modules: remove private network and ssh from containers

2024-09-27 23:13:34 +03:00 · 2024-09-27 23:13:34 +03:00 · 7f119a6844
commit 7f119a6844
parent c2b4b94f0e
9 changed files with 61 additions and 184 deletions
--- a/hosts/home/configuration.nix
+++ b/hosts/home/configuration.nix
@ -70,9 +70,17 @@
      "/tmp/.X11-unix" = { };
      "/run/opengl-driver/lib" = { };
      "/run/opengl-driver-32/lib" = { };
      "/dev/kfd" = { };
      "/dev/dri" = { };
    };
    allowedDevices = [
      {
        modifier = "r";
        node = "/dev/kfd";
      }
      {
        modifier = "r";
        node = "/dev/dri";
      }
    ];
    config = { pkgs, ... }: {
      nixpkgs.config.allowUnfree = true;
      system.stateVersion = "23.11";
@ -96,6 +104,8 @@
          innoextract
          vim
          unzip
          p7zip
          unrar-wrapper
          wget
        ];
      };
--- a/modules/home-manager/configs/window-manager/xmonad/default.nix
+++ b/modules/home-manager/configs/window-manager/xmonad/default.nix
@ -63,6 +63,7 @@ in
      xclip # access x clipboard from a console
      dmenu # menu for x window system
      nitrogen # wallpaper manager
      rofimoji # emoji picker
    ];
    programs.rofi.pass = {
--- a/modules/home-manager/configs/window-manager/xmonad/xmonad_config.hs
+++ b/modules/home-manager/configs/window-manager/xmonad/xmonad_config.hs
@ -283,7 +283,9 @@ myKeys conf =
        -- launch 'dmenu_run' to choose applications
        ("M-r", spawn "dmenu_run"),
        -- launch 'rofi-pass' to use password manager
-        ("M-p", spawn "rofi-pass --last-used")
+        ("M-p", spawn "rofi-pass --last-used"),
        -- launch 'rofimoji' to pick emoji
        ("M-e", spawn "rofimoji --action copy")
        -- Open calculator
        -- ("<XF86Calculator>", spawn "gnome-calculator"),
      ]
--- a/modules/machine.nix
+++ b/modules/machine.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 {
  imports = [ ./common.nix ];
@ -36,4 +36,14 @@
  local.programs.pass.enable = lib.mkDefault true;
  local.programs.browsers.librewolf.enable = lib.mkDefault true;
  security.sudo.extraRules = [{
    commands = [
      {
        command = "/run/current-system/sw/bin/nixos-container";
        options = [ "NOPASSWD" ];
      }
    ];
    groups = [ "wheel" ];
  }];
 }
--- a/modules/nixos/configs/sound.nix
+++ b/modules/nixos/configs/sound.nix
@ -1,17 +1,35 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.local.sound;
 in
 {
-  options.local.sound.enable = lib.mkEnableOption "sound";
+  options.local.sound = {
    enable = lib.mkEnableOption "sound";
    systemWide = lib.mkEnableOption "systemWide";
  };
-  config = lib.mkIf config.local.sound.enable {
+  config = lib.mkIf cfg.enable {
    sound = {
      enable = true;
      mediaKeys.enable = true;
    };
-    hardware.pulseaudio = {
+    hardware.pulseaudio = lib.mkMerge [
-      enable = true;
+      {
-      package = pkgs.pulseaudioFull;
+        enable = true;
-    };
+        package = pkgs.pulseaudioFull;
      }
      (lib.mkIf cfg.systemWide {
        systemWide = true;
        support32Bit = true;
        tcp = {
          enable = true;
          anonymousClients.allowedIpRanges = [ "127.0.0.1" ];
        };
      })
    ];
    networking.firewall.allowedTCPPorts = lib.mkIf cfg.systemWide [ 4713 ];
  };
 }
--- a/modules/nixos/programs/browsers/default.nix
+++ b/modules/nixos/programs/browsers/default.nix
@ -3,9 +3,6 @@
 let
  cfg = config.local.programs.browsers;
  hostAddress = "192.168.7.10";
  localAddress = "192.168.7.11";
  contPackages =
    lib.optional cfg.tor-browser.enable cfg.tor-browser.package
    ++ lib.optional cfg.librewolf.enable cfg.librewolf.package
@ -14,11 +11,7 @@ let
  hostPackages = lib.flip map contPackages (p:
    let
      hostRunBrowser = pkgs.writeScript "cont-run-browser" ''
-        host=browsers.containers
+        sudo nixos-container run browsers -- su -l kira -c $@
        if [ -z "$(ssh-keygen -F $host)" ]; then
