Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/setuid.nix26
-rw-r--r--krebs/3modules/sync-containers3.nix19
2 files changed, 34 insertions, 11 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index fdb96c8ba..e3108d88e 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -80,13 +80,25 @@ let
};
imp = {
- system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ]
- (concatMapStringsSep "\n"
- (cfg: /* sh */ ''
- ${cfg.activate}
- rm -f ${cfg.wrapperDir}/${cfg.name}.real
- '')
- (attrValues config.krebs.setuid));
+ systemd.services."krebs.setuid" = {
+ wantedBy = [ "suid-sgid-wrappers.service" ];
+ after = [ "suid-sgid-wrappers.service" ];
+ path = [
+ pkgs.coreutils
+ ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = pkgs.writeDash "krebs.setuid.sh" ''
+ ${concatMapStringsSep "\n"
+ (getAttr "activate")
+ (attrValues config.krebs.setuid)
+ }
+ '';
+ };
+ unitConfig = {
+ DefaultDependencies = false;
+ };
+ };
};
in out
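Review bot: The new oneshot unit drops the `rm -f ${cfg.wrapperDir}/${cfg.name}.real` cleanup that followed every `${cfg.activate}` in the removed activation script, while `(getAttr "activate")` now emits only the activate snippets. The snippets themselves are defined above this hunk and are not visible here; if they still stage a `.real` copy of the privileged binary in the wrapper directory, that copy now persists on disk after every run. Either re-add the cleanup per entry, e.g. replace `(getAttr "activate")` with `(cfg: "${cfg.activate}\nrm -f ${cfg.wrapperDir}/${cfg.name}.real")`, or confirm the `.real` file is no longer produced. Note also that `stringAfter [ "usrbinenv" ]` ordering is gone, so a snippet that relied on `/usr/bin/env` now only has `pkgs.coreutils` on `path`.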
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index 58446c82b..7373592a5 100644
--- a/krebs/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
@@ -58,6 +58,8 @@ in {
pkgs.jq
];
networking.useDHCP = lib.mkForce true;
+ networking.useHostResolvConf = false;
+ services.resolved.enable = true;
systemd.services.autoswitch = {
environment = {
NIX_REMOTE = "daemon";
@@ -155,7 +157,7 @@ in {
# echo 'container is reachable, continueing'
continue
else
- # echo 'container seems dead, killing'
+ echo 'container seems dead, killing'
break
fi
else
@@ -246,6 +248,9 @@ in {
}; }
{ "container@${ctr.name}" = lib.mkIf ctr.runContainer {
serviceConfig = {
+ ExecStop = pkgs.writers.writeDash "remove_interface" ''
+ ${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
+ '';
ExecStartPost = [
(pkgs.writers.writeDash "bind-to-bridge" ''
${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0
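Review bot: The added `ExecStop` script exits non-zero whenever `vb-${ctr.name}` does not exist (for instance when the container never reached the bind-to-bridge step, or the interface was already torn down), and a failing `ExecStop` puts `container@${ctr.name}` into the failed state on an otherwise clean stop; `${pkgs.iproute2}/bin/ip link del vb-${ctr.name} || true` keeps the cleanup best-effort. Setting `ExecStop` also changes the stop sequence of this unit, since systemd now runs the script before signalling the remaining processes, so the veth may be removed while the container is still shutting down; confirm this is intended and that the base unit does not already define `ExecStop` (a second string definition would conflict without `lib.mkForce`). The `ExecStartPost` script addresses the same interface as `vb-$INSTANCE`, so the two spellings should be kept in sync. The enclosing `serviceConfig` continues outside the hunk.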
@@ -294,9 +299,6 @@ in {
(lib.mkIf (cfg.containers != {}) {
# networking
- # needed because otherwise we lose local dns
- environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf";
-
boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1;
systemd.network.networks.ctr0 = {
name = "ctr0";
@@ -309,6 +311,9 @@ in {
ConfigureWithoutCarrier = true;
DHCPServer = "yes";
};
+ dhcpServerConfig = {
+ DNS = "9.9.9.9";
+ };
};
systemd.network.netdevs.ctr0.netdevConfig = {
Kind = "bridge";
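Review bot: `DNS = "9.9.9.9";` hands every container a hard-coded external resolver via DHCP, so container lookups go to a third party in the clear and bypass the host's resolved, which means host-local names (the "local dns" the removed comment in the previous hunk cared about) are presumably no longer resolvable from inside containers. This value belongs in a module option with the fixed address as the default, e.g. `DNS = cfg.containerDns;`, so a deployment can point it at the bridge address instead; if that is done, the host's resolved would also need to listen on the bridge, which this commit does not configure. The enclosing `systemd.network.networks.ctr0` attribute set continues outside the hunk.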
@@ -341,6 +346,12 @@ in {
networking.useHostResolvConf = false;
networking.useNetworkd = true;
+ services.resolved = {
+ enable = true;
+ extraConfig = ''
+ Domains=~.
+ '';
+ };
systemd.network = {
enable = true;
networks.eth0 = {