From 1fb7abde922545b3b1ea3887bd5a3f2a57bbb0be Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 23 Jan 2021 17:35:53 +0100
Subject: l sync-containers: fix ecryptfs startup bug
---
 lass/3modules/sync-containers.nix | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'lass/3modules/sync-containers.nix')
diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix
index ca81458a..25ba2589 100644
--- a/lass/3modules/sync-containers.nix
+++ b/lass/3modules/sync-containers.nix
@@ -10,6 +10,8 @@ with import ;
 plain = ''
 '';
 ecryptfs = ''
+ # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
+ echo 4 | ${pkgs.ecryptfs}/bin/ecryptfs-manager
 if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
 if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
 ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
-- 
cgit v1.2.3
From 7a654da5dec445482ef40c4b9642f92e19693f2c Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 23 Jan 2021 17:36:12 +0100
Subject: l sync-containers: shutdown container if already up
---
 lass/3modules/sync-containers.nix | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'lass/3modules/sync-containers.nix')
diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix
index 25ba2589..ebf440c4 100644
--- a/lass/3modules/sync-containers.nix
+++ b/lass/3modules/sync-containers.nix
@@ -155,6 +155,8 @@ in {
 
 if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
 ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
+ else
+ ${(stop ctr.name).${ctr.format}}
 fi
 '')
 (pkgs.writeDashBin "stop-${ctr.name}" ''
-- 
cgit v1.2.3
From 5433345ad4c042313d30709b413d12dbbda3ed99 Mon Sep 17 00:00:00 2001
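Review bot: The comment added on the first `+` line of this hunk names neither the failure the workaround addresses nor why `4` is piped in, so a later maintainer cannot tell when it is safe to drop; something like `# menu entry 4 exits ecryptfs-manager; one start/exit round-trip works around <describe the mount failure here, with a reference>` would carry that. The snippet is spliced into the `start-${ctr.name}` script, which runs under `set -euf` (visible in the file removed by the last patch on this page), so a non-zero exit status from ecryptfs-manager aborts the start before the mount is attempted; if its status carries no meaning here, `echo 4 | ${pkgs.ecryptfs}/bin/ecryptfs-manager || true` makes that intent explicit. Driving an interactive menu by entry number is also brittle across ecryptfs-utils releases; if the real cause is that the ecryptfs module or keyring is not initialised on first start, an explicit initialisation step would be a more robust fix than the manager round-trip, though that is inferred rather than shown here. The `ecryptfs = ''` string this hunk edits closes outside the hunk.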
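Review bot: The new `else` branch in the second hunk runs only the unmount snippet `${(stop ctr.name).${ctr.format}}` and leaves the container itself running, even though the same script issues `nixos-container start` a few lines above this hunk when the status was `down`, and the subject says the container should be shut down; the `stop-${ctr.name}` script defined directly after this hunk pairs `${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name}` with that same snippet. Adding that `nixos-container stop` line before the snippet inside the `else` branch makes both code paths consistent and avoids pulling the encrypted state mount out from under a container that is still up. Under `set -euf` an unmount failure in the new branch also ends the start script non-zero after the container has already been started, which is worth a short comment so the half-started state is understood. The `start-${ctr.name}` script body begins outside the hunk.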
From: lassulus
Date: Sun, 24 Jan 2021 10:23:23 +0100
Subject: l: move ecryptfs-hack to wrapper
---
 lass/3modules/sync-containers.nix | 2 --
 1 file changed, 2 deletions(-)
(limited to 'lass/3modules/sync-containers.nix')
diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix
index ebf440c4..4dd0fd72 100644
--- a/lass/3modules/sync-containers.nix
+++ b/lass/3modules/sync-containers.nix
@@ -10,8 +10,6 @@ with import ;
 plain = ''
 '';
 ecryptfs = ''
- # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
- echo 4 | ${pkgs.ecryptfs}/bin/ecryptfs-manager
 if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
 if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
 ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
-- 
cgit v1.2.3
From ea0b43654e20ee3cbe85c154a35d5363baaaca97 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sun, 24 Jan 2021 10:41:47 +0100
Subject: sync-containers: lass -> krebs
---
 lass/3modules/sync-containers.nix | 168 --------------------------------------
 1 file changed, 168 deletions(-)
 delete mode 100644 lass/3modules/sync-containers.nix
(limited to 'lass/3modules/sync-containers.nix')
diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix
deleted file mode 100644
index 4dd0fd72..00000000
--- a/lass/3modules/sync-containers.nix
+++ /dev/null
@@ -1,168 +0,0 @@
-with import ;
-{ config, pkgs, ... }: let
- cfg = config.lass.sync-containers;
- paths = cname: {
- plain = "/var/lib/containers/${cname}/var/state";
- ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
- securefs = "${cfg.dataLocation}/${cname}/securefs";
- };
- start = cname: {
- plain = ''
- '';
- ecryptfs = ''
- if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
- if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
- ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
- else
- ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
- fi
- fi
- '';
- securefs = ''
- ## TODO init file systems if it does not exist
- # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
- if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
- ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions
- fi
- '';
- };
- stop = cname: {
- plain = ''
- '';
- ecryptfs = ''
- ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
- '';
- securefs = ''
- umount /var/lib/containers/${cname}/var/state
- '';
- };
-in {
- options.lass.sync-containers = {
- dataLocation = mkOption {
- description = ''
- location where the encrypted sync-container lie around
- '';
- default = "/var/lib/sync-containers";
- type = types.absolute-pathname;
- };
- containers = mkOption {
- type = types.attrsOf (types.submodule ({ config, ... }: {
- options = {
- name = mkOption {
- description = ''
- name of the container
- '';
- default = config._module.args.name;
- type = types.str;
- };
- peers = mkOption {
- description = ''
- syncthing peers to share this container with
- '';
- default = [];
- type = types.listOf types.str;
- };
- hostIp = mkOption { # TODO find this automatically
- description = ''
- hostAddress of the privateNetwork
- '';
- example = "10.233.2.15";
- type = types.str;
- };
- localIp = mkOption { # TODO find this automatically
- description = ''
- localAddress of the privateNetwork
- '';
- example = "10.233.2.16";
- type = types.str;
- };
- format = mkOption {
- description = ''
- file system encrption format of the container
- '';
- type = types.enum [ "plain" "ecryptfs" "securefs" ];
- };
- };
- }));
- default = {};
- };
- };
-
- config = mkIf (cfg.containers != {}) {
- programs.fuse.userAllowOther = true;
-
- services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
- devices = ctr.peers;
- ignorePerms = false;
- })) cfg.containers);
-
- krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
- file-mode = "u+rw";
- directory-mode = "u+rwx";
- owner = "syncthing";
- keepGoing = false;
- })) cfg.containers);
-
- systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({
- reloadIfChanged = mkForce false;
- })) cfg.containers;
-
- containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({
- config = { ... }: {
- environment.systemPackages = [
- pkgs.git
- ];
- system.activationScripts.fuse = {
- text = ''
- ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
- '';
- deps = [];
- };
- };
- allowedDevices = [
- { modifier = "rwm"; node = "/dev/fuse"; }
- ];
- autoStart = false;
- enableTun = true;
- privateNetwork = true;
- hostAddress = ctr.hostIp;
- localAddress = ctr.localIp;
- })) cfg.containers;
-
- environment.systemPackages = flatten (mapAttrsToList (n: ctr: [
- (pkgs.writeDashBin "start-${ctr.name}" ''
- set -euf
- set -x
-
- mkdir -p /var/lib/containers/${ctr.name}/var/state
-
- ${(start ctr.name).${ctr.format}}
-
- STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name})
- if [ "$STATE" = 'down' ]; then
- ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name}
- fi
-
- ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
- set -x
-
- mkdir -p /var/state/var_src
- ln -sfTr /var/state/var_src /var/src
- touch /etc/NIXOS
- ''}
-
- if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
- ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
- else
- ${(stop ctr.name).${ctr.format}}
- fi
- '')
- (pkgs.writeDashBin "stop-${ctr.name}" ''
- set -euf
-
- ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name}
- ${(stop ctr.name).${ctr.format}}
- '')
- ]) cfg.containers);
- };
-}
-- 
cgit v1.2.3