diff --git a/flake.nix b/flake.nix
index 138e367..2114f51 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,7 +37,7 @@ let
   nixpkgs = inputs.nixpkgs;
-  modules = [
+  modules = system: [
     ./common
     inputs.simple-nixos-mailserver.nixosModule
     inputs.agenix.nixosModule
@@ -52,7 +52,7 @@
     })
   ];
-  mkVpnContainer = container_config: {
+  mkVpnContainer = system: pkgs: mount: config: {
     ephemeral = true;
     autoStart = true;
     bindMounts = {
@@ -68,14 +68,20 @@
         hostPath = "/dev/fuse";
         isReadOnly = false;
       };
+      "${mount}" = {
+        hostPath = mount;
+        isReadOnly = false;
+      };
     };
     enableTun = true;
     privateNetwork = true;
     hostAddress = "172.16.100.1";
     localAddress = "172.16.100.2";
-    config = { config, pkgs, lib, ... }: {
-      imports = modules ++ [container_config];
+    config = { lib, ... }: {
+      imports = (modules system) ++ [config];
+
+      nixpkgs.pkgs = pkgs;
       networking.firewall.enable = lib.mkForce false;
       pia.enable = true;
@@ -89,10 +95,10 @@
   mkSystem = system: nixpkgs: path: nixpkgs.lib.nixosSystem {
     inherit system;
-    modules = [path] ++ modules;
+    modules = (modules system) ++ [path];
     specialArgs = {
-      inherit mkVpnContainer;
+      mkVpnContainer = (mkVpnContainer system);
     };
   };
 in
diff --git a/machines/liza/configuration.nix b/machines/liza/configuration.nix
index b5be44c..73e01e1 100644
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@@ -121,12 +121,14 @@ in {
   };
   # wrap radio in a VPN
-  containers.vpn-container = mkVpnContainer {
+  containers.vpn = mkVpnContainer pkgs "/dev/null" {
     services.radio = {
       enable = true;
       host = "radio.neet.space";
     };
   };
+  # containers cannot unlock their own secrets right now. unlock it here
+  age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
   services.drastikbot = {
     enable = true;
@@ -262,7 +264,7 @@ in {
   networking.nat.enable = true;
   networking.nat.internalInterfaces = [
     "dns0" # iodine
-    "ve-vpn-continer" # vpn container
+    "ve-vpn" # vpn container
   ];
   networking.nat.externalInterface = "enp1s0";
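Review bot: Naming the last parameter of `mkVpnContainer` `config` on the `+ mkVpnContainer = system: pkgs: mount: config: {` line is a shadowing hazard inside a NixOS module: the inner module function in the following hunk (`config = { lib, ... }:`) appears to drop `config` from its argument set precisely so that `[config]` still means the outer parameter, and anyone who later re-adds `config` to that argument set would silently turn `imports` into the evaluated configuration. The old descriptive name avoids that trap, e.g. `mkVpnContainer = system: pkgs: mount: containerConfig: {` together with `imports = (modules system) ++ [containerConfig];`. The body of mkVpnContainer continues past the end of this hunk.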
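Review bot: The new `"${mount}"` bind mount is mandatory and read-write (`isReadOnly = false`), so every caller must hand the container a host path even when it has nothing to expose; machines/liza in this same commit passes "/dev/null" as a sentinel, which binds /dev/null over itself inside the guest. Making the mount optional removes the sentinel and limits read-write host exposure to callers that actually ask for it; `nixpkgs` is bound to `inputs.nixpkgs` earlier in this file, so `nixpkgs.lib.optionalAttrs` is available at this point, and the liza call site would then pass `null` in place of "/dev/null". The `bindMounts = {` opener this merges onto is in the previous hunk.
```nix
      # … unchanged: /dev/fuse bind mount …
    } // nixpkgs.lib.optionalAttrs (mount != null) {
      "${mount}" = {
        hostPath = mount;
        isReadOnly = false;
      };
    };
```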
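Review bot: The added `age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;` decrypts the VPN credentials on the host, but nothing in this hunk shows how the `containers.vpn` guest reaches the decrypted file, and the comment above it does not say either; presumably the container's `pia` module reads it through a mount defined elsewhere, which is worth confirming and recording. Since the plaintext now lives on the host, pin its `owner` and `mode` explicitly rather than relying on agenix defaults, and extend the comment to `# containers cannot unlock their own secrets right now: decrypt on the host and expose to the container via <mount path — fill in>`. The enclosing attribute set continues outside this hunk.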