From 859a6d1e732bfc40e65f5ed7b33d4014d77740a8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 17:34:59 +0100 Subject: l bindfs: add clearTarget option --- lass/3modules/bindfs.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'lass/3modules') diff --git a/lass/3modules/bindfs.nix b/lass/3modules/bindfs.nix index 5c8df8dc5..c489ef163 100644 --- a/lass/3modules/bindfs.nix +++ b/lass/3modules/bindfs.nix @@ -28,6 +28,13 @@ in { type = types.listOf types.str; default = []; }; + clearTarget = mkOption { + description = '' + whether to clear the target folder before mounting + ''; + type = types.bool; + default = false; + }; }; })); default = {}; @@ -41,6 +48,9 @@ in { path = [ pkgs.coreutils ]; serviceConfig = { ExecStartPre = pkgs.writeDash "bindfs-init-${name}" '' + ${optionalString mount.clearTarget '' + rm -rf '${mount.target}' + ''} mkdir -p '${mount.source}' mkdir -p '${mount.target}' ''; -- cgit v1.3.1 From 1fb7abde922545b3b1ea3887bd5a3f2a57bbb0be Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 17:35:53 +0100 Subject: l sync-containers: fix ecryptfs startup bug --- lass/3modules/sync-containers.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lass/3modules') diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix index ca81458a9..25ba2589b 100644 --- a/lass/3modules/sync-containers.nix +++ b/lass/3modules/sync-containers.nix @@ -10,6 +10,8 @@ with import ; plain = '' ''; ecryptfs = '' + # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails + echo 4 | ${pkgs.ecryptfs}/bin/ecryptfs-manager if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state -- cgit v1.3.1 From 7a654da5dec445482ef40c4b9642f92e19693f2c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 17:36:12 +0100 Subject: l sync-containers: shutdown container if already up --- lass/3modules/sync-containers.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lass/3modules') diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix index 25ba2589b..ebf440c4e 100644 --- a/lass/3modules/sync-containers.nix +++ b/lass/3modules/sync-containers.nix @@ -155,6 +155,8 @@ in { if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch + else + ${(stop ctr.name).${ctr.format}} fi '') (pkgs.writeDashBin "stop-${ctr.name}" '' -- cgit v1.3.1 From 8adbc446bfe2e577d4140d63e0f5bd1f8adf2c31 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 20:59:54 +0100 Subject: l: remove ejabberd --- lass/1systems/prism/config.nix | 10 --- lass/3modules/default.nix | 1 - lass/3modules/ejabberd/config.nix | 128 ------------------------------------- lass/3modules/ejabberd/default.nix | 103 ----------------------------- 4 files changed, 242 deletions(-) delete mode 100644 lass/3modules/ejabberd/config.nix delete mode 100644 lass/3modules/ejabberd/default.nix (limited to 'lass/3modules') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 54ba0089f..81159573d 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -138,16 +138,6 @@ with import ; enable = true; }; } - { - lass.ejabberd = { - enable = true; - hosts = [ "lassul.us" ]; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; } - { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; } - ]; - } { imports = [ diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 8bee08caa..3587e0f88 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -3,7 +3,6 @@ _: imports = [ ./bindfs.nix ./dnsmasq.nix - ./ejabberd ./folderPerms.nix ./hosts.nix ./klem.nix diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix deleted file mode 100644 index 4630f25c1..000000000 --- a/lass/3modules/ejabberd/config.nix +++ /dev/null @@ -1,128 +0,0 @@ -with import ; -{ config, ... }: let - - # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example - - ciphers = concatStringsSep ":" [ - "ECDHE-ECDSA-AES256-GCM-SHA384" - "ECDHE-RSA-AES256-GCM-SHA384" - "ECDHE-ECDSA-CHACHA20-POLY1305" - "ECDHE-RSA-CHACHA20-POLY1305" - "ECDHE-ECDSA-AES128-GCM-SHA256" - "ECDHE-RSA-AES128-GCM-SHA256" - "ECDHE-ECDSA-AES256-SHA384" - "ECDHE-RSA-AES256-SHA384" - "ECDHE-ECDSA-AES128-SHA256" - "ECDHE-RSA-AES128-SHA256" - ]; - - protocol_options = [ - "no_sslv2" - "no_sslv3" - "no_tlsv1" - "no_tlsv1_10" - ]; - -in /* yaml */ '' - - access_rules: - announce: - - allow: admin - local: - - allow: local - configure: - - allow: admin - register: - - allow - s2s: - - allow - trusted_network: - - allow: loopback - - acl: - local: - user_regexp: "" - loopback: - ip: - - "127.0.0.0/8" - - "::1/128" - - "::FFFF:127.0.0.1/128" - - hosts: ${toJSON config.hosts} - - language: "en" - - listen: - - - port: 5222 - ip: "::" - module: ejabberd_c2s - shaper: c2s_shaper - certfile: ${toJSON config.certfile.path} - ciphers: ${toJSON ciphers} - dhfile: ${toJSON config.dhfile.path} - protocol_options: ${toJSON protocol_options} - starttls: true - starttls_required: true - tls: false - tls_compression: false - max_stanza_size: 65536 - - - port: 5269 - ip: "::" - module: ejabberd_s2s_in - shaper: s2s_shaper - max_stanza_size: 131072 - - loglevel: 4 - - modules: - mod_adhoc: {} - mod_admin_extra: {} - mod_announce: - access: announce - mod_caps: {} - mod_carboncopy: {} - mod_client_state: {} - mod_configure: {} - mod_disco: {} - mod_echo: {} - mod_bosh: {} - mod_last: {} - mod_offline: - access_max_user_messages: max_user_offline_messages - mod_ping: {} - mod_privacy: {} - mod_private: {} - mod_register: - access_from: allow - access: register - # ip_access: trusted_network - registration_watchers: ${toJSON config.registration_watchers} - mod_roster: {} - mod_shared_roster: {} - mod_stats: {} - mod_time: {} - mod_vcard: - search: false - mod_version: {} - mod_http_api: {} - - s2s_access: s2s - s2s_certfile: ${toJSON config.s2s_certfile.path} - s2s_ciphers: ${toJSON ciphers} - s2s_dhfile: ${toJSON config.dhfile.path} - s2s_protocol_options: ${toJSON protocol_options} - s2s_tls_compression: false - s2s_use_starttls: required - - shaper_rules: - max_user_offline_messages: - - 5000: admin - - 100 - max_user_sessions: 10 - c2s_shaper: - - none: admin - - normal - s2s_shaper: fast -'' diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix deleted file mode 100644 index 20a38d572..000000000 --- a/lass/3modules/ejabberd/default.nix +++ /dev/null @@ -1,103 +0,0 @@ -{ config, lib, pkgs, ... }@args: with import ; let - cfg = config.lass.ejabberd; - - gen-dhparam = pkgs.writeDash "gen-dhparam" '' - set -efu - path=$1 - bits=2048 - # TODO regenerate dhfile after some time? - if ! test -e "$path"; then - ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path" - fi - ''; - -in { - options.lass.ejabberd = { - enable = mkEnableOption "lass.ejabberd"; - certfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-certfile"; - path = "${cfg.user.home}/ejabberd.pem"; - owner = cfg.user; - source-path = "/var/lib/acme/lassul.us/full.pem"; - }; - }; - dhfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-dhfile"; - path = "${cfg.user.home}/dhparams.pem"; - owner = cfg.user; - source-path = "/dev/null"; - }; - }; - hosts = mkOption { - type = with types; listOf str; - }; - pkgs.ejabberdctl = mkOption { - type = types.package; - default = pkgs.writeDashBin "ejabberdctl" '' - exec ${pkgs.ejabberd}/bin/ejabberdctl \ - --config ${toFile "ejabberd.yaml" (import ./config.nix { - inherit pkgs; - config = cfg; - })} \ - --logs ${shell.escape cfg.user.home} \ - --spool ${shell.escape cfg.user.home} \ - "$@" - ''; - }; - registration_watchers = mkOption { - type = types.listOf types.str; - default = [ - config.krebs.users.tv.mail - ]; - }; - s2s_certfile = mkOption { - type = types.secret-file; - default = cfg.certfile; - }; - user = mkOption { - type = types.user; - default = { - name = "ejabberd"; - home = "/var/ejabberd"; - }; - }; - }; - config = lib.mkIf cfg.enable { - environment.systemPackages = [ cfg.pkgs.ejabberdctl ]; - - krebs.secret.files = { - ejabberd-certfile = cfg.certfile; - ejabberd-s2s_certfile = cfg.s2s_certfile; - }; - - systemd.services.ejabberd = { - wantedBy = [ "multi-user.target" ]; - after = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - "network.target" - ]; - partOf = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - ]; - serviceConfig = { - ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; - ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground"; - PermissionsStartOnly = true; - SyslogIdentifier = "ejabberd"; - User = cfg.user.name; - TimeoutStartSec = 60; - }; - }; - - users.users.