dotfiles/nixos/systems/blowhole/ywecur-anp.nix

{
  inputs',
  pkgs,
  ...
}: let
in {
  systemd.services."container@ywecur-anp-setup" = {
    before = ["container@ywecur-anp.service"];
    wantedBy = ["container@ywecur-anp.service"];

    serviceConfig = {
      Type = "oneshot";
      ExecStart = pkgs.writeShellScript "setup-tap.sh" ''
        if ! [ -e /dev/net/tap ] ; then
          mknod /dev/net/tap c 10 200
        fi
        chmod 666 /dev/net/tap
      '';
    };
  };

  containers.ywecur-anp = {
    ephemeral = true;
    autoStart = true;

    privateNetwork = true;
    hostAddress = "172.20.69.1";
    localAddress = "172.20.69.2";

    bindMounts = {
      "/home/ywecur" = {
        hostPath = "/mnt/kyle/infrastructure/ywecur/";
        isReadOnly = false;
      };
      "/dev/net/tap" = {
        hostPath = "/dev/net/tap";
        isReadOnly = false;
      };
    };
    nixpkgs = inputs'.buildbot-nix.inputs.nixpkgs;

    allowedDevices = [
      {
        node = "/dev/net/tap";
        modifier = "rw";
      }
    ];

    config = {
      config,
      pkgs,
      ...
    }: {
      boot.isContainer = true;
      networking.hostName = "ywecur-anp";

      environment.systemPackages = with pkgs; [
        git
        tcpdump
      ];

      services.openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          PermitRootLogin = "no";
        };
      };

      programs.direnv.enable = true;

      security.wrappers = {
        cap_raise = {
          owner = "root";
          group = "root";
          source = "/run/current-system/sw/bin/bash";
          capabilities = "cap_net_admin+pie";
        };
      };

      security.pam.services.sshd.rules.auth.pam_cap = {
        modulePath = "${pkgs.libcap.pam}/lib/security/pam_cap.so";
        args = [
          "config=${pkgs.writeText "pam_cap.conf" ''
            cap_net_admin ywecur
          ''}"
        ];
        control = "required";
        order = config.security.pam.services.sshd.rules.session.limits.order + 10;
      };

      users.users.ywecur = {
        isNormalUser = true;
        home = "/home/ywecur";
        description = "ywecur";
        shell = "/run/wrappers/bin/cap_raise";

        uid = 1500;

        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEJYOmH+AFTYTWi894bAqaYbEHwiSQwiQ7xM5NpiH1u (none)"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFVkFvalffJ/SMjJGG3WPiqCqFygnWzhGUaeALBIoCsJ (none)"
        ];
      };
    };
  };
}
Setup ANP container Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-09-17 23:11:24 +02:00			`{`
			`inputs',`
			`pkgs,`
			`...`
			`}: let`
			`in {`
			`systemd.services."container@ywecur-anp-setup" = {`
			`before = ["container@ywecur-anp.service"];`
			`wantedBy = ["container@ywecur-anp.service"];`

			`serviceConfig = {`
			`Type = "oneshot";`
			`ExecStart = pkgs.writeShellScript "setup-tap.sh" ''`
			`if ! [ -e /dev/net/tap ] ; then`
			`mknod /dev/net/tap c 10 200`
			`fi`
			`chmod 666 /dev/net/tap`
			`'';`
			`};`
			`};`

			`containers.ywecur-anp = {`
			`ephemeral = true;`
			`autoStart = true;`

			`privateNetwork = true;`
			`hostAddress = "172.20.69.1";`
			`localAddress = "172.20.69.2";`

			`bindMounts = {`
			`"/home/ywecur" = {`
			`hostPath = "/mnt/kyle/infrastructure/ywecur/";`
			`isReadOnly = false;`
			`};`
			`"/dev/net/tap" = {`
			`hostPath = "/dev/net/tap";`
			`isReadOnly = false;`
			`};`
			`};`
			`nixpkgs = inputs'.buildbot-nix.inputs.nixpkgs;`

			`allowedDevices = [`
			`{`
			`node = "/dev/net/tap";`
			`modifier = "rw";`
			`}`
			`];`

			`config = {`
			`config,`
			`pkgs,`
			`...`
			`}: {`
			`boot.isContainer = true;`
			`networking.hostName = "ywecur-anp";`

			`environment.systemPackages = with pkgs; [`
			`git`
			`tcpdump`
			`];`

			`services.openssh = {`
			`enable = true;`
			`settings = {`
			`PasswordAuthentication = false;`
			`PermitRootLogin = "no";`
			`};`
			`};`

			`programs.direnv.enable = true;`

			`security.wrappers = {`
			`cap_raise = {`
			`owner = "root";`
			`group = "root";`
			`source = "/run/current-system/sw/bin/bash";`
			`capabilities = "cap_net_admin+pie";`
			`};`
			`};`

			`security.pam.services.sshd.rules.auth.pam_cap = {`
			`modulePath = "${pkgs.libcap.pam}/lib/security/pam_cap.so";`
			`args = [`
			`"config=${pkgs.writeText "pam_cap.conf" ''`
			`cap_net_admin ywecur`
			`''}"`
			`];`
			`control = "required";`
			`order = config.security.pam.services.sshd.rules.session.limits.order + 10;`
			`};`

			`users.users.ywecur = {`
			`isNormalUser = true;`
			`home = "/home/ywecur";`
			`description = "ywecur";`
			`shell = "/run/wrappers/bin/cap_raise";`

			`uid = 1500;`

			`openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEJYOmH+AFTYTWi894bAqaYbEHwiSQwiQ7xM5NpiH1u (none)"`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFVkFvalffJ/SMjJGG3WPiqCqFygnWzhGUaeALBIoCsJ (none)"`
			`];`
			`};`
			`};`
			`};`
			`}`