Working containers!
This commit is contained in:
parent
5b3c1036ec
commit
86415eb3e9
7 changed files with 67 additions and 28 deletions
@ -3,7 +3,7 @@
|
||||||
xwayland.enable = true;
|
xwayland.enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
monitor = [
|
monitor = [
|
||||||
"DP-4, highrr, 2560x0, 1"
|
"DP-4, highrr, 3840x0, 1"
|
||||||
"DP-5, highrr, 0x0, 1"
|
"DP-5, highrr, 0x0, 1"
|
||||||
];
|
];
|
||||||
env = [
|
env = [
|
@ -50,15 +50,15 @@
|
||||||
( import ../nixos/containers/mounts.nix )
|
( import ../nixos/containers/mounts.nix )
|
||||||
( import ../nixos/containers/${hostname}/mounts.nix )
|
( import ../nixos/containers/${hostname}/mounts.nix )
|
||||||
];
|
];
|
||||||
ephemeral = ephemeral;
|
ephemeral = false;
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = "192.168.2.1";
|
hostBridge = "nix-br0";
|
||||||
localAddress = "192.168.2.2";
|
localAddress = "192.168.2.${ip}";
|
||||||
restartIfChanged = true;
|
restartIfChanged = true;
|
||||||
enableTun = false;
|
enableTun = true;
|
||||||
specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion; };
|
specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion ip; };
|
||||||
config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ... }: {
|
config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ip, ... }: {
|
||||||
nixpkgs.pkgs = import inputs.${repo} {
|
nixpkgs.pkgs = import inputs.${repo} {
|
||||||
inherit system;
|
inherit system;
|
||||||
config.allowUnfree = unfree;
|
config.allowUnfree = unfree;
|
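Review bot: `localAddress = "192.168.2.${ip}";` interpolates `ip` unchecked, and nothing ties it to the `192.168.2.1/24` the host puts on nix-br0, so a duplicated or malformed `ip` across two mkContainer calls would only show up as two containers sharing an address; a comment on that line such as `# ip: last octet on the 192.168.2.0/24 bridge; unique per container, never 1 (the host)` makes the contract visible, and if `lib` is in scope here an `assert` on `builtins.match "[0-9]+" ip != null` would catch typos at eval time. `ephemeral = false;` replaces the pass-through `ephemeral = ephemeral;`: if the function's argument set (outside this hunk) still declares `ephemeral`, callers passing it are now silently ignored, so either drop the argument or keep the pass-through with a `false` default. `enableTun = true;` hands the container a TUN device; it pairs with the kernel-mode `tailscale0` interface in the container config and deserves a why-comment like `# tailscale in kernel (tun) mode`. mkContainer's body starts before the hunk.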
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, hostname, ... }: {
|
{ pkgs, ... }: {
|
||||||
# Telegraf Monitoring
|
# Telegraf Monitoring
|
||||||
|
|
||||||
# Set up the secrets file for the token:
|
# Set up the secrets file for the token:
|
||||||
@ -74,4 +74,4 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
@ -1,21 +1,32 @@
|
||||||
{ stateVersion, hostname, username, ... }: {
|
{ ip, config, pkgs, stateVersion, hostname, username, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
./${hostname}
|
./${hostname}
|
||||||
../users/${username}
|
# Modules
|
||||||
../common/modules/nixos.nix
|
../common/modules/nixos.nix
|
||||||
# ../common/modules/networking.nix
|
../common/modules/networking.nix
|
||||||
# Services
|
# Services
|
||||||
../common/services/promtail.nix
|
../common/services/promtail.nix
|
||||||
../common/services/telegraf.nix
|
../common/services/telegraf.nix
|
||||||
../common/services/openssh.nix
|
../common/services/openssh.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
networking.interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "192.168.2.${ip}";
|
||||||
|
prefixLength = 24;
|
||||||
|
}];
|
||||||
|
|
||||||
|
# We can access the internet through this interface.
|
||||||
|
networking.defaultGateway = {
|
||||||
|
address = "192.168.2.1";
|
||||||
|
interface = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
boot.isContainer = true;
|
boot.isContainer = true;
|
||||||
system.stateVersion = stateVersion;
|
system.stateVersion = stateVersion;
|
||||||
networking.hostName = "${hostname}";
|
networking.hostName = "${hostname}";
|
||||||
|
|
||||||
# Set up the secrets file:
|
# Set up the secrets file:
|
||||||
sops.secrets."tailscale_key" = {
|
sops.secrets."tailscale_key" = {
|
||||||
owner = "root";
|
owner = "root";
|
||||||
sopsFile = ../../secrets/containers/${hostname}.yaml;
|
sopsFile = ../../secrets/containers/${hostname}.yaml;
|
||||||
restartUnits = [
|
restartUnits = [
|
||||||
@ -26,7 +37,17 @@
|
||||||
|
|
||||||
services.tailscale = {
|
services.tailscale = {
|
||||||
enable = true;
|
enable = true;
|
||||||
authKeyFile = "/run/secrets/tailscale_key";
|
interfaceName = "tailscale0";
|
||||||
interfaceName = "userspace-networking";
|
extraUpFlags = [
|
||||||
|
"--login-server=https://headscale.sysctl.io"
|
||||||
|
"--accept-dns"
|
||||||
|
"--accept-routes"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];
|
||||||
|
networking.firewall.checkReversePath = "loose";
|
||||||
|
networking.extraHosts = ''
|
||||||
|
100.64.0.14 influx.sysctl.io
|
||||||
|
100.64.0.14 loki.sysctl.io
|
||||||
|
'';
|
||||||
}
|
}
|
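Review bot: The new side of the second hunk drops `authKeyFile = "/run/secrets/tailscale_key";` while the first hunk still declares `sops.secrets."tailscale_key"` with `restartUnits`, so the key is decrypted into the container but nothing consumes it. If I read the NixOS tailscale module correctly, the `extraUpFlags` added here (`--login-server`, `--accept-dns`, `--accept-routes`) are only passed by the autoconnect unit that `authKeyFile` enables, so without it the container neither joins headscale automatically nor applies those flags; if auto-join is still intended, keep `authKeyFile = "/run/secrets/tailscale_key";` next to `interfaceName = "tailscale0";`. `networking.firewall.checkReversePath = "loose";` and `--accept-routes` both loosen what the container accepts from the tailnet, which is the usual tailscale accommodation but deserves a why-comment such as `# loose rp_filter: replies to routes learned via --accept-routes leave over tailscale0`. The `networking.extraHosts` entries pin two service names to `100.64.0.14`; a comment naming the tailnet host they belong to would save the next reader a lookup.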
@ -1,5 +1,10 @@
|
||||||
{ desktop, ... }: {
|
{ username, ... }:
|
||||||
|
let
|
||||||
|
unfree = true;
|
||||||
|
desktop = "xfce";
|
||||||
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
|
../../users/${username}
|
||||||
../../common/desktops/${desktop}
|
../../common/desktops/${desktop}
|
||||||
../../common/software/packages.nix
|
../../common/software/packages.nix
|
||||||
];
|
];
|
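Review bot: `unfree = true;` in the new `let` is not referenced in the visible lines: `nixpkgs.pkgs` is configured inside mkContainer from its own `unfree` argument, and the host's call in this same commit no longer passes `unfree`, so this binding probably never reaches `allowUnfree`. If the rest of the file does not use it, drop it or pass `unfree = true;` back through the mkContainer call; `desktop` in the same `let` is consumed by the `../../common/desktops/${desktop}` import, so that one is fine. The attribute set continues past the hunk.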
@ -1,17 +1,30 @@
|
||||||
{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
|
{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
|
||||||
let
|
let
|
||||||
libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
|
libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
|
||||||
lanInterface = "enp0s13f0u4";
|
|
||||||
in {
|
in {
|
||||||
containers = {
|
|
||||||
rdesktop = libx.mkContainer { hostname = "rdesktop"; unfree = true; desktop = "xfce"; ephemeral = true; };
|
|
||||||
};
|
|
||||||
|
|
||||||
networking = {
|
containers = {
|
||||||
nat.enable = true;
|
rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; };
|
||||||
nat.internalInterfaces = [ "ve-+" ];
|
|
||||||
nat.externalInterface = lanInterface;
|
|
||||||
firewall.extraCommands = ''iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Networking config
|
||||||
|
networking.bridges.nix-br0.interfaces = [];
|
||||||
|
|
||||||
|
# Add an IP address to the bridge interface.
|
||||||
|
networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
|
||||||
|
|
||||||
|
# Firewall commands allowing traffic to go in and out of the bridge interface
|
||||||
|
# (and to the guest LXD instance). Also sets up the actual NAT masquerade rule.
|
||||||
|
networking.firewall.extraCommands = ''
|
||||||
|
iptables -A INPUT -i nix-br0 -j ACCEPT
|
||||||
|
|
||||||
|
# These three technically aren't needed, since by default the FORWARD and
|
||||||
|
# OUTPUT firewalls accept everything everything, but lets keep them in just
|
||||||
|
# in case.
|
||||||
|
iptables -A FORWARD -o nix-br0 -j ACCEPT
|
||||||
|
iptables -A FORWARD -i nix-br0 -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o nix-br0 -j ACCEPT
|
||||||
|
|
||||||
|
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
|
||||||
|
'';
|
||||||
}
|
}
|
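Review bot: The iptables rules in the new `networking.firewall.extraCommands` are appended to INPUT, FORWARD, OUTPUT and nat POSTROUTING directly rather than to a NixOS-managed chain, and no `extraStopCommands` removes them, so every firewall restart or `nixos-rebuild switch` stacks another copy of each rule; `networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0''` has the same problem, since `ip address add` fails once the address already exists. The old side already had the declarative equivalent via `networking.nat`; restoring it, trusting the bridge with `networking.firewall.trustedInterfaces`, and giving the bridge its address through `networking.interfaces.nix-br0.ipv4.addresses` expresses the same policy without hand-written rules (this needs the `lanInterface = "enp0s13f0u4";` binding that the hunk deletes from the `let`). `-A INPUT -i nix-br0 -j ACCEPT` is also a blanket allow from every container to every host service; if that is intended, `trustedInterfaces` states it explicitly, otherwise list the needed ports under `networking.firewall.interfaces.nix-br0.allowedTCPPorts`. The comment `(and to the guest LXD instance)` looks copied from the LXD docs and should say container, and `accept everything everything` has a doubled word.
```nix
  # … unchanged: let / libx / containers = { rdesktop = … }; …

  # Networking config: the containers hang off nix-br0, which the host owns.
  networking.bridges.nix-br0.interfaces = [];
  networking.interfaces.nix-br0.ipv4.addresses = [{ address = "192.168.2.1"; prefixLength = 24; }];

  # NAT the container subnet out of the LAN interface (keep `lanInterface` in the
  # let above) and accept container-originated traffic on the host.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "nix-br0" ];
    externalInterface = lanInterface;
  };
  networking.firewall.trustedInterfaces = [ "nix-br0" ];
```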
@ -1,12 +1,12 @@
|
||||||
tailscale_key: ENC[AES256_GCM,data:sQoDZP79mnZ+YPqOmwaJ+S/AZ5AzBtpWmGObHibo2U+PA4Rv0uwAJv1LzPbQmsfr,iv:QEoQ2G4efR8HHsYr6RrRRFs7/Waw2+dMebZoERppJrY=,tag:BYqBw7jSCUaSpS5UO3dOZg==,type:str]
|
tailscale_key: ENC[AES256_GCM,data:YOhRxBDKhW+gv/HSj6cOmS0aWZZOMIM66nSQtaLv1S+c9IMstQBusww9ncIl6bIr,iv:UTLNPtN+G05wfsQoaTHg1PJdBCVeQopN4+WM3yLodUU=,tag:BKSZw2N9ow+kF+Wv5ny1uQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2024-03-25T03:46:39Z"
|
lastmodified: "2024-04-06T00:34:41Z"
|
||||||
mac: ENC[AES256_GCM,data:R7SWM8rB0j97ax0hCRlw/CNLwnv43DmeDBQe5UuoQfAiELn3849+mW4jGDVt/aQiJ7BF4j0LHuYXIMSQYbUJalx08SsA+deWCl2kANLHZCPbvASkmnVvDSYYRMgnBVc4Bl9/qX8wW2LhsASYUE+mXavIF5vFw2Bnz7Fyrv/KJ24=,iv:QhisO42F3fXKh3yoaVhuh4nRJG7kg/OHN8noUViMYPg=,tag:TQ6D0DlRPQJtpvOsvv6b6Q==,type:str]
|
mac: ENC[AES256_GCM,data:B+9Qa10AG/fzHqs7RqtDYQwQV9AO2QTjKiz1T0K0nyoEl3Axhrz/bctSlA3nssMPr4tUGVX8bupenVYa0TBRa+EeNs91OUPBOStR8O3Iuryfsk/vj70SnEk3mWrGqS9uioYk5gyIPVctjxb4xvqsxrsz3v2+rotlvUp0vGvxpdQ=,iv:O+kfDm06sakoTSheUrE5JN1RTdcJg6Q373HrxWLsuA0=,tag:apfkpnb55BCRBegDf/sYhQ==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2024-03-26T00:00:33Z"
|
- created_at: "2024-03-26T00:00:33Z"
|
||||||
enc: |-
|
enc: |-
|