${cfg.user.name} = { - inherit (cfg.user) home name uid; - createHome = true; - }; - }; -} -- cgit v1.3.1 From 5433345ad4c042313d30709b413d12dbbda3ed99 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 24 Jan 2021 10:23:23 +0100 Subject: l: move ecryptfs-hack to wrapper --- lass/3modules/sync-containers.nix | 2 -- lass/5pkgs/ecrypt/default.nix | 5 ++++- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'lass/3modules') diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix index ebf440c4e..4dd0fd722 100644 --- a/lass/3modules/sync-containers.nix +++ b/lass/3modules/sync-containers.nix @@ -10,8 +10,6 @@ with import ; plain = '' ''; ecryptfs = '' - # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails - echo 4 | ${pkgs.ecryptfs}/bin/ecryptfs-manager if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state diff --git a/lass/5pkgs/ecrypt/default.nix b/lass/5pkgs/ecrypt/default.nix index 9bb35a8dc..f83f8cfe7 100644 --- a/lass/5pkgs/ecrypt/default.nix +++ b/lass/5pkgs/ecrypt/default.nix @@ -3,7 +3,6 @@ #usage: ecrypt mount /var/crypted /var/unencrypted pkgs.writers.writeDashBin "ecrypt" '' set -euf - set -x PATH=${lib.makeBinPath (with pkgs; [ coreutils @@ -32,6 +31,8 @@ pkgs.writers.writeDashBin "ecrypt" '' echo 'destination dir is not empty, aborting' exit 1 else + # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails + echo 4 | ecryptfs-manager stty -echo printf "passphrase: " read passphrase @@ -59,6 +60,8 @@ pkgs.writers.writeDashBin "ecrypt" '' if keyctl list @u | grep -q "$old_sig"; then echo 'pw already saved' else + # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails + echo 4 | ecryptfs-manager stty -echo printf "passphrase: " read passphrase -- cgit v1.3.1 From ea0b43654e20ee3cbe85c154a35d5363baaaca97 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 24 Jan 2021 10:41:47 +0100 Subject: sync-containers: lass -> krebs --- krebs/3modules/default.nix | 1 + krebs/3modules/sync-containers.nix | 168 +++++++++++++++++++++++++++++++++++++ lass/2configs/green-host.nix | 2 +- lass/3modules/default.nix | 1 - lass/3modules/sync-containers.nix | 168 ------------------------------------- 5 files changed, 170 insertions(+), 170 deletions(-) create mode 100644 krebs/3modules/sync-containers.nix delete mode 100644 lass/3modules/sync-containers.nix (limited to 'lass/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 0b3d2c791..285db40f9 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -51,6 +51,7 @@ let ./secret.nix ./setuid.nix ./shadow.nix + ./sync-containers.nix ./tinc.nix ./tinc_graphs.nix ./urlwatch.nix diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix new file mode 100644 index 000000000..81316fb0d --- /dev/null +++ b/krebs/3modules/sync-containers.nix @@ -0,0 +1,168 @@ +with import ; +{ config, pkgs, ... }: let + cfg = config.krebs.sync-containers; + paths = cname: { + plain = "/var/lib/containers/${cname}/var/state"; + ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs"; + securefs = "${cfg.dataLocation}/${cname}/securefs"; + }; + start = cname: { + plain = '' + ''; + ecryptfs = '' + if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then + if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then + ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + else + ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + fi + fi + ''; + securefs = '' + ## TODO init file systems if it does not exist + # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs + if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then + ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions + fi + ''; + }; + stop = cname: { + plain = '' + ''; + ecryptfs = '' + ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + ''; + securefs = '' + umount /var/lib/containers/${cname}/var/state + ''; + }; +in { + options.krebs.sync-containers = { + dataLocation = mkOption { + description = '' + location where the encrypted sync-container lie around + ''; + default = "/var/lib/sync-containers"; + type = types.absolute-pathname; + }; + containers = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + name = mkOption { + description = '' + name of the container + ''; + default = config._module.args.name; + type = types.str; + }; + peers = mkOption { + description = '' + syncthing peers to share this container with + ''; + default = []; + type = types.listOf types.str; + }; + hostIp = mkOption { # TODO find this automatically + description = '' + hostAddress of the privateNetwork + ''; + example = "10.233.2.15"; + type = types.str; + }; + localIp = mkOption { # TODO find this automatically + description = '' + localAddress of the privateNetwork + ''; + example = "10.233.2.16"; + type = types.str; + }; + format = mkOption { + description = '' + file system encrption format of the container + ''; + type = types.enum [ "plain" "ecryptfs" "securefs" ]; + }; + }; + })); + default = {}; + }; + }; + + config = mkIf (cfg.containers != {}) { + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ + devices = ctr.peers; + ignorePerms = false; + })) cfg.containers); + + krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = false; + })) cfg.containers); + + systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({ + reloadIfChanged = mkForce false; + })) cfg.containers; + + containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({ + config = { ... }: { + environment.systemPackages = [ + pkgs.git + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = ctr.hostIp; + localAddress = ctr.localIp; + })) cfg.containers; + + environment.systemPackages = flatten (mapAttrsToList (n: ctr: [ + (pkgs.writeDashBin "start-${ctr.name}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${ctr.name}/var/state + + ${(start ctr.name).${ctr.format}} + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch + else + ${(stop ctr.name).${ctr.format}} + fi + '') + (pkgs.writeDashBin "stop-${ctr.name}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name} + ${(stop ctr.name).${ctr.format}} + '') + ]) cfg.containers); + }; +} diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix index a5328943c..355daba9c 100644 --- a/lass/2configs/green-host.nix +++ b/lass/2configs/green-host.nix @@ -4,7 +4,7 @@ ]; - lass.sync-containers.containers.green = { + krebs.sync-containers.containers.green = { peers = [ "icarus" "shodan" diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 3587e0f88..9f8ae98e5 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -12,7 +12,6 @@ _: ./pyload.nix ./restic.nix ./screenlock.nix - ./sync-containers.nix ./usershadow.nix ./xjail.nix ./autowifi.nix diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix deleted file mode 100644 index 4dd0fd722..000000000 --- a/lass/3modules/sync-containers.nix +++ /dev/null @@ -1,168 +0,0 @@ -with import ; -{ config, pkgs, ... }: let - cfg = config.lass.sync-containers; - paths = cname: { - plain = "/var/lib/containers/${cname}/var/state"; - ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs"; - securefs = "${cfg.dataLocation}/${cname}/securefs"; - }; - start = cname: { - plain = '' - ''; - ecryptfs = '' - if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then - if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then - ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state - else - ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state - fi - fi - ''; - securefs = '' - ## TODO init file systems if it does not exist - # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs - if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then - ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions - fi - ''; - }; - stop = cname: { - plain = '' - ''; - ecryptfs = '' - ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state - ''; - securefs = '' - umount /var/lib/containers/${cname}/var/state - ''; - }; -in { - options.lass.sync-containers = { - dataLocation = mkOption { - description = '' - location where the encrypted sync-container lie around - ''; - default = "/var/lib/sync-containers"; - type = types.absolute-pathname; - }; - containers = mkOption { - type = types.attrsOf (types.submodule ({ config, ... }: { - options = { - name = mkOption { - description = '' - name of the container - ''; - default = config._module.args.name; - type = types.str; - }; - peers = mkOption { - description = '' - syncthing peers to share this container with - ''; - default = []; - type = types.listOf types.str; - }; - hostIp = mkOption { # TODO find this automatically - description = '' - hostAddress of the privateNetwork - ''; - example = "10.233.2.15"; - type = types.str; - }; - localIp = mkOption { # TODO find this automatically - description = '' - localAddress of the privateNetwork - ''; - example = "10.233.2.16"; - type = types.str; - }; - format = mkOption { - description = '' - file system encrption format of the container - ''; - type = types.enum [ "plain" "ecryptfs" "securefs" ]; - }; - }; - })); - default = {}; - }; - }; - - config = mkIf (cfg.containers != {}) { - programs.fuse.userAllowOther = true; - - services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ - devices = ctr.peers; - ignorePerms = false; - })) cfg.containers); - - krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ - file-mode = "u+rw"; - directory-mode = "u+rwx"; - owner = "syncthing"; - keepGoing = false; - })) cfg.containers); - - systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({ - reloadIfChanged = mkForce false; - })) cfg.containers; - - containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({ - config = { ... }: { - environment.systemPackages = [ - pkgs.git - ]; - system.activationScripts.fuse = { - text = '' - ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 - ''; - deps = []; - }; - }; - allowedDevices = [ - { modifier = "rwm"; node = "/dev/fuse"; } - ]; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = ctr.hostIp; - localAddress = ctr.localIp; - })) cfg.containers; - - environment.systemPackages = flatten (mapAttrsToList (n: ctr: [ - (pkgs.writeDashBin "start-${ctr.name}" '' - set -euf - set -x - - mkdir -p /var/lib/containers/${ctr.name}/var/state - - ${(start ctr.name).${ctr.format}} - - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name}) - if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name} - fi - - ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" '' - set -x - - mkdir -p /var/state/var_src - ln -sfTr /var/state/var_src /var/src - touch /etc/NIXOS - ''} - - if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then - ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch - else - ${(stop ctr.name).${ctr.format}} - fi - '') - (pkgs.writeDashBin "stop-${ctr.name}" '' - set -euf - - ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name} - ${(stop ctr.name).${ctr.format}} - '') - ]) cfg.containers); - }; -} -- cgit v1.3.1 From cefb50f5f1509c06f92453e09fb63ad71a746fe0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 24 Jan 2021 11:26:39 +0100 Subject: bindfs: l -> krebs --- krebs/3modules/bindfs.nix | 61 ++++++++++++++++++++++++++++++++++++++++++ krebs/3modules/default.nix | 1 + lass/1systems/green/config.nix | 2 +- lass/3modules/bindfs.nix | 61 ------------------------------------------ lass/3modules/default.nix | 1 - 5 files changed, 63 insertions(+), 63 deletions(-) create mode 100644 krebs/3modules/bindfs.nix delete mode 100644 lass/3modules/bindfs.nix (limited to 'lass/3modules') diff --git a/krebs/3modules/bindfs.nix b/krebs/3modules/bindfs.nix new file