From d554acc06850a83399de48ff3bbcb3afdf38b4bb Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 15 Oct 2020 20:19:57 +0200
Subject: l green-host: use cryfs & nixos-containers

---
 lass/2configs/green-host.nix | 109 +++++++++++++++++++++++++------------------
 1 file changed, 63 insertions(+), 46 deletions(-)

diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
index 0cccbc30e..6cccab4b3 100644
--- a/lass/2configs/green-host.nix
+++ b/lass/2configs/green-host.nix
@@ -1,38 +1,44 @@
 { config, lib, pkgs, ... }:
 with import ;
-{
+let
+
+ cname = "green";
+ cryfs = pkgs.cryfs.overrideAttrs (old: {
+ patches = [
+ (pkgs.writeText "file_mode.patch" ''
+ --- a/src/cryfs/filesystem/CryNode.cpp
+ +++ b/src/cryfs/filesystem/CryNode.cpp
+ 
@@ -171,7 +171,7 @@ CryNode::stat_info CryNode::stat() const { + result.uid = fspp::uid_t(getuid()); + result.gid = fspp::gid_t(getgid()); + #endif + - result.mode = fspp::mode_t().addDirFlag().addUserReadFlag().addUserWriteFlag().addUserExecFlag(); + + result.mode = fspp::mode_t().addDirFlag().addUserReadFlag().addUserWriteFlag().addUserExecFlag().addGroupReadFlag().addGroupExecFlag().addOtherReadFlag().addOtherExecFlag();; + result.size = fsblobstore::DirBlob::DIR_LSTAT_SIZE; + //TODO If possible without performance loss, then for a directory, st_nlink should return number of dir entries (including "." and "..") + result.nlink = 1; + '') + ] ++ old.patches; + }); + +in { imports = [ - { #hack for already defined - systemd.services."container@green".reloadIfChanged = mkForce false; - systemd.services."container@green".preStart = '' - ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green ' - ''; - systemd.services."container@green".postStop = '' - set -x - ${pkgs.umount}/bin/umount /var/lib/containers/green - ls -la /dev/mapper/control - ${pkgs.devicemapper}/bin/dmsetup ls - ${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img - ''; - } ]; - services.syncthing.declarative.folders."/var/lib/sync-containers".devices = [ "icarus" "skynet" "littleT" "shodan" ]; - krebs.permown."/var/lib/sync-containers" = { - owner = "root"; - group = "syncthing"; - umask = "0007"; - }; + programs.fuse.userAllowOther = true; - system.activationScripts.containerPermissions = '' - mkdir -p /var/lib/containers - chmod 711 /var/lib/containers - ''; + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}".devices = [ "icarus" "skynet" "littleT" "shodan" ]; + # krebs.permown."/var/lib/sync-containers/${cname}" = { + # owner = "root"; + # group = "syncthing"; + # umask = "0007"; + # }; - containers.green = { + systemd.services."container@green".reloadIfChanged = mkForce false; + containers.${cname} = { config = { 
... }: {
 environment.systemPackages = [
 pkgs.git
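Review bot: `systemd.services."container@green".reloadIfChanged = mkForce false;` still hard-codes the container name while every other reference in this hunk goes through `cname`, so a later rename leaves the override attached to a unit that no longer exists; it should be `systemd.services."container@${cname}".reloadIfChanged = mkForce false;`. The cryfs patch also changes the mode that every directory reports from owner-only to 0755 (group and other read/exec), which, together with the `-o allow_other -o default_permissions` mount in the second hunk, appears to let any local user on the host list the decrypted directory tree; a comment on the `patches` entry naming which in-container user needs that traversal would make the trade-off reviewable. The patched C++ line additionally ends in `;;`, harmless as an empty statement but it should read `…addOtherExecFlag();`. The commented-out `krebs.permown` block should either be removed or carry a one-line note on why it no longer applies to the ciphertext directory.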
@@ -42,41 +48,52 @@ with import ; users.users.root.openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; autoStart = false; enableTun = true; privateNetwork = true; - hostAddress = "10.233.2.15"; - localAddress = "10.233.2.16"; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs }; environment.systemPackages = [ - (pkgs.writeDashBin "start-green" '' - set -fu - CONTAINER='green' - IMAGE='/var/lib/sync-containers/green.img' - - ${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null - if [ "$?" -ne 0 ]; then - ${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER" - fi - - mkdir -p /var/lib/containers/"$CONTAINER" + (pkgs.writeDashBin "start-${cname}" '' + set -euf - ${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" " - if [ "$?" -ne 0 ]; then - ${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER" + mkdir -p /var/lib/containers/${cname}/var/state + chown ${config.services.syncthing.user}: /var/lib/containers/${cname}/var/state + if ! ${pkgs.mount}/bin/mount | grep -q '^cryfs@/var/lib/sync-containers/${cname} on /var/lib/containers/${cname}/var/state '; then + /run/wrappers/bin/sudo -u "${config.services.syncthing.user}" \ + ${cryfs}/bin/cryfs /var/lib/sync-containers/${cname} /var/lib/containers/${cname}/var/state -o allow_other -o default_permissions fi - STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER") + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER" + ${pkgs.nixos-container}/bin/nixos-container start ${cname} fi - ping -c1 green.r - if [ "$?" 
-ne 0 ]; then - ${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch + + if ! ping -c1 -q -w5 ${cname}.r && [ -d /var/lib/containers/${cname}/var/src ]; then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + mkdir -p /var/state/var_src + ln -sf state/var_Src /var/src + nixos-rebuild -I /var/src switch + ''} fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + ${cryfs}/bin/cryfs-unmount /var/lib/containers/${cname}/var/state '') ]; } -- cgit v1.2.3
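Review bot: The deploy script run inside the container creates `/var/state/var_src` but then links `ln -sf state/var_Src /var/src`; on a case-sensitive filesystem the symlink points at a directory that does not exist, so `nixos-rebuild -I /var/src switch` cannot find its sources; it should read `ln -sf state/var_src /var/src`. The guard `[ -d /var/lib/containers/${cname}/var/src ]` also looks circular, since that path is only created by the deploy step it gates — presumably it is meant to skip the first start, but confirm that is the intent. The start script chowns the mount point to the syncthing user and mounts with `-o allow_other -o default_permissions`; a comment beside the `cryfs` line recording why the service user rather than root owns the decrypted state (and that `allow_other` exposes it to every host user subject to the mode bits) would help the next reader judge the exposure.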