modules: remove private network and ssh from containers

This commit is contained in:
Dmitriy Pleshevskiy 2024-09-27 23:13:34 +03:00
parent c2b4b94f0e
commit 7f119a6844
Signed by: pleshevskiy
GPG key ID: 17041163DA10A9A2
9 changed files with 61 additions and 184 deletions

View file

@ -70,9 +70,17 @@
"/tmp/.X11-unix" = { }; "/tmp/.X11-unix" = { };
"/run/opengl-driver/lib" = { }; "/run/opengl-driver/lib" = { };
"/run/opengl-driver-32/lib" = { }; "/run/opengl-driver-32/lib" = { };
"/dev/kfd" = { };
"/dev/dri" = { };
}; };
allowedDevices = [
{
modifier = "r";
node = "/dev/kfd";
}
{
modifier = "r";
node = "/dev/dri";
}
];
config = { pkgs, ... }: { config = { pkgs, ... }: {
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
system.stateVersion = "23.11"; system.stateVersion = "23.11";
@ -96,6 +104,8 @@
innoextract innoextract
vim vim
unzip unzip
p7zip
unrar-wrapper
wget wget
]; ];
}; };

View file

@ -63,6 +63,7 @@ in
xclip # access x clipboard from a console xclip # access x clipboard from a console
dmenu # menu for x window system dmenu # menu for x window system
nitrogen # wallpaper manager nitrogen # wallpaper manager
rofimoji # emoji picker
]; ];
programs.rofi.pass = { programs.rofi.pass = {

View file

@ -283,7 +283,9 @@ myKeys conf =
-- launch 'dmenu_run' to choose applications -- launch 'dmenu_run' to choose applications
("M-r", spawn "dmenu_run"), ("M-r", spawn "dmenu_run"),
-- launch 'rofi-pass' to use password manager -- launch 'rofi-pass' to use password manager
("M-p", spawn "rofi-pass --last-used") ("M-p", spawn "rofi-pass --last-used"),
-- launch 'rofimoji' to pick emoji
("M-e", spawn "rofimoji --action copy")
-- Open calculator -- Open calculator
-- ("<XF86Calculator>", spawn "gnome-calculator"), -- ("<XF86Calculator>", spawn "gnome-calculator"),
] ]

View file

@ -1,4 +1,4 @@
{ lib, ... }: { lib, pkgs, ... }:
{ {
imports = [ ./common.nix ]; imports = [ ./common.nix ];
@ -36,4 +36,14 @@
local.programs.pass.enable = lib.mkDefault true; local.programs.pass.enable = lib.mkDefault true;
local.programs.browsers.librewolf.enable = lib.mkDefault true; local.programs.browsers.librewolf.enable = lib.mkDefault true;
security.sudo.extraRules = [{
commands = [
{
command = "/run/current-system/sw/bin/nixos-container";
options = [ "NOPASSWD" ];
}
];
groups = [ "wheel" ];
}];
} }

View file

@ -1,17 +1,35 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
cfg = config.local.sound;
in
{ {
options.local.sound.enable = lib.mkEnableOption "sound"; options.local.sound = {
enable = lib.mkEnableOption "sound";
systemWide = lib.mkEnableOption "systemWide";
};
config = lib.mkIf config.local.sound.enable { config = lib.mkIf cfg.enable {
sound = { sound = {
enable = true; enable = true;
mediaKeys.enable = true; mediaKeys.enable = true;
}; };
hardware.pulseaudio = { hardware.pulseaudio = lib.mkMerge [
{
enable = true; enable = true;
package = pkgs.pulseaudioFull; package = pkgs.pulseaudioFull;
}
(lib.mkIf cfg.systemWide {
systemWide = true;
support32Bit = true;
tcp = {
enable = true;
anonymousClients.allowedIpRanges = [ "127.0.0.1" ];
}; };
})
];
networking.firewall.allowedTCPPorts = lib.mkIf cfg.systemWide [ 4713 ];
}; };
} }

