From 1eceee7c6acc648e578ee7c2b1f9bc3fc74198e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Sat, 23 Mar 2024 19:30:17 +0100
Subject: [PATCH] modules/system/settei: containers module
---
modules/system/settei/containers.nix | 116 +++++++++++++++++++++++++++
modules/system/settei/default.nix | 1 +
2 files changed, 117 insertions(+)
create mode 100644 modules/system/settei/containers.nix
diff --git a/modules/system/settei/containers.nix b/modules/system/settei/containers.nix
new file mode 100644
index 0000000..58c7184
--- /dev/null
+++ b/modules/system/settei/containers.nix
@@ -0,0 +1,116 @@
+{ isLinux }:
+{
+ config,
+ options,
+ lib,
+ ...
+}:
+let
+ containerModule =
+ { name, ... }:
+ {
+ options = {
+ config = lib.mkOption { type = lib.types.deferredModule; };
+ hostAddress = lib.mkOption {
+ type = lib.types.str;
+ readOnly = true;
+ };
+ localAddress = lib.mkOption {
+ type = lib.types.str;
+ readOnly = true;
+ };
+ hostAddress6 = lib.mkOption {
+ type = lib.types.str;
+ readOnly = true;
+ };
+ localAddress6 = lib.mkOption {
+ type = lib.types.str;
+ readOnly = true;
+ };
+ autoStart = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ };
+ bindMounts = lib.mkOption {
+ type =
+ with lib.types;
+ attrsOf (submodule {
+ options = {
+ hostPath = lib.mkOption {
+ default = null;
+ example = "/home/alice";
+ type = nullOr str;
+ description = lib.mdDoc "Location of the host path to be mounted.";
+ };
+ isReadOnly = lib.mkOption {
+ default = true;
+ type = bool;
+ description = lib.mdDoc "Determine whether the mounted path will be accessed in read-only mode.";
+ };
+ };
+ });
+ default = { };
+ };
+ };
+
+ config =
+ let
+ fullHash = builtins.hashString "sha256" name;
+ getByte =
+ idx:
+ let
+ i = idx * 2;
+ s = builtins.substring i 2 fullHash;
+ in
+ (builtins.fromTOML "value = 0x${s}").value;
+ netAddr = lib.genList getByte 2;
+ net4 = "10.${lib.concatMapStringsSep "." toString netAddr}";
+ net6 = "fc00:${lib.concatMapStrings lib.toHexString netAddr}:";
+ in
+ {
+ hostAddress = "${net4}.1";
+ localAddress = "${net4}.2";
+ hostAddress6 = "${net6}:1";
+ localAddress6 = "${net6}:2";
+ };
+ };
+
+ linuxConfig = lib.optionalAttrs isLinux {
+ containers = lib.mapAttrs (
+ _: container:
+ container
+ // {
+ config = {
+ imports = [ container.config ];
+
+ services.openssh.hostKeys = [ ];
+ system.stateVersion = lib.mkDefault config.system.stateVersion;
+ };
+
+ bindMounts = {
+ # Pass in host's system key to allow decrypting secrets inside containers
+ "/etc/ssh/ssh_host_ed25519_key" = { };
+ } // container.bindMounts;
+
+ privateNetwork = lib.mkForce true;
+ }
+ ) config.settei.containers;
+ };
+
+ darwinConfig = lib.optionalAttrs (!isLinux) {
+ warnings = lib.optional options.settei.containers.isDefined "settei.containers doesn't do anything on darwin yet";
+ };
+in
+{
+ _file = ./containers.nix;
+
+ options.settei.containers = lib.mkOption {
+ type = with lib.types; attrsOf (submodule containerModule);
+ default = { };
+ };
+
+ config = lib.mkMerge [
+ linuxConfig
+ darwinConfig
+ ];
+}
diff --git a/modules/system/settei/default.nix b/modules/system/settei/default.nix
index 479e222..648f5b5 100644
--- a/modules/system/settei/default.nix
+++ b/modules/system/settei/default.nix
@@ -19,6 +19,7 @@
./user.nix
(import ./programs { inherit isLinux; })
(import ./tailscale.nix { inherit isLinux; })
+ (import ./containers.nix { inherit isLinux; })
];
options.settei = with lib; {
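Review bot: The default `bindMounts` entry in `linuxConfig` exposes `/etc/ssh/ssh_host_ed25519_key` — the host's private key — to every container, so compromising any one container yields the host's SSH identity and, per the existing comment, its secret-decryption key; the mount is read-only by default, but that blast radius belongs next to it, e.g. `# Every container can read the host's private key: a compromised container can impersonate the host and decrypt its secrets.` Combined with the injected `services.openssh.hostKeys = [ ]`, an sshd enabled inside a container would presumably fall back to the default key path and present the host's identity, which is worth confirming and noting in the same comment. Separately, `net6` is built with `lib.toHexString`, which does not zero-pad, so byte pairs such as (0x05, 0xFF) and (0x5F, 0x0F) both produce `fc00:5FF:`; `net6 = "fc00:${lib.concatMapStrings (b: lib.fixedWidthString 2 "0" (lib.toHexString b)) netAddr}:";` keeps the prefix one-to-one with the hash bytes. Neither derivation checks that two container names hash to the same leading bytes, which under the forced `privateNetwork` would give both containers identical host/local addresses; an `assertions` entry comparing the length of `lib.unique` over the derived `hostAddress` values with the number of containers would catch that at evaluation time.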