dotfiles/nixos/systems/blowhole/ywecur-anp.nix
magic_rb 5fbfdfa60a
server: raise caps in ywecur-anp container
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-10-27 12:04:26 +01:00


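# Host-side NixOS module for the `ywecur-anp` container: a one-shot service that
# prepares the tap device node on the host, and the container definition that
# bind-mounts it and grants the `ywecur` user network capabilities inside.
{
  inputs',
  pkgs,
  ...
}: let
in {
  # Runs on the host before the container unit; creates /dev/net/tap if it is
  # missing (char 10/200 is the tun/tap node) and widens its mode so the
  # bind-mounted node is openable from inside the container.
  systemd.services."container@ywecur-anp-setup" = {
    before = ["container@ywecur-anp.service"];
    wantedBy = ["container@ywecur-anp.service"];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = pkgs.writeShellScript "setup-tap.sh" ''
        if ! [ -e /dev/net/tap ] ; then
          mknod /dev/net/tap c 10 200
        fi
        # NOTE(review): mode 666 makes the node openable by every host user, not
        # only the container; a dedicated group with mode 660 scopes it tighter.
        chmod 666 /dev/net/tap
      '';
    };
  };

  containers.ywecur-anp = {
    ephemeral = true;
    autoStart = true;
    privateNetwork = true;
    hostAddress = "172.20.69.1";
    localAddress = "172.20.69.2";

    bindMounts = {
      "/home/ywecur" = {
        hostPath = "/mnt/kyle/infrastructure/ywecur/";
        isReadOnly = false;
      };
      # Presumably keeps sshd host keys stable across ephemeral restarts;
      # note the container root can write to this host directory.
      "/etc/ssh" = {
        hostPath = "/mnt/kyle/infrastructure/ywecur/.ssh-system";
        isReadOnly = false;
      };
      # The node created by the setup service above; must also be listed in
      # allowedDevices below for the container to access it.
      "/dev/net/tap" = {
        hostPath = "/dev/net/tap";
        isReadOnly = false;
      };
    };

    nixpkgs = inputs'.nixpkgs-stable;

    allowedDevices = [
      {
        node = "/dev/net/tap";
        modifier = "rw";
      }
    ];

    config = {
      config,
      pkgs,
      lib,
      ...
    }: {
      boot.isContainer = true;
      networking.hostName = "ywecur-anp";

      environment.systemPackages = with pkgs; [
        git
        ccls
        libcap
        tcpdump
        vscode-fhs
      ];

      # Only the VS Code packages are permitted as unfree.
      nixpkgs.config.allowUnfreePredicate = pkg:
        builtins.elem (lib.getName pkg) [
          "code"
          "vscode"
        ];

      # Patched bubblewrap from the repo's own patch set; the patch name
      # suggests it stops bwrap refusing to run when capabilities are raised.
      nixpkgs.overlays = [
        (final: prev: {
          bubblewrap = prev.bubblewrap.overrideAttrs (final': prev': {
            patches = [inputs'.self.patches.bubblewrap.dont-bail-on-caps] ++ prev'.patches or [];
          });
        })
      ];

      programs.nix-ld.enable = true;

      services.openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          PermitRootLogin = "no";
        };
      };

      programs.direnv.enable = true;

      # Login-shell wrapper carrying file capabilities; used as the user's shell
      # so the session starts with the caps listed here.
      # NOTE(review): the file caps apply to the wrapper process itself; whether
      # bash keeps them after exec depends on the inheritable set pam_cap grants
      # below (cap_net_raw is not listed there) — confirm in a session with
      # `capsh --print`.
      security.wrappers = {
        cap_raise = {
          owner = "root";
          group = "root";
          source = pkgs.writeShellScript "cap_raise.sh" ''
            # Forward the arguments login/sshd hand to the shell (e.g. `-c cmd`);
            # without "$@" a non-interactive `ssh host cmd` would instead open an
            # interactive login shell.
            exec /usr/bin/env bash -l "$@"
          '';
          capabilities = "cap_net_admin=+pie cap_net_raw=+pie";
        };
      };

      # pam_cap sets the inheritable capability set for `ywecur` at sshd login;
      # the rule is placed shortly after the session limits rule.
      security.pam.services.sshd.rules.auth.pam_cap = {
        modulePath = "${pkgs.libcap.pam}/lib/security/pam_cap.so";
        args = [
          "config=${pkgs.writeText "pam_cap.conf" ''
            cap_net_admin ywecur
          ''}"
        ];
        control = "required";
        order = config.security.pam.services.sshd.rules.session.limits.order + 10;
      };

      users.users.ywecur = {
        isNormalUser = true;
        home = "/home/ywecur";
        description = "ywecur";
        # The capability-raising wrapper above is the login shell.
        shell = "/run/wrappers/bin/cap_raise";
        uid = 1500;
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEJYOmH+AFTYTWi894bAqaYbEHwiSQwiQ7xM5NpiH1u (none)"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFVkFvalffJ/SMjJGG3WPiqCqFygnWzhGUaeALBIoCsJ (none)"
        ];
      };
    };
  };
}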