From 3c84e737106c8ff38676861fdc1f7737a4fc2f73 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 5 Dec 2023 15:20:49 +0100
Subject: sync-containers3: remove interface at container shutdown to avoid stuck containers
---
 krebs/3modules/sync-containers3.nix | 3 +++
 1 file changed, 3 insertions(+)
 (limited to 'krebs/3modules')
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index 58446c82b..cb239b955 100644
--- a/krebs/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
@@ -246,6 +246,9 @@ in {
 }; } { "container@${ctr.name}" = lib.mkIf ctr.runContainer { serviceConfig = {
+ ExecStop = pkgs.writers.writeDash "remove_interface" ''
+ ${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
+ '';
 ExecStartPost = [ (pkgs.writers.writeDash "bind-to-bridge" '' ${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0
-- 
cgit v1.2.3
From adcb10a4e3afe98bff36307dbff8601cdbe61af6 Mon Sep 17 00:00:00 2001
From: tv
Date: Wed, 6 Dec 2023 22:30:12 +0100
Subject: setuid: properly adapt module to work with 23.11
---
 krebs/3modules/setuid.nix | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
 (limited to 'krebs/3modules')
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index fdb96c8ba..e3108d88e 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
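Review bot: The new `ExecStop` runs `ip link del vb-${ctr.name}` unconditionally, so when the veth is absent — the container failed before its veth existed, or it was already torn down — `ip link del` exits non-zero and systemd records the stop itself as a failure, hiding the original cause; guard it with `if ${pkgs.iproute2}/bin/ip link show vb-${ctr.name} >/dev/null 2>&1; then` / `${pkgs.iproute2}/bin/ip link del vb-${ctr.name}` / `fi`. The `ExecStartPost` script a few lines below addresses the same interface as `"vb-$INSTANCE"`; using one form in both places would make the pairing between the two scripts obvious to a reader. If the `container@` template unit already carries a stop action (not visible here), a single-string `ExecStop` may conflict with it or replace it rather than run in addition, so confirm how the definitions merge — a list value, or `lib.mkAfter`, would make the intended order explicit. The enclosing `serviceConfig` attribute set continues past the hunk.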
@@ -80,13 +80,25 @@ let
 };
 imp = {
- system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ]
- (concatMapStringsSep "\n"
- (cfg: /* sh */ ''
- ${cfg.activate}
- rm -f ${cfg.wrapperDir}/${cfg.name}.real
- '')
- (attrValues config.krebs.setuid));
+ systemd.services."krebs.setuid" = {
+ wantedBy = [ "suid-sgid-wrappers.service" ];
+ after = [ "suid-sgid-wrappers.service" ];
+ path = [
+ pkgs.coreutils
+ ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = pkgs.writeDash "krebs.setuid.sh" ''
+ ${concatMapStringsSep "\n"
+ (getAttr "activate")
+ (attrValues config.krebs.setuid)
+ }
+ '';
+ };
+ unitConfig = {
+ DefaultDependencies = false;
+ };
+ };
 };
 in out
-- 
cgit v1.2.3
From 5beea992dd6df7e78f845131aa7f6cee2d49d963 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 12 Dec 2023 14:13:07 +0100
Subject: sync-containers3: print ping timeout reasons before container kill
---
 krebs/3modules/sync-containers3.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'krebs/3modules')
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index cb239b955..d3a65bd4c 100644
--- a/krebs/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
@@ -155,7 +155,7 @@ in {
 # echo 'container is reachable, continueing'
 continue
 else
- # echo 'container seems dead, killing'
+ echo 'container seems dead, killing'
 break
 fi
 else
-- 
cgit v1.2.3
From cc61ce408000c5ac87602f96b26fcb04ea5c174b Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 9 Jan 2024 00:59:13 +0100
Subject: sync-containers3: fix dns issues
---
 krebs/3modules/sync-containers3.nix | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
 (limited to 'krebs/3modules')
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index d3a65bd4c..7373592a5 100644
--- a/krebs/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
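Review bot: The rewritten `ExecStart` script only concatenates each entry's `activate` text and drops the `rm -f ${cfg.wrapperDir}/${cfg.name}.real` that the removed activation script ran after every entry, so unless the `activate` scripts themselves (defined outside this hunk) now remove that file, a stale `.real` copy will persist in the wrapper directory across rebuilds; keep the cleanup in the script, or add a comment stating why it is no longer needed. The unit is ordered `after` suid-sgid-wrappers.service but does not require it, so the activate scripts still run when the wrapper setup has failed; adding `requires = [ "suid-sgid-wrappers.service" ];` next to `after` would make the dependency real. With `DefaultDependencies = false` and no `RemainAfterExit`, a short comment on the service saying when it is expected to re-run after a switch would help, since the old activation script ran on every switch and the new oneshot is only pulled in by the wrappers service. The enclosing `imp` set is shown in full; the surrounding `let` binding starts outside the hunk.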
@@ -58,6 +58,8 @@ in {
 pkgs.jq
 ];
 networking.useDHCP = lib.mkForce true;
+ networking.useHostResolvConf = false;
+ services.resolved.enable = true;
 systemd.services.autoswitch = {
 environment = {
 NIX_REMOTE = "daemon";
@@ -297,9 +299,6 @@ in {
 (lib.mkIf (cfg.containers != {}) {
 # networking
- # needed because otherwise we lose local dns
- environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf"; - boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1;
 systemd.network.networks.ctr0 = {
 name = "ctr0";
@@ -312,6 +311,9 @@ in {
 ConfigureWithoutCarrier = true;
 DHCPServer = "yes";
 };
+ dhcpServerConfig = {
+ DNS = "9.9.9.9";
+ };
 };
 systemd.network.netdevs.ctr0.netdevConfig = {
 Kind = "bridge";
@@ -344,6 +346,12 @@ in {
 networking.useHostResolvConf = false;
 networking.useNetworkd = true;
+ services.resolved = {
+ enable = true;
+ extraConfig = ''
+ Domains=~.
+ '';
+ };
 systemd.network = {
 enable = true;
 networks.eth0 = {
-- 
cgit v1.2.3
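Review bot: `dhcpServerConfig.DNS = "9.9.9.9"` in the third hunk hands every container a fixed public resolver, so all container name resolution leaves the host in cleartext on UDP/53 to a third party and stops working when that one address is unreachable, rather than going through a resolver the module controls; the ctr0 bridge address would be the natural target if the host's resolved is made to listen there (`DNSStubListenerExtra` in its configuration), and at minimum the literal should become a module option (for example `cfg.containerDns`, a constructed name) with a comment explaining why an external resolver was chosen. That address is also the only DNS source for the per-container `services.resolved.enable = true` added in the first hunk, so the two settings are coupled and should be documented together. The `Domains=~.` in the last hunk routes every query to the configured global DNS; a one-line comment saying so would save the next reader a trip to resolved.conf(5). The `systemd.network.networks.ctr0` set and the `mkIf` block around it continue outside the hunks.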