          ssh-keyscan -H $host >> ~/.ssh/known_hosts
        fi
        ssh -o PubkeyAuthentication=no kira@$host $@
      '';
      hostBrowserScript = pkgs.writeScriptBin "${p.meta.mainProgram}" ''
@ -46,43 +39,15 @@ in
  config = lib.mkIf isEnable {
    environment.systemPackages = hostPackages;
-    hardware.pulseaudio = {
+    local.sound.systemWide = true;
      systemWide = true;
      support32Bit = true;
      tcp = {
        enable = true;
        anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
      };
    };
    networking = {
      firewall = {
        allowedTCPPorts = [ 4713 ];
        allowedTCPPortRanges = [
          { from = 3000; to = 3999; }
          { from = 5000; to = 5999; }
          { from = 8000; to = 9999; }
          { from = 32000; to = 33999; }
        ];
        trustedInterfaces = [ "ve-*" ];
      };
      nat = {
        enable = true;
        internalInterfaces = [ "ve-browsers" ];
        externalInterface = "wg0";
      };
    };
    containers.browsers = {
      autoStart = true;
      ephemeral = true;
      privateNetwork = true;
      inherit hostAddress localAddress;
      bindMounts = lib.mkMerge [
        {
-          "/tmp/.X11-unix" = {};
+          "/tmp/.X11-unix" = { };
          "/etc/ssh/keys" = {
            isReadOnly = false;
            hostPath = "/persistent/per-machine/browsers/etc/ssh/keys";
@ -109,35 +74,11 @@ in
      config = { pkgs, ... }: {
        system.stateVersion = "23.11";
        # Inherit configs from host
        networking.hosts = lib.mkMerge [
          config.networking.hosts
          { "${hostAddress}" = [ "host" ]; }
        ];
        fonts = {
          inherit (config.fonts) enableDefaultPackages packages;
          fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; };
        };
        services.openssh = {
          enable = true;
          settings = {
            PasswordAuthentication = true;
            MaxAuthTries = 2;
          };
          hostKeys = [
            {
              bits = 4096;
              path = "/etc/ssh/keys/ssh_host_rsa_key";
              type = "rsa";
            }
            {
              path = "/etc/ssh/keys/ssh_host_ed25519_key";
              type = "ed25519";
            }
          ];
        };
        users.users.kira = {
          isNormalUser = true;
          home = "/home/kira";
@ -148,7 +89,7 @@ in
        environment.sessionVariables = {
          DISPLAY = ":0";
-          PULSE_SERVER = "tcp:${hostAddress}:4713";
+          PULSE_SERVER = "tcp:127.0.0.1:4713";
        };
      };
    };
--- a/modules/nixos/programs/communication/simplex-chat.nix
+++ b/modules/nixos/programs/communication/simplex-chat.nix
@ -15,7 +15,6 @@ in
    networking.firewall = lib.mkIf cfg.openFirewall {
      allowedTCPPorts = [ 44000 ];
      trustedInterfaces = [ "wg0" ];
    };
  };
 }
--- a/modules/nixos/programs/communication/skype.nix
+++ b/modules/nixos/programs/communication/skype.nix
@ -4,15 +4,8 @@
 let
  cfg = config.local.programs.communication.skype;
  hostAddress = "192.168.7.10";
  localAddress = "192.168.7.20";
  hostRunPackage = pkgs.writeScript "cont-run" ''
-    host=skype.containers
+    sudo nixos-container run skype su -l kira -c $@
    if [ -z "$(ssh-keygen -F $host)" ]; then
      ssh-keyscan -H $host >> ~/.ssh/known_hosts
    fi
    ssh -o PubkeyAuthentication=no kira@$host $@
  '';
  hostPackageScript = pkgs.writeScriptBin "${cfg.package.meta.mainProgram}" ''
@ -34,41 +27,15 @@ in
  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ hostSkype ];
-    hardware.pulseaudio = {
+    local.sound.systemWide = true;
      systemWide = true;
      support32Bit = true;
      tcp = {
        enable = true;
        anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
      };
    };
    networking = {
      firewall = {
        allowedTCPPorts = [ 4713 ];
        trustedInterfaces = [ "ve-*" ];
      };
      nat = {
        enable = true;
