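{ inputs', pkgs, ... }:
{
  # Host-side one-shot that guarantees /dev/net/tap exists before the
  # container starts, since the node is bind-mounted into it below.
  systemd.services."container@ywecur-anp-setup" = {
    before = [ "container@ywecur-anp.service" ];
    wantedBy = [ "container@ywecur-anp.service" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = pkgs.writeShellScript "setup-tap.sh" ''
        set -euo pipefail
        # /dev/net only shows up on the host once the tun module has been
        # loaded; create the directory so mknod cannot fail on a fresh boot.
        mkdir -p /dev/net
        if ! [ -e /dev/net/tap ]; then
          # Same major/minor as /dev/net/tun; the name is just an alias.
          mknod /dev/net/tap c 10 200
        fi
        # Mode 666 lets every host user open the node. Opening it alone does
        # not create or attach an interface (TUNSETIFF still needs
        # CAP_NET_ADMIN in the caller's netns, or ownership of a persistent
        # device), but narrow this to a dedicated group (chmod 660) if the
        # host has untrusted local users.
        chmod 666 /dev/net/tap
      '';
    };
  };

  containers.ywecur-anp = {
    # Root filesystem is discarded on every start; only the bind mounts below persist.
    ephemeral = true;
    autoStart = true;
    privateNetwork = true;
    hostAddress = "172.20.69.1";
    localAddress = "172.20.69.2";
    bindMounts = {
      "/home/ywecur" = {
        hostPath = "/mnt/kyle/infrastructure/ywecur/";
        isReadOnly = false;
      };
      # The tap node created by the setup service above.
      "/dev/net/tap" = {
        hostPath = "/dev/net/tap";
        isReadOnly = false;
      };
    };
    nixpkgs = inputs'.buildbot-nix.inputs.nixpkgs;
    # Device allowlist for the container; presumably required because the
    # container's device policy would otherwise block opening the node
    # even though it is bind-mounted — confirm against the nspawn settings.
    allowedDevices = [
      {
        node = "/dev/net/tap";
        modifier = "rw";
      }
    ];

    config = { config, pkgs, ... }: {
      boot.isContainer = true;
      networking.hostName = "ywecur-anp";
      environment.systemPackages = with pkgs; [
        git
        tcpdump
      ];

      # Key-only SSH; root cannot log in over SSH at all.
      services.openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          PermitRootLogin = "no";
        };
      };
      programs.direnv.enable = true;

      # A bash binary carrying cap_net_admin, used as ywecur's login shell
      # below so the user can manage network interfaces (e.g. the tap node)
      # without root. NOTE(review): the NixOS wrapper raises the capability
      # to the ambient set, so every child process of the session inherits
      # it, not just the shell — confirm against the wrapper for this
      # nixpkgs revision before widening the capability list.
      security.wrappers = {
        cap_raise = {
          owner = "root";
          group = "root";
          source = "/run/current-system/sw/bin/bash";
          capabilities = "cap_net_admin+pie";
        };
      };

      # pam_cap adds cap_net_admin to the inheritable set of ywecur's sshd
      # sessions; the config file grants it to that user only.
      security.pam.services.sshd.rules.auth.pam_cap = {
        modulePath = "${pkgs.libcap.pam}/lib/security/pam_cap.so";
        args = [
          "config=${pkgs.writeText "pam_cap.conf" ''
            cap_net_admin ywecur
          ''}"
        ];
        control = "required";
        # Positioned relative to the existing `limits` rule; note this reads
        # the session stack's order while installing into the auth stack.
        order = config.security.pam.services.sshd.rules.session.limits.order + 10;
      };

      users.users.ywecur = {
        isNormalUser = true;
        home = "/home/ywecur";
        description = "ywecur";
        shell = "/run/wrappers/bin/cap_raise";
        # Fixed uid so ownership of the bind-mounted home is stable across
        # rebuilds; with no user namespace this is presumably the same uid
        # on the host side of /mnt/kyle/infrastructure/ywecur/ — verify.
        uid = 1500;
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEJYOmH+AFTYTWi894bAqaYbEHwiSQwiQ7xM5NpiH1u (none)"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFVkFvalffJ/SMjJGG3WPiqCqFygnWzhGUaeALBIoCsJ (none)"
        ];
      };
    };
  };
}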