View file

@ -3,9 +3,6 @@
let let
cfg = config.local.programs.browsers; cfg = config.local.programs.browsers;
hostAddress = "192.168.7.10";
localAddress = "192.168.7.11";
contPackages = contPackages =
lib.optional cfg.tor-browser.enable cfg.tor-browser.package lib.optional cfg.tor-browser.enable cfg.tor-browser.package
++ lib.optional cfg.librewolf.enable cfg.librewolf.package ++ lib.optional cfg.librewolf.enable cfg.librewolf.package
@ -14,11 +11,7 @@ let
hostPackages = lib.flip map contPackages (p: hostPackages = lib.flip map contPackages (p:
let let
hostRunBrowser = pkgs.writeScript "cont-run-browser" '' hostRunBrowser = pkgs.writeScript "cont-run-browser" ''
host=browsers.containers sudo nixos-container run browsers -- su -l kira -c $@
if [ -z "$(ssh-keygen -F $host)" ]; then
ssh-keyscan -H $host >> ~/.ssh/known_hosts
fi
ssh -o PubkeyAuthentication=no kira@$host $@
''; '';
hostBrowserScript = pkgs.writeScriptBin "${p.meta.mainProgram}" '' hostBrowserScript = pkgs.writeScriptBin "${p.meta.mainProgram}" ''
@ -46,40 +39,12 @@ in
config = lib.mkIf isEnable { config = lib.mkIf isEnable {
environment.systemPackages = hostPackages; environment.systemPackages = hostPackages;
hardware.pulseaudio = { local.sound.systemWide = true;
systemWide = true;
support32Bit = true;
tcp = {
enable = true;
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
};
};
networking = {
firewall = {
allowedTCPPorts = [ 4713 ];
allowedTCPPortRanges = [
{ from = 3000; to = 3999; }
{ from = 5000; to = 5999; }
{ from = 8000; to = 9999; }
{ from = 32000; to = 33999; }
];
trustedInterfaces = [ "ve-*" ];
};
nat = {
enable = true;
internalInterfaces = [ "ve-browsers" ];
externalInterface = "wg0";
};
};
containers.browsers = { containers.browsers = {
autoStart = true; autoStart = true;
ephemeral = true; ephemeral = true;
privateNetwork = true;
inherit hostAddress localAddress;
bindMounts = lib.mkMerge [ bindMounts = lib.mkMerge [
{ {
"/tmp/.X11-unix" = { }; "/tmp/.X11-unix" = { };
@ -109,35 +74,11 @@ in
config = { pkgs, ... }: { config = { pkgs, ... }: {
system.stateVersion = "23.11"; system.stateVersion = "23.11";
# Inherit configs from host
networking.hosts = lib.mkMerge [
config.networking.hosts
{ "${hostAddress}" = [ "host" ]; }
];
fonts = { fonts = {
inherit (config.fonts) enableDefaultPackages packages; inherit (config.fonts) enableDefaultPackages packages;
fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; }; fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; };
}; };
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = true;
MaxAuthTries = 2;
};
hostKeys = [
{
bits = 4096;
path = "/etc/ssh/keys/ssh_host_rsa_key";
type = "rsa";
}
{
path = "/etc/ssh/keys/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
users.users.kira = { users.users.kira = {
isNormalUser = true; isNormalUser = true;
home = "/home/kira"; home = "/home/kira";
@ -148,7 +89,7 @@ in
environment.sessionVariables = { environment.sessionVariables = {
DISPLAY = ":0"; DISPLAY = ":0";
PULSE_SERVER = "tcp:${hostAddress}:4713"; PULSE_SERVER = "tcp:127.0.0.1:4713";
}; };
}; };
}; };

View file

@ -15,7 +15,6 @@ in
networking.firewall = lib.mkIf cfg.openFirewall { networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ 44000 ]; allowedTCPPorts = [ 44000 ];
trustedInterfaces = [ "wg0" ];
}; };
}; };
} }

