rootfull docker, mkcert ca, bw scripts

2023-04-27 16:33:37 +01:00 · 2023-04-27 16:33:37 +01:00 · 6aa649eb01
commit 6aa649eb01
parent e0d717f56b
4 changed files with 59 additions and 8 deletions
--- a/system/work/system.nix
+++ b/system/work/system.nix
@ -22,17 +22,62 @@
  ];


-  networking.firewall.allowedTCPPorts = [ ];
+  networking = {
+    networkmanager = {
+      plugins = [ pkgs.networkmanager-openvpn ];
+    };
+  };
+  
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_unprivileged_port_start" = 53;
+  };

  system.stateVersion = "22.11"; # do not change
+  
+  security.pki.certificates = [
+    # mkcert root CA
+    ''
+    -----BEGIN CERTIFICATE-----
+    MIIEtTCCAx2gAwIBAgIQJFzbDr6Qu0RdwlB9iBsKjjANBgkqhkiG9w0BAQsFADBz
+    MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExJDAiBgNVBAsMG3RyaXN0
+    YW5ARkNTLVRyaXN0YW4tTml4Ym9vazErMCkGA1UEAwwibWtjZXJ0IHRyaXN0YW5A
+    RkNTLVRyaXN0YW4tTml4Ym9vazAeFw0yMzA0MjcwOTA5MDBaFw0zMzA0MjcwOTA5
+    MDBaMHMxHjAcBgNVBAoTFW1rY2VydCBkZXZlbG9wbWVudCBDQTEkMCIGA1UECwwb
+    dHJpc3RhbkBGQ1MtVHJpc3Rhbi1OaXhib29rMSswKQYDVQQDDCJta2NlcnQgdHJp
+    c3RhbkBGQ1MtVHJpc3Rhbi1OaXhib29rMIIBojANBgkqhkiG9w0BAQEFAAOCAY8A
+    MIIBigKCAYEA0rfztOVR6WnW/y/eSjVYPg9Hukegmj4JiPyYWWGwDU2WDFnZNL3h
+    g66YIngid/1tK/xau793oL5tSlxASCi/8v+UCu946p71iVnEM6GiI5bmLA2yV6DB
+    gbb6OQ5WCLfoOwOHW5jchlXpFstMsTGAyck3D8n0ndebQQc6YbOQG4RFyTftwI3g
+    2oy8Vl8NKyRL2V3NIPx16OkmLDhzo0bKHQAvPc+QUYfKRRn7UlUyfTy/ILwa0ezt
+    5KcggU/OMT68eFSp3LItUhRu1zSygCDk2zhJq8ieb5BypvSBWj/mSZtucpoasl72
+    txiRCN7yrGw21Z34KdqVF+mI0bWVEZESu1/93HzsEcy9SUX/tF11t/Zb5WAF3kFH
+    dk0UMRTayhKZuxCRmGIqjLrItUli2tDy+QTzNU0XZAaUokqk3to5GoXSij9H0MdJ
+    VRA8Y2Mdp+l16MMgLMG5gR9KVnCyM1bkqFJpR+xt8xyeAljI9hFVTyI4i36nUWoi
+    ITdpBUkaOSoVAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAG
+    AQH/AgEAMB0GA1UdDgQWBBQnpJfEOuRFXN0YJwf3R2EiWtApHDANBgkqhkiG9w0B
+    AQsFAAOCAYEAQx3kukopMjvybhbKsx/aU7CynjRCIbbONE10dX9fw7AtjQRB8Vcm
+    hlsW13MmM6DxroY6taWD8KLZxRNJeHoWdjN689sAbIlnaLrry7XDx5wtsBGfZh3j
+    vtFzSqHumxa1LjEQPUetTFp6YNgqDDyB53pU/Xfahwda8PCEOEqAsEveYyPqu0I1
+    MxNdPa/exE2HJxXZarWQ4pcqReykIVale+WbdOmSaT9cnA+E82hshhq3X6Aeti5s
+    DmIzY//L1LuNs0bXD4ECyMHA8Pgu3JyhnCIu8cxAKyOnM63P9iKZq5c9NASbvGgT
+    DNlxgyFqDQEI5k8Q2INM/6ZlJKcKRlIh1Nxd2PXl68IA0dWftBGydCGPPPcSdGCy
+    vA3XfPrgbuqdJjuPjQggMyajJsg2Y7b9YBL7XIBcwKqnSCxoDORGRQEy47sTaT8a
+    /BqBUuDPQbCF8MZcbsfwQP4pj8E/YyiSQCSZwQVpwVbZNBSOvcq28h0TEzDnAoHG
+    ey1rgb0TA5zi
+    -----END CERTIFICATE-----
+    ''
+  ];
+
+  # dangerous
+  users.users.tristan.extraGroups = [ "docker" ];

  virtualisation.docker = {
    enable = true;
    storageDriver = "btrfs";
-    rootless = {
-      enable = true;
-      setSocketVariable = true;
-    };
+    # rootless = {
+    #   enable = true;
+    #   setSocketVariable = true;
+    # };
  };

 }