From eb240268e4efa5eb6475da9f3bfd1e5524a93a11 Mon Sep 17 00:00:00 2001
From: albert
Date: Tue, 26 Mar 2024 09:00:46 +0900
Subject: [PATCH] update keys

---
 lib/default.nix | 20 ++++++---
 nixos/containers/default.nix | 6 ++-
 nixos/containers/rdesktop/default.nix | 5 ++-
 nixos/hosts/framework-server/containers.nix | 19 ++++++--
 secrets/containers/rdesktop.yaml | 50 ++++++++++++++-------
 5 files changed, 72 insertions(+), 28 deletions(-)

diff --git a/lib/default.nix b/lib/default.nix
index f51a13ed..02c58fac 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -39,6 +39,7 @@
 type ? "default",
 repo ? "nixpkgs",
 unfree ? false,
+ ip ? null,
 pkgs ? import inputs.${repo} { inherit system; config.allowUnfree = unfree; hostPlatform = system; },
 pkgs-unstable ? import inputs.nixpkgs-unstable
@@ -49,16 +50,21 @@
 ( import ../nixos/containers/${hostname}/mounts.nix )
 ];
 autoStart = true;
- privateNetwork = false;
+ privateNetwork = true;
+ localAddress = "192.168.2.${ip}/32";
+ hostAddress = "192.168.2.1";
 restartIfChanged = true;
+ enableTun = true;
+ additionalCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ];
 specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion; };
 config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ... }: {
- # Choose whether to pull from stable or unstable
- nixpkgs.pkgs = import inputs.${repo} {
- inherit system;
- config.allowUnfree = unfree;
- hostPlatform = system;
- };
+ # Choose whether to pull from stable or unstable
+ nixpkgs.pkgs = import inputs.${repo} {
+ inherit system;
+ config.allowUnfree = unfree;
+ hostPlatform = system;
+ };
+
 imports = [
 ../nixos/containers
 inputs.sops-nix.nixosModules.sops
diff --git a/nixos/containers/default.nix b/nixos/containers/default.nix
index e4499d98..0e6a5da4 100644
--- a/nixos/containers/default.nix
+++ b/nixos/containers/default.nix
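Review bot: `localAddress = "192.168.2.${ip}/32";` in the second hunk interpolates `ip`, which the first hunk introduces with a default of `null`, and the only call site this patch touches (`libx.mkContainer { hostname = "rdesktop"; }` in nixos/hosts/framework-server/containers.nix) passes no `ip`, so evaluating the host configuration should fail with a null-to-string coercion error rather than a readable message. Either drop the `? null` default so the missing argument is reported by name, or guard the interpolation, e.g. `localAddress = assert ip != null; "192.168.2.${ip}/32";`. The new `enableTun = true;` and `additionalCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ];` widen what the container may do to its network namespace; since tailscaled runs inside the container (see nixos/containers/default.nix), a comment such as `# tailscaled inside the container needs /dev/net/tun plus CAP_NET_ADMIN/CAP_NET_RAW` would record why they are granted. The removed-and-re-added `nixpkgs.pkgs` block differs only in indentation. The mkContainer function begins before the first hunk and continues after the second.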
@@ -1,4 +1,4 @@
-{ hostname, username, ... }: {
+{ stateVersion, hostname, username, ... }: {
 imports = [
 ./${hostname}
 ../users/${username}
@@ -20,6 +20,10 @@
 "tailscaled-autoconnect.service"
 ];
 };
+
+ boot.isContainer = true;
 services.tailscale.authKeyFile = "/run/secrets/tailscale_key";
 networking.hostName = "${hostname}";
+ networking.interfaces."eth0".useDHCP = true;
+ system.stateVersion = stateVersion;
 }
diff --git a/nixos/containers/rdesktop/default.nix b/nixos/containers/rdesktop/default.nix
index 713997fa..4e3cdc77 100644
--- a/nixos/containers/rdesktop/default.nix
+++ b/nixos/containers/rdesktop/default.nix
@@ -1,7 +1,8 @@
-{ lib, desktop, ... }: {
+{ ... }: {
 imports = [
 ../../common/software/packages.nix
- ] ++ lib.optional (builtins.isString desktop) ../../common/desktops/${desktop};
+ ../../common/desktops/xfce
+ ];
 networking.firewall.allowedTCPPorts = [ 3389 ];
 services.xrdp.enable = true;
diff --git a/nixos/hosts/framework-server/containers.nix b/nixos/hosts/framework-server/containers.nix
index 8e1a6719..16621259 100644
--- a/nixos/hosts/framework-server/containers.nix
+++ b/nixos/hosts/framework-server/containers.nix
@@ -1,9 +1,22 @@
-{ lib, self, inputs, outputs, stateVersion, hmStateVersion, pkgs, pkgs-unstable, ... }:
+{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
 let libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; }; in {
- # Secrets
 containers = {
- rdesktop = libx.mkContainer { hostname = "rdesktop"; unfree = true; repo = "nixpkgs-unstable"; desktop = "xfce"; };
+ rdesktop = libx.mkContainer { hostname = "rdesktop"; };
 };
+
+
+ networking = {
+ bridges.br0.interfaces = "enp0s13f0u4";
+ interfaces.bro.ipv4.addresses = [{ address = "192.168.2.1"; prefixLength = 24; }];
+ };
+
+# networking.nat = {
+# enable = true;
+# internalInterfaces = [
+# "ve-rdesktop"
+# ];
+# externalInterface = "enp0s13f0u4";
+# };
 }
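Review bot: `networking.interfaces."eth0".useDHCP = true;` in the second hunk starts a DHCP client on the same interface whose address the host now fixes statically through `localAddress` in lib/default.nix; unless a DHCP server is expected to answer on the host side of the veth, this is either redundant or leaves a failing DHCP client beside a working static address, so either drop the line or add a comment naming the DHCP source it relies on. `boot.isContainer = true;` is, as far as I recall, already set for every nixos-container by the host-side container module; it is harmless, but if kept it deserves a short comment saying why it is set explicitly here. The enclosing module attrset begins before this hunk.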
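Review bot: `interfaces.bro.ipv4.addresses = [{ address = "192.168.2.1"; prefixLength = 24; }];` names an interface `bro`, but the bridge declared on the line above is `br0`, so the gateway address would be applied to a device that does not exist while `br0` stays unaddressed; in addition `bridges.<name>.interfaces` takes a list, so `"enp0s13f0u4"` should be `[ "enp0s13f0u4" ]`. Corrected: `bridges.br0.interfaces = [ "enp0s13f0u4" ];` and `interfaces.br0.ipv4.addresses = [{ address = "192.168.2.1"; prefixLength = 24; }];`. Separately, lib/default.nix in this same patch sets `hostAddress = "192.168.2.1"` on the container's veth, so as far as I can tell the host would carry the same address on both `br0` and the `ve-rdesktop` interface; if the container is meant to sit on the bridge, `hostBridge` without `hostAddress` is the usual shape, otherwise the bridge should get a different address. The commented-out `networking.nat` block should either be removed or replaced by a one-line comment stating why NAT is not needed for the container's /32 address.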
diff --git a/secrets/containers/rdesktop.yaml b/secrets/containers/rdesktop.yaml
index 830a1294..fa0b60f2 100644
--- a/secrets/containers/rdesktop.yaml
+++ b/secrets/containers/rdesktop.yaml
@@ -8,25 +8,45 @@ sops: lastmodified: "2024-03-25T03:46:39Z" mac: ENC[AES256_GCM,data:R7SWM8rB0j97ax0hCRlw/CNLwnv43DmeDBQe5UuoQfAiELn3849+mW4jGDVt/aQiJ7BF4j0LHuYXIMSQYbUJalx08SsA+deWCl2kANLHZCPbvASkmnVvDSYYRMgnBVc4Bl9/qX8wW2LhsASYUE+mXavIF5vFw2Bnz7Fyrv/KJ24=,iv:QhisO42F3fXKh3yoaVhuh4nRJG7kg/OHN8noUViMYPg=,tag:TQ6D0DlRPQJtpvOsvv6b6Q==,type:str] pgp: - - created_at: "2024-03-25T02:57:12Z" + - created_at: "2024-03-26T00:00:33Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAx+imH9kwOLOARAAl+SEO7uBSKVXN9iKrHYBBohaNB5M89cgj94W8DsPNWfs - A7lqpkJJfQGmE4GnmAuMp38UHMOu906LSleAcecCxPUDOaKwz8Lbfs8awxk+jJ5H - OuqFkWo1ErqDZxZYQmeM0KG2+oc45gXVbIg3/B/rS26TLpOUxOrzwKIXu+4dw2ME - v90AXEW4uRrItdm7EOU/fyzuC4sm/gsEwRyW6NMHuWQxwpLi3d/KLEyxB00Akiwg - ct8UfyenG7XUyKRpdyo0sFvB2xxYKsjvX0In75o81AA6A5mLoyabItJSzTcIK/rr - IsBsp2YAd2bCEwMAU9QCexgSicvh2jpczvIryAYdMIp/vVOf6+X6/z4Iyju5mfSQ - JsNhs7tLQOQ4bjyLYZqtx7YaZjHjXWpSwBW24IfQRQ1BUjrmzZjPXuftAr2mT5fd - KJlWfnN0yKaRgh8vtqE1RmqX15eid/0h3VJ6gGl+1juLOv4/CLtAcNkhZS2hN1wP - SBJqZMzNIVrkj/WSnXFXIJbkvfxbX12elyvvLSChBNjpE77JddQcFLareNDLr3k1 - W+t456Ql7AGlfz1lZE7s07Nuu1XofTR/VqcN/xsgCnXl+cDUUBHox7L0C4IRneF0 - vLC+neAjGecR3oAIZuyBfFcXPxaebXBblWCw4XafiU+ppziG8TSIBy9Q3pv6KjfS - VgE7MciCKsl3JeKKTn7rugsMcBDY54l8AKgKElKU2cg6ExAey8hINCamUj5RoF82 - r9JE7H+RAWVU4wP+VqaF7JNMyPxbfHfjv2ybwR+Bm9IFqzD01Oxl - =xeiz + hQIMAx+imH9kwOLOARAAiwdTa55CLbwuweRV0oxe+YK8XtX0cBQW25syfyHOlvMg + gYDw4ADlu9sOQ4MZnoQXZiNOSBraNwInbadHeQDWBBUfoSukDK0TOXlVtKiSw2gL + N9JhmRfiKchxJL5LX3qmqjw0I0cPiCtIxFfDBqClMO90Im5qHFvjRz24XkukARCK + AmVbn3GjESx8kiLCT6JlOwBhZPMO9N1YZaeEPbBCdkLde85CShIFW1g9BKq1kJLY + IyO+x1yPVswPGZKS9BiX3S2QqU7ALK2JP0YRGd+7UjT+oxZY33WMkY7ajbwfkiNv + afGMRehZ2vXCvlDPMvGDXU2R1TGHe6C66kO4kBHawivOci8qwTXeeQx26YeyQJMK + sMKK2Oe+IXxGO+AuGgMwQpsHTJj+B7bLbWiU401ft7W50LsFspGKfeCUBsnFfmyw + 0w3lafS/oCpBuAAQ8OgDSQDhb3UrkKfvv5zEvCj8QfspBgWiSoCEcZruMRsJkb2d + DyNM6okmU6z+Iqh7J2awwtkbMnUDEpxc9lBDfUBwBWv3mlj17PEJZj9/c4N6Vi+/ + 
Y7JK7qcGoIpLbAc8VtmyfXOOKZlwn7xIBOjnQCzbqV0Iag+d0Z1fxzJMdMYAsdwL + 1/euYMJhGt195YH5/Qd+mYTIhQ9UT20yQduJoqfwwo/+c3PRDVcXKOZD9Ce/bdfS + VgHm+ON76WFr7GEOXQxPFV/rGQ2xrlQ+jCa1iGlvZz8XGYUjGEG+pyrIbypDvKOx + FrZH8Rr9z2xVoSf06ziV/dm+g/Uut/I+byZyAynuIeS+5EDHYJQU + =+uVi -----END PGP MESSAGE----- fp: D98BBC6C9A27324654C2D8C464F6C4EB46C4543A + - created_at: "2024-03-26T00:00:33Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6d9aNxyfPUrARAAhov6FXAFSZCSYSDplJp5A1a7CpWDXv4+WbeZP2qVPjHc + fyc9jJCocbH9dL0dcrMubBil82o+ZfS5GLU4S9jir2TQ52e+wfX6VOcJ7a9TI1Vn + KllSLLKcjHCe02zDoqWv5OZei/vwTOA1H1cq9vDdAACJ1ySmsq2HaEGggSk1StZB + Tzj6Jm9Dqe4+S4Tot65hZwADUGA80+XL42Bq+hqYCS8na1I1Slmi/p3fkyAs/3S3 + Okhb7C2uTLnSvLCThjy3sG8YtAgsJlA39zgvbTQGj2+IlK25wD1rKBvMTJlt852D + jX3CYgM5DYx0/El0jFItCU0RcIHoga4hS/s8x4Dnnz+6IkYK4wSk7a76ErW8nf/S + srRpILBhUNS36FCnN9m76v2HewAf0Z2ExV6lm/Tw8AgViyAtSTAFxxkADoApl10n + J/SorOTf/b1APPrAk3b+l9UnlDf8vgxRBjzXFbJlfEQfLWr0DoOc9zGsVdIt18zz + Erz5WJmgILjoaj6oMX9EobsInxXRc49rbcsIMH3ghi1yT/S4CsOuSx9N42+wkWPY + bSTs4RBwohc7b6EZf5WsTOqcktjl7zOrTOqz6Kl2nwYHWlYC5fYS0d4fMkjJoJCk + D4t2QvjQtuGSejeiXZjhUW41V/f/gsbTrg/xw/6JJ94DYlUGLti0Phr6xDZAT0vS + VgGxBz12bfS03iXtu0SM7LmNy/U3hYzJq8NXbk0uN0RYuxIiHoWwdWWBVlLjxttH + s2hZE7x/qThF2lqP+CqaAjeQZ827ZdPYO9gVZAQFMO/eGwrTRNP8 + =V6sY + -----END PGP MESSAGE----- + fp: dfd3a496aba156fa521e82ada77d68dc727cf52b unencrypted_suffix: _unencrypted version: 3.8.1