From 32bac4e0549b6b41aa6062aee48f1aa7eb493a3f Mon Sep 17 00:00:00 2001
From: lassulus <git@lassul.us>
Date: Sun, 3 Sep 2023 11:57:19 +0200
Subject: [PATCH] l green-hosts: add different implementations

---
 lass/2configs/green-hosts/cryfs.nix         |  95 ++++++++++++++++++
 lass/2configs/green-hosts/ecryptfs.nix      |  99 +++++++++++++++++++
 lass/2configs/green-hosts/plain-bindfs.nix  |  90 +++++++++++++++++
 lass/2configs/green-hosts/plain-permown.nix |  88 +++++++++++++++++
 lass/2configs/green-hosts/plain.nix         |  87 +++++++++++++++++
 lass/2configs/green-hosts/securefs.nix      | 101 ++++++++++++++++++++
 6 files changed, 560 insertions(+)
 create mode 100644 lass/2configs/green-hosts/cryfs.nix
 create mode 100644 lass/2configs/green-hosts/ecryptfs.nix
 create mode 100644 lass/2configs/green-hosts/plain-bindfs.nix
 create mode 100644 lass/2configs/green-hosts/plain-permown.nix
 create mode 100644 lass/2configs/green-hosts/plain.nix
 create mode 100644 lass/2configs/green-hosts/securefs.nix

diff --git a/lass/2configs/green-hosts/cryfs.nix b/lass/2configs/green-hosts/cryfs.nix
new file mode 100644
index 000000000..d60dc5951
--- /dev/null
+++ b/lass/2configs/green-hosts/cryfs.nix
@@ -0,0 +1,95 @@
+# seems to work, very slow though
+
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+
+  cname = "green-cryfs";
+
+in {
+  imports = [
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+  ];
+
+  programs.fuse.userAllowOther = true;
+
+  services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/cryfs" = {
+    devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+    ignorePerms = false;
+  };
+
+  lass.bindfs."/var/lib/sync-containers/${cname}/cryfs" = {
+    source = "/var/lib/sync-containers/${cname}/cryfs";
+    options = [
+      "-M ${toString config.users.users.syncthing.uid} -u root -g root"
+    ];
+  };
+
+
+  systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+  containers.${cname} = {
+    config = { ... }: {
+      environment.systemPackages = [
+        pkgs.git
+        pkgs.rxvt-unicode-unwrapped.terminfo
+      ];
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        config.krebs.users.lass.pubkey
+      ];
+      system.activationScripts.fuse = {
+        text = ''
+          ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+        '';
+        deps = [];
+      };
+    };
+    allowedDevices = [
+      { modifier = "rwm"; node = "/dev/fuse"; }
+    ];
+    autoStart = false;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+    localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeDashBin "init-${cname}" ''
+      set -euf
+      set -x
+
+      mkdir -p /var/lib/sync-containers/${cname}/cryfs
+    '')
+    (pkgs.writeDashBin "start-${cname}" ''
+      set -euf
+      set -x
+
+      mkdir -p /var/lib/containers/${cname}/var/state
+
+      STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+      if [ "$STATE" = 'down' ]; then
+        ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+      fi
+
+      ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+        set -x
+
+        mkdir -p /var/state/var_src
+        ln -sfTr /var/state/var_src /var/src
+        touch /etc/NIXOS
+      ''}
+
+      if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+        ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+      fi
+    '')
+    (pkgs.writeDashBin "stop-${cname}" ''
+      set -euf
+
+      ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+    '')
+  ];
+}
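Review bot: The container's activation snippet `${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229` is not idempotent: once the node exists, every later activation — including the `nixos-rebuild -I /var/src switch` that start-green-cryfs runs inside the container — fails that snippet with "File exists". Guard it with `[ -e /dev/fuse ] || ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229`. The inner deploy script sets only `set -x`, so a failing `ln -sfTr /var/state/var_src /var/src` is silently ignored before the rebuild check; `set -eux` would surface it. Nothing in init-/start-green-cryfs actually mounts the cryfs volume, unlike the ecryptfs and securefs variants; if that is done by hand or from inside the container via /dev/fuse, a sentence in the header comment saying so would save the next reader a search.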
diff --git a/lass/2configs/green-hosts/ecryptfs.nix b/lass/2configs/green-hosts/ecryptfs.nix
new file mode 100644
index 000000000..2c335f6f2
--- /dev/null
+++ b/lass/2configs/green-hosts/ecryptfs.nix
@@ -0,0 +1,99 @@
+
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+
+  cname = "green";
+
+in {
+  imports = [
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+  ];
+
+  programs.fuse.userAllowOther = true;
+
+  services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/ecryptfs" = {
+    devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+    ignorePerms = false;
+  };
+
+  krebs.permown."/var/lib/sync-containers/${cname}/ecryptfs" = {
+    file-mode = "u+rw";
+    directory-mode = "u+rwx";
+    owner = "syncthing";
+    keepGoing = false;
+  };
+
+  systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+  containers.${cname} = {
+    config = { ... }: {
+      environment.systemPackages = [
+        pkgs.git
+        pkgs.rxvt-unicode-unwrapped.terminfo
+      ];
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        config.krebs.users.lass.pubkey
+      ];
+      system.activationScripts.fuse = {
+        text = ''
+          ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+        '';
+        deps = [];
+      };
+    };
+    allowedDevices = [
+      { modifier = "rwm"; node = "/dev/fuse"; }
+    ];
+    autoStart = false;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+    localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+  };
+
+  environment.systemPackages = [
+    pkgs.ecryptfs
+    pkgs.keyutils
+    (pkgs.writeDashBin "start-${cname}" ''
+      set -euf
+      set -x
+
+      mkdir -p /var/lib/containers/${cname}/var/state
+
+      if ! mount | grep -q '/var/lib/sync-containers/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
+        if [ -e /var/lib/sync-containers/${cname}/ecryptfs/.cfg.json ]; then
+          ${pkgs.ecrypt}/bin/ecrypt mount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+        else
+          ${pkgs.ecrypt}/bin/ecrypt init /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+        fi
+      fi
+
+      STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+      if [ "$STATE" = 'down' ]; then
+        ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+      fi
+
+      ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+        set -x
+
+        mkdir -p /var/state/var_src
+        ln -sfTr /var/state/var_src /var/src
+        touch /etc/NIXOS
+      ''}
+
+      if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+        ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+      fi
+    '')
+    (pkgs.writeDashBin "stop-${cname}" ''
+      set -euf
+
+      ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+      ${pkgs.ecrypt}/bin/ecrypt unmount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+    '')
+  ];
+}
+
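Review bot: The `.cfg.json` that the start script tests for (`[ -e /var/lib/sync-containers/green/ecryptfs/.cfg.json ]`) lives inside the directory declared as a Syncthing folder shared with six peers, so whatever `ecrypt init` writes there is replicated to every peer; if it holds wrapped key material or a passphrase hint, that undercuts encrypting the synced state, so either confirm in a comment that it contains nothing secret or keep it outside the synced tree. The script invokes `${pkgs.ecrypt}` while the package list installs `pkgs.ecryptfs` and `pkgs.keyutils`; presumably `ecrypt` is a local wrapper around those, and a comment naming it would help. The mount check greps `mount` output for an exact string, which re-runs `ecrypt mount` on an already-mounted target if the formatting ever differs; `mountpoint -q /var/lib/containers/green/var/state` is more robust.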
diff --git a/lass/2configs/green-hosts/plain-bindfs.nix b/lass/2configs/green-hosts/plain-bindfs.nix
new file mode 100644
index 000000000..81d8f20c2
--- /dev/null
+++ b/lass/2configs/green-hosts/plain-bindfs.nix
@@ -0,0 +1,90 @@
+# this seems to work, sadly there are no inotify events on the state directory because bindfs hides them,
+
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+
+  cname = "green-plain";
+
+in {
+  imports = [
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+  ];
+
+  programs.fuse.userAllowOther = true;
+
+  services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = {
+    devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+    ignorePerms = false;
+  };
+
+  lass.bindfs."/var/lib/containers/${cname}/var/state" = {
+    source = "/var/lib/containers/${cname}/var/state";
+    options = [
+      "-M ${toString config.users.users.syncthing.uid} -u root -g root"
+    ];
+  };
+
+
+  systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+  containers.${cname} = {
+    config = { ... }: {
+      environment.systemPackages = [
+        pkgs.git
+        pkgs.rxvt-unicode-unwrapped.terminfo
+      ];
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        config.krebs.users.lass.pubkey
+      ];
+      system.activationScripts.fuse = {
+        text = ''
+          ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+        '';
+        deps = [];
+      };
+    };
+    allowedDevices = [
+      { modifier = "rwm"; node = "/dev/fuse"; }
+    ];
+    autoStart = false;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+    localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeDashBin "start-${cname}" ''
+      set -euf
+      set -x
+
+      mkdir -p /var/lib/containers/${cname}/var/state
+
+      STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+      if [ "$STATE" = 'down' ]; then
+        ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+      fi
+
+      ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+        set -x
+
+        mkdir -p /var/state/var_src
+        ln -sfTr /var/state/var_src /var/src
+        touch /etc/NIXOS
+      ''}
+
+      if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+        ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+      fi
+    '')
+    (pkgs.writeDashBin "stop-${cname}" ''
+      set -euf
+
+      ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+    '')
+  ];
+}
+
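Review bot: `programs.fuse.userAllowOther = true` relaxes `/etc/fuse.conf` host-wide so any unprivileged user may mount FUSE filesystems with `allow_other`, yet the only FUSE mount this file sets up is `lass.bindfs`; if that mount runs as root, as the other mounts in this series do, `user_allow_other` is not needed at all. Either drop the option or add a comment naming the non-root mount that requires it. Separately, the bindfs mounts `/var/lib/containers/green-plain/var/state` over itself with `-M <syncthing uid> -u root -g root` while the Syncthing folder points at the same path; this is presumably deliberate (the mirror lets the syncthing uid see root-owned state as its own), but the header only records the inotify downside, so a line such as `# bindfs mirrors the root-owned state to the syncthing uid so syncthing can read and write it` would make the intent clear.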
diff --git a/lass/2configs/green-hosts/plain-permown.nix b/lass/2configs/green-hosts/plain-permown.nix
new file mode 100644
index 000000000..21a7d0085
--- /dev/null
+++ b/lass/2configs/green-hosts/plain-permown.nix
@@ -0,0 +1,88 @@
+# this seems to work fine, downsides are, all state is owned by syncthing and could be read by the guests syncthing
+
+
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+
+  cname = "green-plain";
+
+in {
+  imports = [
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+  ];
+
+  services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = {
+    devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+    ignorePerms = false;
+  };
+
+  krebs.permown."/var/lib/containers/${cname}/var/state" = {
+    file-mode = "u+rw";
+    directory-mode = "u+rwx";
+    owner = "syncthing";
+    keepGoing = true;
+  };
+
+  systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+  containers.${cname} = {
+    config = { ... }: {
+      environment.systemPackages = [
+        pkgs.git
+        pkgs.rxvt-unicode-unwrapped.terminfo
+      ];
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        config.krebs.users.lass.pubkey
+      ];
+      system.activationScripts.fuse = {
+        text = ''
+          ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+        '';
+        deps = [];
+      };
+    };
+    allowedDevices = [
+      { modifier = "rwm"; node = "/dev/fuse"; }
+    ];
+    autoStart = false;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+    localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeDashBin "start-${cname}" ''
+      set -euf
+      set -x
+
+      mkdir -p /var/lib/containers/${cname}/var/state
+
+      STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+      if [ "$STATE" = 'down' ]; then
+        ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+      fi
+
+      ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+        set -x
+
+        mkdir -p /var/state/var_src
+        ln -sfTr /var/state/var_src /var/src
+        touch /etc/NIXOS
+      ''}
+
+      if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+        ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+      fi
+    '')
+    (pkgs.writeDashBin "stop-${cname}" ''
+      set -euf
+
+      ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+    '')
+  ];
+}
+
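Review bot: `cname = "green-plain"` and the address pair `10.233.2.15`/`10.233.2.16` are identical to plain-bindfs.nix and plain.nix, and the cryfs/ecryptfs/securefs variants reuse the same addresses under other names, so importing more than one green-hosts module on a host produces a conflicting `containers.green-plain` definition or duplicate container addresses. If these files are mutually exclusive experiments, state it in the header, e.g. `# alternative to plain.nix / plain-bindfs.nix — import at most one green-hosts variant per host`. The header's "could be read by the guests syncthing" follows from `owner = "syncthing"` with `file-mode = "u+rw"`, and spelling out that this is the accepted trade-off of this variant (rather than an open problem) would help readers choosing between the files.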
diff --git a/lass/2configs/green-hosts/plain.nix b/lass/2configs/green-hosts/plain.nix
new file mode 100644
index 000000000..58f54b748
--- /dev/null
+++ b/lass/2configs/green-hosts/plain.nix
@@ -0,0 +1,87 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+
+  cname = "green-plain";
+
+in {
+  imports = [
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+  ];
+
+  programs.fuse.userAllowOther = true;
+
+  services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = {
+    devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+    ignorePerms = false;
+  };
+
+  krebs.permown."/var/lib/containers/${cname}/var/state" = {
+    file-mode = "u+rw";
+    directory-mode = "u+rwx";
+    owner = "syncthing";
+    keepGoing = true;
+  };
+
+  systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+  containers.${cname} = {
+    config = { ... }: {
+      environment.systemPackages = [
+        pkgs.git
+        pkgs.rxvt-unicode-unwrapped.terminfo
+      ];
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        config.krebs.users.lass.pubkey
+      ];
+      system.activationScripts.fuse = {
+        text = ''
+          ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+        '';
+        deps = [];
+      };
+    };
+    allowedDevices = [
+      { modifier = "rwm"; node = "/dev/fuse"; }
+    ];
+    autoStart = false;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+    localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeDashBin "start-${cname}" ''
+      set -euf
+      set -x
+
+      mkdir -p /var/lib/containers/${cname}/var/state
+
+      STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+      if [ "$STATE" = 'down' ]; then
+        ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+      fi
+
+      ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+        set -x
+
+        mkdir -p /var/state/var_src
+        ln -sfTr /var/state/var_src /var/src
+        touch /etc/NIXOS
+      ''}
+
+      if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+        ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+      fi
+    '')
+    (pkgs.writeDashBin "stop-${cname}" ''
+      set -euf
+
+      ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+    '')
+  ];
+}
+
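Review bot: `programs.fuse.userAllowOther = true` is set although this file configures no FUSE mount on the host (no `lass.bindfs`, no securefs or cryfs mount), so it looks like a leftover from plain-bindfs.nix; it loosens `/etc/fuse.conf` for every user on the host and should be dropped here or justified with a comment. Apart from that line this file is a verbatim copy of plain-permown.nix, and all six variants share the same container block and start/stop scripts; a shared base module taking `cname` and a backend-specific mount hook, with each variant contributing only its sync and mount settings, would keep the copies from drifting apart.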
diff --git a/lass/2configs/green-hosts/securefs.nix b/lass/2configs/green-hosts/securefs.nix
new file mode 100644
index 000000000..a69cfe6ca
--- /dev/null
+++ b/lass/2configs/green-hosts/securefs.nix
@@ -0,0 +1,101 @@
+# broken, muchsync cant sync into the folders which should be handles by bindfs
+# ls -la also does not show the full directory permissions
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+
+  cname = "green";
+
+in {
+  imports = [
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+  ];
+
+  programs.fuse.userAllowOther = true;
+
+  services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/securefs" = {
+    devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+    ignorePerms = false;
+  };
+
+  krebs.permown."/var/lib/sync-containers/${cname}/securefs" = {
+    file-mode = "u+rw";
+    directory-mode = "u+rwx";
+    owner = "syncthing";
+    keepGoing = false;
+  };
+
+  systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+  containers.${cname} = {
+    config = { ... }: {
+      environment.systemPackages = [
+        pkgs.git
+        pkgs.rxvt-unicode-unwrapped.terminfo
+      ];
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        config.krebs.users.lass.pubkey
+      ];
+      system.activationScripts.fuse = {
+        text = ''
+          ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+        '';
+        deps = [];
+      };
+    };
+    allowedDevices = [
+      { modifier = "rwm"; node = "/dev/fuse"; }
+    ];
+    autoStart = false;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+    localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeDashBin "start-${cname}" ''
+      set -euf
+      set -x
+
+      mkdir -p /var/lib/containers/${cname}/var/state
+
+      if ! mount | grep -q 'securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
+        if ! ${pkgs.securefs}/bin/securefs info /var/lib/sync-containers/${cname}/securefs; then
+          ${pkgs.securefs}/bin/securefs create --format 4 /var/lib/sync-containers/${cname}/securefs
+        fi
+
+        ${pkgs.securefs}/bin/securefs mount -b \
+          -o allow_other -o default_permissions \
+          --log /var/lib/sync-containers/${cname}/securefs.log \
+          /var/lib/sync-containers/${cname}/securefs /var/lib/containers/${cname}/var/state
+      fi
+
+      STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+      if [ "$STATE" = 'down' ]; then
+        ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+      fi
+
+      ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+        set -x
+
+        mkdir -p /var/state/var_src
+        ln -sfTr /var/state/var_src /var/src
+        touch /etc/NIXOS
+      ''}
+
+      if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+        ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+      fi
+    '')
+    (pkgs.writeDashBin "stop-${cname}" ''
+      set -euf
+
+      ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+      umount /var/lib/containers/${cname}/var/state
+    '')
+  ];
+}
+
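Review bot: The `create` fallback fires on any non-zero exit from `securefs info`, not only on "no volume here", so a transient failure on a partially synced or corrupt config would run `securefs create --format 4` against a directory that already holds ciphertext. Restrict it to an empty directory, `if [ -z "$(ls -A /var/lib/sync-containers/${cname}/securefs)" ]; then`, and let a failing `info` on a non-empty directory abort under `set -e` instead. `securefs create` and `mount` presumably prompt for the password since none is passed, which is fine for an interactive start script but deserves a comment. The mount uses `-o allow_other` as root, which needs no `user_allow_other`, so `programs.fuse.userAllowOther = true` appears unnecessary in this file as well.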