author | lassulus <lassulus@lassul.us> | 2018-11-20 23:02:17 +0100 |
---|---|---|
committer | lassulus <lassulus@lassul.us> | 2018-11-20 23:02:17 +0100 |
commit | 9807d6823b31f36eb6b255cf7a01431e7e44a74e (patch) | |
tree | fe8f187bf98bc80e95b6850db031d3d052d85f36 /lass/2configs/blue-host.nix | |
parent | 81c18a4f44c44dbff4e100316aca28f8db17e14e (diff) |
l blue-host: sync state, start only when safe
Diffstat (limited to 'lass/2configs/blue-host.nix')
-rw-r--r-- | lass/2configs/blue-host.nix | 74 |
1 files changed, 66 insertions, 8 deletions
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index 2302c70ec..be9f68c08 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -1,11 +1,28 @@
 { config, lib, pkgs, ... }:
 with import <stockholm/lib>;
+let
+ all_hosts = [
+ "icarus"
+ "shodan"
+ "daedalus"
+ "skynet"
+ "prism"
+ ];
+ remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
-{
+in {
 imports = [
 <stockholm/lass/2configs/container-networking.nix>
+ { #hack for already defined
+ systemd.services."container@blue".reloadIfChanged = mkForce false;
+ systemd.services."container@blue".preStart = ''
+ ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+ '';
+ systemd.services."container@blue".preStop = ''
+ /run/wrappers/bin/fusermount -u /var/lib/containers/blue
+ '';
+ }
 ];
- systemd.services."container@blue".reloadIfChanged = mkForce false;
 containers.blue = {
 config = { ... }: {
 environment.systemPackages = [
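Review bot: The unlock check in the new preStart, `grep -q '^encfs on /var/lib/containers/blue'`, is a prefix match, so any encfs mount whose path merely begins with that string (e.g. a sibling `blue-*` directory) would satisfy it; anchoring on the mount line's following space, `grep -q '^encfs on /var/lib/containers/blue '`, pins it to the exact mountpoint. The identical pattern is repeated in the sync-blue script of the next hunk and should be fixed there too. The preStop runs `fusermount -u` on the container root while the container is presumably still up; if NixOS maps preStop to ExecStop, which runs before the main process is stopped, the unmount would likely fail as busy and postStop (ExecStopPost) may be the intended hook — worth confirming against the container@ unit definition. The bare `#hack for already defined` could be replaced by a comment stating the intent, such as `# container root is an encfs mount: refuse to start unless it is unlocked, unmount on stop`.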
@@ -23,10 +40,56 @@ with import <stockholm/lib>;
 hostAddress = "10.233.2.9";
 localAddress = "10.233.2.10";
 };
+
+
+ systemd.services = builtins.listToAttrs (map (host:
+ let
+ in nameValuePair "sync-blue-${host}" {
+ bindsTo = [ "container@blue.service" ];
+ wantedBy = [ "container@blue.service" ];
+ # ssh needed for rsync
+ path = [ pkgs.openssh ];
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = 10;
+ ExecStart = pkgs.writeDash "sync-blue-${host}" ''
+ set -efu
+ #make sure blue is running
+ /run/wrappers/bin/ping -c1 blue.r > /dev/null
+
+ #make sure the container is unlocked
+ ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+
+ #make sure our target is reachable
+ ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
+
+ #start sync
+ ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
+ settings {
+ nodaemon = true,
+ inotifyMode = "CloseWrite or Modify",
+ }
+ sync {
+ default.rsyncssh,
+ source = "/var/lib/containers/.blue",
+ host = "${host}.r",
+ targetdir = "/var/lib/containers/.blue",
+ ssh = {
+ binary = "${pkgs.openssh}/bin/ssh";
+ identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
+ },
+ }
+ ''}
+ '';
+ };
+ unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
+ }
+ ) remote_hosts);
+
 environment.systemPackages = [
 (pkgs.writeDashBin "start-blue" ''
 set -ef
- if ping -c1 blue.r; then
+ if ping -c1 blue.r >/dev/null; then
 echo 'blue is already running. bailing out'
 exit 23
 fi
@@ -36,10 +99,5 @@ with import <stockholm/lib>;
 nixos-container start blue
 nixos-container run blue -- nixos-rebuild -I /var/src switch
 '')
- (pkgs.writeDashBin "stop-blue" ''
- set -ef
- nixos-container stop blue
- fusermount -u /var/lib/containers/blue
- '')
 ];
 }
|
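Review bot: The `sync-blue-${host}` script duplicates the unlock check already placed in container@blue's preStart, and the `let` it sits in is empty (`let` / `in nameValuePair ...`); binding the mount|grep line once, in that `let` or in the file's top-level `let`, and referencing it from both places keeps the two checks from drifting apart. The ssh key, `identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa"`, is a user's key inside the container's encfs tree used by a root service on the host, so the mount check is what makes the connection possible at all; a comment such as `# key lives inside the encfs mount; only readable once the unlock check above passed` would make that dependency explicit. No host-key policy is set for `${host}.r`, so rsync over ssh relies on root's existing known_hosts being populated elsewhere — worth confirming, since Restart=always would otherwise loop on a host-key prompt. `unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"` also deserves a one-line comment naming why syncing is suppressed while ppp0 is up.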