mode 100644 index 000000000..7e3730e86 --- /dev/null +++ b/krebs/3modules/bindfs.nix @@ -0,0 +1,61 @@ +with import ; +{ config, pkgs, ... }: +let + cfg = config.krebs.bindfs; +in { + options.krebs.bindfs = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + target = mkOption { + description = '' + destination where bindfs mounts to. + second positional argument to bindfs. + ''; + default = config._module.args.name; + type = types.absolute-pathname; + }; + source = mkOption { + description = '' + source folder where the mounted directory is originally. + first positional argument to bindfs. + ''; + type = types.absolute-pathname; + }; + options = mkOption { + description = '' + additional arguments to bindfs + ''; + type = types.listOf types.str; + default = []; + }; + clearTarget = mkOption { + description = '' + whether to clear the target folder before mounting + ''; + type = types.bool; + default = false; + }; + }; + })); + default = {}; + }; + + config = mkIf (cfg != {}) { + systemd.services = mapAttrs' (n: mount: let + name = replaceStrings [ "/" ] [ "_" ] n; + in nameValuePair "bindfs-${name}" { + wantedBy = [ "local-fs.target" ]; + path = [ pkgs.coreutils ]; + serviceConfig = { + ExecStartPre = pkgs.writeDash "bindfs-init-${name}" '' + ${optionalString mount.clearTarget '' + rm -rf '${mount.target}' + ''} + mkdir -p '${mount.source}' + mkdir -p '${mount.target}' + ''; + ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}"; + }; + }) cfg; + }; +} diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 285db40f9..e7d04ead8 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -11,6 +11,7 @@ let ./apt-cacher-ng.nix ./backup.nix ./bepasty-server.nix + ./bindfs.nix ./brockman.nix ./buildbot/master.nix ./buildbot/slave.nix diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index d7683ff5f..fbd2d223f 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -26,7 +26,7 @@ with import ; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMe23IAHn4Ow4J4i8M9GJshqvY80U11NKPLum6b1XLn" # weechat ssh tunnel ]; - lass.bindfs = { + krebs.bindfs = { "/home/lass/.weechat" = { source = "/var/state/lass_weechat"; options = [ diff --git a/lass/3modules/bindfs.nix b/lass/3modules/bindfs.nix deleted file mode 100644 index c489ef163..000000000 --- a/lass/3modules/bindfs.nix +++ /dev/null @@ -1,61 +0,0 @@ -with import ; -{ config, pkgs, ... }: -let - cfg = config.lass.bindfs; -in { - options.lass.bindfs = mkOption { - type = types.attrsOf (types.submodule ({ config, ... }: { - options = { - target = mkOption { - description = '' - destination where bindfs mounts to. - second positional argument to bindfs. - ''; - default = config._module.args.name; - type = types.absolute-pathname; - }; - source = mkOption { - description = '' - source folder where the mounted directory is originally. - first positional argument to bindfs. - ''; - type = types.absolute-pathname; - }; - options = mkOption { - description = '' - additional arguments to bindfs - ''; - type = types.listOf types.str; - default = []; - }; - clearTarget = mkOption { - description = '' - whether to clear the target folder before mounting - ''; - type = types.bool; - default = false; - }; - }; - })); - default = {}; - }; - - config = mkIf (cfg != {}) { - systemd.services = mapAttrs' (n: mount: let - name = replaceStrings [ "/" ] [ "_" ] n; - in nameValuePair "bindfs-${name}" { - wantedBy = [ "local-fs.target" ]; - path = [ pkgs.coreutils ]; - serviceConfig = { - ExecStartPre = pkgs.writeDash "bindfs-init-${name}" '' - ${optionalString mount.clearTarget '' - rm -rf '${mount.target}' - ''} - mkdir -p '${mount.source}' - mkdir -p '${mount.target}' - ''; - ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}"; - }; - }) cfg; - }; -} diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 9f8ae98e5..1ce88b238 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -1,7 +1,6 @@ _: { imports = [ - ./bindfs.nix ./dnsmasq.nix ./folderPerms.nix ./hosts.nix -- cgit v1.3.1