l neoprism.r: add riot container

2023-01-04 18:33:44 +01:00 · 2023-01-04 18:33:44 +01:00 · 7cb49c556e
commit 7cb49c556e
parent 4555a8858d
2 changed files with 57 additions and 14 deletions
--- a/lass/1systems/neoprism/config.nix
+++ b/lass/1systems/neoprism/config.nix
@ -6,20 +6,7 @@
    <stockholm/lass/2configs/retiolum.nix>
    <stockholm/lass/2configs/consul.nix>
    <stockholm/lass/2configs/yellow-host.nix>
-    { # TODO make new hfos.nix out of this vv
-      users.users.riot = {
-        uid = pkgs.stockholm.lib.genid_uint31 "riot";
-        isNormalUser = true;
-        extraGroups = [ "libvirtd" ];
-        openssh.authorizedKeys.keys = [
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
-        ];
-      };
-      # krebs.iptables.tables.filter.FORWARD.rules = [
-      #   { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
-      #   { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
-      # ];
-    }
+    <stockholm/lass/2configs/riot.nix>
  ];

  krebs.build.host = config.krebs.hosts.neoprism;
--- a/lass/2configs/riot.nix
+++ b/lass/2configs/riot.nix
@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+{
+  containers.riot = {
+    config = {
+      environment.systemPackages = [
+        pkgs.dhcpcd
+        pkgs.git
+        pkgs.jq
+      ];
+      networking.useDHCP = lib.mkForce true;
+      networking.firewall.enable = false;
+      systemd.services.autoswitch = {
+        environment = {
+          NIX_REMOTE = "daemon";
+        };
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
+          set -efu
+          if test -e /var/src/nixos-config; then
+            /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
+          fi
+        '';
+        unitConfig.X-StopOnRemoval = false;
+      };
+    };
+    autoStart = true;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.1.1";
+    localAddress = "10.233.1.2";
+    forwardPorts = [
+      { hostPort = 45622; containerPort = 22; }
+    ];
+  };
+
+  systemd.network.networks."50-ve-riot" = {
+    matchConfig.Name = "ve-riot";
+
+    networkConfig = {
+      IPForward = "yes";
+      # weirdly we have to use POSTROUTING MASQUERADE here
+      # IPMasquerade = "both";
+      LinkLocalAddressing = "no";
+      KeepConfiguration = "static";
+    };
+  };
+
+  # networking.nat can be used instead of this
+  krebs.iptables.tables.nat.POSTROUTING.rules = [
+    { v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; }
+  ];
+  krebs.iptables.tables.filter.FORWARD.rules = [
+    { predicate = "-i ve-riot"; target = "ACCEPT"; }
+    { predicate = "-o ve-riot"; target = "ACCEPT"; }
+  ];
+}