { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ coreutils @@ -246,7 +251,7 @@ in { users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" { }) cfg.containers; users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({ - group = "container_${ctr.name}"; + group = "${ctr.name}_container"; isNormalUser = true; uid = slib.genid_uint31 "container_${ctr.name}"; home = "/var/lib/sync-containers3/${ctr.name}"; @@ -254,47 +259,51 @@ in { homeMode = "705"; })) cfg.containers; + environment.systemPackages = lib.mapAttrsToList (_: ctr: (pkgs.writers.writeDashBin "${ctr.name}_init" '' + set -efux + export PATH=${lib.makeBinPath [ + pkgs.coreutils + pkgs.cryptsetup + pkgs.libxfs.bin + ]}:$PATH + truncate -s 5G /var/lib/sync-containers3/${ctr.name}/disk + cryptsetup luksFormat /var/lib/sync-containers3/${ctr.name}/disk ${ctr.luksKey} + cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} + mkfs.xfs /dev/mapper/${ctr.name} + mkdir -p /var/lib/sync-containers3/${ctr.name}/state + mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state + /run/current-system/sw/bin/nixos-container start ${ctr.name} + /run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "init" '' + mkdir -p /var/state + ''} + '')) cfg.containers; }) (lib.mkIf (cfg.containers != {}) { # networking - networking.networkmanager.unmanaged = [ "ctr0" ]; - networking.interfaces.dummy0.virtual = true; - networking.bridges.ctr0.interfaces = [ "dummy0" ]; - networking.interfaces.ctr0.ipv4.addresses = [{ - address = "10.233.0.1"; - prefixLength = 24; - }]; - systemd.services."dhcpd-ctr0" = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - Type = "forking"; - Restart = "always"; - DynamicUser = true; - StateDirectory = "dhcpd-ctr0"; - User = "dhcpd-ctr0"; - Group = "dhcpd-ctr0"; - AmbientCapabilities = [ - "CAP_NET_RAW" # to send ICMP messages - "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67) - ]; - ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases"; - ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" '' - default-lease-time 600; - max-lease-time 7200; - authoritative; - ddns-update-style interim; - log-facility local1; # see dhcpd.nix - - option subnet-mask 255.255.255.0; - option routers 10.233.0.1; - # option domain-name-servers 8.8.8.8; # TODO configure dns server - subnet 10.233.0.0 netmask 255.255.255.0 { - range 10.233.0.10 10.233.0.250; - } - ''} ctr0"; + systemd.network.networks.ctr0 = { + name = "ctr0"; + address = [ + "10.233.0.1/24" + ]; + networkConfig = { + IPForward = "yes"; + IPMasquerade = "both"; + ConfigureWithoutCarrier = true; + DHCPServer = "yes"; }; }; + systemd.network.netdevs.ctr0.netdevConfig = { + Kind = "bridge"; + Name = "ctr0"; + }; + networking.networkmanager.unmanaged = [ "ctr0" ]; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i ctr0"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { predicate = "-i ctr0"; target = "ACCEPT"; } + { predicate = "-o ctr0"; target = "ACCEPT"; } + ]; }) (lib.mkIf cfg.inContainer.enable { users.groups.container_sync = {}; @@ -308,6 +317,17 @@ in { cfg.inContainer.pubkey ]; }; + + networking.useHostResolvConf = false; + networking.useNetworkd = true; + systemd.network = { + enable = true; + networks.eth0 = { + matchConfig.Name = "eth0"; + DHCP = "yes"; + dhcpV4Config.UseDNS = true; + }; + }; }) ]; } |