diff options
Diffstat (limited to 'lass')
-rw-r--r-- | lass/2configs/red-host.nix | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/lass/2configs/red-host.nix b/lass/2configs/red-host.nix new file mode 100644 index 000000000..cbd9c097e --- /dev/null +++ b/lass/2configs/red-host.nix @@ -0,0 +1,167 @@ +{ config, lib, pkgs, ... }: +let + ctr.name = "red"; +in +{ + imports = [ + <stockholm/lass/2configs/container-networking.nix> + ]; + + + lass.sync-containers3.containers.red = { + sshKey = "${toString <secrets>}/containers/red/sync.key"; + ephemeral = true; + }; + + # containers.${ctr.name} = { + # config = { + # environment.systemPackages = [ + # pkgs.dhcpcd + # pkgs.git + # pkgs.jq + # ]; + # networking.useDHCP = lib.mkForce true; + # systemd.services.autoswitch = { + # environment = { + # NIX_REMOTE = "daemon"; + # }; + # wantedBy = [ "multi-user.target" ]; + # serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' + # if test -e /var/src/nixos-config; then + # /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : + # fi + # ''; + # unitConfig.X-StopOnRemoval = false; + # }; + # }; + # autoStart = false; + # enableTun = true; + # privateNetwork = true; + # hostBridge = "ctr0"; + # bindMounts = { + # "/etc/resolv.conf".hostPath = "/etc/resolv.conf"; + # "/var/lib/self-state/disk-image" = { + # hostPath = "/var/lib/sync-containers3/${ctr.name}"; + # isReadOnly = true; + # }; + # }; + # }; + + # systemd.services."${ctr.name}_scheduler" = { + # wantedBy = [ "multi-user.target" ]; + # path = with pkgs; [ + # coreutils + # consul + # cryptsetup + # mount + # util-linux + # systemd + # untilport + # ]; + # serviceConfig = { + # Restart = "always"; + # RestartSec = "15s"; + # ExecStart = "${pkgs.consul}/bin/consul lock container_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-start" '' + # set -efux + # trap ${pkgs.writers.writeDash "stop-${ctr.name}" '' + # set -efux + # /run/current-system/sw/bin/nixos-container stop ${ctr.name} || : + # umount /var/lib/nixos-containers/${ctr.name}/var/state || : + # cryptsetup luksClose ${ctr.name} || : + # ''} INT TERM EXIT + # consul kv put containers/${ctr.name}/host ${config.networking.hostName} + # cryptsetup luksOpen --key-file /var/src/secrets/containers/${ctr.name}/luks /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} + # mkdir -p /var/lib/nixos-containers/${ctr.name}/var/state + # mount /dev/mapper/${ctr.name} /var/lib/nixos-containers/${ctr.name}/var/state + # ln -frs /var/lib/nixos-containers/${ctr.name}/var/state/var_src /var/lib/nixos-containers/${ctr.name}/var/src + # /run/current-system/sw/bin/nixos-container start ${ctr.name} + # set +x + # until /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done + # while /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done + # ''}"; + # }; + # }; + + # users.groups."container_${ctr.name}" = {}; + # users.users."container_${ctr.name}" = { + # group = "container_${ctr.name}"; + # isSystemUser = true; + # home = "/var/lib/sync-containers3/${ctr.name}"; + # createHome = true; + # homeMode = "705"; + # openssh.authorizedKeys.keys = [ + # config.krebs.users.lass.pubkey + # ]; + # }; + + # systemd.timers."${ctr.name}_syncer" = { + # timerConfig = { + # RandomizedDelaySec = 300; + # }; + # }; + # systemd.services."${ctr.name}_syncer" = { + # path = with pkgs; [ + # coreutils + # rsync + # openssh + # systemd + # ]; + # startAt = "*:0/1"; + # serviceConfig = { + # User = "container_${ctr.name}"; + # LoadCredential = [ + # "ssh_key:${toString <secrets>}/containers/${ctr.name}/sync.key" + # ]; + # ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" '' + # set -efu + # ! systemctl is-active --quiet container@${ctr.name}.service + # ''; + # ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" '' + # set -efu + # rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk-image/disk $HOME/disk + # ''; + # }; + # }; + + # # networking + # networking.networkmanager.unmanaged = [ "ctr0" ]; + # networking.interfaces.dummy0.virtual = true; + # networking.bridges.ctr0.interfaces = [ "dummy0" ]; + # networking.interfaces.ctr0.ipv4.addresses = [{ + # address = "10.233.0.1"; + # prefixLength = 24; + # }]; + # systemd.services."dhcpd-ctr0" = { + # wantedBy = [ "multi-user.target" ]; + # after = [ "network.target" ]; + # serviceConfig = { + # Type = "forking"; + # Restart = "always"; + # DynamicUser = true; + # StateDirectory = "dhcpd-ctr0"; + # User = "dhcpd-ctr0"; + # Group = "dhcpd-ctr0"; + # AmbientCapabilities = [ + # "CAP_NET_RAW" # to send ICMP messages + # "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67) + # ]; + # ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases"; + # ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" '' + # default-lease-time 600; + # max-lease-time 7200; + # authoritative; + # ddns-update-style interim; + # log-facility local1; # see dhcpd.nix + + # option subnet-mask 255.255.255.0; + # option routers 10.233.0.1; + # # option domain-name-servers 8.8.8.8; # TODO configure dns server + # subnet 10.233.0.0 netmask 255.255.255.0 { + # range 10.233.0.10 10.233.0.250; + # } + # ''} ctr0"; + # }; + # }; + +} + |