From 7cb49c556efce96b15b28807464b8d5cdf1ea999 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 4 Jan 2023 18:33:44 +0100
Subject: l neoprism.r: add riot container

---
 lass/1systems/neoprism/config.nix | 15 +----------
 lass/2configs/riot.nix            | 56 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 14 deletions(-)
 create mode 100644 lass/2configs/riot.nix

diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix
index b7bf7afb..f203abc0 100644
--- a/lass/1systems/neoprism/config.nix
+++ b/lass/1systems/neoprism/config.nix
@@ -6,20 +6,7 @@
     <stockholm/lass/2configs/retiolum.nix>
     <stockholm/lass/2configs/consul.nix>
     <stockholm/lass/2configs/yellow-host.nix>
-    { # TODO make new hfos.nix out of this vv
-      users.users.riot = {
-        uid = pkgs.stockholm.lib.genid_uint31 "riot";
-        isNormalUser = true;
-        extraGroups = [ "libvirtd" ];
-        openssh.authorizedKeys.keys = [
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
-        ];
-      };
-      # krebs.iptables.tables.filter.FORWARD.rules = [
-      #   { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
-      #   { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
-      # ];
-    }
+    <stockholm/lass/2configs/riot.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.neoprism;
diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix
new file mode 100644
index 00000000..37a6298c
--- /dev/null
+++ b/lass/2configs/riot.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+{
+  containers.riot = {
+    config = {
+      environment.systemPackages = [
+        pkgs.dhcpcd
+        pkgs.git
+        pkgs.jq
+      ];
+      networking.useDHCP = lib.mkForce true;
+      networking.firewall.enable = false;
+      systemd.services.autoswitch = {
+        environment = {
+          NIX_REMOTE = "daemon";
+        };
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
+          set -efu
+          if test -e /var/src/nixos-config; then
+            /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
+          fi
+        '';
+        unitConfig.X-StopOnRemoval = false;
+      };
+    };
+    autoStart = true;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.1.1";
+    localAddress = "10.233.1.2";
+    forwardPorts = [
+      { hostPort = 45622; containerPort = 22; }
+    ];
+  };
+
+  systemd.network.networks."50-ve-riot" = {
+    matchConfig.Name = "ve-riot";
+
+    networkConfig = {
+      IPForward = "yes";
+      # weirdly we have to use POSTROUTING MASQUERADE here
+      # IPMasquerade = "both";
+      LinkLocalAddressing = "no";
+      KeepConfiguration = "static";
+    };
+  };
+
+  # networking.nat can be used instead of this
+  krebs.iptables.tables.nat.POSTROUTING.rules = [
+    { v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; }
+  ];
+  krebs.iptables.tables.filter.FORWARD.rules = [
+    { predicate = "-i ve-riot"; target = "ACCEPT"; }
+    { predicate = "-o ve-riot"; target = "ACCEPT"; }
+  ];
+}
-- 
cgit v1.2.3