mooooore stuffs

2026-04-11 00:26:51 -04:00
parent 6c728033f2
commit 128e85d98e
10 changed files with 184 additions and 6 deletions
@@ -26,6 +26,25 @@
    netcat
    neovim
    firefox
-  ];
+  ]
      ++ (
      with lib; let
        # this function extracts the base file name from a path.
        basename = path: lib.lists.last (lib.strings.splitString "/" (toString path));
        files = lib.filesystem.listFilesRecursive ./scripts;
      in
        # for each script found, create a derivation installed in $PATH
        lib.lists.forEach files (
          file: let
            scriptName = strings.removeSuffix ".sh" (basename file);
          in
            pkgs.writeScriptBin
            # (basename file) # the new package's name
            scriptName
            (builtins.readFile file)
        )
    );
 }
@@ -0,0 +1,47 @@
 #!/usr/bin/env bash
 set -euo pipefail
 USER="$1"
 KEYFILE="$2"
 CONTAINER="lxc-${USER}"
 echo "Creating LXC container ${CONTAINER}..."
 lxc-create -n "$CONTAINER" -t download -- -d ubuntu -r noble -a amd64
 # start it
 lxc-start -n "$CONTAINER"
 # wait for networking
 sleep 5
 # set root password, install SSH, inject key
 lxc-attach -n "$CONTAINER" -- bash -c "
  apt-get update && apt-get install -y openssh-server
  mkdir -p /root/.ssh
  chmod 700 /root/.ssh
  sed -i 's/#PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
  systemctl enable ssh
  systemctl restart ssh
 "
 # push the key in
 cat "$KEYFILE" | lxc-attach -n "$CONTAINER" -- tee /root/.ssh/authorized_keys > /dev/null
 lxc-attach -n "$CONTAINER" -- chmod 600 /root/.ssh/authorized_keys
 # auto-start on boot
 echo "lxc.start.auto = 1" >> "/var/lib/lxc/${CONTAINER}/config"
 # get container IP
 CONTAINER_IP=$(lxc-info -n "$CONTAINER" -iH | head -1)
 # create host user that maps to this container
 useradd -m -s /bin/bash -G labmates "$USER" 2>/dev/null || true
 mkdir -p "/home/${USER}/.ssh"
 cp "$KEYFILE" "/home/${USER}/.ssh/authorized_keys"
 chown -R "${USER}:${USER}" "/home/${USER}/.ssh"
 chmod 700 "/home/${USER}/.ssh"
 # store mapping
 echo "$CONTAINER" > "/home/${USER}/.lxc-container"
 echo "Done. ${USER} SSH -> root@${CONTAINER} (${CONTAINER_IP})"
@@ -0,0 +1,11 @@
 #!/usr/bin/env bash
 set -euo pipefail
 USER="$1"
 CONTAINER=$(cat "/home/${USER}/.lxc-container" 2>/dev/null)
 # [[ -n "$CONTAINER" ]] && lxc-stop -n "$CONTAINER" 2>/dev/null; lxc-destroy -n "$CONTAINER"
 if [[ -n "$CONTAINER" ]]; then
  lxc-stop -n "$CONTAINER" 2>/dev/null
  lxc-destroy -n "$CONTAINER"
 fi
 userdel -r "$USER" 2>/dev/null || true
 echo "Removed ${USER} and ${CONTAINER}"
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 printf "%-15s %-20s %-16s %s\n" "USER" "CONTAINER" "IP" "STATE"
 for f in /home/*/.lxc-container; do
  [[ -f "$f" ]] || continue
  U=$(basename "$(dirname "$f")")
  C=$(cat "$f")
  IP=$(lxc-info -n "$C" -iH 2>/dev/null | head -1)
  STATE=$(lxc-info -n "$C" -sH 2>/dev/null)
  printf "%-15s %-20s %-16s %s\n" "$U" "$C" "${IP:-n/a}" "${STATE:-n/a}"
 done
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 # CONTAINER=$(cat "/home/${USER}/.lxc-container" 2>/dev/null)
 CONTAINER=$(cat "/home/$(whoami)/.lxc-container" 2>/dev/null)
 if [[ -z "$CONTAINER" ]]; then
  echo "No container assigned. Contact admin."
  exit 1
 fi
 # ensure running
 lxc-start -n "$CONTAINER" 2>/dev/null || true
 if [[ -n "$SSH_ORIGINAL_COMMAND" ]]; then
  exec lxc-attach -n "$CONTAINER" -- bash -c "$SSH_ORIGINAL_COMMAND"
 else
  exec lxc-attach -n "$CONTAINER" -- login -f root
 fi
@@ -13,10 +13,10 @@
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  # fileSystems."/" =
+  fileSystems."/" =
-    # { device = "/dev/disk/by-uuid/05ca9d56-3506-43c5-b9ec-be928b782996";
+    { device = "/dev/disk/by-uuid/05ca9d56-3506-43c5-b9ec-be928b782996";
-      # fsType = "ext4";
+      fsType = "ext4";
-    # };
+    };
  # fileSystems."/home/synchronous/.agenix/agenix.d" =
    # { device = "none";
@@ -0,0 +1,5 @@
 lxc.net.0.type = veth
 lxc.net.0.link = br0
 lxc.net.0.flags = up
 lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
 lxc.apparmor.profile = unconfined
@@ -0,0 +1,68 @@
 # system/lxc.nix
 { config, pkgs, ... }: {
  virtualisation.lxc = {
    enable = true;
    lxcfs.enable = true;
  };
  networking.bridges.br0.interfaces = [];
  networking.interfaces.br0.ipv4.addresses = [{
    address = "10.100.0.1";
    prefixLength = 24;
  }];
  # wildcard masquerade — no need to specify external interface per host
  networking.nat.enable = false;
  networking.nftables.enable = true;
  networking.nftables.tables.lab-nat = {
    family = "ip";
    content = ''
      chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.100.0.0/24 oifname != "br0" masquerade
      }
    '';
  };
  # IP forwarding
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  # DHCP for containers on the bridge
  services.dnsmasq = {
    enable = true;
    settings = {
      interface = "br0";
      bind-interfaces = true;
      dhcp-range = "10.100.0.10,10.100.0.200,24h";
      dhcp-option = [ "3,10.100.0.1" "6,8.8.8.8,1.1.1.1" ];
    };
  };
  # labmates get dropped into their container
  services.openssh.extraConfig = ''
    Match Group labmates
      ForceCommand /usr/local/bin/lxc-login
      AllowTcpForwarding no
      X11Forwarding no
  '';
  users.groups.labmates = {};
  environment.systemPackages = with pkgs; [
    lxc
    lxc-templates
    debootstrap
    bridge-utils
  ];
  environment.etc."lxc/default.conf".text = ''
    lxc.net.0.type = veth
    lxc.net.0.link = br0
    lxc.net.0.flags = up
    lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
    lxc.apparmor.profile = unconfined
  '';
  environment.etc."local/bin/lxc-login".source = ../home/scripts/lxc/lxc-login.sh;
  environment.etc."local/bin/lxc-login".mode = "0755";
 }
@@ -5,7 +5,8 @@
 }: {
  imports = [
    ./ssh.nix
-    ./disko-config.nix
+    ./lxc.nix
    # ./disko-config.nix
  ];
  # Set your time zone.