        internalInterfaces = [ "ve-skype" ];
        externalInterface = "wg0";
      };
    };
    containers.skype = {
      autoStart = true;
      ephemeral = true;
      privateNetwork = true;
      inherit hostAddress localAddress;
      bindMounts = lib.mkMerge [
        {
          "/tmp/.X11-unix" = { };
          "/etc/ssh/keys" = {
            isReadOnly = false;
            hostPath = "/persistent/per-machine/skype/etc/ssh/keys";
          };
        }
        (lib.mkIf config.hardware.graphics.enable {
          "/run/opengl-driver/lib" = { };
@ -87,25 +54,6 @@ in
          fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; };
        };
        services.openssh = {
          enable = true;
          settings = {
            PasswordAuthentication = true;
            MaxAuthTries = 2;
          };
          hostKeys = [
            {
              bits = 4096;
              path = "/etc/ssh/keys/ssh_host_rsa_key";
              type = "rsa";
            }
            {
              path = "/etc/ssh/keys/ssh_host_ed25519_key";
              type = "ed25519";
            }
          ];
        };
        users.users.kira = {
          isNormalUser = true;
          home = "/home/kira";
@ -116,7 +64,7 @@ in
        environment.sessionVariables = {
          DISPLAY = ":0";
-          PULSE_SERVER = "tcp:${hostAddress}:4713";
+          PULSE_SERVER = "tcp:127.0.0.1:4713";
        };
      };
    };
--- a/modules/nixos/programs/communication/telegram.nix
+++ b/modules/nixos/programs/communication/telegram.nix
@ -4,15 +4,8 @@
 let
  cfg = config.local.programs.communication.telegram;
  hostAddress = "192.168.7.10";
  localAddress = "192.168.7.21";
  hostRunPackage = pkgs.writeScript "cont-run" ''
-    host=telegram.containers
+    sudo nixos-container run telegram su -l kira -c $@
    if [ -z "$(ssh-keygen -F $host)" ]; then
      ssh-keyscan -H $host >> ~/.ssh/known_hosts
    fi
    ssh -o PubkeyAuthentication=no kira@$host $@
  '';
  hostPackageScript = pkgs.writeScriptBin "${cfg.package.meta.mainProgram}" ''
@ -34,41 +27,15 @@ in
  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ hostTelegram ];
-    hardware.pulseaudio = {
+    local.sound.systemWide = true;
      systemWide = true;
      support32Bit = true;
      tcp = {
        enable = true;
        anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
      };
    };
    networking = {
      firewall = {
        allowedTCPPorts = [ 4713 ];
        trustedInterfaces = [ "ve-*" ];
      };
      nat = {
        enable = true;
        internalInterfaces = [ "ve-telegram" ];
        externalInterface = "wg0";
      };
    };
    containers.telegram = {
      autoStart = true;
      ephemeral = true;
      privateNetwork = true;
      inherit hostAddress localAddress;
      bindMounts = lib.mkMerge [
        {
          "/tmp/.X11-unix" = { };
          "/etc/ssh/keys" = {
            isReadOnly = false;
            hostPath = "/persistent/per-machine/telegram/etc/ssh/keys";
          };
        }
        (lib.mkIf config.hardware.graphics.enable {
          "/run/opengl-driver/lib" = { };
@ -86,25 +53,6 @@ in
          fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; };
        };
        services.openssh = {
          enable = true;
          settings = {
            PasswordAuthentication = true;
            MaxAuthTries = 2;
          };
          hostKeys = [
            {
              bits = 4096;
              path = "/etc/ssh/keys/ssh_host_rsa_key";
              type = "rsa";
            }
            {
              path = "/etc/ssh/keys/ssh_host_ed25519_key";
              type = "ed25519";
            }
          ];
        };
        users.users.kira = {
          isNormalUser = true;
          home = "/home/kira";
@ -115,7 +63,7 @@ in
        environment.sessionVariables = {
          DISPLAY = ":0";
-          PULSE_SERVER = "tcp:${hostAddress}:4713";
+          PULSE_SERVER = "tcp:127.0.0.1:4713";
        };
      };
    };