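# Host-side NixOS configuration for the "red" container.
#
# The container itself is provisioned and kept in sync by the
# krebs.sync-containers3 module; the active part of this file only names the
# container, tells the module where the sync SSH key lives, and pulls in the
# shared container-networking configuration.
#
# `config`, `lib` and `pkgs` are not used by the active code; they are only
# referenced by the commented-out earlier version kept below for reference.
{ config, lib, pkgs, ... }:
let
  # Single source of truth for the container name. Every attribute and path
  # below is derived from it, so renaming the container is a one-line change.
  ctr.name = "red";
in
{
  # NIX_PATH lookup (<stockholm/...>); the file must be reachable via NIX_PATH
  # when this host is evaluated.
  imports = [
    <stockholm/lass/2configs/container-networking.nix>
  ];

  krebs.sync-containers3.containers.${ctr.name} = {
    # `toString` turns the <secrets> NIX_PATH lookup into a plain path string.
    # Interpolating the path value directly ("${<secrets>}/...") would copy the
    # key file into the world-readable Nix store; as a string it stays on the
    # host filesystem and is only read at runtime by the sync-containers3 module.
    sshKey = "${toString <secrets>}/containers/${ctr.name}/sync.key";
    # Semantics of `ephemeral` are defined by the sync-containers3 module, which
    # is not visible here — check the module before relying on container state
    # persisting across restarts.
    ephemeral = true;
  };

  # Everything below is the earlier hand-rolled version of this setup
  # (nixos-container definition, consul-locked LUKS/mount scheduler, rsync
  # syncer and a dhcpd on the ctr0 bridge) that sync-containers3 replaced.
  # It is kept commented out for reference only and is never evaluated.
  #
  # containers.${ctr.name} = {
  #   config = {
  #     environment.systemPackages = [
  #       pkgs.dhcpcd
  #       pkgs.git
  #       pkgs.jq
  #     ];
  #     networking.useDHCP = lib.mkForce true;
  #     systemd.services.autoswitch = {
  #       environment = {
  #         NIX_REMOTE = "daemon";
  #       };
  #       wantedBy = [ "multi-user.target" ];
  #       serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
  #         if test -e /var/src/nixos-config; then
  #           /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
  #         fi
  #       '';
  #       unitConfig.X-StopOnRemoval = false;
  #     };
  #   };
  #   autoStart = false;
  #   enableTun = true;
  #   privateNetwork = true;
  #   hostBridge = "ctr0";
  #   bindMounts = {
  #     "/etc/resolv.conf".hostPath = "/etc/resolv.conf";
  #     "/var/lib/self-state/disk-image" = {
  #       hostPath = "/var/lib/sync-containers3/${ctr.name}";
  #       isReadOnly = true;
  #     };
  #   };
  # };
  # systemd.services."${ctr.name}_scheduler" = {
  #   wantedBy = [ "multi-user.target" ];
  #   path = with pkgs; [
  #     coreutils
  #     consul
  #     cryptsetup
  #     mount
  #     util-linux
  #     systemd
  #     untilport
  #   ];
  #   serviceConfig = {
  #     Restart = "always";
  #     RestartSec = "15s";
  #     ExecStart = "${pkgs.consul}/bin/consul lock container_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-start" ''
  #       set -efux
  #       trap ${pkgs.writers.writeDash "stop-${ctr.name}" ''
  #         set -efux
  #         /run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
  #         umount /var/lib/nixos-containers/${ctr.name}/var/state || :
  #         cryptsetup luksClose ${ctr.name} || :
  #       ''} INT TERM EXIT
  #       consul kv put containers/${ctr.name}/host ${config.networking.hostName}
  #       cryptsetup luksOpen --key-file /var/src/secrets/containers/${ctr.name}/luks /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name}
  #       mkdir -p /var/lib/nixos-containers/${ctr.name}/var/state
  #       mount /dev/mapper/${ctr.name} /var/lib/nixos-containers/${ctr.name}/var/state
  #       ln -frs /var/lib/nixos-containers/${ctr.name}/var/state/var_src /var/lib/nixos-containers/${ctr.name}/var/src
  #       /run/current-system/sw/bin/nixos-container start ${ctr.name}
  #       set +x
  #       until /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
  #       while /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
  #     ''}";
  #   };
  # };
  # users.groups."container_${ctr.name}" = {};
  # users.users."container_${ctr.name}" = {
  #   group = "container_${ctr.name}";
  #   isSystemUser = true;
  #   home = "/var/lib/sync-containers3/${ctr.name}";
  #   createHome = true;
  #   homeMode = "705";
  #   openssh.authorizedKeys.keys = [
  #     config.krebs.users.lass.pubkey
  #   ];
  # };
  # systemd.timers."${ctr.name}_syncer" = {
  #   timerConfig = {
  #     RandomizedDelaySec = 300;
  #   };
  # };
  # systemd.services."${ctr.name}_syncer" = {
  #   path = with pkgs; [
  #     coreutils
  #     rsync
  #     openssh
  #     systemd
  #   ];
  #   startAt = "*:0/1";
  #   serviceConfig = {
  #     User = "container_${ctr.name}";
  #     LoadCredential = [
  #       "ssh_key:${toString <secrets>}/containers/${ctr.name}/sync.key"
  #     ];
  #     ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
  #       set -efu
  #       ! systemctl is-active --quiet container@${ctr.name}.service
  #     '';
  #     ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
  #       set -efu
  #       rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk-image/disk $HOME/disk
  #     '';
  #   };
  # };
  #
  # # networking
  # networking.networkmanager.unmanaged = [ "ctr0" ];
  # networking.interfaces.dummy0.virtual = true;
  # networking.bridges.ctr0.interfaces = [ "dummy0" ];
  # networking.interfaces.ctr0.ipv4.addresses = [{
  #   address = "10.233.0.1";
  #   prefixLength = 24;
  # }];
  # systemd.services."dhcpd-ctr0" = {
  #   wantedBy = [ "multi-user.target" ];
  #   after = [ "network.target" ];
  #   serviceConfig = {
  #     Type = "forking";
  #     Restart = "always";
  #     DynamicUser = true;
  #     StateDirectory = "dhcpd-ctr0";
  #     User = "dhcpd-ctr0";
  #     Group = "dhcpd-ctr0";
  #     AmbientCapabilities = [
  #       "CAP_NET_RAW" # to send ICMP messages
  #       "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
  #     ];
  #     ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases";
  #     ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" ''
  #       default-lease-time 600;
  #       max-lease-time 7200;
  #       authoritative;
  #       ddns-update-style interim;
  #       log-facility local1; # see dhcpd.nix
  #       option subnet-mask 255.255.255.0;
  #       option routers 10.233.0.1;
  #       # option domain-name-servers 8.8.8.8; # TODO configure dns server
  #       subnet 10.233.0.0 netmask 255.255.255.0 {
  #         range 10.233.0.10 10.233.0.250;
  #       }
  #     ''} ctr0";
  #   };
  # };
}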