From 5e3955c79a0e33a379795be787f5a3496191d35b Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 20 Nov 2018 01:13:48 +0100
Subject: l blue-host: add start/stop scripts

---
 lass/2configs/blue-host.nix | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)


diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index 83c235f3e..a40685775 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -20,4 +20,23 @@ with import <stockholm/lib>;
     hostAddress = "10.233.2.9";
     localAddress = "10.233.2.10";
   };
+  environment.systemPackages = [
+    (pkgs.writeDashBin "start-blue" ''
+      set -ef
+      if ping -c1 blue.r; then
+        echo 'blue is already running. bailing out'
+        exit 23
+      fi
+      if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then
+        ${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue
+      fi
+      nixos-container start blue
+      nixos-container run blue -- nixos-rebuild -I /var/src switch
+    '')
+    (pkgs.writeDashBin "stop-blue" ''
+      set -ef
+      nixos-container stop blue
+      fusermount -u /var/lib/containers/blue
+    '')
+  ];
 }
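Review bot: The mount guard in start-blue, `if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then`, wraps a quiet grep in command substitution, so the test line expands to nothing and only works because POSIX gives an empty command the exit status of its last substitution; write it as a plain negated pipeline, `if ! mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue '; then`. The trailing space in the pattern also stops it from matching any other mountpoint whose path merely starts with that prefix; the same unanchored pattern recurs in the preStart and sync-blue hunks of the later "sync state, start only when safe" commit. The `encfs --public` line deserves a comment that it mounts with allow_other, so the decrypted tree is visible to every local user subject only to its own file modes, e.g. `# --public = allow_other: presumably needed so processes in the container (other uids) can use the mount — confirm; host users are limited only by file modes`.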
-- 
cgit v1.2.3


From 021d4960dbb1401245bd2a509b4529eae74c49a1 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 20 Nov 2018 01:14:08 +0100
Subject: l blue-host: add rxvt_unicode.terminfo

---
 lass/2configs/blue-host.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)


diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index a40685775..f9da05073 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -8,7 +8,10 @@ with import <stockholm/lib>;
   systemd.services."container@blue".reloadIfChanged = mkForce false;
   containers.blue = {
     config = { ... }: {
-      environment.systemPackages = [ pkgs.git ];
+      environment.systemPackages = [
+        pkgs.git
+        pkgs.rxvt_unicode.terminfo
+      ];
       services.openssh.enable = true;
       users.users.root.openssh.authorizedKeys.keys = [
         config.krebs.users.lass.pubkey
-- 
cgit v1.2.3


From 0646503bfbad54a61315da7d77679722d90e79d8 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 20 Nov 2018 01:14:21 +0100
Subject: l blue-host: don't autostart

---
 lass/2configs/blue-host.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index f9da05073..2302c70ec 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -17,7 +17,7 @@ with import <stockholm/lib>;
         config.krebs.users.lass.pubkey
       ];
     };
-    autoStart = true;
+    autoStart = false;
     enableTun = true;
     privateNetwork = true;
     hostAddress = "10.233.2.9";
-- 
cgit v1.2.3


From 9807d6823b31f36eb6b255cf7a01431e7e44a74e Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 20 Nov 2018 23:02:17 +0100
Subject: l blue-host: sync state, start only when safe

---
 lass/2configs/blue-host.nix | 74 ++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 66 insertions(+), 8 deletions(-)


diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index 2302c70ec..be9f68c08 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -1,11 +1,28 @@
 { config, lib, pkgs, ... }:
 with import <stockholm/lib>;
+let
+  all_hosts = [
+    "icarus"
+    "shodan"
+    "daedalus"
+    "skynet"
+    "prism"
+  ];
+  remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
 
-{
+in {
   imports = [
     <stockholm/lass/2configs/container-networking.nix>
+    { #hack for already defined
+      systemd.services."container@blue".reloadIfChanged = mkForce false;
+      systemd.services."container@blue".preStart = ''
+        ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+      '';
+      systemd.services."container@blue".preStop = ''
+        /run/wrappers/bin/fusermount -u /var/lib/containers/blue
+      '';
+    }
   ];
-  systemd.services."container@blue".reloadIfChanged = mkForce false;
   containers.blue = {
     config = { ... }: {
       environment.systemPackages = [
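Review bot: The preStart check `${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'` fails the unit with nothing in the journal explaining why, which is the first thing an operator hits when the volume is still locked; append `|| { echo 'encfs not mounted on /var/lib/containers/blue' >&2; exit 1; }` so the refusal is explicit. The `#hack for already defined` comment would help more if it said what is already defined and why the override has to live in an imported module (presumably `container@blue` is generated by the containers module and this placement is needed for the values to merge — confirm). The enclosing attribute set continues outside the hunk.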
@@ -23,10 +40,56 @@ with import <stockholm/lib>;
     hostAddress = "10.233.2.9";
     localAddress = "10.233.2.10";
   };
+
+
+  systemd.services = builtins.listToAttrs (map (host:
+    let
+    in nameValuePair "sync-blue-${host}" {
+    bindsTo = [ "container@blue.service" ];
+    wantedBy = [ "container@blue.service" ];
+    # ssh needed for rsync
+    path = [ pkgs.openssh ];
+    serviceConfig = {
+      Restart = "always";
+      RestartSec = 10;
+      ExecStart = pkgs.writeDash "sync-blue-${host}" ''
+        set -efu
+        #make sure blue is running
+        /run/wrappers/bin/ping -c1 blue.r > /dev/null
+
+        #make sure the container is unlocked
+        ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+
+        #make sure our target is reachable
+        ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
+
+        #start sync
+        ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
+          settings {
+            nodaemon = true,
+            inotifyMode = "CloseWrite or Modify",
+          }
+          sync {
+            default.rsyncssh,
+            source = "/var/lib/containers/.blue",
+            host = "${host}.r",
+            targetdir = "/var/lib/containers/.blue",
+            ssh = {
+              binary = "${pkgs.openssh}/bin/ssh";
+              identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
+            },
+          }
+        ''}
+      '';
+    };
+    unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
+    }
+  ) remote_hosts);
+
   environment.systemPackages = [
     (pkgs.writeDashBin "start-blue" ''
       set -ef
-      if ping -c1 blue.r; then
+      if ping -c1 blue.r >/dev/null; then
         echo 'blue is already running. bailing out'
         exit 23
       fi
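Review bot: The empty `let in` at the head of the mapped function is dead syntax; `in nameValuePair "sync-blue-${host}" {` can simply be `nameValuePair "sync-blue-${host}" {`. The generated lsyncd table mixes `;` and `,` as field separators (`binary = "${pkgs.openssh}/bin/ssh";` beside a comma-terminated `identityFile`); both are legal Lua, but one style reads better. Two behaviours are implicit and deserve a comment: `default.rsyncssh` propagates deletions to the target unless `delete` is set otherwise, and the `identityFile` line means a root service on the host authenticates to every remote with a key read from inside the unlocked container home, so that key's authorization on the remotes is what gates writes into their `/var/lib/containers/.blue`, e.g. `-- deletions propagate (lsyncd default); the key lives in the unlocked container, so sync stops when blue is locked`. The `environment.systemPackages` list at the end of this hunk continues past it.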
@@ -36,10 +99,5 @@ with import <stockholm/lib>;
       nixos-container start blue
       nixos-container run blue -- nixos-rebuild -I /var/src switch
     '')
-    (pkgs.writeDashBin "stop-blue" ''
-      set -ef
-      nixos-container stop blue
-      fusermount -u /var/lib/containers/blue
-    '')
   ];
 }
-- 
cgit v1.2.3


From 9f9a53723bd79b029d398c0542a686bd8ed56151 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 27 Nov 2018 00:59:40 +0100
Subject: l blue-host: fix permissions

---
 lass/2configs/blue-host.nix | 6 ++++++
 1 file changed, 6 insertions(+)


diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index be9f68c08..e80ce326a 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -23,6 +23,12 @@ in {
       '';
     }
   ];
+
+  system.activationScripts.containerPermissions = ''
+    mkdir -p /var/lib/containers
+    chmod 711 /var/lib/containers
+  '';
+
   containers.blue = {
     config = { ... }: {
       environment.systemPackages = [
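Review bot: `chmod 711 /var/lib/containers` in the activation script deserves a comment stating the intent, since 711 makes the directory traversable (though not listable) by every local user, and with the `--public` encfs mount beneath it the decrypted tree's own file modes become the only host-side access control; something like `# 711: world-traversable so the mount below is reachable by non-root uids (presumably the container's) without exposing the listing — confirm`. Note also that the mode is re-applied on every activation, which is what an activation script is for, but it means any manual tightening is reverted at the next switch.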
-- 
cgit v1.2.3


From 304059b1da4ac256d1487e83a7280d0db6615c2d Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 27 Nov 2018 01:00:14 +0100
Subject: l blue-host: sync also owner and group

---
 lass/2configs/blue-host.nix | 4 ++++
 1 file changed, 4 insertions(+)


diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index e80ce326a..6d46cb8c1 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -80,6 +80,10 @@ in {
             source = "/var/lib/containers/.blue",
             host = "${host}.r",
             targetdir = "/var/lib/containers/.blue",
+            rsync = {
+              owner = true,
+              group = true,
+            };
             ssh = {
               binary = "${pkgs.openssh}/bin/ssh";
               identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
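Review bot: `owner = true` and `group = true` only take effect when the receiving rsync runs as root; the `host = "${host}.r"` line carries no user, so this relies on the service's root identity being the ssh login on every remote, which is worth stating in a comment such as `-- ownership is only preserved because the remote rsync runs as root`. The `rsync = { ... };` entry closes with `;` while the neighbouring fields use `,`; both are legal Lua, but it is inconsistent with the rest of the table.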
-- 
cgit v1.2.3


From a1c261d61b243549bb2525da57bf3fada805f7f5 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 27 Nov 2018 01:00:59 +0100
Subject: l blue-host: dry-build blue first

---
 lass/2configs/blue-host.nix | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)


diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index 6d46cb8c1..fba996743 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -99,14 +99,15 @@ in {
   environment.systemPackages = [
     (pkgs.writeDashBin "start-blue" ''
       set -ef
-      if ping -c1 blue.r >/dev/null; then
-        echo 'blue is already running. bailing out'
-        exit 23
-      fi
       if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then
         ${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue
       fi
       nixos-container start blue
+      nixos-container run blue -- nixos-rebuild -I /var/src dry-build
+      if ping -c1 blue.r >/dev/null; then
+        echo 'blue is already running. bailing out'
+        exit 23
+      fi
       nixos-container run blue -- nixos-rebuild -I /var/src switch
     '')
   ];
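Review bot: The "already running" guard has moved below `nixos-container start blue`, so it no longer prevents a second blue from being started, and `exit 23` now leaves the freshly started container running; if the dry-build is meant to validate the configuration before committing, keep the ping check ahead of `nixos-container start blue` and run the dry-build after the start, or make the bail-out branch stop the container first. Note too that `ping -c1 blue.r` after a local start may resolve to the container that was just started, in which case the guard would trip every time — worth confirming what `blue.r` resolves to on the host.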
-- 
cgit v1.2.3


From c84b3c35f9f248fcf3081fa7eb0cee706fd8ebeb Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 3 Dec 2018 05:02:12 +0100
Subject: l blue-host: sync all permissions

---
 lass/2configs/blue-host.nix | 1 +
 1 file changed, 1 insertion(+)


diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index fba996743..9cf294afd 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -81,6 +81,7 @@ in {
             host = "${host}.r",
             targetdir = "/var/lib/containers/.blue",
             rsync = {
+              archive = true,
               owner = true,
               group = true,
             };
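Review bot: `archive = true` maps to rsync `-a`, which already implies `--owner` and `--group`, so the `owner = true` and `group = true` lines below it are now redundant; either drop them or add a comment noting they are kept deliberately, e.g. `-- archive already implies owner/group; kept explicit for readability`. The `};` closing the table is also inconsistent with the comma-separated fields around it.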
-- 
cgit v1.2.3