vps: enable openvscode, vscode-server, container

2024-09-19 17:37:27 +02:00 · 2024-02-18 13:07:09 +03:00 · 2024-02-18 13:07:09 +03:00 · c96a0534aa
commit c96a0534aa
parent 85654ce3a9
2 changed files with 72 additions and 3 deletions
--- a/flake.nix
+++ b/flake.nix
@ -120,6 +120,7 @@
        inputs.nh.nixosModules.default
        ./hosts/vps1/configuration.nix
        ./hosts/vps1/hardware-configuration.nix
+        sops-nix.nixosModules.sops
      ];
    };
  };
--- a/hosts/vps1/configuration.nix
+++ b/hosts/vps1/configuration.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 let
  rootDomain = "lgmrszd.xyz";
  gtnhDomain = "gtnh.${rootDomain}";
@ -9,8 +9,13 @@ in
 {
  imports = [
    ./hardware-configuration.nix
+    (fetchTarball { url = "https://github.com/cariandrum22/nixos-vscode-server/tarball/support-for-new-dir-structure-of-vscode-server"; sha256 = "1sp4h0nb7dh7mcm8vdflihv76yz8azf5zifkcbxhq7xz48c8k5pd"; })
    
-    
+  ];
+
+
+  systemd.tmpfiles.rules = [
+    "d /shared/openvscode 2770 root ${config.services.openvscode-server.group}"
  ];

  programs.fish.enable = true;
@ -29,12 +34,69 @@ in
    settings.PasswordAuthentication = false;
  };

+  networking.nat.enable = true;
+  networking.nat.internalInterfaces = ["ve-+"];
+  networking.nat.externalInterface = "eth0";
+
  services.endlessh-go = {
    enable = true;
    openFirewall = true;
    port = 22;
  };

+  services.vscode-server = {
+    enable = true;
+    nodejsPackage = pkgs.nodejs_18;
+    installPath = "$HOME/.vscodium-server";
+  };
+
+  services.openvscode-server = {
+    enable = true;
+    
+  };
+
+  containers.akkotest = let secretpath = "${config.sops.secrets.example_key.path}"; in {
+    ephemeral = true;
+    privateNetwork = true;
+    hostAddress = "192.168.100.10";
+    localAddress = "192.168.100.11";
+    bindMounts."${secretpath}".isReadOnly = true;
+    specialArgs = {inherit secretpath;};
+
+    config = 
+    { config, pkgs, secretpath, ... }:
+    {
+      users = {
+        users."akkoma" = {
+          description = "Akkoma user";
+          group = "akkoma";
+          isSystemUser = true;
+          uid = 1234;
+        };
+        groups."akkoma" = { gid = 1234; };
+      };
+    };
+  };
+
+  users = {
+    users."akkoma" = {
+      description = "Fake Akkoma user to set up secrets permissions";
+      group = "akkoma";
+      isSystemUser = true;
+      uid = 1234;
+    };
+    groups."akkoma" = { gid = 1234; };
+  };
+
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+    secrets.example_key = {
+      owner = config.users.users.akkoma.name;
+      group = config.users.users.akkoma.group;
+    };
+  };
+
  users.users.nginx.extraGroups = [ "acme" ];

  services.nginx = {
@ -93,12 +155,18 @@ in
  environment.systemPackages = with pkgs; [
    git
    vim
+    tmux
+    sops
  ];
  
  users.users.lgm = {
    isNormalUser = true;
    description = "lgm";
-    extraGroups = [ "wheel""docker"];
+    extraGroups = [
+      "wheel"
+      "docker"
+      config.services.openvscode-server.group
+    ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = [''sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHFPA2RhqZIVCLwYuEUDQyOnJ4g1R6IfQyhGqZ2Cvvu+AAAABHNzaDo= lgm@lgm-nixos''];
  };