From 86415eb3e974cfcbe86f2fb528ecc93b59d2995b Mon Sep 17 00:00:00 2001
From: albert
Date: Sun, 7 Apr 2024 08:42:00 +0900
Subject: [PATCH] Working containers!

---
 .../desktops/hyprland/default.nix | 2 +-
 lib/default.nix | 12 +++----
 nixos/common/services/telegraf.nix | 4 +--
 nixos/containers/default.nix | 33 +++++++++++++++----
 nixos/containers/rdesktop/default.nix | 7 +++-
 nixos/hosts/framework-server/containers.nix | 31 ++++++++++++-----
 secrets/containers/rdesktop.yaml | 6 ++--
 7 files changed, 67 insertions(+), 28 deletions(-)

diff --git a/home-manager/hosts/nixos-desktop/desktops/hyprland/default.nix b/home-manager/hosts/nixos-desktop/desktops/hyprland/default.nix
index 58a32063..f5e32c6e 100644
--- a/home-manager/hosts/nixos-desktop/desktops/hyprland/default.nix
+++ b/home-manager/hosts/nixos-desktop/desktops/hyprland/default.nix
@@ -3,7 +3,7 @@
 xwayland.enable = true;
 settings = {
 monitor = [
- "DP-4, highrr, 2560x0, 1"
+ "DP-4, highrr, 3840x0, 1"
 "DP-5, highrr, 0x0, 1"
 ];
 env = [
diff --git a/lib/default.nix b/lib/default.nix
index a0940935..75c5a836 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -50,15 +50,15 @@
 ( import ../nixos/containers/mounts.nix )
 ( import ../nixos/containers/${hostname}/mounts.nix )
 ];
- ephemeral = ephemeral;
+ ephemeral = false;
 autoStart = true;
 privateNetwork = true;
- hostAddress = "192.168.2.1";
- localAddress = "192.168.2.2";
+ hostBridge = "nix-br0";
+ localAddress = "192.168.2.${ip}";
 restartIfChanged = true;
- enableTun = false;
- specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion; };
- config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ... }: {
+ enableTun = true;
+ specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion ip; };
+ config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ip, ... }: {
 nixpkgs.pkgs = import inputs.${repo} {
 inherit system;
 config.allowUnfree = unfree;
diff --git a/nixos/common/services/telegraf.nix b/nixos/common/services/telegraf.nix
index 92530a7d..fc5d30d0 100644
--- a/nixos/common/services/telegraf.nix
+++ b/nixos/common/services/telegraf.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, hostname, ... }: {
+{ pkgs, ... }: {
 # Telegraf Monitoring
 # Set up the secrets file for the token:
@@ -74,4 +74,4 @@
 };
 };
 };
-}
\ No newline at end of file
+}
diff --git a/nixos/containers/default.nix b/nixos/containers/default.nix
index 49adf092..10112c86 100644
--- a/nixos/containers/default.nix
+++ b/nixos/containers/default.nix
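Review bot: `ephemeral = false;` replaces the `ephemeral = ephemeral;` pass-through, so any `ephemeral` argument a caller still hands to mkContainer is silently ignored; the function's argument list starts before this hunk, so either remove the parameter there or keep `ephemeral = ephemeral;` and default it to `false` in the signature. `enableTun = true;` now hands `/dev/net/tun` to every container built by this helper, which the kernel-mode `tailscale0` interface needs but is a capability grant worth stating on the line, e.g. `enableTun = true; # kernel-mode tailscale0 needs /dev/net/tun`. `localAddress = "192.168.2.${ip}"` splices `ip` into an address with no validation, so a comment such as `# ip: last octet on 192.168.2.0/24, unique per container on nix-br0` would record the contract the host's containers.nix relies on. The enclosing mkContainer function starts and ends outside the hunk.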
@@ -1,21 +1,32 @@
-{ stateVersion, hostname, username, ... }: {
+{ ip, config, pkgs, stateVersion, hostname, username, ... }: {
 imports = [
 ./${hostname}
- ../users/${username}
+ # Modules
 ../common/modules/nixos.nix
- # ../common/modules/networking.nix
+ ../common/modules/networking.nix
 # Services
 ../common/services/promtail.nix
 ../common/services/telegraf.nix
 ../common/services/openssh.nix
 ];
+ networking.interfaces.eth0.ipv4.addresses = [{
+ address = "192.168.2.${ip}";
+ prefixLength = 24;
+ }];
+
+ # We can access the internet through this interface.
+ networking.defaultGateway = {
+ address = "192.168.2.1";
+ interface = "eth0";
+ };
+
 boot.isContainer = true;
 system.stateVersion = stateVersion;
 networking.hostName = "${hostname}";
 # Set up the secrets file:
- sops.secrets."tailscale_key" = {
+ sops.secrets."tailscale_key" = {
 owner = "root";
 sopsFile = ../../secrets/containers/${hostname}.yaml;
 restartUnits = [
@@ -26,7 +37,17 @@
 services.tailscale = {
 enable = true;
- authKeyFile = "/run/secrets/tailscale_key";
- interfaceName = "userspace-networking";
+ interfaceName = "tailscale0";
+ extraUpFlags = [
+ "--login-server=https://headscale.sysctl.io"
+ "--accept-dns"
+ "--accept-routes"
+ ];
 };
+ networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];
+ networking.firewall.checkReversePath = "loose";
+ networking.extraHosts = ''
+ 100.64.0.14 influx.sysctl.io
+ 100.64.0.14 loki.sysctl.io
+ '';
 }
diff --git a/nixos/containers/rdesktop/default.nix b/nixos/containers/rdesktop/default.nix
index e2d611ab..54287b62 100644
--- a/nixos/containers/rdesktop/default.nix
+++ b/nixos/containers/rdesktop/default.nix
@@ -1,5 +1,10 @@
-{ desktop, ... }: {
+{ username, ... }:
+ let
+ unfree = true;
+ desktop = "xfce";
+ in {
 imports = [
+ ../../users/${username}
 ../../common/desktops/${desktop}
 ../../common/software/packages.nix
 ];
diff --git a/nixos/hosts/framework-server/containers.nix b/nixos/hosts/framework-server/containers.nix
index 875d610a..e2f50e4a 100644
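Review bot: Dropping `authKeyFile` from `services.tailscale` while the first hunk still declares `sops.secrets."tailscale_key"` leaves that key decrypted into `/run/secrets` on every boot but never consumed; and, as far as I recall the nixpkgs tailscale module, `extraUpFlags` are only passed by the autoconnect unit that `authKeyFile` enables, so `--login-server=https://headscale.sysctl.io`, `--accept-dns` and `--accept-routes` would not be applied on their own either. Since `config` was added to the module arguments, the key can be wired back with `authKeyFile = config.sops.secrets."tailscale_key".path;`. If interactive `tailscale up` is the actual intent, remove the secret declaration and its `restartUnits` entry instead, so an unused auth key is not being rotated and shipped into the container. `--accept-routes` combined with `networking.firewall.checkReversePath = "loose"` makes the container accept packets whose source is not routable via the ingress interface, which subnet routes require but which deserves a one-line comment saying why the strict check was relaxed.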
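Review bot: The `let` in rdesktop binds `unfree = true` but nothing in the hunk references it, while the framework-server hunk no longer passes `unfree = true` to mkContainer, whose `config.allowUnfree = unfree` (lib hunk) is what actually governs this container's nixpkgs; unless mkContainer now defaults `unfree` to `true`, any unfree package pulled in by the xfce desktop will fail to evaluate. Either pass `unfree = true;` back in the mkContainer call on the host or drop the dead binding here. The attribute set continues past the hunk, so if `unfree` is used further down this is only a plumbing point.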
--- a/nixos/hosts/framework-server/containers.nix
+++ b/nixos/hosts/framework-server/containers.nix
@@ -1,17 +1,30 @@
 { lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
 let
 libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
- lanInterface = "enp0s13f0u4";
 in {
- containers = {
- rdesktop = libx.mkContainer { hostname = "rdesktop"; unfree = true; desktop = "xfce"; ephemeral = true; };
- };
- networking = {
- nat.enable = true;
- nat.internalInterfaces = [ "ve-+" ];
- nat.externalInterface = lanInterface;
- firewall.extraCommands = ''iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE'';
+ containers = {
+ rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; };
 };
+ # Networking config
+ networking.bridges.nix-br0.interfaces = [];
+
+ # Add an IP address to the bridge interface.
+ networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
+
+ # Firewall commands allowing traffic to go in and out of the bridge interface
+ # (and to the guest LXD instance). Also sets up the actual NAT masquerade rule.
+ networking.firewall.extraCommands = ''
+ iptables -A INPUT -i nix-br0 -j ACCEPT
+
+ # These three technically aren't needed, since by default the FORWARD and
+ # OUTPUT firewalls accept everything everything, but lets keep them in just
+ # in case.
+ iptables -A FORWARD -o nix-br0 -j ACCEPT
+ iptables -A FORWARD -i nix-br0 -j ACCEPT
+ iptables -A OUTPUT -o nix-br0 -j ACCEPT
+
+ iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
+ '';
 }
diff --git a/secrets/containers/rdesktop.yaml b/secrets/containers/rdesktop.yaml
index fa0b60f2..b56b8e7e 100644
--- a/secrets/containers/rdesktop.yaml
+++ b/secrets/containers/rdesktop.yaml
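Review bot: `iptables -A INPUT -i nix-br0 -j ACCEPT` exposes every listening host service to everything on the bridge, which is equivalent to putting nix-br0 in `networking.firewall.trustedInterfaces`; a desktop container that is itself reachable over tailscale with `--accept-routes` is not a trusted segment, so limit this to what the containers need from the host via `networking.firewall.interfaces.nix-br0.allowedTCPPorts`/`allowedUDPPorts` (e.g. DNS if the host resolves for them) and drop the blanket accept. `networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0''` is an imperative one-shot that exits non-zero once the address already exists and is not re-applied if the bridge is recreated; the declarative `networking.interfaces.nix-br0.ipv4.addresses = [{ address = "192.168.2.1"; prefixLength = 24; }];` does the same and survives `nixos-rebuild switch`. The FORWARD/OUTPUT/POSTROUTING rules are appended to built-in chains on every firewall start with no `networking.firewall.extraStopCommands` removing them, so unless the firewall script flushes those chains (I don't believe it does for nat) they accumulate across reloads; either add matching `-D` lines in `extraStopCommands` or move the masquerade back to `networking.nat` with `internalInterfaces = [ "nix-br0" ]`. The comment says "guest LXD instance" although these are NixOS containers, so reword it to `# (and to the NixOS containers attached to it)`.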
@@ -1,12 +1,12 @@
-tailscale_key: ENC[AES256_GCM,data:sQoDZP79mnZ+YPqOmwaJ+S/AZ5AzBtpWmGObHibo2U+PA4Rv0uwAJv1LzPbQmsfr,iv:QEoQ2G4efR8HHsYr6RrRRFs7/Waw2+dMebZoERppJrY=,tag:BYqBw7jSCUaSpS5UO3dOZg==,type:str]
+tailscale_key: ENC[AES256_GCM,data:YOhRxBDKhW+gv/HSj6cOmS0aWZZOMIM66nSQtaLv1S+c9IMstQBusww9ncIl6bIr,iv:UTLNPtN+G05wfsQoaTHg1PJdBCVeQopN4+WM3yLodUU=,tag:BKSZw2N9ow+kF+Wv5ny1uQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-03-25T03:46:39Z"
- mac: ENC[AES256_GCM,data:R7SWM8rB0j97ax0hCRlw/CNLwnv43DmeDBQe5UuoQfAiELn3849+mW4jGDVt/aQiJ7BF4j0LHuYXIMSQYbUJalx08SsA+deWCl2kANLHZCPbvASkmnVvDSYYRMgnBVc4Bl9/qX8wW2LhsASYUE+mXavIF5vFw2Bnz7Fyrv/KJ24=,iv:QhisO42F3fXKh3yoaVhuh4nRJG7kg/OHN8noUViMYPg=,tag:TQ6D0DlRPQJtpvOsvv6b6Q==,type:str]
+ lastmodified: "2024-04-06T00:34:41Z"
+ mac: ENC[AES256_GCM,data:B+9Qa10AG/fzHqs7RqtDYQwQV9AO2QTjKiz1T0K0nyoEl3Axhrz/bctSlA3nssMPr4tUGVX8bupenVYa0TBRa+EeNs91OUPBOStR8O3Iuryfsk/vj70SnEk3mWrGqS9uioYk5gyIPVctjxb4xvqsxrsz3v2+rotlvUp0vGvxpdQ=,iv:O+kfDm06sakoTSheUrE5JN1RTdcJg6Q373HrxWLsuA0=,tag:apfkpnb55BCRBegDf/sYhQ==,type:str]
 pgp:
 - created_at: "2024-03-26T00:00:33Z"
 enc: |-