infra/localhost
1
0
Fork 0
Code Releases Activity

Implements docker-based fhs env wrapper

Browse Source
This commit is contained in:
dump_stack() 2019-07-05 19:43:28 +00:00
parent 33bee58e3e
commit 76aecfccf6
Signed by: dump_stack
GPG Key ID: BE44DA8C062D87DC
4 changed files with 43 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
configuration.nix
View File

@ -15,6 +15,7 @@ in {
./desktop.nix ./desktop.nix
./security.nix ./security.nix
./hacks.nix ./hacks.nix
./docker.nix
]; ];
time.timeZone = "UTC"; time.timeZone = "UTC";

36
docker.nix Normal file
View File

@ -0,0 +1,36 @@
{ config, pkgs, ... }:
{
systemd = {
services = {
"docker-build-fhs" = {
enable = true;
description = "Create fhs docker container";
wantedBy = [ "multi-user.target" ];
script = ''
mkdir -p /var/docker-fhs && cd /var/docker-fhs
cat > Dockerfile <<EOF
FROM ubuntu:devel
ENV DEBIAN_FRONTEND noninteractive
RUN apt update && apt upgrade -y
RUN apt install -y git libssl-dev bison flex bc build-essential
RUN apt install -y libelf-dev python python3 zsh repo
RUN groupmod users -g 100
RUN useradd user -u 1000 -g 100 -s /bin/zsh
RUN echo 'cd \$HOST_PWD' >> /etc/zsh/zshrc
CMD bash -c 'su user'
EOF
${pkgs.docker}/bin/docker build -t fhs .
'';
serviceConfig.Type = "oneshot";
};
};
};
}

18
hacks.nix
View File

@ -10,22 +10,4 @@
}; };
boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65; boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
systemd = {
services = {
"sid-chroot-mounts" = {
enable = true;
description = "Setup mounts for debian sid chroot";
wantedBy = [ "multi-user.target" ];
script = ''
ls /home/user/chroots/sid-root/home/user/.zshrc && exit
${pkgs.utillinux}/bin/mount --bind /home/user /home/user/chroots/sid-root/home/user
${pkgs.utillinux}/bin/mount --bind /dev /home/user/chroots/sid-root/dev
${pkgs.utillinux}/bin/mount --bind /proc /home/user/chroots/sid-root/proc
${pkgs.utillinux}/bin/mount --bind /sys /home/user/chroots/sid-root/sys
'';
serviceConfig.Type = "oneshot";
};
};
};
} }

7
security.nix
View File

@ -1,6 +1,9 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ let
fhs = pkgs.writeShellScriptBin "fhs"
"${pkgs.docker}/bin/docker run -v /home/user:/home/user -e \"HOST_PWD=$PWD\" -it fhs";
in {
security.allowUserNamespaces = true; security.allowUserNamespaces = true;
security.allowSimultaneousMultithreading = true; security.allowSimultaneousMultithreading = true;
security.lockKernelModules = false; security.lockKernelModules = false;
@ -41,10 +44,12 @@
extraConfig = '' extraConfig = ''
%wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
%wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox %wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox
%wheel ALL=(root) NOPASSWD: ${fhs}/bin/fhs
''; '';
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
(writeShellScriptBin "fhs" "sudo ${fhs}/bin/fhs")
(writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox") (writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")
]; ];