diff --git a/lib/default.nix b/lib/default.nix
index dd80908b..f51a13ed 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -50,6 +50,7 @@
 ];
 autoStart = true;
 privateNetwork = false;
+ restartIfChanged = true;
 specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion; };
 config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ... }: {
 # Choose whether to pull from stable or unstable
@@ -60,6 +61,7 @@
 };
 imports = [
 ../nixos/containers
+ inputs.sops-nix.nixosModules.sops
 ];
 };
 };
diff --git a/nixos/containers/default.nix b/nixos/containers/default.nix
index 60e0b429..8beac9ee 100644
--- a/nixos/containers/default.nix
+++ b/nixos/containers/default.nix
@@ -11,14 +11,14 @@
 ];
 # Generic Tailscale configs are in /nixos/common/services/tailscale.nix
 # Set up the secrets file:
- sops.secrets."tailscale_key" = {
- owner = "root";
- sopsFile = ../../../secrets/containers/${hostname}.yaml;
- restartUnits = [
- "tailscaled.service"
- "tailscaled-autoconnect.service"
- ];
- };
- services.tailscale.authKeyFile = "/run/secrets/tailscale_key";
+# sops.secrets."tailscale_key" = {
+# owner = "root";
+# sopsFile = ../../secrets/containers/${hostname}.yaml;
+# restartUnits = [
+# "tailscaled.service"
+# "tailscaled-autoconnect.service"
+# ];
+# };
+# services.tailscale.authKeyFile = "/run/secrets/tailscale_key";
 networking.hostName = "${hostname}";
 }
diff --git a/nixos/containers/mounts.nix b/nixos/containers/mounts.nix
new file mode 100644
index 00000000..d0abada3
--- /dev/null
+++ b/nixos/containers/mounts.nix
@@ -0,0 +1,7 @@
+{
+ "/etc/ssh" = {
+ hostPath = "/etc/ssh";
+ mountPath = "/etc/ssh";
+ isReadOnly = true;
+ };
+}
diff --git a/nixos/hosts/framework-server/containers.nix b/nixos/hosts/framework-server/containers.nix
index 5adc564d..8e1a6719 100644
--- a/nixos/hosts/framework-server/containers.nix
+++ b/nixos/hosts/framework-server/containers.nix
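Review bot: In nixos/containers/default.nix the tailscale_key secret is commented out rather than removed, which leaves nine dead lines and, more importantly, an unset `services.tailscale.authKeyFile`, so the container's Tailscale service presumably no longer authenticates with a pre-shared key while the `# Generic Tailscale configs ...` / `# Set up the secrets file:` comments above still imply it does. The commented block also keeps the old top-level name `"tailscale_key"`, whereas the secrets file added in this commit nests the value under `tailscale_keys.rdesktop`, so re-enabling it as-is would not find the key; in sops-nix a nested key is addressed by path, e.g. `sops.secrets."tailscale_keys/${hostname}" = { owner = "root"; sopsFile = ../../secrets/containers/${hostname}.yaml; restartUnits = [ "tailscaled.service" "tailscaled-autoconnect.service" ]; };` and `services.tailscale.authKeyFile = config.sops.secrets."tailscale_keys/${hostname}".path;` (confirm the syntax against the sops-nix revision pinned in the flake). Either delete the block (git history keeps it) and say in the comment that the container currently has no auth key, or re-enable it with the corrected name and path. The enclosing module starts above this hunk.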
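Review bot: nixos/containers/mounts.nix bind-mounts the host's entire /etc/ssh into the container, which hands the host's SSH host private keys (ssh_host_*_key) to anything running as root in the container; `isReadOnly = true` prevents modification but not reading. If the intent is to let the sops-nix module imported in lib/default.nix decrypt with the host key (sops-nix's documented default derives its age key from /etc/ssh/ssh_host_*_key — confirm for the pinned version), a compromise of the rdesktop container then yields both the host's SSH identity and the ability to decrypt every secret encrypted to that key; a dedicated per-container age key (a single file bind-mounted at the path given by `sops.age.keyFile`, with the container's secrets encrypted only to that recipient) limits the blast radius to that container. Note also that this file is not imported anywhere in the diff, so its effect depends on how it is picked up elsewhere. A header comment stating the trade-off, e.g. `# Shares the HOST's ssh host keys (incl. private keys) read-only with the container; anything root inside can read them — prefer a per-container key.`, would make the choice explicit to the next maintainer.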
@@ -2,7 +2,7 @@ let libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; }; in { - # Set up the bridge network: + # Secrets containers = { rdesktop = libx.mkContainer { hostname = "rdesktop"; unfree = true; repo = "nixpkgs-unstable"; desktop = "xfce"; }; }; diff --git a/secrets/containers/rdesktop.yaml b/secrets/containers/rdesktop.yaml new file mode 100644 index 00000000..4a54be81 --- /dev/null +++ b/secrets/containers/rdesktop.yaml 
@@ -0,0 +1,33 @@
+tailscale_keys:
+ rdesktop: ENC[AES256_GCM,data:NF6ZzqsINETWp6cOO9ykVcHuEWsI85yOnAFdAnBdrLsb+4wQl4zkU+6rUmST2Mnt,iv:08Q/B4vjxk3ZyVR/+QWWquNwRX4laSXgNUUfy6ag9C0=,tag:yinP9KSf81amHWs/n/eAig==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-03-25T02:59:43Z"
+ mac: ENC[AES256_GCM,data:2NroS77r0+0r25xYPpVtUKlEWCrsyPx6OvFMsQhMY3soqdmhA+VmP63FwzQKvU78rgsRdgupnKFBGo5QoRS/5gI26Vys08AfCULScBDCQN/DXJnKkK0dku0A1T1vUwkO52si/AeUZRH8tCslueLzu9YFgwbodBmvisanDBA4NT8=,iv:8XGSXryVanta6kPKbllu11KmI4kDV095+YnG7TCHg3I=,tag:lZcKrVTprtdtdAH3zDqXLA==,type:str]
+ pgp:
+ - created_at: "2024-03-25T02:57:12Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAx+imH9kwOLOARAAl+SEO7uBSKVXN9iKrHYBBohaNB5M89cgj94W8DsPNWfs
+ A7lqpkJJfQGmE4GnmAuMp38UHMOu906LSleAcecCxPUDOaKwz8Lbfs8awxk+jJ5H
+ OuqFkWo1ErqDZxZYQmeM0KG2+oc45gXVbIg3/B/rS26TLpOUxOrzwKIXu+4dw2ME
+ v90AXEW4uRrItdm7EOU/fyzuC4sm/gsEwRyW6NMHuWQxwpLi3d/KLEyxB00Akiwg
+ ct8UfyenG7XUyKRpdyo0sFvB2xxYKsjvX0In75o81AA6A5mLoyabItJSzTcIK/rr
+ IsBsp2YAd2bCEwMAU9QCexgSicvh2jpczvIryAYdMIp/vVOf6+X6/z4Iyju5mfSQ
+ JsNhs7tLQOQ4bjyLYZqtx7YaZjHjXWpSwBW24IfQRQ1BUjrmzZjPXuftAr2mT5fd
+ KJlWfnN0yKaRgh8vtqE1RmqX15eid/0h3VJ6gGl+1juLOv4/CLtAcNkhZS2hN1wP
+ SBJqZMzNIVrkj/WSnXFXIJbkvfxbX12elyvvLSChBNjpE77JddQcFLareNDLr3k1
+ W+t456Ql7AGlfz1lZE7s07Nuu1XofTR/VqcN/xsgCnXl+cDUUBHox7L0C4IRneF0
+ vLC+neAjGecR3oAIZuyBfFcXPxaebXBblWCw4XafiU+ppziG8TSIBy9Q3pv6KjfS
+ VgE7MciCKsl3JeKKTn7rugsMcBDY54l8AKgKElKU2cg6ExAey8hINCamUj5RoF82
+ r9JE7H+RAWVU4wP+VqaF7JNMyPxbfHfjv2ybwR+Bm9IFqzD01Oxl
+ =xeiz
+ -----END PGP MESSAGE-----
+ fp: D98BBC6C9A27324654C2D8C464F6C4EB46C4543A
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
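Review bot: This secrets file has a single PGP recipient (fp D98BBC6C…4543A) and `age: []`, so at activation time nothing on the host or in the container can decrypt it unless that GnuPG private key is present there (`sops.gnupg.home` / `sops.gnupg.sshKeyPaths`); sops-nix's usual non-interactive path of deriving an age key from an ssh host key will not apply because no age recipient is listed. Before wiring this file into the container, add the machine's (ideally a per-container) age recipient to `.sops.yaml`, run `sops updatekeys secrets/containers/rdesktop.yaml`, and keep the PGP key only as the human editing recipient. Note also that the value lives under `tailscale_keys.rdesktop`, while the Nix config in this commit (now commented out) refers to a top-level `tailscale_key`; settle on one layout and name before re-enabling that code.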