stockholm/lass/2configs/red-host.nix

168 lines
5.4 KiB
Nix
Raw Normal View History

2022-11-22 08:05:18 +00:00
{ config, lib, pkgs, ... }:
let
ctr.name = "red";
in
{
imports = [
<stockholm/lass/2configs/container-networking.nix>
];
lass.sync-containers3.containers.red = {
sshKey = "${toString <secrets>}/containers/red/sync.key";
ephemeral = true;
};
# containers.${ctr.name} = {
# config = {
# environment.systemPackages = [
# pkgs.dhcpcd
# pkgs.git
# pkgs.jq
# ];
# networking.useDHCP = lib.mkForce true;
# systemd.services.autoswitch = {
# environment = {
# NIX_REMOTE = "daemon";
# };
# wantedBy = [ "multi-user.target" ];
# serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
# if test -e /var/src/nixos-config; then
# /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
# fi
# '';
# unitConfig.X-StopOnRemoval = false;
# };
# };
# autoStart = false;
# enableTun = true;
# privateNetwork = true;
# hostBridge = "ctr0";
# bindMounts = {
# "/etc/resolv.conf".hostPath = "/etc/resolv.conf";
# "/var/lib/self-state/disk-image" = {
# hostPath = "/var/lib/sync-containers3/${ctr.name}";
# isReadOnly = true;
# };
# };
# };
# systemd.services."${ctr.name}_scheduler" = {
# wantedBy = [ "multi-user.target" ];
# path = with pkgs; [
# coreutils
# consul
# cryptsetup
# mount
# util-linux
# systemd
# untilport
# ];
# serviceConfig = {
# Restart = "always";
# RestartSec = "15s";
# ExecStart = "${pkgs.consul}/bin/consul lock container_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-start" ''
# set -efux
# trap ${pkgs.writers.writeDash "stop-${ctr.name}" ''
# set -efux
# /run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
# umount /var/lib/nixos-containers/${ctr.name}/var/state || :
# cryptsetup luksClose ${ctr.name} || :
# ''} INT TERM EXIT
# consul kv put containers/${ctr.name}/host ${config.networking.hostName}
# cryptsetup luksOpen --key-file /var/src/secrets/containers/${ctr.name}/luks /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name}
# mkdir -p /var/lib/nixos-containers/${ctr.name}/var/state
# mount /dev/mapper/${ctr.name} /var/lib/nixos-containers/${ctr.name}/var/state
# ln -frs /var/lib/nixos-containers/${ctr.name}/var/state/var_src /var/lib/nixos-containers/${ctr.name}/var/src
# /run/current-system/sw/bin/nixos-container start ${ctr.name}
# set +x
# until /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
# while /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
# ''}";
# };
# };
# users.groups."container_${ctr.name}" = {};
# users.users."container_${ctr.name}" = {
# group = "container_${ctr.name}";
# isSystemUser = true;
# home = "/var/lib/sync-containers3/${ctr.name}";
# createHome = true;
# homeMode = "705";
# openssh.authorizedKeys.keys = [
# config.krebs.users.lass.pubkey
# ];
# };
# systemd.timers."${ctr.name}_syncer" = {
# timerConfig = {
# RandomizedDelaySec = 300;
# };
# };
# systemd.services."${ctr.name}_syncer" = {
# path = with pkgs; [
# coreutils
# rsync
# openssh
# systemd
# ];
# startAt = "*:0/1";
# serviceConfig = {
# User = "container_${ctr.name}";
# LoadCredential = [
# "ssh_key:${toString <secrets>}/containers/${ctr.name}/sync.key"
# ];
# ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
# set -efu
# ! systemctl is-active --quiet container@${ctr.name}.service
# '';
# ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
# set -efu
# rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk-image/disk $HOME/disk
# '';
# };
# };
# # networking
# networking.networkmanager.unmanaged = [ "ctr0" ];
# networking.interfaces.dummy0.virtual = true;
# networking.bridges.ctr0.interfaces = [ "dummy0" ];
# networking.interfaces.ctr0.ipv4.addresses = [{
# address = "10.233.0.1";
# prefixLength = 24;
# }];
# systemd.services."dhcpd-ctr0" = {
# wantedBy = [ "multi-user.target" ];
# after = [ "network.target" ];
# serviceConfig = {
# Type = "forking";
# Restart = "always";
# DynamicUser = true;
# StateDirectory = "dhcpd-ctr0";
# User = "dhcpd-ctr0";
# Group = "dhcpd-ctr0";
# AmbientCapabilities = [
# "CAP_NET_RAW" # to send ICMP messages
# "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
# ];
# ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases";
# ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" ''
# default-lease-time 600;
# max-lease-time 7200;
# authoritative;
# ddns-update-style interim;
# log-facility local1; # see dhcpd.nix
# option subnet-mask 255.255.255.0;
# option routers 10.233.0.1;
# # option domain-name-servers 8.8.8.8; # TODO configure dns server
# subnet 10.233.0.0 netmask 255.255.255.0 {
# range 10.233.0.10 10.233.0.250;
# }
# ''} ctr0";
# };
# };
}