From 7f119a684466848fe069f560eb67c6a04853a7f9 Mon Sep 17 00:00:00 2001 From: Dmitriy Pleshevskiy Date: Fri, 27 Sep 2024 23:13:34 +0300 Subject: [PATCH] modules: remove private network and ssh from containers --- hosts/home/configuration.nix | 14 +++- .../configs/window-manager/xmonad/default.nix | 1 + .../window-manager/xmonad/xmonad_config.hs | 4 +- modules/machine.nix | 12 +++- modules/nixos/configs/sound.nix | 30 +++++++-- modules/nixos/programs/browsers/default.nix | 67 ++----------------- .../programs/communication/simplex-chat.nix | 1 - .../nixos/programs/communication/skype.nix | 58 +--------------- .../nixos/programs/communication/telegram.nix | 58 +--------------- 9 files changed, 61 insertions(+), 184 deletions(-) diff --git a/hosts/home/configuration.nix b/hosts/home/configuration.nix index 7604e06..9e4260d 100644 --- a/hosts/home/configuration.nix +++ b/hosts/home/configuration.nix @@ -70,9 +70,17 @@ "/tmp/.X11-unix" = { }; "/run/opengl-driver/lib" = { }; "/run/opengl-driver-32/lib" = { }; - "/dev/kfd" = { }; - "/dev/dri" = { }; }; + allowedDevices = [ + { + modifier = "r"; + node = "/dev/kfd"; + } + { + modifier = "r"; + node = "/dev/dri"; + } + ]; config = { pkgs, ... }: { nixpkgs.config.allowUnfree = true; system.stateVersion = "23.11"; @@ -96,6 +104,8 @@ innoextract vim unzip + p7zip + unrar-wrapper wget ]; }; diff --git a/modules/home-manager/configs/window-manager/xmonad/default.nix b/modules/home-manager/configs/window-manager/xmonad/default.nix index 02642f6..71cb596 100644 --- a/modules/home-manager/configs/window-manager/xmonad/default.nix +++ b/modules/home-manager/configs/window-manager/xmonad/default.nix @@ -63,6 +63,7 @@ in xclip # access x clipboard from a console dmenu # menu for x window system nitrogen # wallpaper manager + rofimoji # emoji picker ]; programs.rofi.pass = { 
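Review bot: The new `allowedDevices` entries in hosts/home/configuration.nix give `/dev/kfd` and `/dev/dri` only `modifier = "r"`, but GPU userspace (Mesa/libdrm for DRI render nodes, ROCm for kfd) opens those nodes read-write, so a read-only cgroup device policy would most likely make the open fail inside the container; `modifier = "rw"` is presumably what was intended unless GPU access is meant to be denied. It is also worth confirming that `allowedDevices` alone makes the nodes appear in the container's /dev now that the `bindMounts` entries for them are gone. A comment on the list such as `# device policy for the container; Mesa/ROCm open these nodes O_RDWR` would record the decision. The enclosing `containers.<name>` attribute set begins before this hunk.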
diff --git a/modules/home-manager/configs/window-manager/xmonad/xmonad_config.hs b/modules/home-manager/configs/window-manager/xmonad/xmonad_config.hs index 5fe4993..33e9553 100644 --- a/modules/home-manager/configs/window-manager/xmonad/xmonad_config.hs +++ b/modules/home-manager/configs/window-manager/xmonad/xmonad_config.hs @@ -283,7 +283,9 @@ myKeys conf = -- launch 'dmenu_run' to choose applications ("M-r", spawn "dmenu_run"), -- launch 'rofi-pass' to use password manager - ("M-p", spawn "rofi-pass --last-used") + ("M-p", spawn "rofi-pass --last-used"), + -- launch 'rofimoji' to pick emoji + ("M-e", spawn "rofimoji --action copy") -- Open calculator -- ("", spawn "gnome-calculator"), ] diff --git a/modules/machine.nix b/modules/machine.nix index 68a1053..70d53ce 100644 --- a/modules/machine.nix +++ b/modules/machine.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, pkgs, ... }: { imports = [ ./common.nix ]; @@ -36,4 +36,14 @@ local.programs.pass.enable = lib.mkDefault true; local.programs.browsers.librewolf.enable = lib.mkDefault true; + + security.sudo.extraRules = [{ + commands = [ + { + command = "/run/current-system/sw/bin/nixos-container"; + options = [ "NOPASSWD" ]; + } + ]; + groups = [ "wheel" ]; + }]; } diff --git a/modules/nixos/configs/sound.nix b/modules/nixos/configs/sound.nix index 5306396..6242f7e 100644 --- a/modules/nixos/configs/sound.nix +++ b/modules/nixos/configs/sound.nix 
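Review bot: The `security.sudo.extraRules` entry added in modules/machine.nix lets every `wheel` member run `nixos-container` as root with `NOPASSWD`, and that tool is not limited to `run`: it also offers `root-login`, `create`, `destroy` and `update`, and NixOS itself warns that its containers are not a hard isolation boundary from the host, so this amounts to passwordless host root for any process running as a wheel user (a malicious script no longer meets the sudo prompt). Narrowing the rule to the exact wrapper invocation limits this, e.g. `command = "/run/current-system/sw/bin/nixos-container run browsers -- su -l kira -c *";` with one entry per container (sudoers' `*` matches across argument boundaries, so the wrapped program's own arguments still pass, but the subcommand and container name are pinned). Alternatively keep the password prompt and drop `NOPASSWD`, since the wrappers are launched interactively anyway. Either way a comment naming the wrapper scripts that depend on this rule belongs next to it.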
@@ -1,17 +1,35 @@ { config, pkgs, lib, ... }: +let + cfg = config.local.sound; +in { - options.local.sound.enable = lib.mkEnableOption "sound"; + options.local.sound = { + enable = lib.mkEnableOption "sound"; + systemWide = lib.mkEnableOption "systemWide"; + }; - config = lib.mkIf config.local.sound.enable { + config = lib.mkIf cfg.enable { sound = { enable = true; mediaKeys.enable = true; }; - hardware.pulseaudio = { - enable = true; - package = pkgs.pulseaudioFull; - }; + hardware.pulseaudio = lib.mkMerge [ + { + enable = true; + package = pkgs.pulseaudioFull; + } + (lib.mkIf cfg.systemWide { + systemWide = true; + support32Bit = true; + tcp = { + enable = true; + anonymousClients.allowedIpRanges = [ "127.0.0.1" ]; + }; + }) + ]; + + networking.firewall.allowedTCPPorts = lib.mkIf cfg.systemWide [ 4713 ]; }; } diff --git a/modules/nixos/programs/browsers/default.nix b/modules/nixos/programs/browsers/default.nix index a754c22..e945d60 100644 --- a/modules/nixos/programs/browsers/default.nix +++ b/modules/nixos/programs/browsers/default.nix @@ -3,9 +3,6 @@ let cfg = config.local.programs.browsers; - hostAddress = "192.168.7.10"; - localAddress = "192.168.7.11"; - contPackages = lib.optional cfg.tor-browser.enable cfg.tor-browser.package ++ lib.optional cfg.librewolf.enable cfg.librewolf.package @@ -14,11 +11,7 @@ let hostPackages = lib.flip map contPackages (p: let hostRunBrowser = pkgs.writeScript "cont-run-browser" '' - host=browsers.containers - if [ -z "$(ssh-keygen -F $host)" ]; then - ssh-keyscan -H $host >> ~/.ssh/known_hosts - fi - ssh -o PubkeyAuthentication=no kira@$host $@ + sudo nixos-container run browsers -- su -l kira -c $@ ''; hostBrowserScript = pkgs.writeScriptBin "${p.meta.mainProgram}" '' 
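Review bot: `networking.firewall.allowedTCPPorts = lib.mkIf cfg.systemWide [ 4713 ];` in sound.nix opens the PulseAudio native-protocol port on every interface, yet after this patch the only consumers are containers that share the host network namespace and connect to `tcp:127.0.0.1:4713`, and the NixOS firewall already accepts all traffic on `lo`. The rule therefore gains nothing locally while exposing the sound server to LAN and WireGuard peers; `anonymousClients.allowedIpRanges` only limits unauthenticated clients, cookie-authenticated connections from anywhere still reach the daemon. Drop the `allowedTCPPorts` line, or if remote clients are really wanted make that a separate explicit option. A comment like `# TCP listener exists only so containers in the host net namespace can reach 127.0.0.1:4713` would keep it from being re-opened later.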
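Review bot: In `hostRunBrowser`, `su -l kira -c $@` passes only the first word of the wrapper's arguments as the `-c` command and lets the container's login shell re-parse it: `$@` is unquoted and `su -c` takes a single string, so a URL or path containing spaces, `&`, `;` or `$` (for example one handed to the browser wrapper by a desktop URL handler) is split apart or interpreted as shell syntax running as `kira` instead of reaching the browser as an argument. Pass the arguments through as argv instead: `sudo nixos-container run browsers -- su -l kira -c 'exec "$0" "$@"' -- "$@"`. How `hostBrowserScript` invokes this script lies outside the hunk, so I cannot confirm what quoting it applies upstream, but the inner `-c $@` is unsafe regardless.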
@@ -46,43 +39,15 @@ in config = lib.mkIf isEnable { environment.systemPackages = hostPackages; - hardware.pulseaudio = { - systemWide = true; - support32Bit = true; - tcp = { - enable = true; - anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ]; - }; - }; - - networking = { - firewall = { - allowedTCPPorts = [ 4713 ]; - allowedTCPPortRanges = [ - { from = 3000; to = 3999; } - { from = 5000; to = 5999; } - { from = 8000; to = 9999; } - { from = 32000; to = 33999; } - ]; - trustedInterfaces = [ "ve-*" ]; - }; - nat = { - enable = true; - internalInterfaces = [ "ve-browsers" ]; - externalInterface = "wg0"; - }; - }; + local.sound.systemWide = true; containers.browsers = { autoStart = true; ephemeral = true; - privateNetwork = true; - inherit hostAddress localAddress; - bindMounts = lib.mkMerge [ { - "/tmp/.X11-unix" = {}; + "/tmp/.X11-unix" = { }; "/etc/ssh/keys" = { isReadOnly = false; hostPath = "/persistent/per-machine/browsers/etc/ssh/keys"; @@ -109,35 +74,11 @@ in config = { pkgs, ... }: { system.stateVersion = "23.11"; - # Inherit configs from host - networking.hosts = lib.mkMerge [ - config.networking.hosts - { "${hostAddress}" = [ "host" ]; } - ]; fonts = { inherit (config.fonts) enableDefaultPackages packages; fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; }; }; - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = true; - MaxAuthTries = 2; - }; - hostKeys = [ - { - bits = 4096; - path = "/etc/ssh/keys/ssh_host_rsa_key"; - type = "rsa"; - } - { - path = "/etc/ssh/keys/ssh_host_ed25519_key"; - type = "ed25519"; - } - ]; - }; - users.users.kira = { isNormalUser = true; home = "/home/kira"; @@ -148,7 +89,7 @@ in environment.sessionVariables = { DISPLAY = ":0"; - PULSE_SERVER = "tcp:${hostAddress}:4713"; + PULSE_SERVER = "tcp:127.0.0.1:4713"; }; }; }; diff --git a/modules/nixos/programs/communication/simplex-chat.nix b/modules/nixos/programs/communication/simplex-chat.nix index 64accb9..412f774 100644 
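Review bot: The browsers container keeps its writable `"/etc/ssh/keys"` bind mount (`isReadOnly = false`, backed by `/persistent/per-machine/browsers/etc/ssh/keys`) even though the `services.openssh` block that used those host keys is deleted in the next hunk of this file, and the skype and telegram containers drop their equivalent mounts in this same commit. That leaves a writable host directory holding private key material reachable from everything in the browser sandbox for no remaining purpose; remove the `"/etc/ssh/keys" = { ... };` entry and retire the persistent path. Separately, with `privateNetwork` gone the container shares the host's network namespace, so every host service bound to `127.0.0.1`, not just PulseAudio, becomes reachable from the browser; that is the trade-off the title announces, but a comment on `containers.browsers` such as `# shares the host net namespace: host loopback services are reachable from inside` would make it explicit.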
--- a/modules/nixos/programs/communication/simplex-chat.nix +++ b/modules/nixos/programs/communication/simplex-chat.nix @@ -15,7 +15,6 @@ in networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ 44000 ]; - trustedInterfaces = [ "wg0" ]; }; }; } diff --git a/modules/nixos/programs/communication/skype.nix b/modules/nixos/programs/communication/skype.nix index 80d1122..55e9268 100644 --- a/modules/nixos/programs/communication/skype.nix +++ b/modules/nixos/programs/communication/skype.nix @@ -4,15 +4,8 @@ let cfg = config.local.programs.communication.skype; - hostAddress = "192.168.7.10"; - localAddress = "192.168.7.20"; - hostRunPackage = pkgs.writeScript "cont-run" '' - host=skype.containers - if [ -z "$(ssh-keygen -F $host)" ]; then - ssh-keyscan -H $host >> ~/.ssh/known_hosts - fi - ssh -o PubkeyAuthentication=no kira@$host $@ + sudo nixos-container run skype su -l kira -c $@ ''; hostPackageScript = pkgs.writeScriptBin "${cfg.package.meta.mainProgram}" '' @@ -34,41 +27,15 @@ in config = lib.mkIf cfg.enable { environment.systemPackages = [ hostSkype ]; - hardware.pulseaudio = { - systemWide = true; - support32Bit = true; - tcp = { - enable = true; - anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ]; - }; - }; - - networking = { - firewall = { - allowedTCPPorts = [ 4713 ]; - trustedInterfaces = [ "ve-*" ]; - }; - nat = { - enable = true; - internalInterfaces = [ "ve-skype" ]; - externalInterface = "wg0"; - }; - }; + local.sound.systemWide = true; containers.skype = { autoStart = true; ephemeral = true; - privateNetwork = true; - inherit hostAddress localAddress; - bindMounts = lib.mkMerge [ { "/tmp/.X11-unix" = { }; - "/etc/ssh/keys" = { - isReadOnly = false; - hostPath = "/persistent/per-machine/skype/etc/ssh/keys"; - }; } (lib.mkIf config.hardware.graphics.enable { "/run/opengl-driver/lib" = { }; 
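Review bot: The skype wrapper `sudo nixos-container run skype su -l kira -c $@` omits the `--` separator that the browsers wrapper in this same commit uses (`run browsers -- su ...`), so `-l` and everything after it are presented to `nixos-container`'s own argument parsing rather than unambiguously to the inner command; whether that parser tolerates them I cannot confirm from here, but the two scripts should agree. The `-c $@` part has the same weakness as in browsers: `su -c` takes one string that the container shell re-parses, so arguments with spaces or shell metacharacters are split or executed as shell as `kira`. Suggested line: `sudo nixos-container run skype -- su -l kira -c 'exec "$0" "$@"' -- "$@"`.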
@@ -87,25 +54,6 @@ in fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; }; }; - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = true; - MaxAuthTries = 2; - }; - hostKeys = [ - { - bits = 4096; - path = "/etc/ssh/keys/ssh_host_rsa_key"; - type = "rsa"; - } - { - path = "/etc/ssh/keys/ssh_host_ed25519_key"; - type = "ed25519"; - } - ]; - }; - users.users.kira = { isNormalUser = true; home = "/home/kira"; @@ -116,7 +64,7 @@ in environment.sessionVariables = { DISPLAY = ":0"; - PULSE_SERVER = "tcp:${hostAddress}:4713"; + PULSE_SERVER = "tcp:127.0.0.1:4713"; }; }; }; diff --git a/modules/nixos/programs/communication/telegram.nix b/modules/nixos/programs/communication/telegram.nix index 94f4bf4..f3903eb 100644 --- a/modules/nixos/programs/communication/telegram.nix +++ b/modules/nixos/programs/communication/telegram.nix @@ -4,15 +4,8 @@ let cfg = config.local.programs.communication.telegram; - hostAddress = "192.168.7.10"; - localAddress = "192.168.7.21"; - hostRunPackage = pkgs.writeScript "cont-run" '' - host=telegram.containers - if [ -z "$(ssh-keygen -F $host)" ]; then - ssh-keyscan -H $host >> ~/.ssh/known_hosts - fi - ssh -o PubkeyAuthentication=no kira@$host $@ + sudo nixos-container run telegram su -l kira -c $@ ''; hostPackageScript = pkgs.writeScriptBin "${cfg.package.meta.mainProgram}" '' 
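Review bot: The telegram wrapper `sudo nixos-container run telegram su -l kira -c $@` has the same two problems as the skype one: no `--` before `su` (unlike the browsers wrapper), and `-c $@` hands a single string to the container shell for re-parsing, so arguments containing spaces or metacharacters are split or interpreted rather than delivered to the program. Suggested line: `sudo nixos-container run telegram -- su -l kira -c 'exec "$0" "$@"' -- "$@"`.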
@@ -34,41 +27,15 @@ in config = lib.mkIf cfg.enable { environment.systemPackages = [ hostTelegram ]; - hardware.pulseaudio = { - systemWide = true; - support32Bit = true; - tcp = { - enable = true; - anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ]; - }; - }; - - networking = { - firewall = { - allowedTCPPorts = [ 4713 ]; - trustedInterfaces = [ "ve-*" ]; - }; - nat = { - enable = true; - internalInterfaces = [ "ve-telegram" ]; - externalInterface = "wg0"; - }; - }; + local.sound.systemWide = true; containers.telegram = { autoStart = true; ephemeral = true; - privateNetwork = true; - inherit hostAddress localAddress; - bindMounts = lib.mkMerge [ { "/tmp/.X11-unix" = { }; - "/etc/ssh/keys" = { - isReadOnly = false; - hostPath = "/persistent/per-machine/telegram/etc/ssh/keys"; - }; } (lib.mkIf config.hardware.graphics.enable { "/run/opengl-driver/lib" = { }; @@ -86,25 +53,6 @@ in fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; }; }; - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = true; - MaxAuthTries = 2; - }; - hostKeys = [ - { - bits = 4096; - path = "/etc/ssh/keys/ssh_host_rsa_key"; - type = "rsa"; - } - { - path = "/etc/ssh/keys/ssh_host_ed25519_key"; - type = "ed25519"; - } - ]; - }; - users.users.kira = { isNormalUser = true; home = "/home/kira"; @@ -115,7 +63,7 @@ in environment.sessionVariables = { DISPLAY = ":0"; - PULSE_SERVER = "tcp:${hostAddress}:4713"; + PULSE_SERVER = "tcp:127.0.0.1:4713"; }; }; };
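Review bot: Removing `networking.nat` with `externalInterface = "wg0"` together with `privateNetwork` means the telegram container's traffic is no longer steered out through the WireGuard interface; in the shared namespace it simply follows the host routing table. If wg0 is the host's default route nothing changes, but if it is a split tunnel the messenger's traffic now leaves the host directly, and I cannot tell from the hunk which case applies. Please confirm, and if the VPN path matters either add a policy route for the container's user or state the assumption in a comment on `containers.telegram`, e.g. `# no private netns: egress follows host routing, no longer pinned to wg0`.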