View file

@ -4,15 +4,8 @@
let let
cfg = config.local.programs.communication.skype; cfg = config.local.programs.communication.skype;
hostAddress = "192.168.7.10";
localAddress = "192.168.7.20";
hostRunPackage = pkgs.writeScript "cont-run" '' hostRunPackage = pkgs.writeScript "cont-run" ''
host=skype.containers sudo nixos-container run skype su -l kira -c $@
if [ -z "$(ssh-keygen -F $host)" ]; then
ssh-keyscan -H $host >> ~/.ssh/known_hosts
fi
ssh -o PubkeyAuthentication=no kira@$host $@
''; '';
hostPackageScript = pkgs.writeScriptBin "${cfg.package.meta.mainProgram}" '' hostPackageScript = pkgs.writeScriptBin "${cfg.package.meta.mainProgram}" ''
@ -34,41 +27,15 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = [ hostSkype ]; environment.systemPackages = [ hostSkype ];
hardware.pulseaudio = { local.sound.systemWide = true;
systemWide = true;
support32Bit = true;
tcp = {
enable = true;
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
};
};
networking = {
firewall = {
allowedTCPPorts = [ 4713 ];
trustedInterfaces = [ "ve-*" ];
};
nat = {
enable = true;
internalInterfaces = [ "ve-skype" ];
externalInterface = "wg0";
};
};
containers.skype = { containers.skype = {
autoStart = true; autoStart = true;
ephemeral = true; ephemeral = true;
privateNetwork = true;
inherit hostAddress localAddress;
bindMounts = lib.mkMerge [ bindMounts = lib.mkMerge [
{ {
"/tmp/.X11-unix" = { }; "/tmp/.X11-unix" = { };
"/etc/ssh/keys" = {
isReadOnly = false;
hostPath = "/persistent/per-machine/skype/etc/ssh/keys";
};
} }
(lib.mkIf config.hardware.graphics.enable { (lib.mkIf config.hardware.graphics.enable {
"/run/opengl-driver/lib" = { }; "/run/opengl-driver/lib" = { };
@ -87,25 +54,6 @@ in
fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; }; fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; };
}; };
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = true;
MaxAuthTries = 2;
};
hostKeys = [
{
bits = 4096;
path = "/etc/ssh/keys/ssh_host_rsa_key";
type = "rsa";
}
{
path = "/etc/ssh/keys/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
users.users.kira = { users.users.kira = {
isNormalUser = true; isNormalUser = true;
home = "/home/kira"; home = "/home/kira";
@ -116,7 +64,7 @@ in
environment.sessionVariables = { environment.sessionVariables = {
DISPLAY = ":0"; DISPLAY = ":0";
PULSE_SERVER = "tcp:${hostAddress}:4713"; PULSE_SERVER = "tcp:127.0.0.1:4713";
}; };
}; };
}; };

View file

@ -4,15 +4,8 @@
let let
cfg = config.local.programs.communication.telegram; cfg = config.local.programs.communication.telegram;
hostAddress = "192.168.7.10";
localAddress = "192.168.7.21";
hostRunPackage = pkgs.writeScript "cont-run" '' hostRunPackage = pkgs.writeScript "cont-run" ''
host=telegram.containers sudo nixos-container run telegram su -l kira -c $@
if [ -z "$(ssh-keygen -F $host)" ]; then
ssh-keyscan -H $host >> ~/.ssh/known_hosts
fi
ssh -o PubkeyAuthentication=no kira@$host $@
''; '';
hostPackageScript = pkgs.writeScriptBin "${cfg.package.meta.mainProgram}" '' hostPackageScript = pkgs.writeScriptBin "${cfg.package.meta.mainProgram}" ''
@ -34,41 +27,15 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = [ hostTelegram ]; environment.systemPackages = [ hostTelegram ];
hardware.pulseaudio = { local.sound.systemWide = true;
systemWide = true;
support32Bit = true;
tcp = {
enable = true;
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
};
};
networking = {
firewall = {
allowedTCPPorts = [ 4713 ];
trustedInterfaces = [ "ve-*" ];
};
nat = {
enable = true;
internalInterfaces = [ "ve-telegram" ];
externalInterface = "wg0";
};
};
containers.telegram = { containers.telegram = {
autoStart = true; autoStart = true;
ephemeral = true; ephemeral = true;
privateNetwork = true;
inherit hostAddress localAddress;
bindMounts = lib.mkMerge [ bindMounts = lib.mkMerge [
{ {
"/tmp/.X11-unix" = { }; "/tmp/.X11-unix" = { };
"/etc/ssh/keys" = {
isReadOnly = false;
hostPath = "/persistent/per-machine/telegram/etc/ssh/keys";
};
} }
(lib.mkIf config.hardware.graphics.enable { (lib.mkIf config.hardware.graphics.enable {
"/run/opengl-driver/lib" = { }; "/run/opengl-driver/lib" = { };
@ -86,25 +53,6 @@ in
fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; }; fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; };
}; };
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = true;
MaxAuthTries = 2;
};
hostKeys = [
{
bits = 4096;
path = "/etc/ssh/keys/ssh_host_rsa_key";
type = "rsa";
}
{
path = "/etc/ssh/keys/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
users.users.kira = { users.users.kira = {
isNormalUser = true; isNormalUser = true;
home = "/home/kira"; home = "/home/kira";
@ -115,7 +63,7 @@ in
environment.sessionVariables = { environment.sessionVariables = {
DISPLAY = ":0"; DISPLAY = ":0";
PULSE_SERVER = "tcp:${hostAddress}:4713"; PULSE_SERVER = "tcp:127.0.0.1:4713";
}; };
}; };
}; };